U.S. PIRG Consumer Blog

October 28, 2009

Don't click on phish-y emails claiming to be from FDIC

Because they are phishing scams seeking to take your information, then take your money. The FDIC says:

E-mail Claiming to Be From the FDIC – October 26, 2009

The Federal Deposit Insurance Corporation (FDIC) has received numerous reports of a fraudulent e-mail that has the appearance of being sent from the FDIC. The subject line of the e-mail states: “check your Bank Deposit Insurance Coverage.” [...] This e-mail and associated Web site are fraudulent.
FULL RELEASE, after the jump.

FULL EMAIL
E-mail Claiming to Be From the FDIC – October 26, 2009

The Federal Deposit Insurance Corporation (FDIC) has received numerous reports of a fraudulent e-mail that has the appearance of being sent from the FDIC.

The subject line of the e-mail states: “check your Bank Deposit Insurance Coverage.” The e-mail tells recipients that, "You have received this message because you are a holder of a FDIC-insured bank account. Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets.”

The e-mail then asks recipients to “visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage” (a fraudulent link is provided). It then instructs recipients to “download and open your personal FDIC Insurance File to check your Deposit Insurance Coverage.”

This e-mail and associated Web site are fraudulent. Recipients should consider the intent of this e-mail as an attempt to collect personal or confidential information, some of which may be used to gain unauthorized access to on-line banking services or to conduct identity theft.

The FDIC does not issue unsolicited e-mails to consumers. Financial institutions and consumers should NOT follow the link in the fraudulent e-mail.

Posted by Ed Mierzwinski at 05:52 PM | Comments (0)


Privacy-intrusive K-12 data collection may be extended to college students

Privacy experts Joel Reidenberg and Jamela Debelak at Fordham Law School's Center on Law and Information Policy have released (their release, their report) an important new study. From Nick Anderson's Washington Post lede in his story States mismanage student information, study concludes:

States often collect far more information about students than necessary and fail to take adequate steps to protect their privacy, a national study concludes. The dossiers go far beyond test scores, including Social Security numbers, poverty data, health information and disciplinary incidents.

Reidenberg and Debelak note in their release the troubling finding that the K-12 database may be linked to a new student loan database proposed for college students.

"Even so, House Bill 3221, or the Student Aid and Fiscal Responsibility Act, contains a section that calls for the expansion and further integration of these databases without addressing these privacy concerns. A Senate version of the bill is expected to be released from committee shortly."

The release goes on to quote a leading student loan expert on his concerns:

“The CLIP study meticulously documents the states’ disregard for safeguarding children’s most personal data,” said Barmak Nassirian, Associate Executive Director, American Association of Collegiate Registrars and Admissions Officers. “And yet Congress is poised to fund an ill-thought-through expansion of these systems to include data ranging from pre-birth medical information to education, employment, military, and criminal records.”

U.S. PIRG experts share the concerns expressed in the report and by Nassirian.

Posted by Ed Mierzwinski at 04:38 PM | Comments (0)


October 26, 2009

Credit scoring models may deny consumers who take advantage of legal rights

We're asking Congress and the FTC to investigate reports first broken by Evan Hendricks and his Privacy Times newsletter that, as professor Brian Wolfman notes in his Public Citizen Law and Policy blog entry, "the fact that a consumer has disputed her credit report can undermine her ability to get a home loan, even when the consumer was correct in the dispute."

As Ken Harney, a syndicated columnist and longtime critic of credit scoring and reporting mistakes explains in his Washington Post followup to Privacy Times:

Fannie Mae's automated underwriting system won't accept any application in which there is a notation in the credit report that a consumer has disputed an account or "tradeline." [...] Evan Hendricks, author of the book "Credit Scores and Credit Reports" and publisher of Privacy Times, a newsletter that outlined Fannie Mae's policy in a recent report, calls it "extremely unfair to honest consumers who are simply doing what they should -- challenging misinformation."

We agree. Consumers should not be harmed by exercising legal rights granted by Congress to dispute their notoriously inaccurate credit reports.

Posted by Ed Mierzwinski at 05:56 PM | Comments (0)


October 20, 2009

ChoicePoint exposes consumer data...again

Once again, one of the biggest collectors and sellers of confidential consumer information is paying a fine to the Federal Trade Commission for sloppy data handling. From the FTC release: "This failure left the door open to a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identity theft." As powerful interests are wont to do (last week, it was Microsoft), ChoicePoint blamed someone else, a government customer, instead of taking full responsibility, as explained by Brian Krebs in the Washington Post, where he also notes that ChoicePoint flacks turned snippy over his characterization of the settlement. For those of you not keeping score, ChoicePoint was responsible in 2006 for one of the most embarrassing privacy debacles of the modern age: it agreed to a settlement for allegedly selling confidential consumer dossiers to identity thieves of no certain address, even after being notified of fraudulent activity by government agencies and even though the supposedly reputable businesses had disconnected phone numbers. For that mess, it paid $15 million, including restitution to victims; this fine of $275,000 seems like a parking ticket.

Congress is considering a variety of bills on data breaches and information security. Industry lobbyists are scurrying around the capitol demanding broad preemption over state authority to protect privacy and individual rights of action to recover damages as a condition of any new federal laws. Yet, without state data breach laws, we'd have never learned of the first ChoicePoint "breach."

Posted by Ed Mierzwinski at 08:07 AM | Comments (0)


October 13, 2009

Just say no to credit monitoring

I just received a renewal credit card in the mail that required activation by calling an 800#. I don't mind that. It reduces fraud and trafficking in stolen cards. So, I called, and typed in my card # and part of my SSN and stuff. But then, the voice says:

"While we're waiting for activation of your new card to be completed, we have a great offer. For $1, you can look at your credit report and fight identity theft. Press ONE now."
[Long pause while I wait for better choices and options.]
"Are you still there? Are you sure you don't want to fight identity theft blah blah blah? Press ONE now."
[Another very long pause. I am not buying.]
"OK, dang, we give up. I guess you're not going to fall for our credit monitoring subscription scam. Your card is activated anyway. Goodbye."

Well, I made that "dang" sentence up, of course. But no one should ever sign up for over-priced, under-performing, extremely profitable credit monitoring services, whether from your bank or from the ubiquitous freecreditreport.com. Nothing stops identity theft, except the security freeze. Oh, and credit reports? They're available for free by federal law and some state laws give you more free reports. Don't press ONE. Don't press anything. Just wait. Just say no. Coincidentally, someone just sent me an interesting Wall Street Journal column by Julia Angwin, The Fallacy of Identity Theft. Excerpt after the jump:

It turns out that "identity theft" is one of the most brilliant linguistic constructs ever, with its terrifying specter of losing not just your money – but your soul. Maybe it's time that we renamed it what it is: a fear campaign designed to get us to buy expensive services that we don't need.

I don't agree with everything in the column, but most of it, yes.

Posted by Ed Mierzwinski at 06:16 PM | Comments (0)


September 30, 2009

Survey: Americans hate being tracked online

Shocking findings from a survey reported in Stephanie Clifford's story Two-Thirds of Americans Object to Online Tracking in today's New York Times:

About two-thirds of Americans object to online tracking by advertisers — and that number rises once they learn the different ways marketers are following their online movements, according to a new survey from professors at the University of Pennsylvania and the University of California, Berkeley.

You can see the news release, which links to the report, here. The study is also at SSRN. The study is by Professor Joe Turow at UPenn's Annenberg School of Communications, along with colleagues Chris Hoofnagle and Jennifer King at UC Berkeley School of Law (Boalt Hall) Technology Law Clinic. It is a very important report, because Congress and the FTC are considering various responses to the growing tracking, targeting and behavioral modification of consumers prevalent on the web. This summer, U.S. PIRG joined other groups in demanding significant baseline privacy protections on the web when we released a comprehensive Internet privacy reform platform. Also, you can watch a presentation by Professor Turow describing his recent book Niche Envy: Marketing Discrimination in the Digital Age, but apparently, only in IE Explorer?

Posted by Ed Mierzwinski at 08:11 AM | Comments (0)


September 16, 2009

A few items from the FTC blotter

  • The FTC has announced a series of privacy workshops "to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data." The first is 7 December.
  • Maybe you thought that all the deceptive or dangerous or useless supplement products came from weird off-brand companies, or were only found in vitamin-only stores or on the Internet or in amazing TV-only offers. Well, think again. The FTC has announced that drug store giant CVS will pay nearly $2.8 million in consumer refunds to settle FTC charges of unsubstantiated advertising of its AirShield 'Immune Boosting' supplement.
  • Finally, the FTC recently finalized its action against auto warranty scam robocallers Transcontinental. I hope these are the guys who've been calling my cell, and if they do it again in violation of this order, maybe they'll end up in a cell.

Posted by Ed Mierzwinski at 08:25 AM | Comments (0)


September 09, 2009

EPIC Releases Obama Privacy Scorecard

Along with other groups, we joined the Electronic Privacy Information Center (EPIC) today as it released a Privacy Report Card for the Obama administration. Our own statement gave the administration an A for its introduction of proposed Consumer Financial Protection Agency legislation that returns federal law to a floor not a ceiling. Excerpt from my statement:

“In the long run, one of the most important privacy actions taken by the Obama administration may be one that hardly mentions privacy, if at all. The Obama proposal to establish a Consumer Financial Protection Agency takes the giant step of proposing that federal consumer banking law return to its roots as a floor or a minimum standard of protection, not a ceiling, reinstating the long-eviscerated rights of the states to enact stronger consumer banking and credit laws. If we can defend this proposal against the phalanx of corporate lobbyists against it, it is a game-changer.”

Posted by Ed Mierzwinski at 11:04 AM | Comments (0)


September 05, 2009

Privacy reforms sought by PIRG, others

Sorry for the blank space for a few days: I've been in the northeastern U.S. but in a large forested area apparently abandoned by my very large wireless telecom provider formerly known as Ma Bell.

Last week, U.S. PIRG Media and Telecommunications Reform Attorney Amina Fazlullah joined nine other advocates in a news event demanding baseline privacy protections against widespread behavioral tracking and targeting on the Internet. Our joint release, including links to materials. USA Today blog.

On Wednesday, I will join many of the same groups in a news event (advisory) to discuss Congressional and administration efforts to either enhance or diminish both on- and offline privacy. I fully expect that in every battle over privacy we will face an ugly fight over whether or not the states -- the absolute longtime privacy superstars -- can continue to lead the way, or whether the demands of corporate interests for weak, preemptive federal laws will prevail.

You know where we stand. So long as federal laws are strong enough, there is no need for the states to act, and they will not. That's not rational. But if federal laws fail to do the job, we need the states as first responders -- their rights to act should never be taken off the board. That's not rational. But it serves corporate privacy invaders well.

Posted by Ed Mierzwinski at 08:29 AM | Comments (0)


August 17, 2009

Hackers indicted over theft of 130 million card numbers -- Don't buy credit monitoring because of this

The government has announced (New York Times and Associated Press) the indictment of several hackers in the old data breach case involving 130 million credit and debit card numbers swiped from merchants (Hannaford and 7-11) and a third-party payment processor (Heartland).

Expect all kinds of trolls to come out selling credit monitoring and other sorts of over-priced identity theft protection services at between $5-$20/month or more. Don't do it. These breaches involve fraud against existing accounts, not true identity theft (although such fraud is technically a violation of identity theft laws). If it's your credit card, you shouldn't care because the law protects you well and it is the bank's money after all, so the bank will fight hard to protect it; but anyone who uses debit cards should be watching their deposit account statements regularly all the time since fraud protection on debit cards is not as good (not good at all) as on credit cards, and it is your own money they might take. As for actual identity theft, or bad guys opening new accounts in your name, generally they'd need more information about you, such as your SSN. Only a security freeze that blocks access to your credit report can stop identity theft. None of these so-called identity theft services can.

Posted by Ed Mierzwinski at 05:44 PM | Comments (0)


August 09, 2009

NYT: And You Thought a Prescription Was Private

The story And You Thought a Prescription Was Private by Milt Freudenheim in today's New York Times will probably shock a lot of people. But the fact is, despite major improvements made by the American Recovery and Reinvestment Act (ARRA) of 2009 to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, neither your prescription privacy nor your medical privacy more broadly are yet fully guaranteed. When the ARRA changes take full effect, you'll be better, but not fully, protected. The story explains how "de-identified" information can be "re-identified;" how hackers and voyeurs can gain access to your records, and also some of the "therapeutic" and other exceptions to supposed limits on marketing. It also explains important efforts by states to rein in drug marketing and protect privacy.

The World Privacy Forum has prepared a detailed Patient’s Guide to HIPAA: How to Use the Law to Guard your Health Privacy, written by Bob Gellman, one of the experts cited in the NYT. The WPF also explains why consumer-controlled Personal Health Records (PHRs) may sometimes be covered by HIPAA, but not if provided for you by a non-covered entity, such as a website. In that case you may only be protected by the website's privacy policy. Other good resources are PatientPrivacyRights.org and the EPIC medical privacy page. Also, check out this New York Times blog page of reader comments largely opposing direct to consumer advertising of drugs.

Posted by Ed Mierzwinski at 05:21 PM | Comments (0)


August 07, 2009

NYT on credit checks by employers

Last week we participated in a press conference to introduce federal legislation banning the use of credit reports by most employers; today the New York Times has a page one story on Another Hurdle for the Jobless: Credit Inquiries. The story reports on several states that have restricted the practice (Washington State and Hawaii) and several where it has been under consideration (Michigan and Ohio, with California governor Arnold Schwarzenegger vetoing a similar proposal). Opposition to use of credit reports is for several reasons:

  • what relationship is there between credit reports and job performance?
  • credit reports are full of mistakes and people shouldn't be denied jobs, especially in a depressed market, due to mistakes,
  • clearing the mistakes is an Orwellian nightmare that can take months,
  • many of the mistakes are due to identity theft, which is even harder to clean up, and
  • as pointed out in the story, credit checks could be being used as a proxy for illegal discrimination. Excerpt from the New York Times:

“How do you get out from under it?” asked Matthew W. Finkin, a law professor at the University of Illinois, who fears that the unemployed and debt-ridden could form a luckless class. “You can’t re-establish your credit if you can’t get a job, and you can’t get a job if you’ve got bad credit.”

Others say that the credit check can be used to provide cover for discriminatory practices.

Posted by Ed Mierzwinski at 08:04 AM | Comments (0)


August 05, 2009

NYT: New FTC consumer chief to take on Internet privacy

Update: I hadn't noticed, but reporter Stephanie Clifford had posted a great sidebar to the story discussed below, on her blog. Here it is: An Interview With David Vladeck of the F.T.C.: Excerpt:

"Q: I’m not sure “icky” is a legal term.
A: I use that because our chief economist uses that term. I don’t. I talk about dignity."

Also here is a link to the release from the Sears settlement over tracking web consumers discussed in the story and interview.

Original post: For several years, U.S. PIRG and the Center for Digital Democracy have filed detailed petitions to the Federal Trade Commission explaining that certain emerging online advertising practices amount to behavioral tracking intended to result in consumer manipulation -- and that the practices could not be solved by "privacy disclosures." Now, as Stephanie Clifford of the New York Times reports, new FTC Director of Consumer Protection David Vladeck has Fresh Views at Agency Overseeing Online Ads:

Privacy policies have become useless, the commission’s standards for the cases it reviews are too narrow, and some online tracking is “Orwellian,” Mr. Vladeck said.

The story goes on to point out that a recent commission privacy case against Sears did not rely on an archaic and difficult to attain proof of harm standard:

Now, Mr. Vladeck indicated, the commission would begin considering not just whether companies caused monetary harm, but whether they violated consumers’ dignity. “There’s a huge dignity interest wrapped up in having somebody looking at your financial records when they have no business doing that,” he said.

While various highly-paid industry lawyers are quoted in the piece claiming that providing consumers with protection against manipulation will wreak havoc on the Internet economy, the FTC's efforts are based on both the FTC Act's prohibition on unfair and deceptive practices and on the Fair Information Practices, which prohibit secret databases, prohibit secondary use of information without informed consent, limit collection, require use specificity, etc.

At another level, though, when Vladeck talks about dignity, he is recognizing what two young lawyers, Samuel Warren and Louis Brandeis, postulated (after Cooley) in the Harvard Law Review over 100 years ago as the "right to be let alone." Later, as a Supreme Court Justice, Brandeis, in a famous dissent in what was I think the court's first electronic privacy case (Olmstead, wiretapping), expanded that to say:

[privacy is] "the right to be let alone—the most comprehensive of rights and the right most valued by civilized men.”

Expect fierce pushback from industry lobbyists who will say this: "People selling stuff on the Internet need to be able to spy on and take advantage of our customers in order to manipulate them. We need secret tools that match their online behavior data points with their offline lives. Otherwise, we won't make money and the Internet will go away, the civilized world will come to an end and we will be living in caves." Only in Washington.

Posted by Ed Mierzwinski at 05:30 AM | Comments (0)


July 29, 2009

Banning credit report use by employers

Especially in a bad economy, job seekers shouldn't be rejected because of errors on their credit reports or because they were victims of identity theft. We just did a press conference with Rep. Steve Cohen (D-TN) in support of his bill to ban the use of credit reports for employment, except in limited circumstances. Also participating were co-sponsor Luis Gutierrez (D-IL), Hilary Shelton of the NAACP, Audrey Wiggins of the Lawyers Committee for Civil Rights Under Law, Ruth Susswein of Consumer Action and Deidre Swesnik of the National Fair Housing Alliance. Many other consumer and civil rights groups, including the National Consumer Law Center, also support the bill. As I said (pdf of my full release):

“Rep. Steve Cohen’s Equal Employment for All Act (HR 3149) is the right way to go. Let’s not deny jobs on factors that have nothing to do with potential work performance, especially when those factors could be mistaken and consumers face a nightmare on credit street trying to get the mistakes fixed.”

Full release after the jump.

U.S. PIRG Statement Supporting
“Equal Employment for All Act of 2009,” HR 3149, by Rep. Steve Cohen (D-TN)

By Edmund Mierzwinski, Consumer Program Director
News Conference, Wednesday, 29 July 2009

“PIRG’s “Mistakes Do Happen” reports on credit bureau errors have documented that one-quarter to one-third of credit bureau reports contain errors serious enough to deny credit or employment. Then, there’s the Kafkaesque complaint dispute process. And, many industry observers call our error findings conservative.

In my ongoing review of credit reporting practices since the 1970 Fair Credit Reporting Act I have yet to determine why Congress allowed credit reports to be used for employment purposes in the first place.

With so many mistakes in reports, and such a tough job market out there, it makes even less sense.

Rep. Steve Cohen’s Equal Employment for All Act is the right way to go. Let’s not deny jobs on factors that have nothing to do with potential work performance, especially when those factors could be mistaken and consumers face a nightmare on credit street trying to get the mistakes fixed.”

-30-

Posted by Ed Mierzwinski at 12:32 PM | Comments (0)


June 16, 2009

Medical identity theft in the news

In case you missed it, reporter Walecia Konrad had a story Medical Problems Could Include Identity Theft in the New York Times Saturday. The story featured Pam Dixon of the World Privacy Forum, who has done groundbreaking work (WPF medical theft id page) on the problem affecting over 250,000 Americans each year. From the Times:

When people are not aware their medical identities have been stolen, insurance companies may simply continue to pay the fraudulent claims without the victim’s knowledge. The person might learn of the fraud only when trying to make a legitimate claim, and the insurance company informs them they have reached their lifetime cap on benefits.

Posted by Ed Mierzwinski at 08:06 AM | Comments (0)


June 10, 2009

Solicitor General sort of doesn't oppose California privacy law

The U.S. Solicitor General's office has filed a tortured brief urging the Supreme Court not to accept several bank associations' petition to overturn California's financial privacy law. The U.S. first uses weak analysis (did they read the appellate decision?) to back the banks (taking the longstanding position of the federal bank regulators) and says it agrees with the bankers' view that the federal law preempts. That's not good. But it then says that the bankers' case doesn't meet the court's normal standards for review so it shouldn't accept the petition. Here's a story from the San Francisco Chronicle with some details. More information on the landmark SB1 and our support for it to remain California law.

Posted by Ed Mierzwinski at 10:44 AM | Comments (0)


June 03, 2009

PIRG expert on online privacy speaks at CFP

This morning, Amina Fazlullah, U.S. PIRG counsel for Internet, telecom and Internet issues, joined our colleague Jeff Chester of Center for Digital Democracy on a plenary panel called Privacy, Online Advertising and the Future of the Internet at the 2009 Computers, Freedom and Privacy conference (CFP2009). Also on the panel were senior representatives of Google, Microsoft, the FTC and the Internet Advertising Bureau. The moderator was Amy Schatz, reporter from the Wall Street Journal. Had I gotten this note up earlier, you could have watched the lively debate live. The conference continues tomorrow and you can stream it from that link. In the photo, that's Jeff to Amina's left and Mike Hintze of Microsoft on the right, in a not-my-sharpest video grab from the Flip. Story: Internetnews.com.

Posted by Ed Mierzwinski at 04:21 PM | Comments (0)


New credit report blog

Consumer attorney Chris Kittell has started a new blog devoted to explaining the law known as the Fair Credit Reporting Act. Along with other consumer attorneys, many of whom are members of the National Association of Consumer Advocates, a large part of Chris's practice is devoted to helping consumers fight unfair practices by credit bureaus and the banks, other creditors and debt collectors that share your account information with credit bureaus (these are called "furnishers" in the law) or buy credit reports from them (collectively, these are called "users"). Credit bureaus and furnishers and users all have certain accuracy and procedural and dispute reinvestigation requirements under the FCRA law. Guess what, they don't always comply.

Posted by Ed Mierzwinski at 04:01 PM | Comments (0)


    May 29, 2009

    Rockefeller moves on click-to-ripoff scams

    John D. (Jay) Rockefeller IV, Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation today announced a Senate Commerce Committee investigation into certain e-commerce marketing practices that generate thousands of mysterious monthly charges to consumer credit cards.
    Remember Memberworks and its assorted travel, medical and roadside assistance clubs? It's b-a-a-c-c-k. Actually, it never left, but its newer name is Vertrue. From Chairman Rockefeller's press release:
    On many well-known websites, including Fandango.com and Orbitz.com, after consumers make a purchase, a hyperlink or “pop up” window appears and offers consumers a cash back reward if they sign up for a company’s online membership service.
    The Rockefeller investigation will drill-down into "click-to-ripoff" scams involving Vertrue and other "club" companies that have "relationships" with popular sites like Orbitz and Fandango on the Internet. Here's a letter, or Rockefeller-gram, to Vertrue. The relationships being investigated involve old practices popularized by the banks and supposedly fixed by the 1999 Gramm-Leach-Bliley Financial Services Modernization Act and later by amendments to the Telemarketing Sales Rule.

    The practices? Pre-acquired account telemarketing and "free-to-pay" scams. Without your informed consent, if any consent at all -- a company you "trust" (some of the companies you used to trust were called "banks") shares your confidential credit card, debit card or even checking account information with a "marketing partner" that it "trusts" to provide it with massive commissions after it signs you up for products you didn't order and clubs you didn't join.

    In the free-to-pay variant, you might get a few weeks free. But unlike the Mickey Mouse Club, you don't even get a cool hat. You just get monthly bills and find it a royal pain in the neck to get your money back.

    Yes, Virginia, it is "very true" that websites are sharing your credit card number with third parties that bill you for products you didn't order and club memberships for clubs you didn't join. But, you say, "I just clicked on a "special offer" popup and immediately closed the horrific page of junky offers. I had no idea they could, or would, enroll me for looking at a page for two seconds. They can do that?"

    Yes, websites could and yes, they would. And they have for years (my previous blog). But maybe, as part of this investigation and the renewed Congressional oversight of the financial system, the old problem of "pre-acquired account telemarketing" will finally be solved.

    The 1999 Gramm-Leach-Bliley Financial Services Modernization Act was supposed to fix a lot of things. It was supposed to remove barriers that prevented financial firms from becoming giant one-stop financial supermarkets that would create synergies, boost competition, offer consumers choices, lower prices and make America strong. How's that going for you?

    In response to a rotten privacy scandal involving Memberworks and U.S. Bank, first uncovered by the Minnesota Attorney General, GLBA was also supposed to stop banks and other firms from sharing your credit card, debit card and even checking account numbers with "trusted" marketing partners without your consent. Who needs identity theft? An identity thief didn't steal your information and sell it. Your bank had it already and sold it.

    Just as its consolidation of the banking industry didn't work out, GLBA didn't completely solve this problem, either, so after pressure from the state attorneys general, the FTC made changes to the Telemarketing Sales Rule to further limit the seamy practice of "pre-acquired account telemarketing" as explained in these supplemental comments of the Minnesota and Illinois Attorneys General. As the Minnesota comments make clear, it isn't just hard to avoid being signed up without consent, it's hard to cancel.

    Some financial institutions have a “hotline” system so that consumer calls can be transferred directly from the customer service center at the financial institution to the retention department of the preacquired account seller. As one bank told its customer service representatives: We prefer that cardmembers contact the Business Partner directly when
    attempting to cancel. However, when a call comes into [Bank], we will attempt to re-route the call to the Business Partner via an abbreviated warm transfer, i.e., we introduce the caller and then the Business Partner handles the call.

    Unfortunately, GLBA and the TSR include only limited protections against pre-acquired account telemarketing and related "free-to-pay" scams. Let's hope Senator Rockefeller's investigation leads to more financial privacy reforms, including on the Internet.

    Believe it or not, Vertrue even has a page warning about pre-acquired account telemarketing, even though that's its game.

    More links:

    My testimony from a 2002 Senate hearing on privacy and Gramm-Leach-Bliley. Other pro-privacy witnesses at the hearing included the Minnesota and Vermont Attorneys General and Phyllis Schlafly, head of the conservative Eagle Forum. Among the industry witnesses was John Dugan, now head of the obscure, but powerful, federal OCC (previous blog).

    An article from the Multinational Monitor about Memberworks and U.S. Bank.

    New credit law will regulate Freecreditreport.com, a classic free-to-pay scam.

    Well, as you can see, I am so excited about this investigation, this blog could go on and on...

    Posted by Ed Mierzwinski at 06:03 AM | Comments (0)


    May 25, 2009

    New law to bring freecreditreport.com to heel

    The new credit card law signed Friday in the Rose Garden by the President includes some hidden gems. I understand Sen. Carl Levin (D-MI), chairman of the Permanent Subcommittee on Investigations, deserves credit for Section 205 of the law, which brings freecreditreport.com under clear FTC rulemaking authority. The provision will require, in nine months, that any radio or TV ad for this over-priced subscription credit monitoring product or similar product will have to include the following words: "This is not the free credit report provided for by Federal law."

    Under the Bush administration FTC, Experian paid some nickels and dimes in civil penalties for deceptively marketing freecreditreport.com (previous blog), but a poorly written consent decree allowed it to continue to extract millions of dollars from the pockets of hardworking American consumers who thought they were getting the free credit report provided by law, which is available from each of three bureaus at the government-mandated site annualcreditreport.com. Instead, freecreditreport.com used the threat of IDENTITY THEFT! or a LOW CREDIT SCORE! to seduce consumers into signing up for an over-priced credit monitoring service with a very shabby short-term opt-out-- if you didn't cancel in a week or ten days, you found out you'd signed up for a $12-15/month product you didn't need. The FTC rulemaking on this must strive to limit the deceptive use of the word "free" in circumstances other than the marketing of credit reports. More on free reports and also Senator Levin after the jump.

    Consumers in several states are also entitled to a separate, second additional annual free credit report under state law, by calling each of the three bureaus (Experian, Trans Union and Equifax) directly. Those states are Colorado, Georgia, Massachusetts, Maryland, Maine, New Jersey and Vermont. Here is a good FTC page explaining your free credit report rights, and for those who don't like putting personal data on the Internet, explaining how to get reports under federal law by mail or phone.

    The bureaus hate the state laws, so you'll have to listen carefully to their voicemail pick lists to find out how to order your free reports if you live in one of those free report states. Be persistent and complain to your state Attorney General if you think that it is warranted.

    Senator Levin also deserves credit for his early hearings featuring consumer victims. Those hearings helped tell the story of unfair credit card company practices. Who could forget the testimony of Wesley Wannemacher, who went just $100 over a $3000 limit, paid Chase Bank that full principal back plus over $3000 more in interest and fees, and still owed Chase $4000 more? (Previous blog.)

    Posted by Ed Mierzwinski at 02:07 PM | Comments (0)


    May 06, 2009

    Virginia: Blackmailer/Hacker seeks $10 million ransom for return of health records

    In a follow-up to a report first posted on Wikileaks, the Richmond Times-Dispatch says: Health Professions records breach being investigated. From the Richmond paper:

    State and federal authorities said very little yesterday about a hacker's claim that millions of patient prescription records kept on Virginia Department of Health Professions computers have been stolen. The FBI and the Virginia State Police have confirmed that an investigation is under way.

    The story goes on to point out that the veracity of the claim has not been confirmed. But the lede at the generally reliable Wikileaks site is this:

    On Thursday, April 30, the secure site for the Virginia Prescription Monitoring Program (PMP) was replaced with a $US10M ransom demand: "I have your s***! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original."

    The site is down. I checked.

    Posted by Ed Mierzwinski at 09:59 AM | Comments (0)


    May 04, 2009

    Supremes rule for privacy/anonymity

    The Supreme Court has issued its decision in Flores-Figueroa v. United States, holding that the severe crime of aggravated identity theft, with a mandatory two-year jail sentence, could not be invoked unless the defendant "knowingly" used information of "another person." While no one is in favor of identity theft, the crime of aggravated identity theft was intended to be brought against terrorists, money launderers and hardened criminals, not, for example, against college students sneaking into bars or, as in this case, an undocumented worker trying to get a job. Other more proportional, more appropriate sanctions may exist against these actions. In its friend of the court brief, the privacy group EPIC argued on behalf of 20 legal scholars that the crime of "identity theft" should require an intent to impersonate another.

    Posted by Ed Mierzwinski at 11:41 AM | Comments (0)


    March 28, 2009

    Concerned about medical privacy on the web? Read this.

    Concerned about medical privacy on the web? Over at the Consumer Law and Policy blog, check out Jeff Sovern's Thursday post Website Collects Medical Data and Uses That Data for Drug Company Solicitations. Jeff's lede:

    Today's [New York] Times includes Online Age Quiz is a Window for Drug Makers, about a web site, RealAge, which tells you your "biological age" if you answer some 150 questions and offers suggestions for reducing that age. Sounds great. But, the article explains, the information collected is then used to identify patients who might be candidates for medications, and the company sends these patients emails sponsored by drug companies that sell the medications.

    Posted by Ed Mierzwinski at 10:12 AM | Comments (0)


    March 16, 2009

    TRUSTe: More than half oppose behavioral targeting

    The New York Times has a story Many See Privacy on Web as Big Issue, Survey Says by Stephanie Clifford on a survey to be released later today by TRUSTe:

    When asked if they were comfortable with behavioral targeting — when advertisers use a person’s browsing history or search history to decide which ad to show them — only 28 percent said they were. More than half said they were not. And more than 75 percent of respondents agreed with the statement, “The Internet is not well regulated, and naïve users can easily be taken advantage of.”

    We're not surprised. We've seen a scramble by online industry firms to claim privacy leadership and promote the purported efficacy of voluntary self-regulation, or even pass weak federal laws, in response to our efforts, along with the Center on Digital Democracy, to promote real online and mobile privacy rules against behavioral targeting and other intrusions. The survey should be available later today on the TRUSTe web site.

    Posted by Ed Mierzwinski at 06:18 AM | Comments (0)


    March 11, 2009

    Retina-scanning consumers for ads? No need, smartphones will do nicely, advertisers say

    If you saw the Tom Cruise techno-thriller set in the near future, Minority Report, you may recall where his character, John Anderton, is walking through a mall and the interactive billboards are using retina-scans to ID and then pitch him: "John Anderton, you could use a Guinness right about now."

    Who needs retina scans? Advertisers are using smartphones. As Stephanie Clifford reports in the story Advertisers Get a Trove of Clues in Smartphones in today's New York Times:

    Advertisers already tailor ads for small groups of consumers on the Web based on personal information. But cellphones have a much higher potential for personalized advertising, especially when they use applications like Yelp or Urbanspoon with GPS to identify a person’s location, right down to the street corner where they are standing.

    She goes on to quote our colleague Jeff Chester of the Center for Digital Democracy:

    “It’s potentially a portable, personal spy,” said Jeff Chester,[...]

    NYTimes quote continues:

    [Chester] who will appear before Federal Trade Commission staff members this month to brief them on privacy and mobile marketing. He is particularly concerned about data breaches, advertisers’ access to sensitive health or financial information, and a lack of transparency about how advertisers are collecting data. “Users are going to be inclined to say, sure, what’s harmful about a click, not realizing that they’ve consented to give up their information.”

    We'll be attending that meeting, along with Jeff, and pushing the FTC to provide greater privacy protections. In January, his group, CDD, and U.S. PIRG petitioned the FTC to add greater mobile Internet privacy protections.

    Of course, Minority Report is based on a story by the late science-fiction writer Philip K. Dick (his official site). As Wikipedia notes, "monopolistic corporations and authoritarian governments" whose actions on privacy and civil liberties affect the lives of consumers and citizens were important themes in his often dystopian novels and short stories. They're still making his stories into movies today, years after his death in 1982.

    Some of the other well-known movies based on his work include Blade Runner with Harrison Ford, Total Recall with Arnold Schwarzenegger, and Paycheck with Ben Affleck.

    Back to Jeff Chester: Ten Questions To Ask Your Cell Phone Provider—and the Online Marketers They Work With—to Protect Your Mobile Privacy.

    Posted by Ed Mierzwinski at 05:43 PM | Comments (0)


    February 27, 2009

    AMEX cancels privacy activist's card

    [Photo: Edward Hasbrouck]
    Over at his Practical Nomad blog, longtime privacy activist Edward Hasbrouck (that's his headshot) chronicles the correspondence and events -- starting with AMEX sending letters to cardholders changing its terms of service to allow myriad privacy invasions including robocalls, whether you object or not -- culminating this week in the cancellation of his card.

    Hasbrouck has been a leader in challenging intrusive security measures by TSA and other agencies. He is a well-known author of several books on how to travel the world without burning a hole in your wallet. He notes in this post:

    Before ATMs were so widespread, I used to recommend carrying an American Express card as a check-cashing card when travelling abroad. More recently, although their practices have prompted me to threaten to cancel my card, I've kept it as an emergency backup.

    Not so much anymore.

    Posted by Ed Mierzwinski at 09:00 AM | Comments (0)


    February 19, 2009

    More on Facebook

    Over at Business Week, you can read about The Complaint Almost Filed Against Facebook. It was drafted by EPIC and we would have been a lead co-complainant, as we have been in a number of online privacy complaints filed jointly with EPIC and/or the Center for Digital Democracy or both. Business Week writer Douglas MacMillan speculates that the complaint "appears to have heavily influenced Facebook’s stance" when it dropped the new terms.

    Meanwhile, over at the Washington Post, reporter/columnist Rob Pegoraro asks:

    Seen another way, though, why would anybody pay more attention to Facebook's terms of service than to the other contracts we casually accept? Who reads the roughly 17,500-word "terms and conditions" contract governing Apple's iTunes Store before buying a song? Who digests Microsoft's nearly 5,500-word license for Windows Vista before booting up a new PC? For that matter, how many home buyers read in full the terms of their mortgages before signing stacks of settlement documents?

    That's easy, Rob. Consumers hate all these other unfair "take it or leave it" contracts of adhesion jammed down their throats, too. But for better or worse (for Facebook), Facebook's business model gives us an online community where we can band together and fight back and use the megaphone of the Internet to demand change. As for those other unfair contracts, a first step toward reform is enactment of Rep. Hank Johnson's (D-GA) Arbitration Fairness Act, HR 1020, to eliminate mandatory pre-dispute arbitration terms that limit our legal rights when contracts are unfair.

    Posted by Ed Mierzwinski at 07:20 AM | Comments (0)


    February 18, 2009

    Facebook: Oh, never mind.

    Facebook has decided not to change its terms of service at this time, following a massive uproar by its own members and in the blogosphere, as kicked off by the Consumerist headline last weekend: Facebook's New Terms Of Service: "We Can Do Anything We Want With Your Content. Forever." (Washington Post story.) Facebook has stumbled and bumbled on privacy in the past (Beacon).

    Posted by Ed Mierzwinski at 10:23 AM | Comments (0)


    February 01, 2009

    AMEX: Less use of shopping data in behavioral credit scores?

    In his story Saturday in the New York Times, American Express Kept a (Very) Watchful Eye on Charges, Ron Lieber drills down into a story (previous blog) that broke late last year about the American Express credit card's use of behavioral data-mining. Their letters to customers facing reduced credit limits or higher rates stated that the firm compiled information about where they shopped and where they lived. AmEx then compared it to payment patterns of others who shopped and lived there. If others were deadbeats, you might have your credit limit lowered or your rate raised, even if you'd always paid on time. According to the story, AmEx claims to Lieber that it never looked at specific merchants but was discontinuing use of "spending patterns" in its data-mining. Claiming it never looked at specific merchants is a sharp departure from a line from its customer letter Lieber quotes:

    “Other customers who have used their card at establishments where you recently shopped,” one of those letters said, “have a poor repayment history with American Express.”

    Lieber then goes on to say:

    It sure sounded as if American Express had developed a blacklist of merchants patronized by troubled cardholders. But late this week, American Express told me that wasn’t the case. The company said it had also decided to stop using what it has called “spending patterns” as a criteria in its credit line reductions.

    Lieber goes on to interview a number of credit card company spokespeople, who are all somewhat taciturn about just how much data-mining they do. He also explains the story of Kevin Johnson, a victim of the data-mining who has appeared on TV and in papers and even

    began documenting his experience on newcreditrules.com, where he posted the names of all the merchants he patronized, in the hope that other American Express customers would cross-check his list with theirs and solve the mystery.

    Check out Kevin's page -- it is quite professional and detailed -- and you may realize the truth of the adage: Just because you’re paranoid, doesn’t mean they aren’t out to get you.

    I've been disappointed that neither Congress nor the bank regulators have investigated these practices more thoroughly, although I was encouraged when the FTC and FDIC penalized the predatory credit card company CompuCredit for (among myriad other violations) its use of behavioral scoring.

    Posted by Ed Mierzwinski at 04:49 PM | Comments (0)


    January 22, 2009

    CNET: White House quietly exempts YouTube from federal Web privacy rules

    Interesting story from Chris Soghoian over at his CNET Surveillance State column: White House quietly exempts YouTube from federal Web privacy rules. The story points out that YouTube has been exempted from an otherwise government-wide ban on websites using long-term tracking cookies.

    While the White House might not be tracking visitors, the Google-owned video sharing site is free to use persistent cookies to track the browsing behavior of millions of visitors to Obama's home in cyberspace. No other company has been singled out and rewarded with such a waiver.

    Posted by Ed Mierzwinski at 02:27 PM | Comments (0)


    USA Today blogger rips Heartland re breach notice

    Over at his Zero Day Threat book blog, USA Today tech reporter Byron Acohido rips the Heartland payment processor for the lack of transparency about its massive security breach (my previous blog) involving 100 million or more credit and debit card numbers. From Byron:

    Once again, we have a case where more transparency would clearly serve the greater good of making the Internet incrementally safer. Instead, what appears to be unfolding is yet another demonstration of plausible deniability by the centrally involved financial institutions, as each tries to dodge liability.

    Posted by Ed Mierzwinski at 09:37 AM | Comments (0)


    January 20, 2009

    Possibly largest data breach ever reported today

    Well, it isn't Friday afternoon and it isn't Christmas Eve. Those bad news days happen every year, Fridays more than once, and were routinely used by the Bush Administration to bury announcements. Today, on the much-less-common and much tougher news day, President Barack Obama's Inauguration Day, the payments processor Heartland decided to report that over the last year it may have suffered the largest data breach in history, over 100 million credit and debit card numbers. The numbers were collected over time through a piece of malicious tracking software added to the firm's computers. Brian Krebs at the Washington Post has more in Payment Processor Breach May Be Largest Ever.

    Posted by Ed Mierzwinski at 04:16 PM | Comments (0)


    January 13, 2009

    U.S. PIRG, CDD to file mobile privacy complaint today

    Along with Jeff Chester's Center for Digital Democracy, U.S. PIRG will file an amended complaint (here is the release) to the FTC on mobile privacy. As the Internet, and its advertisers, have migrated to cell phones with locational tracking, privacy rules have not kept pace. From the Washington Post story Online Privacy Decisions Confront Obama by Kim Hart:

    Separately, the Center for Digital Democracy and the U.S. Public Interest Research Group said they plan to file a complaint today with the Federal Trade Commission, urging the agency to investigate mobile marketing practices that may threaten consumer privacy.[...] the Center for Digital Democracy and U.S. PIRG are asking the FTC to examine the practices of companies such as Bango, which analyzes mobile audiences, and AdMob, a mobile advertising network, for using "unfair marketing tactics" that do not adequately inform consumers about how personal information is used. Jeff Chester, executive director of the Center for Digital Democracy, said mobile customers are particularly vulnerable to ads for new loans, refinancing deals or new credit cards in the uncertain economy. Most devices can track a user's location, which advertisers can leverage for marketing purposes.

    Bloomberg's Molly Peterson: Privacy Groups’ Mobile-Ad Complaint May Test Obama’s Stance. Business Week's Heather Green: Spies in Your Mobile Phone. Verne Kopytoff in the San Francisco Chronicle: Shields sought over ads tracking mobile users. The complaint updates our several earlier FTC filings on online privacy. From the release:

    “Policies governing consumer privacy on the mobile Web have failed to keep pace with these new marketing practices,” observed Ed Mierzwinski, director of consumer protection for USPIRG. “Most critically, as the user’s location has become part of the data collection and targeting process, the ‘mobile marketing ecosystem’--as the industry calls it--poses serious new threats to consumer privacy.”

    The new complaint examines five key aspects of mobile marketing: behavioral targeting, location-based targeting, user tracking/mobile analytics, audience segmentation, and data mining. Through an analysis of industry marketing data and other sources, it offers a revealing--and disturbing--examination of an industry that provides mobile communications services to 267 million Americans. Mobile marketers are building profiles of these users so they can be targeted for advertising based on their behavior and their current location.

    “We are well aware of the important role mobile communications are playing in our society, from politics to shopping,” explained Mierzwinski. “Increasingly, consumers and citizens will use their mobile devices as essential tools to engage in sensitive financial, medical, and purchasing transactions. But the growth of mobile communications must be accompanied by meaningful consumer privacy and marketing policies. That’s why the FTC must quickly act.”

    Posted by Ed Mierzwinski at 06:00 AM | Comments (0)


    December 27, 2008

    Will computerized health records protect privacy?

    Today's New York Times story by Steve Lohr Health Care That Puts a Computer on the Team extols all of the purported virtues of health information technology and some of the challenges in making it work. Incredibly, the story fails to discuss its biggest challenge--privacy. The phalanx of powerful special interests and beltway bandits sweeping along well-intentioned medical and research organizations to help them push Congress to spend big on computerized health records has so far failed to ensure adequate privacy guarantees. When consent is granted virtually automatically, as it will be in these systems, privacy is at risk. Congress must go further to ensure that computerization of health records doesn't represent the death of privacy protection. For more information, see worldprivacyforum.org.

    Posted by Ed Mierzwinski at 10:05 AM | Comments (0)


    December 23, 2008

    FTC issues report on credit bureau accuracy, orders insurers to provide scoring data

    Today the FTC issued a Congressionally-mandated interim study on the accuracy of credit reports.

    The FTC also ordered nine large insurance companies "to produce information for a study on the use and effect of credit-based insurance scores on consumers of homeowners insurance." See our previous blog on issues related to the use of credit reports to determine insurance eligibility.

    Blog excerpt: Should your car insurance bill be based on how many claims, accidents and speeding tickets you have? Makes sense to us but not to the insurance industry. They want to base your rates on whether you paid your Mastercard on time last month and whether your credit score is high enough.

    There are also major questions as to whether credit scoring illegally discriminates, since otherwise similar applicants who are white have higher scores than persons of color.

    Posted by Ed Mierzwinski at 02:08 PM | Comments (0)


    December 07, 2008

    freecreditreport.com scam exposed AGAIN

    I've often written about the freecreditreport.com scam. The website is run by the credit bureau Experian. Over at Smartmoney.com, in her story FreeCreditReport.com: Not So Free -- Still, reporter Stacey Bradford points out two key astonishing facts.

  • First, that the site is ratcheting up its advertising:
    FreeCreditReport.com spent a little more than $19 million on advertising during the third quarter, an increase of 28% from the same period in 2007, according to TNS Media Intelligence. A vast majority of that money -- roughly $14 million -- was spent on television ads.
  • Second, that the cancellation period to avoid being locked into the $14.95/month credit report monitoring service that the company sells is down to only 7 days -- and consumers are complaining that it is really hard to cancel.

    The somnolent lapdog known as the Bush Administration Federal Trade Commission is responsible for the deception. Perhaps the numbers in the Bradford piece will wake them up. In weak settlements totaling a paltry $1.2 million, it has continued to allow Experian to use the word "free" for its overpriced subscription service. Using the word "free" confuses consumers into thinking that they are going to the government-mandated annualcreditreport.com site where you can get an actual free credit report required by law. The web is full of other blogs that agree with me (MSNBC Red Tape Chronicles blog, Huffington Post blog, Washington Post blog). If you are tricked into purchasing over-priced credit monitoring with the promise that it is "free", complain to the FTC and also to your own state attorney general (list here). He or she is a tough consumer cop, unlike the FTC.

    Here's another thing: When the full history of the financial meltdown is written, it will describe the role of the credit bureaus. Not only did their super-duper credit scores fail to accurately warn of consumers' ability to repay, but their use of trigger lists and their incessant Internet ads for products such as lowermybills.com (also owned by, you guessed it, Experian) drove people to the mortgage companies where they got hooked on over-priced debt (previous blog). Over at his Center for Digital Democracy, Jeff Chester has written about the role of the credit bureaus in the explosive growth of behavioral advertising on the Internet.

    Posted by Ed Mierzwinski at 07:16 AM | Comments (0)


    October 29, 2008

    Letter to Justice Opposing Google/Yahoo Ad Combination

    Our counsel for media and telecommunications reform, Amina Fazlullah, has sent letters to Attorney General Mukasey and to Department of Justice antitrust chief Thomas Barnett expressing our opposition to the proposed Google/Yahoo online advertising agreement on both antitrust and privacy grounds:

    The combined market share of Google and Yahoo would probably exceed 90 percent. Such concentration raises concerns about a lack of competition in the paid search advertising market, which could have negative repercussions for content providers, advertisers and consumers. [...] In our opinion the proposed agreement induces the remaining paid search advertising outlets to resort to privacy invasive techniques which harms consumer privacy online and thus threatens online discourse in general.

    We've been concerned about the Internet (Google, Yahoo and Microsoft, and numerous other firms) for a long time. Here's a link to a blog entry describing our supplemental November 2007 FTC petition (filed with Center for Digital Democracy). That entry links to our original November 2006 joint FTC petition outlining our concerns about behavioral targeting, privacy and the Internet business model.

    Posted by Ed Mierzwinski at 03:24 PM | Comments (0)


    Rights of consumers in credit reporting cases before court

    We recently joined NACA and NCLC in an amicus (or friend of the court) brief in an important 11th Circuit case concerning the rights of consumers to enforce the federal Fair Credit Reporting Act (FCRA). In general, but in particular with the FCRA, when strong consumer remedies are eliminated by bad court decisions, then all consumers run the risk that credit bureaus and creditors will ignore the law even more than they already do. That will leave us all paying more for credit due to mistakes or even perhaps-intentional misinterpretations that please creditor-customers at the expense of consumers. As an example of the importance of consumer enforcement of the FCRA, just a few months ago, a court stopped credit bureaus from mis-reporting debts discharged in bankruptcy. That class action is ongoing, but the injunctive relief is an important victory (see information on White v. Experian). Due to the injunctive relief granted, millions of consumers will benefit as credit bureaus are now forced to verify the accuracy of certain information received from creditors.

    Without consumer enforcement, where would we be? The FTC occasionally, but not often enough, at least slaps a small fine at its regulated credit bureaus. But, when was the last time you recall one of the bank regulators penalizing a bank for violating the FCRA?

    Posted by Ed Mierzwinski at 01:36 PM | Comments (0)


    October 22, 2008

    Data mining for pitches to consumers

    In today's New York Times, Brad Stone's story Banks Mine Data and Pitch to Troubled Borrowers explains how the Big Three credit bureaus continue to develop new data sources and methods that allow them to sell even more sophisticated consumer profiles and dossiers to lenders. The firms are exploiting the light hand of the FTC to expand their use of the credit and insurance "pre-screening" exceptions to the Fair Credit Reporting Act's otherwise strict limits on the use of credit reports for marketing.

    Back in December, USA Today also had a nice story that explained how certain credit bureau products such as "trigger lists" or "lead generators," coupled with the aggressive online direct-to-consumer advertising of some of their subsidiaries, such as lowermybills.com, were contributing to the mortgage bubble. As I blogged at the time:

    In the view of many, the lists do not meet the criteria to qualify for the special [pre-screening] exception. But the FTC claims that they do, in some very thin letters and fact sheets lacking any buttressing legal authorities. Incredibly, the FTC, the credit bureaus, and the subprime mortgage crisis are also linked to the Internet advertising bubble. Lowermybills.com was and may still be one of the biggest web advertisers. You do have a right to opt-out of pre-screened lists. You can call 1-888-5-OPTOUT or find out more about doing so by mail or on the web from the FTC.

    Posted by Ed Mierzwinski at 07:19 AM | Comments (0)


    October 21, 2008

    President's Identity Theft Task Force report out

    We have yet another Strategic Plan to combat identity theft. Government likes issuing strategy papers. Unfortunately the tactics proposed are inadequate to protect ordinary Americans from hassles created by the sloppy data practices of the public and private sector. Identity theft is booming partly because it is a simple skill that can be taught to thieves still in short pants who are not destined to become rocket scientists. Until we improve consumer rights to compensation from the companies that lose our data to their simple schemes, the firms will continue to be negligent about protecting it better.

    And while the government may be trumpeting the increased penalties recently enacted for committing "aggravated identity theft," I would note that recent news stories suggest that these penalties are being used more to threaten individual undocumented low-wage immigrants than to hold identity theft kingpins to account.

    As I repeatedly told government officials in meetings and conference calls over the last 18 months of the development of the report, its failure to recommend adequate restrictions on private sector uses of Social Security Numbers means it won't work well. Further, despite the stunning record of over 40 state governments in enactment of security freeze and data breach identity theft protections since passage of the federal Fair and Accurate Transactions Act (FACTA) of 2003 (which allowed stronger state identity theft laws), the report refers to the usual pejorative "patchwork" of state laws and calls for uniform national standards to preempt stronger, or newer, state security breach notification efforts. Even worse, nearly every such federal proposal I have seen would not only establish uniform national breach law standards, it would also broadly preempt other state privacy efforts. Proposing yet again to preempt the states, and taking 50 important tools out of the democracy toolbox, shows that the conservative principle of federalism doesn't matter to this President.

    For more on the government's position against stronger state law health and safety protections, see this brief commentary Safety Last by law professor David Vladeck in The Nation.

    Posted by Ed Mierzwinski at 07:52 PM | Comments (0)


    September 24, 2008

    Massachusetts issues data protection rules

    Massachusetts regulators (their release, detailed regulations, Boston Globe story) have issued data protection rules for businesses, implementing its recent identity theft law, which was enacted following a spate (TJ Marshalls and other TJX stores, Hannaford Stores and Harvard U, etc) of high-profile data breaches right in the hub of Red Sox Nation. In addition, Governor Deval Patrick has issued an executive order

    "requiring all state agencies to immediately take steps to implement security measures consistent with the requirements established by OCABR's regulations for private companies."
    From the Globe:

    Shortly after the TJX incident, Patrick signed sweeping legislation requiring companies to notify the state of future security breaches and ordering the consumer affairs agency to craft new regulations. [...] After business groups raised objections to an early draft of the rules, Crane said, the agency made several changes. [...] Still, Eric Bourassa, a consumer advocate for the Massachusetts Public Interest Research Group, said he is pleased with the final version.

    Posted by Ed Mierzwinski at 07:56 AM | Comments (0)


    Today, Wednesday, Last Chance for free credit monitoring

    Oops, a few days ago I said Tuesday was 9/24. It is actually today. In what seems like a short deadline for a recently approved settlement, consumers must register here by Tuesday WEDNESDAY 9/24, (name, address and some details but no bank account or credit card numbers required) to obtain benefits (either six months of credit monitoring with a possible cash payment OR nine months of enhanced credit monitoring) in a nationwide settlement of a lawsuit against the credit bureau Trans Union. More information in this pdf summary. The good news is that the settlement prohibits TU from automatically renewing you, although it certainly hopes and dreams consumers will convert to for-profit credit monitoring at the end. Take it for free but just say no when it is over.

    Posted by Ed Mierzwinski at 05:26 AM | Comments (0)


    September 11, 2008

    Google's new privacy offer, not so much

    Over at his Surveillance State blog, Chris Soghoian Debunks Google's log anonymization propaganda.

    Google announced on Monday that the company will be reducing the amount of time that it will keep sensitive, identifying log data on its search engine customers. To the naive reader, the announcement seems like a clear win for privacy. However, with a bit of careful analysis, it's possible to see that this is little more than snake oil, designed to look good for the newspapers, without delivering real benefits to end users.
    Warning: Some of it rates a little high on the geek-meter, way into the red zone, but it's clearly explained and it is important stuff.

    Posted by Ed Mierzwinski at 04:17 PM | Comments (0)


    September 10, 2008

    Did BNY Mellon comply with state breach laws?

    Hundreds of thousands of Connecticut residents are among those just learning in the last few weeks that BNY Mellon (its breach site) placed them at financial risk when it lost unencrypted data tapes (excuse me, it blames a trusted courier) containing millions of customers' Social Security Numbers, bank account numbers, addresses and other building blocks of new account identity theft. But BNY Mellon apparently lost the information in either February or May. Its letter to customers in late August claims that its "forensic investigation" was responsible for the delayed notification. Neither Connecticut's Republican Governor Jodi Rell (her release) nor its Democratic Attorney General Dick Blumenthal (his release) think BNY complied with the state's timely data breach notification requirement, which provides that:

    "Such disclosure shall be made without unreasonable delay ...[unless]...a law enforcement agency determines that the notification will impede a criminal investigation and such law enforcement agency has made a request that the notification be delayed."
    Perhaps the firm will claim some other law enforcement agency than the state attorney general gave it cover for its excessive delay.

    Posted by Ed Mierzwinski at 08:41 AM | Comments (0)


    September 05, 2008

    Ninth Circuit reinstates part of privacy law

    This week, the Ninth Circuit US Court of Appeals (decision, San Francisco Chronicle story) reinstated part of a landmark PIRG-backed California financial privacy law, SB 1, that will prevent banks and other financial firms from sharing some of your information with affiliates if you choose to opt-out. The new decision differentiates between sharing for credit purposes, which will still be subject to a "no-opt" rule and sharing for marketing or profiling purposes, which will have a newly enforced opt-out right. From the Chronicle:

    For example, Deputy Attorney General Catherine Ysrael, the state's lawyer in the case, said customers provide personal and financial information to banks that maintain their accounts, and their credit card statements might reveal buying patterns that a bank could turn over to affiliated retailers. The law allows customers to block the sharing of such information.
    Over at Consumer Law and Policy blog, Leah Nicholls has more legal and preemption analysis. Below is some more explanation and history.

    Federal law (the 1999 Gramm-Leach-Bliley Financial Modernization Act) allows unfettered sharing between firms and their affiliates regardless of your preference; it only gives you a limited right to opt-out whenever information is shared with some third parties. California law now says that some sharing (for marketing or profiling) with affiliates requires the firm to first offer you a right to opt out (say no) and that all sharing with most third parties requires you to first affirmatively consent (opt-in or say yes). That part of the law had not been challenged and has been in force. (Note that some third parties selling financial products on behalf of the bank are treated as if they are affiliates; so, the opt-in that applies to "most third parties" applies primarily to sharing with all telemarketers and their ilk). SB 1 was championed by then-state senator Jackie Speier, who became U.S. Rep. Jackie Speier (D-CA) in a special election earlier this year following the death of Rep. Tom Lantos (D-CA).

    During Congressional consideration of the 1999 Gramm-Leach-Bliley Financial Modernization Act, it became clear that information sharing among corporate affiliates was an issue of bi-partisan concern. While much has been written of the Victoria's Secret catalog that helped us, gross abuses of privacy by some of the nation's biggest banks -- including U.S. Bank and Bank of America predecessor NationsBank -- also helped us make the case for privacy. However, due to the power of the banking lobby, the final federal law resulted in privacy notices, but not much in the way of actual privacy rights. However, former Senator Paul Sarbanes (D-MD), a consumer champion, inserted language allowing states to pass stronger financial privacy laws. As it often does, California went first, passing SB 1. However, the legal turmoil (my 2005 blog entry) that ensued caused other states to drop similar efforts. The GLBA had unfortunately also included language preserving the Fair Credit Reporting Act. This conflict between its anti-preemptive Sarbanes amendment and its cross-reference to the preemptive Fair Credit Reporting Act's definition of affiliate led to the myriad court decisions before today. The court's decision this week recognizes that affiliate sharing not for credit reporting purposes should not be preempted by this cross-reference. This is important for privacy since it gives consumers the right to prevent unwanted marketing and invasive profiling. More older background from EPIC.

    Posted by Ed Mierzwinski at 04:59 PM | Comments (0)


    August 12, 2008

    House web privacy investigation: tracking without consent

    The House Energy and Commerce Committee is posting responses of major and minor Internet companies -- from Google and Verizon to CBeyond and Suddenlink -- to its Internet data collection privacy inquiries led by its senior leadership, including Chairman John Dingell (D-MI), Rep. Cliff Stearns (R-FL) and privacy hawks Ed Markey (D-MA) and Joe Barton (R-TX). As Ellen Nakashima reports in today's Washington Post, Some Web Firms Say They Track Behavior Without Explicit Consent:

    The revelations came in response to a bipartisan inquiry of how more than 30 Internet companies might have gathered data to target customers. Some privacy advocates and lawmakers said the disclosures help build a case for an overarching online-privacy law.
    She goes on to quote our colleague Jeff Chester:

    "Google is slowly embracing a full-blown behavioral targeting over its vast network of services and sites," said Jeffrey Chester, executive director of the Center for Digital Democracy. He said that Google, through its vast data collection and sophisticated data analysis tools, "knows more about consumers than practically anyone."
    Follow the link to his website for more details. My previous blog on deep packet inspection and Nebuad.

    Posted by Ed Mierzwinski at 09:40 AM | Comments (0)


    August 11, 2008

    WSJ: Are stores following state data breach laws?

    Over at the Wall Street Journal, in a followup story today on the indictment of 11 hackers (previous blog) over the theft of 40 million credit and debit card numbers, questions are asked. According to Some Stores Quiet Over Card Breach: Customers Not Told About Alleged Theft of Consumer Data by Joseph Pereira, Jennifer Levitz and Jeremy Singer-Vine, (pd. subs. req'd): While four chains clearly notified customers of massive data breaches as required by over 40 state laws (Consumers Union list), two chains did not and three chains won't say if they did or not.

    Excerpt:

    Dan Clements, chief executive of Affinion Security Center's CardCops unit, which monitors Internet chat-rooms for illegal trafficking of credit and debit cards, says many companies are reluctant to disclose breaches. "Telling the public that they've been breached is embarrassing for them, it makes them suffer a loss of goodwill and in the case of public companies, the stock price goes down."
    The story notes that four chains -- TJX Cos., BJ's Wholesale Club Inc., shoe retailer DSW Inc., and restaurant chain Dave and Buster's Inc. -- followed breach disclosure laws. The two that did not -- Boston Market Corp. and Forever 21 -- told the WSJ they weren't sure they'd been breached.
    "The other retailers -- OfficeMax Inc., Barnes and Noble Inc., and Sports Authority Inc. -- wouldn't say whether they made consumer disclosures."

    Posted by Ed Mierzwinski at 08:15 AM | Comments (0)


    August 06, 2008

    ID thieves/hackers charged in theft of over 40 million card numbers; FTC settles with TJX

    Yesterday the US Attorney General and a number of U.S. Attorneys announced charges against eleven members of an international "Retail Hacking Ring" that stole at least 40 million credit and debit card numbers. The DOJ press release credits the ring with the infamous hack of a microwave transmission from a Miami TJX Marshalls store, as well as other thefts of card numbers from DSW Shoe Warehouse, the Sports Authority, Boston Market and other retailers. According to a Page One Wall Street Journal story today (pd. subs. req'd):

    The indictments allege that the computer breach at TJX -- which was hardest hit by the scheme -- was part of a much broader conspiracy involving the other retailers that lasted between 2003 and 2005. Although the government said the defendants managed to steal more than 40 million credit- and debit-card numbers, some consultants in court testimony estimated that 100 million account numbers were compromised in the TJX case alone.
    Also this week, the Federal Trade Commission announced it had settled its complaint against the TJX stores for failure to maintain adequate security safeguards. If you are wondering why the FTC did not impose a civil penalty against TJX, as it did against ChoicePoint two years ago, it is because ChoicePoint violated the Fair Credit Reporting Act, which gave the FTC authority to impose a penalty for a first offense. That FCRA civil penalty authority does not generally exist for first violations of Section 5 of the FTC Act, its main statutory weapon. The FTC recently explained to the Senate Commerce Committee the limitations on its civil penalty authority.
    These categories of cases, where civil penalties could enable the Commission to better achieve the law enforcement goal of deterrence, include malware (spyware), data security, and telephone records pretexting.
    Senator Byron Dorgan (D-ND), has introduced legislation, S 2831, to reauthorize the FTC and grant that missing penalty authority.

    Posted by Ed Mierzwinski at 08:41 AM | Comments (0)


    August 05, 2008

    Government contractor loses data on travelers

    A firm entrusted with the government's trusted traveler program has lost an unencrypted laptop containing records of 33,000 applicants. Not to worry. From the Washington Post:

    "We don't believe the security or privacy of these would-be members will be compromised in any way," said Steven Brill, chief executive of Verified Identity Pass.
    Once more, we ask the timeless question: who will guard the guardians themselves?

    Posted by Ed Mierzwinski at 05:59 AM | Comments (0)


    August 04, 2008

    WashPost front page on Rx data and privacy

    I blogged last week on a Business Week story on the troubling ways that consumer prescription drug data are being used to invade consumer privacy. Today, the Washington Post has a front page story Prescription Data Used To Assess Consumers: Records Aid Insurers but Prompt Privacy Concerns by Ellen Nakashima:

    While lawmakers debate how best to oversee the shift to computerized records, some insurers have already begun testing systems that tap into not only prescription drug information, but also data about patients held by clinical and pathological laboratories. Traditionally, insurance companies have judged an applicant's risk by gathering medical records from physicians' offices. But the new tools offer the advantage of being "electronic, fast and cheap," said Mark Franzen, managing director of Milliman IntelliScript, which provides consumers' personal drug profiles to insurers. The trend holds promise for improved health care and cost savings, but privacy and consumer advocates fear it is taking place largely outside the scrutiny of federal health regulators and lawmakers.
    The Fair Credit Reporting Act actually provides stricter controls on medical credit reports than financial credit reports. The FTC has investigated and imposed consent decrees (no civil penalties) on Medpoint and Milliman Intelliscript.

    Posted by Ed Mierzwinski at 09:11 AM | Comments (0)


    July 09, 2008

    Senator Dorgan Holds Hearing On Internet Privacy

    Interstate Commerce Subcommittee Chairman Byron Dorgan (D-ND) and Chairman Daniel Inouye (D-HI) of the Senate Commerce Committee held a hearing today entitled Privacy Implications of Online Advertising. In her testimony, Lydia Parnes, Associate Director of the FTC, referenced the PIRG/Center for Digital Democracy online advertising petition to the FTC (previous blog).

    In her testimony, Leslie Harris of the Center for Democracy and Technology offered a good overview of what's at stake. She pointed out, as does our PIRG and CDD petition, that the new trend of behavioral targeting poses greater threats than traditional search advertising:

    There is also a risk that profiles for behavioral advertising may be used for purposes other than advertising. For example, ad networks that focus on “re-targeting” ads may already be using profiles to help marketers engage in differential pricing. Behavioral profiles, particularly those that can be tied to an individual, may also be a tempting source of information in making decisions about credit, insurance, and employment. [...] The concerns about behavioral advertising practices are heightened because of the increasingly sensitive nature of the information that consumers are providing online in order to take advantage of new services and applications. Two data types of particular concern are health information and location information.
    She also discussed the problem of behavioral advertising conducted right at the ISP, as opposed to ad network or website, level:
    The use of ISP data for behavioral advertising is one area that requires close scrutiny from lawmakers. The interception and sharing of Internet traffic content for behavioral advertising defies reasonable user expectations, can be disruptive to Internet and Web functionality, and may run afoul of communications privacy laws.
    Our previous blog on a joint letter to Congress with CDD, CDT and others on the company Nebuad and ISP behavioral targeting issues. Nebuad was also a witness today, as were Microsoft and Google.

    Posted by Ed Mierzwinski at 06:35 PM | Comments (0)


    July 06, 2008

    Privacy threatened by judge's court order in Youtube copyright case

    Papers reported widely this week on a federal judge's decision ordering Google (owner of Youtube) to give the TV network Viacom "its records of which users watched which videos on YouTube, the Web’s largest video site by far." Google Told to Turn Over User Data of YouTube by Miguel Helft in the New York Times, Anick Jesdanun in the Associated Press, and Slashdot. In the case, Viacom is asserting broad rights to protect its copyrighted broadcast materials that may have been posted as clips on Youtube. While both companies claimed they would devise ways to anonymize data and protect consumer privacy, the order raises a variety of questions for consumer and privacy advocates and civil libertarians, not the least of which, to me, is the overarching question: have the courts and Congress gone too far in protecting the rights of intellectual property holders without considering those of consumers?

    Among the questions raised in the Times' and other stories:

  • Does the order comply with the federal Video Privacy Protection Act of 1988's privacy rights provisions? The law was passed at lightspeed by Congress after an enterprising reporter for the Washington (DC) City Paper obtained and published video rental records of Supreme Court nominee Judge Robert Bork. From NYT:
    "Users should have the right [under Bork law] to challenge and contest the production of this deeply private information," said Kurt Opsahl, senior staff lawyer at the Electronic Frontier Foundation, an online civil liberties group.
  • Question: Is Google talking out of both sides of its mouth when it demanded that most information, including IP addresses, be withheld to protect its customers' privacy? From NYT:
    Interestingly, Google has rejected demands by privacy groups for more stringent protections for I.P. address records, saying that in most cases the addresses cannot be used to identify users.
    But as the NYT story goes on to point out, IP addresses have been reverse-engineered or de-anonymized in the past, leaving user privacy at risk: From NYT:
    Both companies have argued that I.P. addresses alone cannot be used to unmask the identities of individuals with certainty. But in many cases, technology experts and others have been able to link I.P. addresses to individuals using other records of their online activities.[...] Mr. Opsahl also said that even records that did not include a user’s login name and I.P. address might be able to be associated with specific people. In 2006, after AOL released for research purposes the search records of thousands of anonymous users, reporters from The New York Times were able to track down one person by analyzing her search queries. Mr. Opsahl said anonymous viewing habits may similarly yield clues about the identity of viewers.
    I said above I was generally troubled by court decisions and laws that overly favor rights-holders over individuals. For more on the Digital Millennium Copyright Act (DMCA), fair use, privacy and other related issues, see the websites of the Electronic Frontier Foundation (post by Keith Opsahl), the Electronic Privacy Information Center and of the ChillingEffects.org clearinghouse. It's a joint project of EFF and several law schools. Also this week, Google finally added a privacy policy link to its home page (LATimes Blogs).

    Update: This Center for Digital Democracy blog by Jeff Chester discusses other undiscussed issues in the Google/Viacom story. At Google,

    "They now call YouTube a "next-generation advertising platform," something we think reflects how they really view the service. Google is pitching the branding and selling of YouTube to advertisers. Google is now tracking YouTube views as it promotes to advertisers a scheme to take advantage of the "viral" marketing capabilities of YouTube."

    Also, this Huffington Post blog entitled A few Important Stories That Are Not News (in the US) by Jamie Love of Knowledge Ecology International discusses some international intellectual property issues of note.

    "ACTA: Japan, the US and the European Union are holding secret negotiations on a new intellectual property right enforcement treaty, misleadingly named the Anti-Counterfeiting Trade Agreement. This negotiation is making headlines in Canada and is reported in Europe, but not by the US newspapers and wire services."

    Posted by Ed Mierzwinski at 01:32 PM | Comments (0)


    July 03, 2008

    Thriller explores ID theft, data manipulation

    I confess. I read thrillers, from Ludlum and Cussler to Thor and more. I took Jeffery Deaver's latest book featuring the forensic detective duo of Lincoln Rhyme and Amelia Sachs to the beach this week. Without giving away the plot, as this info is all from the flyleaf, Deaver's "The Broken Window" explores the questions: What if a bad guy (really bad guy) had access to all the tools and information used and sold by data brokers and data miners to the government and others, including identity thieves? How could he use and manipulate these data both to manipulate victims and avoid his own detection?

    Deaver credits a variety of privacy and civil liberties groups -- including EPIC and the Electronic Frontier Foundation -- in both the narrative and an acknowledgments page. He also urges readers to check out "No Place to Hide," the non-fiction book on what its author, Robert O'Harrow of the Washington Post, calls the "security-industrial complex." Both books are worth the read.

    Posted by Ed Mierzwinski at 06:59 AM | Comments (0)


    June 27, 2008

    ISP backs down on spying plan

    We had a small victory on privacy this week-- a new threat has been stopped. Earlier this month, we joined a number of privacy and consumer groups in a letter urging a Congressional investigation of a proposal by Charter Communications, a large Internet ISP, to use controversial tracking and spying technology from a company called NebuAd that essentially would allow it to track everything you do online. Following up on that letter to Chairman Ed Markey (D-MA) of the House Telecommunications and the Internet subcommittee and Rep. Joe Barton, full Energy and Commerce ranking member, Markey and Barton sent their own letter to Charter and several groups released a report on the problem (letter and report). This week, Charter said they'd drop the plan. Story from AP Charter Won’t Track Customers’ Web Use via New York Times and story from ClickZ.

    Posted by Ed Mierzwinski at 02:34 PM | Comments (0)


    June 22, 2008

    Location, Location, Location-- Advertisers and Law Enforcement Want To Know All The Places You'll Go

    And, of course, the places you've been. The New York Times has an interesting article today by Michael Fitzgerald -- Predicting Where You’ll Go and What You’ll Like. It looks at some locational privacy issues largely through the lens of a company that

    "applies complex statistical algorithms to sift through the growing heaps of data about location and to make predictions or recommendations on various questions -- where a company should put its next store, for example."
    Of course, many companies want the locational data provided by GPS and RFID-enabled cell phones for much more than that-- the ability to perform real-time interventions in your life and steer you through their door. For example, your cell phone could generate a 10%-off discount coupon text message to you when you are in the store's vicinity.

    The government, too, wants greater access to locational information. While GPS-enabled cellphones have valid emergency uses, such as e911, law enforcement officials want access to much more information for more purposes than that.

    A recent article from privacy scholars at Boalt Hall, the law school of the University of California at Berkeley, notes that consumers are using a variety of web-based locational services -- Yahoo Zone Tags, BuddyBeacon, DodgeBall and Loopt, on their cellphones. (Other sources of locational data could include automatic toll systems such as EZPass and, as the article notes, vehicle telematic systems such as GM OnStar.) From the article A Supermajority of Californians Supports Limits on Law Enforcement Access to Cell Phone Location Information by Jennifer King and Chris Hoofnagle:

    The location data generated by these devices is of growing interest to law enforcement. While location data can enable the rescue of kidnapped or missing people in emergency situations, it also can be used to pervasively track individuals in nonemergency situations, as well as provide a historical account of one's travels. The Washington Post reported in November 2007 that federal officials were "routinely asking courts to order cell phone companies to furnish real-time tracking data so they can pinpoint the whereabouts of drug traffickers, fugitives and other criminal suspects," often without demonstrating probable cause. The availability of location data, and the ease with which law enforcement is able to obtain this data, raises concerns about the balance of power between the individual and government. In particular, obtaining location data from service providers gives law enforcement far more surveillance capability, both in breadth and depth, than agencies would have if conducting comparable surveillance themselves.
    The article goes on to report on a survey that finds that (summary from abstract)
    "a supermajority of Californians supports judicial intervention and informing suspects before law enforcement acquires retrospective (historical) location data on individuals from wireless phone companies. A majority of Californians understands that wireless phones can track their location, and that there is broad support for location tracking in emergency situations."
    For more information about locational tracking, privacy law and mobile commerce, another scholarly article is Direct Marketing, Mobile Phones, and Consumer Privacy: Ensuring Adequate Disclosure and Consent Mechanisms for Emerging Mobile Advertising Practices by Professor Nancy King:
    Mobile commerce will enable consumers to use their mobile phones to conveniently purchase goods and services (like parking passes or theater tickets) and to receive timely information content (like directions and maps). Mobile commerce is also generating new advertising opportunities for suppliers of new and existing products and services directed at consumers through their mobile phones. Consumers may welcome mobile advertising or view it as an annoyance. In either case, this Article argues that consumers and advertisers should be concerned about protecting consumers' privacy and personal data in this new environment.
    As this Mobile Marketing Watch article notes, U.S. PIRG will be joining the Center for Digital Democracy in an updated filing to the FTC, adding mobile commerce privacy issues to those raised in our previous Internet privacy and behavioral targeting petition (this article, and some others, think we have already filed).

    Posted by Ed Mierzwinski at 08:14 AM | Comments (0)


    June 19, 2008

    More reports from allies 2 -- ISP customer-spying technology

    Also yesterday, Public Knowledge and Free Press released a report on the controversial NebuAd technology that U.S. ISPs may be using already to track their customers across the web. Here's the News release from PK. From FP, here is the report NebuAd and Partner ISPs: Wiretapping, Forgery and Browser Hijacking. Here is a letter from privacy hawks and senior Energy and Commerce Committee members Ed Markey (D-MA) and Joe Barton (R-TX) to the head of the ISP Charter, asking, essentially, what was he thinking. From the joint release:

    NebuAd uses special equipment that "monitors, intercepts and modifies the contents of Internet packets" as consumers go online...."NebuAd commandeers users' Web browsers" to load tracking cookies and collects information from users in order to place ads from ISPs.
    The technology, to me, sounds more like the FBI's Carnivore program, or its less-discredited but still-controversial deep packet inspection successors, than any legitimate advertising system. The privacy questions loom large. We'll be following this issue closely. Remember, this is not a web site you might visit placing a cookie; this is your on-ramp to the Internet using cookies and other technology to track your every move, and you can't do much about it.

    Posted by Ed Mierzwinski at 10:07 AM | Comments (0)


    May 27, 2008

    Latest Sign of the Apocalypse-Two Credit Repair Firms Using Our Name

    Scouring the Internet this morning, I found our name and data from our 2004 report on credit bureau errors Mistakes Do Happen in two recent PR news releases from two separate firms claiming NOT to be illegal credit repair doctors -- one from Lexington Law Firm and another from something called NACRA.

    We are not connected with either of these firms and would never urge you to give your money (hundreds of dollars!) to a company that claims it can eliminate bad credit, even ones that claim to do "legal" credit repair. You can fix mistakes yourself. You can eliminate identity theft and fraud accounts yourself. But your own bad credit can only go away over time. Keep your current bills timely. Pay down your credit cards so you aren't maxed out. But don't waste your money on credit repair. More from the FTC.

    Anytime a firm claims not to be an "illegal" credit doctor, but makes promises to fix bad credit for large amounts of cash, use your head. If your efforts to fix false or inaccurate negative information on your credit report fail, we recommend you talk instead with an attorney who specializes in the Fair Credit Reporting Act, such as one from the National Association of Consumer Advocates.

    Posted by Ed Mierzwinski at 08:40 AM | Comments (0)


    May 17, 2008

    Sallie Mae changes reporting, credit scores crash

    Over at his Red Tape Chronicles, MSNBC's Bob Sullivan reports that when student loan giant Sallie Mae merely changed its reporting method to credit bureaus, something in the massive credit reporting/credit scoring system burped, and the credit scores of young graduates with student loans that were paid as agreed came crashing down. For those interested in credit bureaus and credit scores, here's some more analysis from me.

    Credit scores are derived from credit bureau databases. The bureaus sell their own now, but the market leader in scoring has long been Fair Isaac and its FICO score. As Sullivan reports, a coding change at the bureaus or at Fair Isaac caused the scoring algorithm to presume that regular, on time payments as agreed were actually partial payments negotiated by delinquents as part of a workout strategy. Some consumers lost over a hundred points.

    For years, Fair Isaac protected its scoring system like the Coca-Cola formula. No one could look inside the black box. They wouldn't even explain the general concepts and weighting of factors.

    They claimed it was so consumers couldn't figure out how to game the system. They claimed it was to protect their intellectual property from would-be competitors.

    It seems to me that another reason is they don't like to admit mistakes. For years, for example, their software downgraded consumers who were simply shopping around for the best deal on insurance or a new car. FICO instead presumed their multiple inquiries were precursors to credit-binge fueled bankruptcies.

    Today, thanks to pressure from advocates and ground-breaking California legislation on credit score disclosure later incorporated into federal law, FICO's system is more transparent, it is richer (thanks to sales to consumers) and it has some competition. But it still needs to do a better job of preventing these sorts of errors before they happen.

    In this case, either the bureau computers or FICO computers bungled entries that resulted from a laudable Sallie Mae program that benefited its younger borrowers by setting repayment schedules to ramp up as a young graduate's income increased over time. The mis-coding presumed these were not payments as agreed, but some sort of partial payment workout plan after a consumer's delinquency. (The default switch at a credit bureau is generally "D for deadbeats." The FICO analytics rely on the coding of the payment history it receives from the bureaus.)

    Sometimes, creditors game the scoring system:
    But Sallie Mae hasn't always been so altruistic. Several years ago, it came under Congressional pressure for failing to report to all the credit bureaus. Columnist Ken Harney helped expose the fiasco. This resulted in potentially lower scores for consumers when their score was calculated from a credit report at a bureau that Sallie didn't report to. Many young consumers only have a few trade lines on their credit reports. To use a collegiate analogy, it would be like calculating their cumulative grade point average on only 3, not all 4, of the courses they were taking.

    Sallie did this intentionally -- both to deflate scores, making their customers appear less desirable to competitors who wanted to send them pre-screened offers, and also to make it harder for those competitors to find their customers generally, so they'd never send the offers in the first place. Sallie didn't want other student loan companies to offer loan consolidation deals. This was also during its high-flying days when it wanted to become a one-stop shop for all financial products. Keeping its own customers as a captive customer base and limiting their ability to shop around aided that business plan.

    But it certainly made it harder for young consumers who were applying for auto or home financing to get the credit they deserve, when their paid-as-agreed student loan wasn't adding points to their score. Under pressure from the Congress, Sallie changed its ways. By the way, one of its lamer defenses at the time was that it was simply doing it for the students, since for every consumer who benefited from reporting, it claimed there was another who didn't make payments as agreed and would benefit from not having that negative trade line shared. Of course, that's ridiculous.

    Another way to game the system and make your customers appear less desirable to competitors seeking to buy pre-screened lists from the bureaus to make offers is to report only partial information about them. Credit card companies, including Capital One and Citibank (again, Ken Harney was on the case), have been accused of doing this, in Congressional hearings and other venues. If you only report a consumer's credit card balance but not his or her credit limit, the scoring computers' default setting is that the current (or highest previous) balance equals the limit. If your balance equals your limit, you are of course maxed out. Maxed out consumers have lower scores.

    I am not necessarily a big fan of pre-screened offers, which can lead to too much debt. But some consumers may benefit. More importantly, remember that the consumer making his or her own applications for credit is hurt also.

    Finally, even though FICO guards the scoring algorithm as if it were the fabled Coca-Cola formula, it is prone to systemic mistakes as above, it can be spoofed by creditors as above, and it's even been reverse-engineered (by the Fed and others). "Pay no attention to that man behind the curtain, I am the great and powerful FICO," just doesn't cut it anymore.

    In addition, the bureau coding systems contribute to the problem. Everyone involved needs to do a better job.

    Posted by Ed Mierzwinski at 07:18 AM | Comments (0)


    May 11, 2008

    Warning on Internet club account signup scams

    Over at The Consumerist blog, check out the important warning Watch For Baloney "Reservation Rewards" Charges On Your Credit Card. Companies, including federally-insured banks whose regulators should have them concerned with "reputation risk," form partnerships with often-sued marketers including Trilegiant (see 2006 settlement between 16 state Attorneys General and Chase Bank and Trilegiant. Chase has recently been accused of continuing these practices anyway). Another firm in the biz is the ever-morphing Memberworks (is it now Vertrue?). The companies and their partners exploit gaping loopholes in the porous 1999 Gramm-Leach-Bliley Financial Modernization Act which "allow" them to share confidential information garnered from account relationships with the telemarketers. The club purveyors then claim the right to bill you based on either a "one-click" look at their pages or, in the offline version of the scam, after you cash a teeny $2.37 or so check that arrives with your bill. In either case, you've "signed up" for an often useless but expensive $10-$15 month club membership. Insist that your credit card company remove these charges.

    Posted by Ed Mierzwinski at 12:19 PM | Comments (0)


    May 06, 2008

    FTC investigates mobile marketing, PIRG and CDD will update FTC petition

    Our colleague Jeff Chester of the Center for Digital Democracy is on a panel today at the FTC's Town Hall-- Beyond Voice: Mapping the Mobile Marketplace. As noted in today's Media Post (subs. req'd):

    Two leading advocacy groups intend to file a complaint with the Federal Trade Commission about mobile marketing, Jeff Chester, founder and executive director of the Center for Digital Democracy, will announce today. "We're filing a complaint to force the FTC to take a proactive stance," Chester said. Mobile ad companies "incorporate the same problematic business practices that we witnessed with PC-based broadband marketing, including behavioral targeting and profiling techniques--except that this time they know your location," he said.
    The filing will update our previous petition, discussed here.

    Posted by Ed Mierzwinski at 09:31 AM | Comments (0)


    May 03, 2008

    Is Lifelock worth a hundred bucks? We don't think so.

    Over at ConsumerAffairs.com, reporter Joe Enoch has a nice detailed piece Lifelock Sales Surge Despite Critics: 'Concierge' system charges top dollar for service consumers could get for free explaining some of the issues swirling around Lifelock, the third party firm that wants to protect you from identity theft. I point out in his story that federally-mandated free fraud alerts on your credit report don't actually stop issuance of credit to thieves -- so go with the tougher security freeze or free credit report (find more here and here ) for peace of mind (list of state security freeze laws from Consumers Union) and besides, you can impose fraud alerts yourself for free. I also note, however, that if the credit bureau Experian prevails in its self-serving lawsuit (see Phoenix BizJournal, also see Red Tape Chronicles), against Lifelock, the case law it creates could damage consumer Fair Credit Reporting Act (FCRA) legal rights against credit bureaus.

    Posted by Ed Mierzwinski at 08:36 AM | Comments (0)


    May 01, 2008

    OTS publishes summary of unfair credit card rule proposal

    The Office of Thrift Supervision has posted a summary of anticipated rules preventing unfair and deceptive credit card and overdraft checking practices. OTS writes rules for thrifts; the Fed for banks. The National Credit Union Administration will join the Fed and OTS and tomorrow (or soon) all three agencies are expected to post the detailed rule for comment.

    "Once all three agencies have approved, each will post the proposal to its website. Upon publication in the Federal Register, the notice will be open for public comment for 75 days. The agencies expect to finalize the rule by the end of the year."

    While the devil may be in the details (and undisclosed but hinted at "exceptions") we haven't seen yet, for credit cards, the proposal includes several significant and positive reform elements of proposed Congressional credit card legislation; for overdraft checking plans, consumers are protected not so much.

    Here's more on the highlights of the proposed prohibitions, again, this is based on a press release, not the specific rule, so we reserve the right to change our mostly positive preliminary views tomorrow:

  • The rule would ban retroactive interest rate hikes on existing outstanding balances unless a consumer was 30 days late on the card. This prohibits banks from collecting interest on "hair-trigger" late payments. It also prevents banks from retroactively raising rates on good customers for activity unrelated to the specific card, such as paying your phone bill late, or merely obtaining another card (that you may pay on time, but the mere presence of the card lowers your credit score). This tawdry practice of raising rates to 35% APR or more based on off-card factors is known as universal default. In either a delinquency on the customer's own card, or a universal default situation, the bank could only impose punitive penalty rates on future purchases.
  • The proposed rule would require that monthly payments above the minimum payment be allocated in a way that is "beneficial" to the cardholder. Today, if a customer has a partial balance at zero percent, a partial at 125 APR (purchases) and a partial balance (cash advances) at 23% APR, all payments are allocated only to the lowest rate balance. Under the rule, payments would need to be allocated proportionally, or to the highest balance first.
  • The double-cycle interest method, where interest is charged on amounts already paid off, would be banned.
  • On checking account overdraft "protection" plans, we have long sought a requirement that consumers must opt-in to this anti-consumer product. The proposed rule would require only an opt-out. Not good enough. But presumably, the regulators will require a clear disclosure of the opt-out right. We haven't had that.
  • However, in a surprise, the proposal would ban both credit card over-the-limit fees (OTL) and checking account overdraft fees if a consumer's debit (but not check) overdraft or OTL credit card transaction was due solely to holds or blocks against funds (as imposed by gas stations, hotels, rent-a-car companies and others). These are especially problematic because some gas stations may impose a block of $100 on a purchase of $20 worth of gas, and not release the block for several days.

    The regulator/cheerleader known as the Office of the Comptroller of the Currency does not have its own rulemaking authority. That's a good thing. When the Fed's version of these rules becomes final, then OCC would presumably have to enforce them against its own national banks. While the OTS website says OCC was consulted, to my knowledge nothing in these rules has ever been supported in OCC testimony or enforcement actions, except for certain actions it has taken against predatory "fee-harvester" cards, which would also be restricted under this proposal.

    If the rules are generally as strong as they appear from the press release (and have I said that the devil is always in the details?), we fully expect that the bank associations will be encouraging banks to oppose these rules in any way possible. We'll then of course ask you to support them and strengthen them. Here is our most recent testimony, from an April 17 hearing before the House Financial Institutions and Consumer Credit Subcommittee, on these issues. Here is our Truthaboutcredit.org website.

    Posted by Ed Mierzwinski at 02:16 PM | Comments (0)


    April 25, 2008

    What's up with Reunion.com?

    Update: Turns out David Lazarus of the LA Times has already explained their business model. His story raises questions I share and I hope regulators take a look at.

    I've received 3 apologies -- here's one -- in the last week, not necessarily from close friends or colleagues, but merely from people I've once given my business card to and who must have added me to their address books:

    Earlier today a website called Reunion.com sent an invitation with my name attached to my entire contact list asking you to join. Please erase this and disregard it, as I did not intend to send it. If you attempt to log on and retrieve whatever message I purportedly sent you, it will do the same thing, and send an invite to your entire contact list.
    So, what's up with reunion.com? Seems like an obnoxious, intrusive business model to me, if this is the way it works. Chain spam.

    Posted by Ed Mierzwinski at 05:49 PM | Comments (0)


    April 11, 2008

    PIRG/CDD file comments on behavioral targeting on Internet

    Today, the Center for Digital Democracy and U.S. PIRG filed detailed comments in the FTC inquiry into behavioral marketing, intrusive search advertising business models and the future of the Internet. We note that the entire inquiry is the result of our initial 2006 petition and we pose a solution that protects privacy while encouraging commerce on the web. Here is our lede:

    The commission has failed to effectively protect U.S. consumer privacy in the digital marketing era. The commission's decision to issue its proposed staff principles on the same day it approved, 4-1, Google's acquisition of behavioral marketing and online ad giant DoubleClick -- without any privacy safeguards -- is not a coincidence. The commission—frankly under both the Bush and the Clinton administrations—has been largely incapable of taking a meaningful stand on data collection and interactive marketing.

    Posted by Ed Mierzwinski at 03:07 PM | Comments (0)


    April 08, 2008

    Medical records going online, privacy at risk

    If you're thinking that today's New York Times story California Hospital Faces Sanctions After Workers Wrongly Looked at Patient Records by Jennifer Steinhauer couldn't happen to you because you're nobody, think again. That story about hospital voyeurs looking at health records of Maria Shriver (first lady of California) and actress Farrah Fawcett happened in the old world of "strictly" regulated medical records.

    Welcome to the new world. Web heavies Microsoft and Google are vying with insurance companies and others to win the newest data sweepstakes-- storing not-so-much-regulated Personal Health Records on line. It's a massive issue and policymakers are helping to drive it with related domestic and international initiatives to encourage the use of electronic health records. Over at the World Privacy Forum, Pam Dixon is watching both related issues closely. As she said recently in the AP story by Michael Liedtke (via USA Today), Google to store patients' health records:

    The third-party services are troublesome because they aren't covered by the Health Insurance Portability and Accountability Act, or HIPAA, said Pam Dixon, executive director of the World Privacy Forum, which just issued a cautionary report on the topic. [...] a patient who agrees to transfer medical records to an external health service run by Google or Microsoft could be unwittingly making it easier for the government or some other legal adversary to obtain the information, Dixon said.
    The WPF report was written by leading privacy expert Bob Gellman. More on PHRs is in Michael Gerber's Washington Post story New Ways To Manage Health Data. And check out this from the World Privacy Forum: WPF Consumer Advisory: The Potential Privacy Risks in Personal Health Records Every Consumer Needs to Know About.

    Posted by Ed Mierzwinski at 06:44 AM | Comments (0)


    April 06, 2008

    CDD on “The Facebook Economy"; NYT on behavioral targeting.

    Our colleagues at Center for Digital Democracy have released a brief new report "on widgets, third-party apps" called The Facebook Economy: Deficits in Data Privacy. The report investigates the new Facebook ecosystem, which allows third party developers to integrate their products into Facebook, "changing Facebook from a closed social network into an open business forum" and posing privacy questions. Excerpt:

    Because of their deep integration into Facebook, developers have extensive access to user information, but it is often unclear if, when and how they exploit this data. This situation is perpetuated by Facebook’s unwillingness to regulate the widgets that operate on the site. As a result, users often have no idea who is collecting their data, how information is obtained as one interacts with these applications and how such data -- even so-called non-personally identifiable information -- is subsequently used.
    Coincidentally, New York Times columnist Adam Cohen's Saturday piece is The Already Big Thing on the Internet: Spying on Users. He discusses the relentless collection of information by both websites and, also, ISPs, for behavioral targeting, and describes some of the risks. Excerpt:

    The driving force behind this prying is commerce. The big growth area in online advertising right now is "behavioral targeting." Web sites can charge a premium if they are able to tell the maker of an expensive sports car that its ads will appear on Web pages clicked on by upper-income, middle-aged men. [...] There is also no guarantee that the information will stay with the company that collected it. It can be sold to employers or insurance companies, which have financial motives for wanting to know if their workers and policyholders are alcoholics or have AIDS. It could also end up with the government, which needs only to serve a subpoena to get it (and these days that formality might be ignored). If George Orwell had lived in the Internet age, he could have painted a grim picture of how Web monitoring could be used to promote authoritarianism.

    Posted by Ed Mierzwinski at 11:54 AM | Comments (0)


    March 23, 2008

    A few interesting ID theft issues in the news

    The Hannaford stores security breach of 4.2 million credit and debit cards happened even though the stores may have met payment industry security standards; your re-issued credit card after a breach may mess up your credit; don't buy ID theft services; and, that passport thing with the candidates? Not the first time. Here's more:

  • From the latest AP story -- New way to steal Hannaford data breach differs from prior attacks -- on the massive credit and debit card breach at Hannaford stores in New England:
    While thieves have commonly pilfered payment card data sitting in databases maintained by merchants or card processors, the Hannaford episode appears to represent a new line of attack: the first large-scale piracy of card data while the information was in transit.[...] Another intriguing facet is that Hannaford was found -- while the hack was still going on last month -- to be in compliance with the security standards required by the Payment Card Industry, a coalition founded by credit card companies.
    The story goes on to quote an industry expert saying that Hannaford "may have been tripped up by ambiguity in the PCI standards." Wouldn't surprise me. Merchants tell me all the time about the incomprehensible, unclear and even secret rules that they must comply with to accept credit and debit cards.
  • In the Washington Post, Joan Goldwasser of Kiplinger's warns that industry insiders are saying different things about the credit reporting treatment of re-issued credit cards after such a breach:
    A replacement card should not affect your credit score, says Craig Watts of Fair Isaac, which created the FICO credit score. "FICO will see the account as a single history, even though there are two account numbers." But spokesmen for Experian and TransUnion -- two of the three major credit bureaus -- say that how the issuer reports the reissued account could make a difference. If it's reported as an old account with a new number, your payment history is unchanged. If it's treated as a new account, however, the closed account and the new account will both be listed on your credit report.
  • So, dear consumer, it is up to you to check your credit report. We agree with the experts quoted by Kimberly Lankford of Kiplingers in her story Do-It-Yourself ID Protection (also in today's Washington Post):
    "We don't feel that credit-monitoring services are worth it," said Paul Stephens of the Privacy Rights Clearinghouse.
    This long entry describes your rights to free credit reports in detail. Over at Consumers Union, publisher of Consumer Reports, you can see a much more up-to-date list of state security freeze rights laws than that blog entry. The security freeze is the only way to stop identity theft before it starts. That's why U.S. PIRG and Consumers Union ran a national campaign to get 39 states and DC to make it a law. We're still working on the Congress, but want to make sure anything it does doesn't take away what the states have done.
  • Also, the papers over the last few days (see Washington Post by Glenn Kessler: Rice Apologizes For Breach of Passport Data) have reported that various beltway bandit government contractors and even State Department officials have been looking at passport files of candidates McCain, Clinton and Obama. A State Department flack is quoted: Not to worry, this was only "imprudent curiosity." It isn't always such vicarious amusement, to coin another throwaway. Dirty-tricks opposition researchers routinely try to snare data like these from any database or disillusioned or money-seeking database worker that they can, and private detectives have been caught buying it over the years. IRS, Social Security and Motor Vehicle workers have been caught selling it. Identity thieves themselves even famously bought dossiers from ChoicePoint.

    As long as we keep creating more databases of citizens and consumers, and the more we link them for multiple uses, we'll keep having more mistakes that falsely ensnare innocent consumers, we'll keep having more identity theft, and we'll keep having more "imprudent curiosity." Better controls will help; fewer databases and fewer secondary uses will help, too.

    Posted by Ed Mierzwinski at 08:03 AM | Comments (0)


    March 19, 2008

    Harvard U, Hannaford stores report security breaches

    Harvard University is providing a year of free identity theft credit monitoring to thousands of applicants after its electronic application records were hacked; the records contain Social Security Numbers, ages, home addresses and other building blocks of identity theft. It's serious, as one applicant informed me he'd received his warning by overnight FedEx. The Chronicle of Higher Education reports.

    Meanwhile, the New England-based Hannaford grocery chain reports that at least 4.2 million credit card and debit cards may have been compromised in the latest merchant breach. The Patriot-Ledger (MA); the Washington Post.

    If you are offered free credit monitoring after a breach, be suspicious if they claim to need your credit card or checking account number to set it up; you need to be sure that the product is not set up to automatically convert to a fee-based system with automatic billing at the end of that free year, unless you remember to cancel.

    Under federal law, anyone is entitled to a free annual credit report on request from each of the three credit bureaus (available from www.annualcreditreport.com). Don't use those up. Why? Because, in addition, under federal law anyone who suspects that they are a fraud victim can request an additional free credit report. Contact the bureaus directly to obtain your "suspected victim of fraud" report. And, under state law, don't forget that three New England states, Massachusetts, Maine and Vermont, are among 7 states that provide an additional free report on request annually.

    Posted by Ed Mierzwinski at 08:59 AM | Comments (0)


    March 10, 2008

    NYT releases own study on web targeting

    In today's New York Times, reporter Louise Story reports in To Aim Ads, Web Is Keeping Closer Eye on You that

    A new analysis of online consumer data shows that large Web companies are learning more about people than ever from what they search for and do on the Internet, gathering clues about the tastes and preferences of a typical user several hundred times a month.
    For more information, see this previous blog about our joint complaints to the FTC about behavioural targeting and the business model of the Internet.

    Meanwhile, in the latest sign of the apocalypse, Eric Bellam and Tariq Engineer report in the Wall Street Journal that India Appears Ripe For Cellphone Ads (pd. subs. req'd):

    "We are thinking of providing 30 to 60 second commercials [over the phone] where we will pass on some kind of benefit," like free airtime for the subscribers that had agreed to receive them, says Arif Ali, head of brand communication at BPL.

    Posted by Ed Mierzwinski at 05:37 AM | Comments (0)


    February 22, 2008

    Data broker Lexis-Nexis parent to buy data broker ChoicePoint

    Two data broker firms that have designed their business models to operate largely outside the strict data security and consumer protection rules of the Fair Credit Reporting Act will be under the same corporate umbrella, as Reed Elsevier, the international data and publishing conglomerate that owns Lexis-Nexis, has announced plans to buy the data broker ChoicePoint. As Ellen Nakashima and Robert O'Harrow report in the Washington Post story LexisNexis Parent Set to Buy ChoicePoint:

    With customers including government agencies, insurance companies, banks, rental apartments, corporate personnel offices and private investigators, the combined company's reach would extend from national security offices to the living rooms of ordinary Americans. Both companies have played key roles in law enforcement, homeland security and intelligence. Both have also had identity-theft and security problems.

    ChoicePoint has been credited by some with improving its business and data protection practices following the February 2005 debacle where it sold some 163,000 consumer dossiers to fly-by-night identity thieves. That event resulted in at least 3,200 known cases of identity theft, a $10 million FTC fine and accompanying $5 million consumer dollar restitution order and also triggered "the year of the breach," which precedes the "year of the recall" on the consumer calendar. While the FTC did impose its largest ever privacy fine in this case, it has never responded to allegations in a petition filed in 2004 by the Electronic Privacy Information Center and George Washington University Law Professor Daniel Solove that ChoicePoint sells products that appear to be credit reports but are sold outside of Fair Credit Reporting Act rules. ChoicePoint is a spinoff of the credit bureau Equifax.

    Here is EPIC's detailed ChoicePoint page, which includes updated information about the original complaint. Lexis-Nexis has also been involved in a security breach, but of the more garden variety-- it didn't go out and sell the information, its safeguards were weak and it was hacked through a compromised subscriber account.

    In a book, No Place To Hide, the Post's O'Harrow coined the term "security-industrial complex" to describe the threats to privacy posed by the new relationships between private data vendors collecting commercial data and selling it to government agencies. Unless subject to rigorous privacy scrutiny, this union will exacerbate that threat.

    Posted by Ed Mierzwinski at 08:57 AM | Comments (0)


    February 18, 2008

    Adam Cohen in NYT: Privacy no friend of Facebook

    There's a nice column on the long-running Facebook privacy debacle by Adam Cohen in today's New York Times: One Friend Facebook Hasn't Made Yet: Privacy Rights. Here's a key excerpt:

    In a visit to the editorial board not long ago, a top Google lawyer made the often-heard claim that in the Internet age, people -- especially young people -- do not care about privacy the way they once did. It is a convenient argument for companies that make money compiling and selling personal data, but it's not true. Protests forced Facebook to modify Beacon and to ease its policies on deleting information. Push-back of this sort is becoming more common.
    Meanwhile, over on the Times' business pages, Bob Tedeschi reports on A Referral Service That Ensures Someone Actually Makes a Sale. I'd like to know more about how this works. Excerpt:

    The offer [from a company called TrialPay] is not a swindle, nor is it a return to the insanity of the early days of the dot-com boom, when retailers practically gave away goods in order to attract buzz and customers. Rather, it is a new marketing method that relies on a web of business relationships to give consumers free goods, as long as they buy something else from a long list of well-known online stores.
    My question comes from a throwaway line down in the story:
    As the intermediary, TrialPay receives an undisclosed portion of that commission, and it also uses some technological wizardry to determine which free-product offers a prospective customer is more likely to click on.
    Technological wizardry? Does it involve online tracking, behavioral targeting or privacy invasion? Be good to know. Our previous Facebook and behavioral targeting blogs.

    Posted by Ed Mierzwinski at 06:32 AM | Comments (0)


    February 11, 2008

    New id theft study out

    The research firm Javelin has a new id theft study. Here's a key excerpt from the story Identity thieves turn to paper and plastic: Fraud most likely in case of lost wallet, credit card or checkbook, not online by AP reporter Eileen Alt Powell via the Albany Times Union:

    James Van Dyke, president of Javelin, said in an interview that many Americans are too trusting on the phone. "In a typical situation, unsuspecting consumers receive phone calls from parties claiming to represent nonprofit organizations, billing institutions or other financial institutions," Van Dyke said. "Far too many of these consumers provide the callers with personal information, such as Social Security numbers, bank account numbers and credit card numbers."
    Powell also reports that the report finds that while the number of victims (from 8.4 to 8.1 million) and cost to society (from $51 billion annually to $45 billion) have both dropped slightly, the average out-of-pocket cost for each victim to clean up their names has increased "to $691 in 2007 from $554 a year earlier" because the thievery has grown more sophisticated especially in new account fraud (that's where the bad guys open accounts at places where you do not have accounts of your own rather than simply commit fraud on your own accounts). A free summary of the $3,000 report is here.

    Posted by Ed Mierzwinski at 06:23 PM | Comments (0)


    February 04, 2008

    Georgia House Approves Low Cost Security Freeze

    In the Atlanta Constitution, Ben Smith reports that the Ga. House overwhelmingly OKs $3 credit 'freezes' to fight identity theft. Against the wishes of the sponsor, a House floor amendment lowered the cost of freezing or temporarily lifting your freeze from the industry-approved $10 to a more reasonable $3.

    It is interesting that Georgia is the home of Equifax, one of the so-called Big Three credit bureaus, yet doesn't appear to love Equifax the way Virginia, say, loves Philip Morris.


    About twelve years ago Georgia became one of seven states to grant consumers the right to a free credit report, and it outdid the other six states that acted before Congress finally established a federal right to a free credit report in 2003. Under Georgia law, you get not just one, but two free credit reports each year from each credit bureau. (Counting the federal report, you can get three altogether in Georgia.) You can get both a federal and a state free report from each bureau in Colorado, Maryland, Maine, Massachusetts, New Jersey and Vermont.

    Of course, on the freeze, Georgia is slow to the party. Thirty-nine states and DC have already enacted laws. But some of them cost more than $3.

    Posted by Ed Mierzwinski at 12:39 PM | Comments (0)


    February 02, 2008

    Microsoft makes massive bid for Yahoo; privacy, internet advertising models will be under scrutiny

    Yesterday Microsoft made a $44 billion bid for Yahoo, an acknowledgment of the competitive threat to its longtime computer hegemony posed by the Googleplex. While Microsoft had stayed on top largely through clever marketing of what most consider average products, bolstered by a variety of controversial and even anti-competitive business practices, it never figured out the Internet. No problem, they'll buy part of it. A big chunk, as Steve Lohr explains in the New York Times story Yahoo Offer Is Strategy Shift for Microsoft. The offer of $31 per share is 62% above Yahoo's current price of around $19.

    Our colleagues Jeff Chester of the Center for Digital Democracy and Professor Joe Turow of the University of Pennsylvania's Annenberg School for Communication have issued strong statements. Here's Professor Turow's statement in its entirety:

    "Microsoft's decision to buy Yahoo! is a direct result of the decision by the FTC to allow Google to purchase DoubleClick. It is further evidence that despite the appearance of unlimited choice in the new media environment, people's activities will be tracked and shaped by a very small number of companies who care far more about surveillance and targeted advertising than the public interest. The federal government, which should have been the guardian of the public interest, has dropped the ball."
    As Jeff Chester notes:
    In November 2006, the Center for Digital Democracy and the U.S. Public Interest Research Group petitioned the FTC to open up an antitrust investigation into the growing consolidation of the online ad business. We asked the FTC to impose competition safeguards in the Google/DoubleClick deal. The FTC failed to do both and has now placed consumers and competitors at risk.
    While the FTC has largely dropped the ball, this proposal will certainly force them to at least take a look. Expect Congressional hearings. Chairman John Conyers of House Judiciary has already announced a Hearing on the State of Competition on the Internet for Friday, 8 February.

    Posted by Ed Mierzwinski at 09:04 AM | Comments (0)


    January 17, 2008

    Fifth Third Bank bungles merger, fries "several thousand" credit reports

    Richard Burnett of the Orlando (FL) Sentinel is reporting that Fifth Third Bank's error mars credit reports -- Fifth Third says a computer glitch put false information into 'several thousand' customer accounts last month:

    Fifth Third Bank acknowledged to the Orlando Sentinel this week that a computer glitch related to the recent acquisition of another bank spilled false information into "several thousand" customer accounts, in some cases generating credit-history errors and incorrect credit scores. The problem began last month, when Fifth Third converted files of customers from the former R-G Crown Bank of Casselberry to its own system. Fifth Third, the region's seventh-largest bank, closed its buyout of Crown in mid-November. Cincinnati-based Fifth Third did not say how the glitch occurred but indicated that a third-party vendor was involved.
    While the bank is quoted saying all is now well, the story quotes at least one consumer still trying to clean the mess they made of his life. When Congress significantly amended the 1970 Fair Credit Reporting Act in 1996, and then again in 2003, it purportedly imposed duties on creditors to do a better job protecting the accuracy of information that they send to credit bureaus. Unfortunately, significant provisions of that law can only be enforced by somnolent bank regulators, not aggrieved consumers. The result -- banks don't spend as much time and effort on these tasks as they could or should.

    Posted by Ed Mierzwinski at 11:17 AM | Comments (0)


    January 13, 2008

    Another warning: Don't use debit cards

    We've often said, don't use risky debit cards. Over at the Washington Post, reporter Nancy Trejos puts herself into the story about why: Identity Theft Gets Personal: When a Debit Card Number Is Stolen, America's New Crime Wave Hits Home. Trejos first points out why she uses debit cards: "In my unsuccessful quest to keep myself debt-free, I avoid using credit cards whenever possible."

    Then, however, she goes on to point out one of the several reasons to avoid debit cards. Unfortunately, due to bank propaganda about zero liability, most people are not aware that debit cards put you at risk of losing all the money from your checking account:

    From the Post:

    I also learned that if someone fraudulently uses your credit card, you are reimbursed for nearly all the money lost. That may not be so with a debit card, especially if you do not notice it right away. According to the Electronic Fund Transfer Act, your liability is capped at $50 if you notify your bank in the first two business days. After that, you could lose up to $500. If you wait 60 days, you could lose it all.
    Let me say it a different way:
  • Under the federal Truth In Lending Act, your liability for fraudulent use of your credit card is capped at $50 by law. Plus, it is the bank's money and they have an incentive to go after the bad guy.
  • But, debit cards are regulated under a different, less consumer-friendly law known as the Electronic Fund Transfer Act. You could lose all of your money in your account, or even more, under some circumstances. Your money? Yes, when a thief uses your debit card, it is your own money that is vacuumed out of your account. You must fight with the bank to get it back, and the bank has less incentive when it is your money rather than its own. Legally, the bank can investigate for up to ten days before provisionally re-crediting your losses, leaving your checking account high and dry in the meantime. Its investigation can then continue for a much longer period, and it can take the provisional funds back if it ends up claiming you were responsible.

    [But Ed, aren't you forgetting about the zero liability promises banks make?] No, actually, I am not forgetting about the promises that the banks and Visa and Mastercard make, but those are only promises, not the law. Read your account contract and check the fine print. These promises don't apply in all circumstances.

    Here is a PIRG fact sheet explaining the risks of debit cards and here's another fact sheet from the Fed, which uses its own clunky term, EFT card, for debit card.

    In this case, Trejos learned of the fraud when her bank called her. Since the bank's fraud surveillance software determined that she was a victim, she probably had an easier re-investigation than the average consumer does. But I hear all the time from consumers who don't get their money back for a long time, if at all, and are treated as if presumed guilty during the investigation.

    At the beginning of this blog I said there are several reasons not to use a debit card:

  • Your liability risk is greater than with a credit card (see above).
  • Since debit cards, unlike plain old ATM cards, can be used without a PIN, a thief who merely has your card number can drain your account.
  • It's your own money you've lost and that could cause ripple effects in your finances (checks bouncing, etc.) during the bank investigation.
  • The Truth In Lending Act gives you other Fair Credit Billing Act rights when you use a credit card that the EFTA does not when you use a debit card, including a right in many circumstances to refuse payment for goods or services that don't arrive or don't work as promised, and to force the bank to take up your claim with the merchant on your behalf. These are just some of your billing error rights with a credit card.
  • Since debit cards are routinely used in offline transactions for small amounts, and the banks routinely approve transactions against negative balances, your risk of overdraft fees is very high, and you could end up with a $35 latte. Here's an MS-NBC Red Tape Chronicles entry on the Center for Responsible Lending's recent Debit Card Danger report.
  • Another big source of fees and hassles is debit card blocking. Off-line or non-PIN transactions (when you select "credit" or sign for a debit transaction it is off-line) at some merchants, especially gas stations, sometimes result in a hold or block on your funds that could be much greater than your actual transaction ($100 on a gas pump purchase) and last for several days. Some banks will bounce other checks or debits against the missing blocked funds.

    Here's a consumer strategy:

  • Don't use debit cards.
  • Go to your bank or credit union and ask for a "plain old ATM card" that can only be used with a PIN (this card will not have a Visa or Mastercard logo).
  • If you must use debit cards, take care. (Tip #1) Keep a debit card that accesses only a small checking account that is not linked to and cannot access any of your other funds. Keep that account at a different bank than your main bank. (The Trejos article also points this out.)
  • If you must use debit cards, take care. (Tip #2) Don't hand your debit card over in a restaurant or other business. Use it only where you swipe it yourself. Otherwise, someone who walks away with it could run it twice (once through an illegitimate skimmer device in their pocket) or simply copy the three-digit security code off the back. Banks increasingly blame consumers for fraud when the three-digit code is used, conveniently forgetting that any bad guy in a good store can look at the back of your card. Banks also routinely claim that any time a PIN is used in a fraud, it is the consumer's fault, despite all the ways that PINs can be stolen.
  • If you must use debit cards, take care. (Tip #3) Never ever use your debit card on the Internet. Too many bad guys in that space. Even if you were only using it with good guy stores, if you end up with your debit card number stored in your cookies file or elsewhere on your computer, you're vulnerable to bad guys.
  • If you must use debit cards, take care. (Tip #4) Monitor your bank account balance frequently.

    And whether you use credit or debit cards, if you get a call or an email asking for non-public personal information from someone claiming to be from your bank, don't give up the information. If it is a phone call, call back on the number you have written on your card. If it is an email, again, call the number on your card, never click through to any link.

    A fairly common scam is for a bad guy who has part of your information to pretend to be from your bank's security department to get the rest. He or she calls:

    "Mr. Mierzwinski, don't be alarmed, I am from the bank. To verify who I am I will read you part of your account number. We won't read all of it because that will compromise it. After I read you part of it, we need you to give us your PIN number to verify that you, in fact, are Mr. Mierzwinski. Then we will tell you why we are calling."
    Even if you were born at night, I hope it wasn't last night! Watch out for these social engineering scams. As police officer Garnell Stewart points out in the Post story, "you just never know:"
    He asked: How did I know she was really calling from the bank? The next time, he said, ask the person if you can call him or her back and call the phone number on the back of your card. "You just never know," he said.
    It strikes me as odd that the bank asked for even part of an SSN. It should have asked a security question, such as "What was your dog's name when you were a kid?" Consumer groups, including U.S. PIRG, have been trying for over ten years (since the national rollout of debit cards) to get Congress to pay attention and increase the rights consumers have when they use debit and other EFT or stored value cards. All plastic should carry the rights granted to credit card users under the Truth In Lending Act.


    Posted by Ed Mierzwinski at 07:47 AM | Comments (0)


    January 11, 2008

    FTC seeks comments on security freeze, best id theft defense

    The Federal Trade Commission staff seeks comments by February 25th on the security freeze, the PIRG-backed solution to identity theft. The staff are responding to a goal of an identity theft task force strategic plan to study the possibility of a federal freeze law. Following a joint PIRG/Consumers Union campaign that has resulted, so far, in 39 states and DC enacting security freeze legislation, the credit bureaus themselves have rolled out clunky, over-priced plans for the remainder of the country. The fight now will be over whether any federal freeze is slow and clunky or, worse, would take away the longstanding right of the states to protect their citizens from identity theft and other harms. Here's a blog entry with a lot more background on the history of the security freeze.

    Remember-- over-priced credit bureau Privacy Guard and other subscription-based ($8-15/month) credit monitoring services do not stop the issuance of credit to id thieves. Neither does the federal fraud alert. Only the freeze blocks access to your credit report, effectively preventing the issuance of credit to a thief.

    That's why the bureaus have rolled out their own clunky, slow and expensive freeze. They want people to stick with their over-priced services that don't work rather than switching to the lower cost service that works. If they don't make it easy to use, people won't use it and they can argue to the FTC that the freeze is a last resort that people do not like.

    The credit bureaus' strategy is clear-- they want to override the strong state laws that apply to any consumer and replace them with an industry-approved, clunky federal law that only could be used by previous victims. (Yes, that has been their federal position.) As we often say, that is like saying you cannot have a seatbelt until you've already been in a car crash. Even Delaware, the home to many a bank, has passed a law that has only a one-time fee and is fast and easy to use, pleasing merchants, credit unions and consumers. Why a one-time fee and no fees for temporarily unfreezing your report? You buy a lock for your door, but do you pay again every time you lock and unlock it? Why fast and easy-to-use? So neither merchants nor consumers are inconvenienced by credit bureau bureaucracy.

    Posted by Ed Mierzwinski at 06:18 AM | Comments (0)


    January 07, 2008

    Groups critique IRS privacy/predatory lending actions

    We've issued a news release with the Consumer Federation of America and the National Consumer Law Center critiquing last week's IRS actions on privacy and predatory lending. Here is the lede from our release:

    Consumer group representatives condemned new taxpayer "un-privacy" rules recently issued by the IRS for expanding rather than closing "gaping loopholes" that already allow sharing and marketing based on tax records, but issued cautious support for a separate IRS request for comments on developing new regulations that could rein in the marketing of predatory refund anticipation loans by tax preparers. On the same day that it issued its weak final privacy rule, the IRS asked for comments on developing rules restricting the sharing of tax return information to market refund anticipation loans, refund checks, audit insurance and other high cost products typically sold to low income taxpayers.
    Here's a 2005 blog documenting that the IRS has come a long way on predatory lending; back then, it issued a gag order that prohibited tax volunteers from warning taxpayers about over-priced, unnecessary Refund Anticipation Loans (RALs) being peddled by preparers. But on privacy, a supposed conservative plank, they've come along not so much.

    Posted by Ed Mierzwinski at 10:10 AM | Comments (0)


    January 03, 2008

    CALPIRG: California's consumers are "Still in the Dark"

    CALPIRG has released a new report documenting that companies are failing to provide consumers with details required by state law about their uses and sharing of non-public personal information. This information, which includes Social Security Numbers, enables identity theft if it falls into the wrong hands.

    California's consumers are "Still in the Dark" when it comes to who has access to their personal information [...]Only about one-third (33 percent) of survey participants reported receiving a response consistent with the terms of the "Shine the Light" law.
    Full report in pdf.

    Posted by Ed Mierzwinski at 09:11 AM | Comments (0)


    January 02, 2008

    Washington Post: Stories on id theft and data breaches

    Identity theft has never been rocket science, despite efforts by big businesses to call themselves victims of high-tech hackers and computerized skullduggery. No, identity theft is mostly enabled by the way that big business and big government both overly rely on Social Security Numbers and fail to protect them. They leave them lying around in online and offline piles ripe for the picking. Unsophisticated identity thieves armed with nothing more than your Social Security Number, the key to unlocking your financial identity, then take advantage of easy credit to make easy money.

    Today's Page One Washington Post story Online Records May Aid ID Theft by Bill Brubaker reports that the SSNs of General Colin Powell, quarterback Troy Aikman, Maryland Attorney General Doug Gansler and even a woman with an unlicensed dog -- and probably yours, too -- are all lying around on the Internet:

    "With that information, an identity thief could open up new accounts in her [the dog-owner's] name," said Betsy Broder, an identity fraud expert with the Federal Trade Commission, "because the identity thief has virtually all the information that he or she needs to open up a credit card account, seek employment if they don't have legal status in this country, apply for a driver's license or, if they are arrested for some crime, use this other person's identity as their own."
    Note from Betsy Broder's comments that the stakes of identity theft have risen from the bad-enough hassle of clearing your name of fraudulent credit cards: more and more bad guys are committing crimes in victims' names to avoid harsher sentences based on their own records. Some victims have spent time in jail due to this criminal use of their names.

    Identity theft is a serious problem, and it will only get worse as more court records are scanned onto the Internet. The Privacy Rights Clearinghouse has an extensive paper explaining the issues.

    The Post also has a story Data Breaches, Thefts on the Rise by Ellen Nakashima explaining that:

    Companies, government agencies, schools and other institutions are spending more to protect ever-increasing volumes of personal data such as credit card and Social Security numbers with more sophisticated firewalls and encryption, but the investment often is too little, too late.
    That story references the detailed (136 page pdf) and ever-expanding breach database of the Identity Theft Resource Center in San Diego.

    Posted by Ed Mierzwinski at 08:42 AM | Comments (0)


    December 21, 2007

    USA Today: FTC's lax credit bureau regulation adds to subprime woes

    On Monday, Byron Acohido and Jon Swartz had a story in USA Today -- FTC under fire as credit bureaus sell consumers' data -- explaining that the FTC is being blamed for exacerbating the subprime crisis by allowing credit bureaus to aggressively market so-called lead generator or trigger lists. Excerpt:

    In February, the National Association of Mortgage Brokers lambasted the FTC for giving the credit bureaus tacit approval to keep selling listings -- called "trigger lists" -- containing personal and financial data of prospective borrowers. Some unscrupulous lenders used trigger lists to contact people who recently filled out a loan application, and then pitched them subprime mortgages, higher-priced loans aimed at people with spotty credit histories but also marketed to borrowers with good credit.

    Also see my previous blog and this New York Times blog which describe the problem through the lens of Lowermybills.com, an Experian subsidiary selling these lead generator or trigger lists based on supposedly private consumer credit reports. Lead generator lists appear to take advantage of the so-called pre-screening exception that allows the sale of credit reports for credit or insurance marketing without an actual credit or insurance "permissible purpose." In the view of many, the lists do not meet the criteria to qualify for the special exception. But the FTC claims that they do, in some very thin letters and fact sheets lacking any buttressing legal authorities.

    Incredibly, the FTC, the credit bureaus, and the subprime mortgage crisis are also linked to the Internet advertising bubble. Lowermybills.com was and may still be one of the biggest web advertisers.

    You do have a right to opt-out of pre-screened lists. You can call 1-888-5-OPTOUT or find out more about doing so by mail or on the web from the FTC.

    Posted by Ed Mierzwinski at 12:45 PM | Comments (0)


    December 12, 2007

    New prescription privacy video action on web

    Check out Dr. Deborah Peel's Campaign for Prescription Privacy video They Sell Your Information. Then take action to keep your health records private.

    Posted by Ed Mierzwinski at 09:06 AM | Comments (0)


    December 07, 2007

    Watching the detectives: Private eyes indicted for massive id theft ring

    Update: Here is the indictment making the charges of wire fraud, fraudulent elicitation of Social Security records, solicitation of federal tax information and aggravated identity theft.

    Private detectives are among the groups (another is the information brokers) seeking exceptions from privacy laws. The detectives claim they deserve special access to information due to the purported purity of purpose of their work, such as looking for lost children or other noble causes. We've always been concerned about these exception requests, and...we have our reasons. This just in from today's Seattle Times story by Mike Carter, Private eyes indicted in ID-theft case:

    State and federal agents have broken up a nationwide "pretext" identity-theft scheme involving private detectives who obtained personal information about their targets --from financial and medical records to tax returns --through deceit and lies, according to a federal grand-jury indictment unsealed Thursday. The confidential records were purchased by attorneys, law firms, collection agents and others, and federal agents are "actively investigating" whether they might have broken the law as well, said Assistant U.S. Attorney Kathryn Frierson.
    Thanks to Rob Douglas of privacytoday.com for pointing this story out to us.

    Posted by Ed Mierzwinski at 05:05 PM | Comments (0)


    December 06, 2007

    Facebook saves face, admits it was wrong on privacy

    Hundreds of stories (LA Times, CNET, San Jose Mercury News) are reporting that Facebook's 23-year-old billionaire (on paper) founder Mark Zuckerberg has finally admitted Facebook was wrong to automatically track and then share data about Facebook users' web purchases with their own social network "friends" through its Beacon online advertising system. (Our previous blog.) Our colleague Jeff Chester of the Center for Digital Democracy points out that Beacon is just the tip of the iceberg of the privacy invasions around the Facebook model. Excerpt:

    "Today's announcement that Facebook users will be able to turn off Beacon, following last week's opt-in changes, is a step in the right direction. But Mr. Zuckerberg isn't truly candid with Facebook users. Beacon is just one aspect of a massive data collection and targeting system put in place by Facebook."

    Posted by Ed Mierzwinski at 05:01 PM | Comments (0)


    November 30, 2007

    Facebook privacy debacle heats up

    MoveOn.org has joined the push against Facebook's newest privacy-invasive marketing technique, the one where Facebook broadcasts a "beacon" of your online shopping to all your friends. Oh, without your consent. As Ellen Nakashima reports in today's Washington Post story Feeling Betrayed, Facebook Users Force Site to Honor Their Privacy:

    Sean Lane's purchase was supposed to be a surprise for his wife.[...]Without Lane's knowledge, the headline was visible to everyone in his online network, including 500 classmates from Columbia University and 220 other friends, co-workers and acquaintances. And his wife.
    In response to the 50,000 vocal MoveOn petition signers, Facebook has modified Beacon to apparently ask consent each time it would turn its light on. Yet, adding such a modest "each-use" privacy control isn't the same as offering you a choice of whether you want it as your headlight in the first place. In the story Facebook Retreats on Online Tracking by the New York Times reporters Louise Story and Brad Stone, a Facebook exec says this will all go away and users will "fall in love" with the product. Not this time, we think.

    On November 12, we had joined the Center for Digital Democracy in a letter to FTC Chairman Deborah Majoras urging scrutiny of "ambitious new targeted advertising schemes on the part of both Facebook and MySpace."

    Posted by Ed Mierzwinski at 06:06 AM | Comments (0)


    November 27, 2007

    New FTC report: ID Theft still a mess

    The FTC has updated its 2003 survey on identity theft. The new survey finds that identity theft is still a big problem. FTC Releases Survey of Identity Theft in the U.S. Study Shows 8.3 Million Victims in 2005. The study found that 1.8 million adults, or nearly one in a hundred Americans, were victims of new-account fraud, which is the worst form of identity theft in many ways, because you never had a relationship with the institution where the fraud took place, and only find out when your name's been wrecked. The others were victims of fraud on existing credit and debit cards, cell phone accounts, etc. Industry apologists will try to claim that the 8.3 million is a decline from the 2003 report's 10 million plus victims. This FTC report makes it clear that the change is not statistically significant.

    The new FTC study shows that all the corporate promises of stronger security measures appear to be failed promises, because they've failed to reduce identity theft. Until Congress enacts laws that gives consumers stronger rights to hold creditors and retailers accountable when their sloppiness contributes to identity theft and fraud, expect identity thieves to keep winning.

    Posted by Ed Mierzwinski at 12:19 PM | Comments (0)


    November 22, 2007

    Britain's exchequer, ministry of silly walks, loses unencrypted data on 25 million of her majesty's subjects

    Despite the lessons from two years of high profile data breaches in the U.S., with banks, stores and government agencies leaving unencrypted data on computer tapes and disks to be stolen, lost in shipping or on airport baggage carousels or left somewhere by a hapless intern, or using sloppy computer programs so data can be plucked out of the air, I guess not everyone has learned. Britain's chancellor of the Exchequer is fumbling through bumbling explanations, as the New York Times reporter Eric Pfanner explains in his story Data Leak in Britain Affects 25 Million:

    The British government struggled Wednesday to explain its loss of computer disks containing detailed personal information on 25 million Britons, including an unknown number of bank account identifiers, in what analysts described as potentially the most significant privacy breach of the digital era.
    The Times goes on to point out the robustness of this trove:
    But the disks lost in Britain contained detailed personal information on 40 percent of the population: in addition to the bank account numbers, there were names, addresses and national insurance numbers, the British equivalent of Social Security numbers. They also held data on almost every child under 16.
    The BBC says:
    The fallout was never going to be pretty but the Chancellor of the Exchequer, Alistair Darling, has been savaged in the British press.
    The Globe and Mail points out that the campaign against a British national ID card has been buoyed by the events:
    Phil Booth, the national co-ordinator of the NO2ID campaign group, said the government should not only immediately halt development of the cards but carry out an audit of the information it already held about the public. "This data disaster shows up the madness behind the government's ID schemes," he said.
    No, it's not Monty Python's John Cleese, from the ministry of silly walks, it's just another silly government. Silly governments, silly firms and other silly data collectors haven't yet learned their important responsibilities of protecting the good names of their subjects, citizens, customers or accountholders. Without strong data protection laws that limit the collection of personal information, require it be protected by fair information practices and that hold collectors accountable when they fail, it'd be silly to think they ever will.

    Posted by Ed Mierzwinski at 07:03 AM | Comments (0)


    November 16, 2007

    NYPIRG issues Internet ID theft warning; VPIRG, Bernie fight Verizon

    A New York PIRG report's "survey of 275 airline, travel-agency, hotel and car-rental Web sites found that many of them ask for an excessive amount of personal information in the process of making a sale," according to the story Warning issued on identity theft by Dan Osburn in the Ithaca Journal. Also check out NYPIRG's website cyberstreetsmart.org.

    Meanwhile, in the green mountains across the Hudson, VPIRG and Vermont Senator Bernie Sanders (I-VT) are challenging plans by the mega-behemoth Verizon to purchase Unicel, a smaller wireless provider. This week, in response to a petition from VPIRG, the FCC granted a 90 day extension of the comment period on the sale. From the story FCC extends sale of Unicel by Neal Goswami in the Bennington Banner:

    Verizon announced in July that it wanted to acquire Unicel, owned by Rural Cellular Corp., a smaller company that serves mainly rural areas in Vermont and 14 other states in a $2.7 billion deal.
    The story goes on to quote VPIRG director Paul Burns and Senator Sanders:
    Burns said VPIRG is seeking conditions that would require Verizon Wireless to provide universal coverage of the state, allow Unicel customers to exchange their phones for comparable Verizon handsets, and commit to national pricing standards and reasonable roaming rates for the state. Sanders, who has also been pushing for those conditions, said the two companies are the only cell phone carriers with significant resources in Vermont. If Verizon is allowed to take over Unicel's customers it will create a "de facto monopoly" in the state that could have a negative impact on the state's economy, he said. "Vermonters must take a very close look at what a Verizon Wireless monopoly would mean in terms of progress towards universal service at reasonable prices," Sanders said Wednesday.

    Posted by Ed Mierzwinski at 06:32 AM | Comments (0)


    November 07, 2007

    Steal Your Face: Facebook using friends as hucksters

    Check out the last three words in the subhead of Catherine Holahan's Business Week online story and you'll learn all you need to know: no opt out from your friend's ad feed.

    BW: Facebook: Marketers Are Your 'Friends'
    The social network's new ad system delivers everything you say, do, and buy to marketers--with no opt out

    Excerpt:

    Facebook's Zuckerberg doesn't appear to be anticipating a backlash. The company hasn't even provided a way for users to opt out of the Social Ad feeds, though Zuckerberg says the company will watch users' reactions.

    From Louise Story's piece in the New York Times: Facebook Is Marketing Your Brand Preferences (With Your Permission)

    Facebook users will not be able to avoid these personally recommended ads if they are friends with participating people. Participation can involve joining a fan club for a brand, recommending a product or sharing information about their purchases from external Web sites.
    So, right now, you have a choice whether to become a huckster, but your friends don't have a choice whether to receive your ads. What about tomorrow? As the Times concludes:
    Some privacy experts applauded Facebook for letting people choose whether or not to make product recommendations. But they also expressed concern that Facebook might one day change its policy of not sharing data with marketers. "That's been one of the historical problems in this field -- the shifting promises," said Chris Hoofnagle, a senior lawyer at the Samuelson Law, Technology & Public Policy Clinic at the University of California in Berkeley.

    Posted by Ed Mierzwinski at 06:17 AM | Comments (0)


    November 01, 2007

    PIRG/CDD file supplemental Internet privacy complaint

    We've joined the Center for Digital Democracy in a supplement filed today at the FTC to our November 2006 complaint on Internet privacy and behavioral targeting. Here is the news release. Excerpt from the release:

    In connection with today's FTC Town Hall meeting, "Ehavioral Advertising: Tracking, Targeting, and Technology," the two groups filed a 74-page supplemental statement in support of the formal complaint they filed last year which identified new technology designed to aggressively track Internet users and create data profiles used in personalized "one-to-one" targeting schemes. "Over the past 12 months, new tracking and targeting technologies have escalated the attack on personal privacy online. As our report documents, online marketers are creating digital dossiers on individual consumers ('behavioral profiling'), so they can be tracked when surfing the Web, watching a broadband video, or using their mobile phone," explained Jeff Chester, executive director of the CDD.
    Both Chester and U.S. PIRG staff attorney Amina Fazlullah are featured panelists at the Town Hall today, which will be webcast. Here is what I said in the release:

    "The new business models of the Internet and mobile commerce can stimulate the economy and offer consumers choices," observed Ed Mierzwinski, Consumer Program Director of U.S. PIRG, "but unless the FTC steps in now and sets some basic rules for privacy protection, the costs to consumers posed by so-called behavioral targeting, the manipulation of both surfing and price choices, and the 24/7 corporate surveillance and dossier-building will easily outweigh any supposed benefits to consumers."

    Posted by Ed Mierzwinski at 08:59 AM | Comments (0)


    FTC Town Hall on Internet Targeting of Consumers Today

    Today, both U.S. PIRG staff attorney Amina Fazlullah and The Center for Digital Democracy's Jeff Chester are featured panelists at the opening day of the FTC's 2-day Town Hall on Behavioral Targeting and Internet Advertising. Watch this space. At 9 am we will post the latest update to our fall 2006 CDD/U.S. PIRG complaint to the FTC outlining the scope of threats to privacy and consumer well-being posed by the Internet's unchained and unregulated search/advertising business model. Many trace the origins of this town hall to the issues we raised one year ago.

    Posted by Ed Mierzwinski at 06:27 AM | Comments (0)


    October 26, 2007

    WSJ: Data broker ChoicePoint exploited AARP as "fear factor" to evade do-not-call list, scam elderly

    Today's Wall Street Journal has a front page expose on the business of "lead cards" called Marketers Use Trickery To Evade No-Call Lists (pd. subs. req'd). The story by Jennifer Levitz and Kelley Greene explains that "Older Americans around the country are getting duped by a seemingly innocuous tactic that can expose them to hard-sell pitches from the insurance industry." Read the story and you won't be surprised to find that right in the middle of it are the data brokers, led by ChoicePoint (you remember ChoicePoint, the ones who sold consumer dossiers to identity thieves and paid a $15 million fine including victim restitution to the FTC). Well, according to information obtained during a successful lawsuit by AARP to defend its name:

    In internal emails, ChoicePoint employees attributed the cards' success in generating responses to their "fear factor" and described response rates that "tumbled" when AARP's name was temporarily removed from mailings.
    More:

    In April 2006 it [AARP] won a permanent injunction in U.S. District Court in Jacksonville, Fla., prohibiting a company owned by ChoicePoint Inc., a big Alpharetta, Ga., seller of personal data, from referring to AARP on its lead cards and from using a Washington, D.C., return address unless it had an office there. In a settlement, ChoicePoint also agreed to destroy lead cards violating the injunction and paid an undisclosed sum to AARP.
    The story says ChoicePoint's response is that it had acquired a company that was already using deceptive practices, but the story also goes on to say that ChoicePoint didn't stop using the profitable tactics until after AARP beat it in court.

    When the virtually unregulated data brokers lobby Congress for exceptions from privacy laws, they argue that they deserve the right to use non-public personal information like Social Security Numbers because their practices are allegedly in the public's interest. They point to their relatively minor efforts to find lost children or missing heirs, track potential terrorists and expose miscreant "deadbeat dads." Funny, I haven't seen the legislative fact sheet that explains the public benefits of misusing AARP's name to trick seniors into dropping off the federal Do Not Call list so that they can be scammed out of their life savings. Here's some older material of ours explaining the data brokers' unregulated "parallel universe."

    The story also explains that many state attorneys general, including Illinois AG Lisa Madigan, are attacking the deceptive use of "lead cards" to trick consumers, especially seniors, into dropping off the federal Do Not Call list designed to protect their privacy:

    The technique is centered on a marketing tool called the lead card, and it became popular after the federal government created its Do Not Call Registry in 2003 to shield consumers from unwanted solicitors. Sent through the mail, the lead card invites the recipient to mail off an enclosed reply for free information about, say, estate planning. But the cards fail to warn that by sending off replies, recipients are giving up their right to avoid telephone solicitations from the sender -- even if their phone numbers are on the Do Not Call list. "It's a huge loophole," says Pam Dixon, executive director of the World Privacy Forum...
    We'll be looking into this further and seeing whether there is a legislative fix. Last week, the FTC announced it would not require consumers to re-apply for the federal Do-Not-Call registry after their first 5 years is up, as the original 2003 rule had called for.


    Posted by Ed Mierzwinski at 06:33 AM | Comments (0)


    October 25, 2007

    TJX/TJ Maxx/Marshalls breach twice as large as reported: USA Today

    From Jon Swartz's story TJX data breach may involve 94 million credit cards in USA Today:

    The massive computer data breach at TJX (TJX) may be worse than expected: At least 94 million Visa and MasterCard accounts -- nearly double the previous estimate by the retailer -- could have been exposed, new court files say.
    Our previous blog.

    Posted by Ed Mierzwinski at 10:08 AM | Comments (0)


    October 20, 2007

    Important paper finds that privacy relevant to Google merger

    Over at the Center for American Progress, law professor Peter Swire has posted an important paper rebutting the conventional wisdom that privacy should not be part of the FTC's antitrust analysis in the pending Google/DoubleClick merger. We strongly agree with Swire that privacy should be part of the analysis. U.S. PIRG, in coalition with the Center for Digital Democracy and EPIC (its detailed Google merger page) has filed joint papers at the FTC opposing the merger. From Swire's paper:

    In brief, privacy harms can reduce consumer welfare, which is a principal goal of modern antitrust analysis. In addition, privacy harms can lead to a reduction in the quality of a good or service, which is a standard category of harm that results from market power. Where these sorts of harms exist, it is a normal part of antitrust analysis to assess such harms and seek to minimize them.
    We'll be joining Swire at the FTC's upcoming Behavioral Advertising town hall on 1-2 November. U.S. PIRG's Amina Fazlullah is a featured presenter, along with Jeff Chester of the CDD.

    Posted by Ed Mierzwinski at 05:35 PM | Comments (0)


    October 15, 2007

    Again, the NY Times: Consumer roundup of the day.

    You can always find a few interesting items in the New York Times to blog about. From Monday's paper:

  • Yet another Study Finds Disparities in Mortgages by Race. From the story by Manny Fernandez:
    Home buyers in predominantly black and Hispanic neighborhoods in New York City were more likely to get their mortgages last year from a subprime lender than home buyers in white neighborhoods with similar income levels, according to a new analysis of home loan data by researchers at New York University.
    While the story includes the obligatory quote from the Mortgage Bankers Association that the report does not prove discrimination, the article cites numerous studies with the same results.

    "There's no question that if you live in a predominantly African-American and Latino neighborhood you're going to be paying more for your mortgage," said Sarah Ludwig, executive director of the nonprofit [Neighborhood Economic Development] Advocacy Project, which is based in New York.

  • Next, the story Group Plans to Provide Investigative Journalism by Richard Perez-Pena reports that the bankers-turned-philanthropists, Herb and Marion Sandler, are backing a new investigative journalism project, Pro Publica: "The plan is to do long-term projects, uncovering misdeeds in government, business and organizations." The Sandlers have invested their money in a lot of interesting and important public interest projects, after doing a lot of thinking and investigating of their own, so watch this one.
  • Finally, although it doesn't mention the coming behavioral targeting workshop at the FTC on November 1-2, the story 1,200 Marketers Can't Be Wrong: The Future Is in Consumer Behavior by Stuart Elliott is a good run-up to the event, which is largely a response to important issues raised in a U.S. PIRG/Center for Digital Democracy complaint.

    Posted by Ed Mierzwinski at 06:20 AM | Comments (0)


    October 11, 2007

    Medical identity theft-- it's getting worse

    Today's Wall Street Journal explains that Escalating Health-Care Costs Fuel Medical Identity Theft (pd. subs. req'd.). As reporter Victoria E. Knight explains:

    Medical identity theft can imperil your health and finances. Unfortunately, detecting this form of thievery isn't always easy for consumers, who are often unaware of its existence, and remedying the damage can be difficult. However, there are steps to take to protect yourself from becoming a victim, experts say. "You need to treat your medical ID card as if it were a Visa card with a million-dollar credit limit," says Nils Frederiksen, a spokesman for the Pennsylvania attorney general's office, which has successfully brought prosecutions against medical ID thieves.
    The best consumer information on the web comes from Pam Dixon and her World Privacy Forum website. See its medical privacy and medical ID theft pages.

    Posted by Ed Mierzwinski at 06:18 AM | Comments (0)


    October 05, 2007

    Second credit bureau announces nationwide security freeze

    Ten years ago, PIRG helped draft the first security freeze law, which was eventually enacted in California over the objections of the 3 credit bureaus, who were forced, kicking and screaming, to reluctantly give consumers a powerful tool that stops identity theft. Now 39 states and the District of Columbia have followed suit (although not all laws have taken effect), after a three-year PIRG/Consumers Union campaign. Now the bureaus, in an effort to stave off better federal legislation that would allow the states to continue to modify and improve their laws, are offering expensive, clunky freezes nationwide (Washington Post story on Experian announcement; Trans Union has already announced). It's a cautionary victory as long as we keep the momentum moving for better state laws and a better federal floor. Protection from identity theft is not something that should be left to a market that has failed miserably for ten years to stop the problem.

    No other tool stops identity theft before it starts. Only the security freeze does. Other options don't work. The bureaus say, "get a 90-day fraud alert" (a federal right available since late 2003). But a fraud alert doesn't stop the issuance of credit. And, of course, you have to keep renewing it. Really, the bureaus prefer to market, sometimes deceptively, their rip-off credit monitoring services, which for as much as $15/month will tell you that your credit data have already left the barn.

    Consumers deserve a freeze that's easy to use, with a business-friendly instant unfreeze when they want to purchase credit themselves. And consumers should pay once for a security freeze from each of the three bureaus, not each time they temporarily lift or unfreeze their reports. You buy a lock for your front door once-- you don't pay every time you use the key. These features -- 15-minute lifts and one-time fees -- are features of the best state laws. Heck, Indiana's law is totally free; even Delaware, home of the banks and proud of it, has a 15-minute unfreeze and a one-time fee.

    Posted by Ed Mierzwinski at 06:25 AM | Comments (0)


    October 01, 2007

    PrivacyGuard- Just do nothing

    I got a new credit card this week, partly because my insurance company told me earlier this year that my insurance credit score (and cost of car insurance) was hurt by having "too few" revolving accounts. Who knew?

    When I called the 800-number from my home phone to activate the card (calling from your home phone is a nice, simple security feature), they had a tricky ad for PrivacyGuard, the over-priced credit monitoring service from Trilegiant. "Press one to get your credit report from PrivacyGuard for only one dollar."

    What if you don't want PrivacyGuard and just want them to turn on your new credit card? Do they say "Press 2?" No. They say nothing. So I did nothing.

    I waited for about ten seconds, to see what would happen. And sure enough, the voice comes on again: "Are you sure you don't want to fight identity theft? Press one now for PrivacyGuard." I was sure, so I waited them out. Ten seconds later, the little voice said: "Your new credit card is activated. Good bye." Waiting was the right thing to do. Credit monitoring is over-priced and doesn't stop identity theft.

    After your one-dollar, 2-month trial, the rate goes up, way up, as the following tortured 58-word sentence explains. From the small print:

    For my convenience, unless I call toll free to cancel during the two months of my $1 trial, my privileges will automatically continue at the low $11.99 monthly membership fee, or then-current month's fee, automatically billed to the credit card I provide which I verify is not a debit card without my having to do anything further.

    No credit monitoring service stops identity theft. Only the security freeze does. Don't spend $8-15/month on these useless, over-priced subscription services that don't fight identity theft.

    Posted by Ed Mierzwinski at 11:53 AM | Comments (0)


    September 29, 2007

    The Nation: Google: Search and Data Seizure

    Jeff Chester of the Center for Digital Democracy, our colleague in several online privacy complaints to the FTC, has a new article in The Nation Online: Google: Search and Data Seizure. Here's an excerpt:

    Internet users are largely oblivious to the fact that our online experience--websites, search engines and social networks--is being shaped to better serve advertisers, including those "big brand" purveyors of cars, fast food, and prescription drugs. As part of this process, individuals are being electronically "shadowed" online, our actions and behaviors observed, collected, and analyzed so we can be "micro-targeted." The goal of interactive marketing is to use the awesome power of new media to deeply engage us in what is being sold: whether it's a car, a vacation, a politician or a belief.

    Google is by far the most ambitious of this new breed of interactive advertising companies. It now dominates the search business, recently earning more than three-quarters of ad dollars spent for that medium.

    Posted by Ed Mierzwinski at 08:51 AM | Comments (0)


    September 22, 2007

    Data breach stories featured in today's WSJ

    Saturday's Wall Street Journal (pd. subs. req'd) has two major stories on data breach issues. One story concerns the potential for new account fraud. Mortgage Firm's Data Breach, by Jaime Levy Pessin, describes how:

    The names, Social Security numbers and mortgage information of thousands of people have been leaked by an employee of Citigroup Inc.'s ABN Amro Mortgage Group unit onto a popular peer-to-peer file-sharing network. The leak made the information available to millions of casual music-sharers, as well as would-be identity thieves.
    The other story is about debit and credit fraud.

    That story, In Data Leaks, Culprits Often Are Mom, Pop, by Robin Sidel, points out that:

    Smaller shops have proven ill-prepared for the complexities of safeguarding credit-card information. Since 2005, more than 80% of the instances of unauthorized access to card data have involved small merchants, according to Visa USA Inc., the largest payment-card network. These businesses account for 85% of the seven million locations nationwide that accept plastic, according to Visa.

    The first story, about Citibank, describes how an employee loaded Citibank data onto her own computer containing the P2P software (or loaded personal peer-to-peer software onto a Citibank computer; the former seems more likely). Either way, the P2P software allowed everyone on the network to access her entire hard drive, including the detailed personal dossiers. Companies cannot simply tell employees their rules; they must audit and verify that their practices are being complied with. And the rules themselves must be robust. The notion that so much confidential data can be placed on a personal computer and left unencrypted and available to a P2P network suggests that Citi's rules weren't that well thought out to begin with.

    Similarly, as discussed in the second story, credit card companies and networks cannot simply blame small merchants for not complying with their complex data protection and retention standards, known as PCI. The card networks and their third-party processors are in such a rush to expand their business that they probably simply put a sentence in a one-page contract that tells prospective merchant payment card accepters to go online and read hundreds of pages of rules. That means that the breaches are not entirely the small firms' fault. As the story by Robin Sidel explains:

    Many small merchants aren't even aware that the rules exist. These store owners "are provided with no information and, sometimes, with erroneous information," says Anita Boomstein, a lawyer at Hughes Hubbard & Reed LLP who represents small merchants.
    The story goes on to say that:
    Consumers typically aren't liable for fraudulent purchases on their credit cards, but the theft of card data can still create big headaches, particularly if the information is used to create a fake identity. Industry experts recommend that cardholders scour their account statements regularly and report irregularities as soon as they are spotted.
    Consumers should understand, however, that while their credit card fraud liability is low by law, their debit card liability can be much higher, according to law, despite the bank's revocable promises of zero liability. Plus, it is your own money, stolen from your own checking account, that you're fighting with the bank to get back. Our best advice-- never use debit cards-- either online or in person, at big merchants or small. While many of these breaches may occur at small merchants, just one breach at a big merchant, TJX Marshalls, resulted in the loss of 45 million debit and credit card numbers. It isn't worth the risk. Fact sheet.

    Posted by Ed Mierzwinski at 10:30 AM | Comments (0)


    September 17, 2007

    Google urges (weak) international privacy standards

    Today at 9am US Eastern time, U.S. PIRG, CDD and EPIC hold a press briefing on Internet privacy at the National Press Club. Meanwhile, Google Calls for International Standards on Internet Privacy, as the Washington Post reported in a story that ran on Saturday and as reported widely elsewhere.

    The story explains that in a recent speech in Europe, Peter Fleischer, global privacy counsel for Google, called for international rules that are less of a "patchwork" than U.S. laws and less "inflexible" than European laws. Google apparently likes "something closer to the privacy framework developed by the Asia-Pacific Economic Cooperation forum."

    In the WP story, EPIC's Marc Rotenberg says that

    Google, under investigation for violating global privacy standards, is calling for international privacy standards. It's somewhat like someone being caught for speeding saying there should be a public policy to regulate speeding.
    While Google, in response to criticism, including a PIRG/CDD/EPIC complaint and supplemental filing to the FTC protesting its proposed merger with online ad giant Doubleclick, has made some changes to its uses and retention of personal information, more needs to be done.

    Our colleague and Canadian privacy expert Philippa Lawson says (although not in the Washington Post), "It's no surprise that Google has jumped on these principles. They may be a good first step for China, but that's about it." We agree. China's got privacy problems, as well as dangerous toy and food problems. Lawson is leading a Canadian challenge to the Google/DoubleClick merger. She directs the Canadian Internet Policy and Public Interest Clinic of the University of Ottawa Faculty of Law. My previous blog on Google/privacy issues.

    Posted by Ed Mierzwinski at 06:13 AM | Comments (0)


    September 11, 2007

    Security freeze/id theft model law updated

    U.S. PIRG and Consumers Union have again updated our state model law for preventing identity theft (downloadable here as a pdf or doc). Among its highlights is a strengthened state Social Security Number protection provision, which is also available as a stand-alone model SSN bill.

    The centerpiece of the comprehensive multi-part model law remains the security freeze. Only a security freeze prevents identity theft. Neither fraud alerts nor over-priced credit monitoring services can stop identity theft before it starts.

    To date, 39 states and the District of Columbia have enacted security freeze legislation (although not all laws have taken effect). The best laws are free (Indiana) or have a very low one-time cost (several states) and/or provide for an instant temporary lift or unfreeze. Consumers Union maintains an up-to-date summary of both security freeze and state breach notice laws.

    Posted by Ed Mierzwinski at 06:46 PM | Comments (0)


    Privacy Times: We live in "Breach Nation"

    The lead story in the 6 September Privacy Times (subscription only) reports the following:

  • that the Privacy Rights Clearinghouse has identified that 159,105,898 records have been reported leaked since 2005. (That's now up to 165,937,599 a week later!)
  • that Monster.com will spend "$80 million to $100 million" to upgrade technology after hackers stole online information from what "could easily be in the millions" of job applicants to use in sophisticated phishing scams.
  • that the TJX/Marshalls breach of 46 million debit and credit card numbers has resulted in reported costs surpassing $150 million, but that the respected analyst Avivah Litan predicts the final tally will be $500 million.

    Pay attention, data collectors. Sloppy information practices are not free.

    Posted by Ed Mierzwinski at 05:40 PM | Comments (0)


    August 29, 2007

    Web ads contribute to mortgage meltdown?

    How much of the mortgage crisis was fueled by deceptive, targeted Internet ads? We don't know that, but we know the ad giants will take their share of the hit. Over at his Digital Destiny blog, Jeff Chester points out that Internet advertising giants and search engines will be next to face the mortgage meltdown-- lots of their advertisers are subprime lenders, or lead generators to them. In his blog entry Role of Interactive Advertising & the Subprime Scandal: Another wake-up call for FTC Jeff cites a number of authoritative recent sources on the nexus between Internet ads and subprime mortgages. One additional point I'll add is this: in a chart of top web advertisers from a ZDNET column Jeff posts, Experian is listed as the 3rd largest advertiser. Some of you may think Experian and its ubiquitous "freecreditreport.com" ads are just along for the ride. Actually, Experian also owns lowermybills.com, a subprime mortgage referral, or lead generator, company. On the New York Times Bits blog, Brad Stone notes LowerMyBills Lowers Its Ad Bill.

    Along with Jeff Chester and his Center for Digital Democracy, we are looking forward to the FTC's planned November 1-2 digital "Town Hall" to investigate online privacy issues.

    Posted by Ed Mierzwinski at 07:37 AM | Comments (0)


    August 26, 2007

    Make the banks report on identity theft

    When we did our first PIRG report on identity theft in 1996, we had trouble measuring the extent of the crime but we knew it was big. We still don't know how bad it is (but it is still big, and getting bigger). Over at the Consumer Law and Policy blog, professor Jeff Sovern summarizes Chris Hoofnagle's new paper, Identity Theft: Making the Known Unknowns Known available at SSRN and forthcoming in the fall issue of the Harvard Journal of Law and Technology. From the Hoofnagle paper:

    If "lending institutions," used here to describe the entities that actually extend credit (such as banks and credit card companies) and control access to accounts (including payment companies such as Paypal and Western Union), were required to provide statistical data about the crime, a more complete and focused picture would emerge. Lending institutions have not provided this information because it could cause embarrassment and because it could attract unwanted regulatory attention. Another important reason is the advent of "synthetic" identity theft. This new form of the crime, I argue below, has caused us to underestimate the prevalence and severity of identity theft greatly.
    It's a great idea, from one of the nation's leading privacy experts, formerly at EPIC and now at the University of California, Berkeley's Boalt Hall School of Law's Samuelson Law, Technology & Public Policy Clinic.

    Posted by Ed Mierzwinski at 12:33 PM | Comments (0)


    August 24, 2007

    New credit scores report from the Fed

    You won't find a press release anywhere, but buried deep on the Federal Reserve Board website is its August report to Congress on Credit Scoring and Its Effects on the Availability and Affordability of Credit (2 MB pdf). It's a companion to the widely criticized recent FTC report on credit scoring and insurance. Both reports were required by 2003 amendments to the Fair Credit Reporting Act. I haven't read the Fed report yet, but look forward to it, since it has the contradictory finding that even though non-whites have lower credit scores, not to worry, because there is "no compelling evidence, however, that any particular demographic group has experienced markedly greater changes in credit availability or affordability than other groups due to credit scoring."

    Posted by Ed Mierzwinski at 11:14 AM | Comments (0)


    August 22, 2007

    monster.com hacked

    I just did a local TV interview on the latest breach: Hundreds of thousands of job applicants with resumes at Monster.com had their email addresses stolen for use in a phishing attack (phishing attacks are always better if the "phish" think you are their friend).

    Even though the hackers didn't directly obtain non-public personal information, the hackers were able to then send the job applicants phishing emails containing legitimizing information and purporting to be from the trusted (to the job seekers) website Monster. But the emails were actually designed to trick the applicants into loading malicious software on their machines. Some news stories report that the bad software included keystroke loggers to obtain passwords and account numbers later; others report that the software propagated Trojan Horse ransom emails, or both. What concerns me most is that a Monster official said that because the hackers used passwords of legitimate outside users, the "security breach was not due to a bug in his company's systems." Yes, Monster, it was due to a bug in your system. Your system, dear Monster, failed to audit its authorized users adequately, allowing a malicious user to troll through and collect millions of names. What legitimate user would conceivably do that, and why didn't the system catch it? Reminds me of my friends at Mattel blaming the Chinese supplier instead of admitting that it was their fault for failing to check up on him.

    Posted by Ed Mierzwinski at 04:06 PM | Comments (0)


    August 21, 2007

    Online privacy dispute re FTC/Google

Our privacy and online marketing colleague Jeff Chester of the Center for Digital Democracy has a long blog post critiquing the op-ed Googling 'Monopoly' (paid subscription may be required) in today's Wall Street Journal by two officials of the Progress and Freedom Foundation. From CDD:

The Progress and Freedom Foundation (PFF) is a classic example of a think-tank whose ideological worldview is so distorted, it can't be relied on to truly provide an objective analysis. Its commentary, "Googling 'Monopoly'" (Wall Street Journal, Aug 21, 2007. Sub. may be required), fails to be a well-informed discussion of the issues raised by the FTC's review of the proposed Google acquisition of Doubleclick. The commentary was co-authored by PFF's acting president Thomas M. Lenard and Paul H. Rubin (a professor at Emory University and a PFF senior fellow). Both were FTC senior officials during the 1980s. Clearly it was written to influence the FTC as that agency currently engages in a serious review of the proposed deal.

    Posted by Ed Mierzwinski at 04:59 PM | Comments (0)


    August 20, 2007

    Some tips for tenants about tenant screening blacklists

What if there were a credit bureau that only reported negative information, so that paying your more recent bills on time wouldn't help your score? Actually, there are numerous credit bureaus that only collect negative information, which is then used to blacklist consumers or workers. Among these are bounced check databases, workers' compensation bureaus and tenant screening bureaus. Bankrate.com has a good explanation of the problems renters face due to the often sloppy practices of tenant screening bureaus.

    The big 3 credit bureaus (Experian, Trans Union and Equifax) collect both positive and negative information about how you pay your bills and then combine it with public record financial data (generally all negative) to compile credit reports. You can improve a bad credit report by improving your bill payment history, since positive information raises your credit score. You can also attempt to correct mistakes, of course.

    It's worse with a blacklist bureau, where all the information is negative. What if you were legally withholding rent because the landlord hadn't completed repairs? What if the tenant screening bureau reported you'd been sued by a landlord but not that you'd won the case, including damages against the landlord for a retaliatory eviction? What if you were mixed up with someone else who'd filed for bankruptcy or been convicted of a crime? You can attempt to correct mistakes, of course, just as if it were one of the Big 3. But when all the information is negative, it's harder to climb out of the hole. Attorneys who go after these tenant screening bureaus tell me that their attitude is often even more arrogant than that of the Big 3. You are entitled to look at your file, of course, but first you have to know if you have one, and at which tenant bureau. Bankrate has a recent list of some of the major specialty bureaus, of all sorts.

    Posted by Ed Mierzwinski at 05:54 PM | Comments (0)


    August 10, 2007

    New "privacy" report criticized

Jeff Chester of the Center for Digital Democracy (CDD), our colleague and co-complainant in several FTC privacy petitions, has posted a serious blog critique, CDT's Privacy "Report" -- Full Disclosure is Missing, of a new report on Internet search privacy from the Center for Democracy and Technology (CDT's Search Privacy Practices report). From Jeff's blog:

    CDT has long been an ally of the various data collection companies it purports to oversee on behalf of consumers. It's funded by a number of them. In fact Microsoft's Bill Gates helped raise money for the group just last March.[...]Most troubling is that CDT fails to acknowledge that the widespread and evolving role of interactive advertising practices by these companies--including behavioral targeting, "rich" immersive media, and virtual reality formats--pose a serious threat to privacy and personal autonomy. It is not just the "bad" actors that require federal legislation, as CDT's report suggests. If all Americans are to be protected online, the entire industry must be governed by federal policies designed to ensure privacy and consumer protection.

    Posted by Ed Mierzwinski at 05:44 PM | Comments (0)


    August 08, 2007

    Computers stolen at Yale

    The Yale Daily News is reporting on a recent security breach involving theft of two password-protected computers. I'd heard about this a few days ago from an alum, who'd sent me the breach notice letter. Yale's letter to the alum stated that a "computer containing your name and Social Security Number" but not your "financial account numbers" was stolen on July 17th from the Yale College Dean's Office. Yale Police "have very strong reason" to believe that "in such cases, the purchaser of stolen equipment usually moves quickly to erase the hard drive to hide its origin" and, further, that the thief had "no interest" in identity theft.

How exactly do they know this? Actually, I don't see how they can, unless they've already recovered it and conducted forensic research on the hard drive. Even though the letter goes on to advise the recipient to add a fraud alert to his credit reports, the tone of this letter is similar to the attitude taken by pretty much every industry lobbyist in Washington. Here, the industry hordes are lobbying fiercely that any federal breach notice law both preempt stronger state laws and also set a "risk trigger" before notification is required after a breach. It's a patronizing attitude. "Since we know best we believe that we should decide whether the risk of identity theft is high or low before we notify potential victims that we've lost their confidential financial information." Since they do not actually know the risk, the default should be to always notify. Not only does always notifying place potential victims on alert, which will make it easier for them to spot identity theft, an "always notify" requirement will force data collectors to do a better job protecting data in the first place, instead of leaving non-public information on unencrypted, insecure machines. Oh, by the way, breaches are happening almost daily, as the Privacy Rights Clearinghouse reports.

    Posted by Ed Mierzwinski at 02:12 PM | Comments (0)


    August 07, 2007

    FTC announces online privacy "Town Hall"

    In scheduling a two day Town Hall to Examine Privacy Issues and Online Behavioral Advertising on 1-2 November, the U.S. Federal Trade Commission (FTC) has taken its first deliberative, tentative baby steps in response to the fall 2006 online privacy complaint filed by U.S. PIRG and the Center for Digital Democracy. The FTC has also received additional filings in support of our views from other experts, as well as our subsequent USPIRG/CDD/EPIC petition against Google/DoubleClick's merger. PC World explains that the FTC wants to "learn more about current practices in targeted advertising." But our co-complainant, Jeff Chester of the Center for Digital Democracy says in the same story: "The FTC should be issuing rules, not invitations for an industry talkfest that will result in a delay protecting consumers."

    Posted by Ed Mierzwinski at 06:41 AM | Comments (0)


    August 03, 2007

    Canadian advocacy group calls for Google/DoubleClick review

    The Canadian Internet Policy and Public Interest Clinic of the University of Ottawa Faculty of Law has asked Canadian competition authorities to undertake a similar review of the Google/DoubleClick merger as we and others have requested of the U.S. FTC:

In an application to the Competition Bureau, CIPPIC requests a review of the proposed merger between Google and DoubleClick. CIPPIC is concerned that the merger prevents or lessens competition substantially in the online targeted advertising market, as Google-DoubleClick will be able to manipulate the market to raise advertising prices and advertisers and web publishers will have to choose Google-DoubleClick in order to be visible in the e-commerce market.

    Posted by Ed Mierzwinski at 09:35 AM | Comments (0)


    July 31, 2007

    Testimony today on credit doctors and credit bureaus

    Along with other leading groups, we joined testimony today by attorney Joanne Faulkner on behalf of the National Association of Consumer Advocates (NACA) before the Senate Commerce Committee's hearing on Oversight of Telemarketing Practices and the Credit Repair Organizations Act (CROA). MORE.

    Faulkner's testimony concerned the CROA aspects of the hearing only. It addressed both the vile practices of credit repair doctors and also the interminable, ongoing efforts by the credit bureaus themselves to exempt their actions from CROA (previous post), which regulates the credit repair doctor practices. Credit repair doctors are ripoff artists who make a living claiming that they can fix accurate, but negative, credit report items. Unfortunately, the main reason that CROA was before the committee was only that the credit bureaus seek a self-serving exemption from the act. Why? Because their own deceptive advertising of over-priced ($12-15/month), next-to-useless (don't stop identity theft, only the security freeze can do that) credit monitoring services has gotten them caught up in class action lawsuits for violating the CROA themselves. But, after strong testimony from Faulkner, and opposition to the current industry proposal from the FTC witness, Lydia Parnes, the director of the Bureau of Consumer Protection, we doubt the committee or the Congress will move forward. Although we aren't directly signed onto their testimony, we also strongly support the views of Iowa Assistant Attorney General Steve St. Clair and AARP board member Richard Johnson, who both testified on deceptive telemarketing ripoffs primarily aimed at the elderly (previous post describing how banks aid and abet fraudsters directly debiting consumer accounts).

    Posted by Ed Mierzwinski at 05:44 PM | Comments (0)


    July 24, 2007

    Web companies responding slowly, weakly, to threat of privacy rules

    In the fall, U.S. PIRG and the Center for Digital Democracy filed a broad-ranging FTC complaint calling for an immediate, formal investigation of online advertising practices and their impact on consumer privacy. The FTC has recently replied to us that it will hold a "public workshop" to review the issues we raised. Then, in April, U.S. PIRG, Center for Digital Democracy and EPIC filed an FTC complaint challenging the merger of Google and DoubleClick. That filing urged the FTC to consider the effects of the information collection regime that the merger creates.

    Since our complaints, interest in on-line privacy has surged. Congress will hold hearings (Marketwatch story). And, as Ellen Nakashima reports in today's Washington Post:

    Online search companies Google, Yahoo, Ask.com and Microsoft are tightening their privacy policies in the face of mounting public, congressional and regulatory agency concern about the vast amounts of personal data they gather and store.
    The companies have basically placed time limits on data retention in an attempt to inoculate themselves against further regulation. It's a first step, but quite modest. We expect, and anticipate, a lot more. While the press talks excitedly about the latest social networking and other interactive Internet applications as Web 2.0, the combined search and advertising models on the web today are already at No More Privacy 10.0.

    Posted by Ed Mierzwinski at 05:40 PM | Comments (0)


    July 03, 2007

    More state security freeze laws take effect

    UPDATE on 11 July 07 to update state numbers: As of 9/1/2007, 28 states and DC will have freeze laws that have already taken effect for everyone. As of today, 33 states and DC have enacted freeze laws for everyone (or laws that upgrade to include everyone) but the remaining 5 state laws take effect in 2008. [Washington State is included in the 33; it has a current "victims-only law" that will upgrade to all consumers in 2008.] 4 additional states have already enacted freeze laws for victims only -- one of these (AR) takes effect in 2008, 3 (KS, MS, SD) are in effect.

    Original post: Your best defense against identity theft is to freeze your credit report. That way, when a thief applies for credit using your purloined Social Security Number, he or she is denied when the cell phone company or department store contacts the bureau and is told that your report is frozen.

Since June 1, 6 new security freeze laws, in North Dakota (6/1), Hawaii (upgrade to all consumers on 6/15), DC, Montana and Wyoming (7/1) and West Virginia (7/2), have taken effect. When the Indiana law and the Texas upgrade to all consumers take effect on 9/1, all consumers living in 28 states and DC will have the right to a security freeze.

Several of the new laws are or will be among the best in the nation. Indiana's law will be the first to have no fees at all for either placing or temporarily removing a freeze. That's important, because you need freezes at 3 different credit bureaus. DC ($10) joins Delaware ($20) as states with one-time only fees. These states have no fees for temporarily lifting or removing the freeze, when you want to apply for credit yourself. The new Hawaii law caps both freeze and lift fees at $5 and West Virginia caps them at $3. These are all great pro-consumer provisions. New Jersey, Delaware, Utah and DC are among states that all will eventually require temporary lifts to take place in 15 minutes or less. That's a 21st century convenience that's important both to consumers and businesses. It's being fought vehemently by the credit bureaus. They want the freeze to be slow and clunky, so people won't use it.

All states that have passed laws applying to all consumers allow identity theft victims free freeze and unfreeze or lift rights. Some states' laws (Florida, Illinois, New Mexico, Oklahoma, Pennsylvania, and Rhode Island) also make the freeze free for seniors over 65 years old.

    On the negative side, four states (Kansas, Mississippi, South Dakota and (in 2008) Arkansas) still limit their laws to previous identity theft victims and don't appear to have a plan to upgrade soon. That's like saying you cannot have a seatbelt until you've already been in a car accident. The worst of these laws -- in Mississippi and Arkansas -- impose $10 fees on victims if they want a freeze. Incredible.

    Nevertheless, when all the laws that have already passed take effect, by 2008, fully 34 states will grant security freeze rights to all consumers. In Congress, S. 1178 has passed the Commerce Committee. While not as good as the best state laws, it allows stronger state laws. That's a departure from the usual Congressional mantra of "preempt, preempt, preempt."

    The state security freeze laws are based on a model law written by U.S. PIRG and Consumers Union. Over at Consumers Union, this page is the most up-to-date listing of state laws.

    Posted by Ed Mierzwinski at 08:58 AM | Comments (0)


    June 20, 2007

    FTC Targets Additional Group of ChoicePoint Identity Theft Victims

    NOTED: FTC Targets Additional Group of ChoicePoint Identity Theft Victims Who May Qualify for Redress

    The Federal Trade Commission has mailed reimbursement claim forms to more than 2,400 consumers who may have been victims of identity theft due to alleged security lapses at data broker ChoicePoint, Inc. In December 2006, the Commission mailed claim forms to 1,400 consumers who were identified with the assistance of law enforcement, with instructions on how to file a claim. In April 2007, 1,500 consumers were identified and contacted. The FTC also has created a Web site -- http://www.ftc.gov/choicepoint -- where consumers who do not receive a letter can download a claim form and obtain information about the claims process.

    Posted by Ed Mierzwinski at 02:00 PM | Comments (0)


    Fed, OCC need to get out more

    Yesterday, while I was in Philadelphia speaking on unfair binding arbitration, a number of my reform colleagues (Hendricks, Wu and Bennett) testified to inaccuracies in credit reports and the failure of the Fed and other bank regulators to implement new rules required by 2003 amendments.

    But the missing new rules are only part of the problem. According to the Boston Globe, at the hearing, the Fed's witness, Sandra Braunstein, also "said the agency had never imposed a fine on a bank for providing bad information to credit bureaus."

    Two weeks ago, I testified that the powerful, if obscure, federal bank regulator known as the OCC was too cozy with credit card companies, since it hadn't imposed a public penalty since 2000 on a Top Ten bank. In his questioning of OCC chief John Dugan on this very point, Rep. Emanuel Cleaver (D-MO) had Dugan flustered.

As for an excuse for the lax attitude of the Fed toward the new rules, Braunstein then gave the tired response that "More complex regulations might cause some retailers to drop out of the credit rating system completely."

Dugan, Braunstein and her bosses, the Fed governors (who've also been providing such incredibly out-of-touch testimony on consumer issues lately that you'd think they were space aliens new to Earth), and the other bank regulators need to get out more into the real world. If the banks they're cozy with don't feel the pain of civil penalties, they will continue to make sloppy or anti-consumer behavior part of their business model. At least the Federal Trade Commission is throwing an occasional small fine at the Big Three credit bureaus, although much more could be done.

    Posted by Ed Mierzwinski at 06:25 AM | Comments (0)


    June 17, 2007

    Ohio breach shows shoddy data practices

    So why put all the Social Security Numbers of 64,000 Ohio state employees on one apparently-barely-encrypted backup data disk? (AP-Ohio data loss is worse than said) And why add the names and Socials of 53,000 citizens receiving drug benefits? And then, why entrust this identity theft treasure trove to an intern who left it in a car to be stolen? Big companies, and big agencies, need to take data protection a little more seriously. Citizens, consumers and employees deserve better.

    Posted by Ed Mierzwinski at 08:49 AM | Comments (0)


    June 15, 2007

    House hearing to study credit report accuracy

    Despite sweeping 1996 and 2003 amendments to the 1970 Fair Credit Reporting Act (FCRA), consumers still face the problem of mixed-up credit reporting files. The problem has grown worse in the age of identity theft, since fraudster accounts have joined the mixed-file accounts on consumers' financial resumes (credit reports) and added to the burden consumers face in clearing their names. On Tuesday, three consumer experts will face off with two industry witnesses at a hearing of the House Financial Services Committee to "Examine Consumers' Ability to Dispute and Change Inaccurate Information." Our witnesses will be Chi Chi Wu, editor of the National Consumer Law Center's encyclopedic Fair Credit Reporting Manual, Evan Hendricks, publisher of Privacy Times and author of Credit Scores and Credit Reports (a history of the 1996 and 2003 amendment process) and attorney Len Bennett of Virginia, a member of the National Association of Consumer Advocates and a top gun litigator against creditors and credit bureaus that fail to correct mistakes and therefore deny consumers economic opportunity.

    The problem is twofold:

  • reports contain mistakes caused by either credit bureaus or creditors (furnishers of information);
  • credit bureaus don't fix them.

    And the problem is worse than in the past, since virtually every decision in the marketplace -- to obtain credit, obtain a deposit account, rent or buy a house, get insurance or get a job or obtain a variety of different services -- involves a credit report or a credit score derived from a report. The bureaus have literally become gatekeepers to almost all societal advancement and mobility.

The hearing is at least partially a response to an excellent summer 2006 series by Beth Healey and other reporters at the Boston Globe, and to its December 2006 followup series, which found the problems hadn't been fixed. The Globe happens to be the biggest newspaper in FSC Chairman Barney Frank's (D-MA) state. Since the epic struggle and debate leading up to enactment of the massive 2003 Fair and Accurate Credit Transactions Act amendments to the FCRA, Mr. Frank has had a deep interest in improving credit report accuracy.

    Posted by Ed Mierzwinski at 05:49 PM | Comments (0)


    June 13, 2007

    New York Times On Internet Privacy

    Today's New York Times editorial Watching Your Every Move points out what we've been saying all along: look at Google, but look at every company in the net space, because it isn't only Google that needs better privacy, it's the whole Internet, and governments need to step in.

Google is the focus of privacy advocates right now, but it is hardly the only concern. Competitors like Yahoo and Microsoft have the same set of incentives. Privacy is too important to leave up to the companies that benefit financially from collecting and retaining data. The F.T.C. should ask tough questions as it considers the DoubleClick acquisition, and Congress and the European Union need to establish clear rules on the collection and storage of personal information by all Internet companies.

    Posted by Ed Mierzwinski at 06:17 AM | Comments (0)


    June 11, 2007

    Privacy International report on corporate policies rankles Google

    The release of the Privacy International report A Race to the Bottom: Privacy Ranking of Internet Service Companies has apparently rankled Google, which achieved a low score. Privacy International also reports that Google has launched a smear campaign against it and has sent Google an open letter documenting the tactics.

    Along with EPIC and the Center for Digital Democracy, we recently filed a second amended complaint urging the Federal Trade Commission to examine Google's privacy practices before its pending merger with Doubleclick. (More from EPIC on the privacy issues of the merger.) But at the same time, Google is an important corporate ally of ours both on preserving net neutrality and promoting renewable energy. So, I hope that the rumors of a Google smear campaign against a legitimate and independent privacy organization are not true. That would be below Google. Unfortunately, however, big companies often hire PR firms for "strategic advice." These firms generally have lots of money and lots of flacks, but only a small toolkit of mediocre ideas. "Smear campaign" is often one of their principal weapons. If true, that's the wrong response. A better response would have been a filing at the FTC, or at the European Commission, explaining how Google would improve its privacy practices, or how its practices meet all guidelines.

    Google is a powerhouse company with a lot of good ideas, but it needs to spend more time making sure that its business model meets privacy guidelines and less time on PR consultants with bad ideas.

    Posted by Ed Mierzwinski at 06:39 AM | Comments (0)


    May 29, 2007

    FTC to review Google-Doubleclick merger

    According to news reports, including the New York Times and the Wall Street Journal, the FTC, not the Justice Department, will review the antitrust implications of the merger of the online powerhouse search firm Google with the ad-server giant DoubleClick. This is important, because the FTC has privacy expertise, while DOJ does not. While privacy is not itself an antitrust concern, we, along with the Center for Digital Democracy (CDD) and the Electronic Privacy Information Center (EPIC), filed a privacy complaint to the FTC when the merger was announced in April. Over at his CDD Digital Destiny blog, our colleague Jeff Chester is chronicling daily the privacy and behavioral targeting implications of the recent mega-mergers of Internet firms, including Microsoft's recent $6 billion purchase of aQuantive. Microsoft paid dearly (not to worry, it can afford it) because it had lost the DoubleClick sweepstakes. We fully intend to support full government antitrust and privacy review of this combination as well, even though Microsoft seems to think only Google's merger is not in the public interest and what's good for Microsoft is good for everyone.

    Posted by Ed Mierzwinski at 06:08 AM | Comments (0)


    May 20, 2007

    Wachovia Bank linked to huge senior citizen fraud

    If you've ever had to fight with a bank over a disputed automatic debit or electronic fund transfer from your account by a health club or a utility or a contractor that didn't finish the work so you refused to pay, you know how difficult it is to get the bank to believe you. The Electronic Fund Transfer Act is certainly one of the weakest and least enforced consumer protection laws going. It's true that they've got your money and you've got nothing. But when it all comes down to it-- maybe it's simpler than that. Maybe it's nothing more than that bank wants to keep all the fee revenue.

    Although Wachovia, the nation's 4th-largest bank, has apparently returned the money and not been "accused of wrongdoing," Charles Duhigg reports today in a major New York Times story -- Bilking the Elderly, With a Corporate Assist -- that Wachovia

    accepted $142 million of unsigned checks from companies that made unauthorized withdrawals from thousands of accounts, federal prosecutors say. Wachovia collected millions of dollars in fees from those companies, even as it failed to act on warnings, according to records.[...]Banking rules required Wachovia to periodically screen companies submitting unsigned checks. Yet there is little evidence Wachovia screened most of the firms that profited from the withdrawals.
How did the bad guys withdraw the money? They used unsigned checking account debits, as the U.S. Attorney for the Eastern District of Pennsylvania explained in a February release announcing an action against Payment Processing Center for

    processing consumer payments for an international network of fraudulent telemarketers. [...] Fraudulent telemarketers transmitted consumers' bank account information to PPC. PPC then created unsigned bank drafts -- checks without signatures-- based upon the consumers' fraudulently obtained bank account information. Using accounts at Wachovia Bank, PPC processed the unsigned bank drafts for payment.[emphasis added]
    In the New York Times, Duhigg goes on to explain that in addition to the possible violations of banking rules, elder fraud is facilitated by easy access to detailed dossiers and databases of personal information. Another firm that looked the other way (but also has not been accused of wrongdoing) in the case of "Richard Guthrie, a 92-year-old Army veteran" and other victims? The massive, publicly traded InfoUSA
    sold his name, and data on scores of other elderly Americans, to known lawbreakers, regulators say. InfoUSA advertised lists of "Elderly Opportunity Seekers," 3.3 million older people "looking for ways to make money," and "Suffering Seniors," 4.7 million people with cancer or Alzheimer's disease. "Oldies but Goodies" contained 500,000 gamblers over 55 years old, for 8.5 cents apiece. One list said: "These people are gullible. They want to believe that their luck can change."
    There was no press release commenting on the New York Times story at the Wachovia web site. And did I mention which federal agency is supposed to oversee whether Wachovia is in compliance with consumer protection, money-laundering, anti-terrorism and safety and soundness laws? That would be the OCC. Don't hold your breath waiting for a penalty from them against one of their biggest "club" members. After all, membership has privileges.

    Posted by Ed Mierzwinski at 09:35 AM | Comments (0)


    May 13, 2007

    Electronic transfers magnify id theft problem

    Banks continue to make life miserable for consumers whose debit cards are victimized by fraud or identity theft. Don't let those shallow "zero liability" promises fool you-- a debit card is less protected by law than a credit card. Even if the bank decides to honor its promise: remember, you've already lost your money and you've got to fight to get it back. You also could face similar problems getting your money back with electronic transfer fraud or forged check fraud, as Bob Sullivan's latest MSNBC Red Tape Chronicles blog explains:

    For two full weeks after [Rachel] Poor reported the [forged check] crime to her bank, her imposter continued to withdraw money from her account as fast as she added it. As a result, she was hit with 20 overdraft fees totaling $670, and nearly six weeks after the fact, she was still fighting to get all her money back. "Basically, I feel like I was the victim of fraud twice, once by the (person) who was using my account and again by Bank of America," Poor said. "Every time my balance went positive for even a moment another fraud charge would pass through ... so you can imagine my frustration."
Consumers today need to monitor their accounts regularly and watch for suspect electronic transfers or automatic debits. And be prepared, as Rachel Poor had to be, to mount a long-term campaign to get your own money back. Based on the mail I get, the banks don't seem to care, and often presume the victim is guilty. Assert your debit card/electronic transfer rights and keep a log of your complaint calls and other contacts.

    Even though the regulators don't like this, begin immediately to copy all letters and faxes to your bank's regulator. It is often the only way to get the bank's attention. Don't wait until your dispute fails to get your money back.

    Not sure which of the hodgepodge of regulators to write to or call? The OCC, chief regulator of national banks, is a good bet. They're not too busy, as no one's ever heard of them and they like it that way. They'll tell you which other regulator to complain to if they're the wrong one. Ignore their advice about trying to work it out with the bank first. Work with the bank, but keep the regulators apprised every step of the way.

    Posted by Ed Mierzwinski at 03:58 PM | Comments (0)


    May 05, 2007

    Even the TSA can't keep track of employee data disks

    The agency in charge of airport security, the Transportation Security Administration, has lost a hard drive containing detailed sensitive information on current and past employees, according to news stories including TSA Hard Drive With Employee Data Is Reported Stolen by Spencer S. Hsu in the Washington Post.

    The FBI and the Secret Service have opened a criminal investigation into the apparent theft of a computer hard drive containing the personal, payroll and bank information of 100,000 current and former workers of the Transportation Security Administration, including airport security officers and federal air marshals, the TSA said yesterday.
    What this and other stories and even the TSA news release don't say is whether the employee data were encrypted or not. Be nice to know whether the agency in charge of airport security protocols is following best-practice data security protocols. While these data were reported to be "archived," that does not mean encrypted. And, according to the TSA release, the treasure trove is richer than usual. It includes "name, social security number, date of birth, payroll information, bank account and routing information." While even identity thieves still in short pants can take advantage of SSNs to create new identities, identity thieves still in diapers will be drooling over the bank account data.

    Posted by Ed Mierzwinski at 07:26 AM | Comments (0)


    May 04, 2007

    Senate Committees approve data security bills

    Recently, the Senate Commerce Committee and the Senate Judiciary Committee approved data security bills. Senate Banking has not acted, nor have any major House committees. While the approved bills have the fingerprints of industry lobbyists all over them, there are a few bright spots.

  • The Senate Commerce committee's data security bill, S. 1178, was approved on 25 April. Positively, the bill would establish a federal security freeze right, but allow states to enact stronger security freeze laws. [Only the security freeze can stop identity theft. Over-priced credit monitoring cannot; credit report fraud alerts cannot.] The bill's data security and breach notice provisions, however, are weak and would preempt numerous better state laws. Here's our letter of non-support due to the preemption and weak breach rights.
  • Yesterday, Senate Judiciary approved S. 495. Positively, the bill would regulate the virtually lawless data broker industry, requiring them to comply with most of the Fair Information Practices imposed on credit bureaus, such as the right to know of and look at your file, and, with the Cardin amendment, the right to an adverse action notice when your file is used to hurt your opportunities. Unfortunately, while the bill's breach notice standard does not include a risk trigger, its notice standard is still too low. Here is our letter of non-support due to its preemption and weak breach notice standard. Fortunately, the committee fixed a flaw in the bill that could have left innocent debit card victims with drained checking accounts and no notice that the fraud was due to a previous breach. MORE:

    It is possible that the bill's original exception from notice, for breaches of both credit card and debit card numbers when companies were part of online fraud prevention programs, might have immunized TJX (TJ Maxx and Marshalls) from notification in its recent 45 million credit and debit card number breach.

    In today's Wall Street Journal, in the story How Credit Card Data Went Out Wireless Door (pd. subs. req'd), Joseph Pereira reports that outside a Marshalls store near St. Paul, Minnesota a few years ago:

    hackers pointed a telescope-shaped antenna toward the store and used a laptop computer to decode data streaming through the air between hand-held price-checking devices, cash registers and the store's computers. That helped them hack into the central database of Marshalls' parent, TJX Cos. in Framingham, Mass., to repeatedly purloin information about customers.

    That purloined information included both debit and credit card numbers. Since consumers are largely unprotected by federal debit card laws, Congress should not pass laws making things worse. Consumers are largely unaware of the risks of debit cards, and are primarily protected only by contractual promise, not by law. While credit cards are protected by the strong terms of the Truth In Lending Act, debit cards (which look the same but access your own accounts) are subject to the weak Electronic Fund Transfer Act, which allows banks unduly long investigation periods before reinstating money into a victim’s account and, under some circumstances, even allows the bank to deny all the consumer’s restitution claims even after fraudulent activity. Conversely, the Truth In Lending Act limits a consumer’s fraud liability to $50, by law. Even the Fed agrees!

    Industry groups want a federal data privacy law. The myth, however, is that they need it due to the supposed high costs of a patchwork of state laws. Their costs are low and that's a red herring. Their strategy is more Machiavellian -- their ultimate goal is to use the furor over data security and the identity theft crime wave to convince Congress to permanently eliminate all state financial privacy laws and even weaken existing federal laws. That's the wrong outcome. Consumers have been better served by state leadership on privacy, on global warming and on virtually every policy matter. Federal law should always be a floor protecting everyone at minimum levels, never a ceiling preventing states from acting more quickly or going further in defense of consumers and the environment. As we said in our letter to Judiciary members:

    States have demonstrated an ability to respond more quickly to privacy and other problems, including global warming. On the matter of privacy alone, seven states (led by Vermont) gave consumers the right to a free credit report before Congress acted, forty states had do-not-call lists before the FTC acted, at least three-dozen states have security breach notification laws (and this bill is weaker than an estimated 23 of them yet would preempt them all), and some twenty-eight states have given consumers the right to prevent identity theft through placement of a security freeze on their credit reports.

    Industry claims to the contrary, the states never enact 50 different laws; indeed they tend to enact a few similar laws and then other states perfect those efforts with virtually identical laws. When Congress steps in, it should create a federal floor protecting consumers in the few remaining unprotected states; it should not override the stronger state laws, nor should it prevent further experimentation. Any specious industry claims of compliance costs could be met by simply complying with the strongest state law nationwide, as many firms have done following the first widely-reported breaches.


    Posted by Ed Mierzwinski at 10:39 AM | Comments (0)


    April 23, 2007

    Weak effort from the Identity Theft Task Force

    The President's Identity Theft Task Force has issued a slick full color report with recommendations on identity theft. The problem: There's no there there. We've been living for at least 11 years through an identity theft crime wave, fueled by two things: (1) easy access to Social Security Numbers, the keys to your financial identity, and (2) sloppy credit granting practices. What does the report recommend? Studies of private and public sector use of SSNs. For the public sector, recommendation #1: "Complete Review of Use of SSNs." For the private sector, recommendation #1: "Develop comprehensive record on private sector use of SSNs."

    Hello, we've got the results of an 11 year longitudinal study. It's definitive. The report goes on to recommend a weak federal "reasonable risk"-based data breach law that preempts stronger laws. The report explicitly recommends against giving consumers the right to enforce their privacy rights in court after a data breach. Many of its remaining recommendations are common sense and have been among our recommendations for years.

    The report states: "SSNs are an integral part of our financial system. They are essential in matching consumers to their credit file." This is simply not true. They are currently overused for these purposes, and industry has developed a dependency, but SSNs can be replaced as unique database identifiers. There simply needs to be a will to do so.

    Posted by Ed Mierzwinski at 06:11 PM | Comments (0)


    April 21, 2007

    Stupid government tricks: leaving SSNs in plain view for years

    When I first came to Washington 17 years ago, and would read the printed Congressional Record, its regular listings of military officers receiving promotions, such as to general officer rank, included names and Social Security Numbers. While SSNs are still the military ID, at least their unwise disclosure in the CR (but not on family ID cards) stopped years ago. Now, in today's New York Times, Ron Nixon reports in U.S. Database Exposed Social Security Numbers that two different agencies, the Agriculture Department and its aider and abettor, the Census Bureau, have been posting SSNs on the Internet. An "unaware":

    Agriculture Department for years publicly listed Social Security numbers of tens of thousands of people who received financial aid from two of its agencies, raising concerns about identity theft and other privacy violations. [...] The problem was reported to the government last week by a farmer in Illinois who stumbled across the data on the Internet.
    That's dumber than dirt, a gold mine for identity thieves, and as our privacy colleague Marc Rotenberg of EPIC points out in the story, "might have violated the Federal Privacy Act, which restricts the release of such personal information." In the Washington Post, Ellen Nakashima has some more details in her story: U.S. Exposed Personal Data:
    Teuber said the USDA had been using Social Security numbers as part of a 15-digit federal contract identifier number. The practice dates back more than 25 years, she said, to when Social Security numbers were printed on checks. She said the USDA's information-security division was not aware of this continuing practice until last week.
    The loans database was part of a larger public Web site run by the Census Bureau, which collects all federal loan and grant data. The site has been up since 1996.
    Nakashima notes that the government will offer one free year of credit monitoring. We can only hope that that service is not linked to a "free-to-pay" scam, where the incredibly over-priced ($7-15/month!!) and underperforming (does not stop issuance of credit) credit monitoring is automatically extended and billed to you at the end of the term, unless you affirmatively decline.

    Posted by Ed Mierzwinski at 05:34 AM | Comments (0)


    April 20, 2007

    PIRG, EPIC, CDD file Google complaint at FTC

    We've joined the Electronic Privacy Information Center and the Center for Digital Democracy in an important complaint to the Federal Trade Commission (Washington Post story today by Ellen Nakashima explaining complaint) challenging the announced merger of the online powerhouse Google with the ad-server giant Doubleclick. The filing urges the FTC to consider the effects of the information collection regime that the merger creates. Before it can go forward we want the FTC to ask: if Google can record, analyze, track, and profile the activities of Internet users with newly-available abilities to combine data that are personally identifiable and data that are not personally identifiable, how can privacy be ensured? We also urge the FTC to require Google to publicly present a plan to comply with the recognized gold standard rule for information collection: the OECD Privacy Guidelines. Finally, we make it clear that the federal government must also consider the antitrust implications of the combination before allowing it to go forward.

    Co-filer Jeff Chester of the Center for Digital Democracy has a recent column The War Against Google in The Nation along with a number of recent blog entries explaining the issues. In November, PIRG and CDD had filed a previous FTC complaint asking for FTC action against Microsoft, Google and others for a broad variety of new behavioral tracking practices that fail to guarantee Internet privacy and may subject consumers to price discrimination (weblining) and other harms. Privacy on the Internet, to the extent that it is guaranteed at all, is protected largely through privacy policies, not by enforceable privacy rights. The two complaints, together, raise troubling questions about how new technologies have enabled the collection and use of massive consumer information resources by Internet firms, for a variety of behavioral, consumer control and other purposes without any government oversight, consumer knowledge or consent, or any ethical consideration of the implications for consumers' lives. Yet, the technologies also afford an historic opportunity to protect privacy, if used fairly.

    Posted by Ed Mierzwinski at 06:15 AM | Comments (0)


    April 07, 2007

    SSNs on public records-- not good

    MASSPIRG's Eric Bourassa has called on Secretary of State William Galvin, who has been an investor champion, to become a privacy champion, too. So far, Galvin has resisted MASSPIRG's calls to remove Social Security Numbers, the basic operating toolkit of identity thieves, from public records and filings on his website. Here's today's AP story Mass. needs law banning private data on state Web sites, some say and here is one from yesterday: Privacy advocates blast Galvin. As privacy expert Robert Ellis Smith points out in today's story, states, including Vermont, have begun passing laws to redact or remove SSNs from older records, and prohibit their disclosure on newer records:

    "Social Security numbers are inappropriate on Web sites, period," said Robert Ellis Smith, who publishes the online newsletter Privacy Journal, based in Providence, R.I. "State and county officials rush to put information online. Only now, after the fact, have they started to have these redaction laws."
    There is no question at all that the PIRGs and other reform organizations support the public's right-to-know and the need for government in the sunshine. But placing the keys to identity theft out in plain view serves no government purpose, and risks the financial health of millions of Americans. The activist website The Virginia Watchdog chronicles the battle -- state by state and town clerk by town clerk -- to remove non-public personal information from government websites. And, the site shows how easy it is to mine the data.

    Posted by Ed Mierzwinski at 09:04 AM | Comments (0)


    April 02, 2007

    FCC issues phone privacy/anti-pretexting order

    Late this afternoon the FCC issued an order (101 pages, so here's the short news release) strengthening the protection of detailed customer telephone records known as CPNI (who you call, when you call, how long you call, how much you spend, etc.) in several ways. First, in the wake of the Hewlett-Packard boardroom drama and other scandals involving private investigators obtaining customer records, the FCC strengthened security rules. These rules will help protect against pretexting -- or, in simple English, lying -- to obtain customer records. The rules will also improve protection of the records against other unauthorized access, by hacking, for example. Second, the FCC (probably by taking a closer look at the underlying statute) realized that the sharing of detailed information with marketing partners required affirmative (opt-in) consumer consent. Finally, the FCC did all this without preempting stronger state laws. Commissioners Michael Copps and Jonathan Adelstein issued statements supporting the order but dissenting from its overly-broad law enforcement delay exceptions to its security breach notice requirements. We'll need to examine the order more closely to see what actions Congress still needs to take.

    Posted by Ed Mierzwinski at 06:12 PM | Comments (0)


    March 28, 2007

    A new solution to identity theft

    Over at the Consumer Law and Policy blog, law professor Jeff Sovern explains Chris Hoofnagle's novel proposal to deter identity theft: making companies report their internal fraud and identity theft data publicly. Chris is a longtime privacy expert now at the University of California at Berkeley's Boalt Hall Law School Technology Clinic. He described his idea in testimony before a U.S. Senate Judiciary subcommittee hearing.

    Posted by Ed Mierzwinski at 10:28 AM | Comments (0)


    March 23, 2007

    Privacy violation? "It's gonna cost ya."

    Privacy expert Robert Ellis Smith, author and longtime publisher of the Privacy Journal newsletter, has a column up at Forbes.com about how the FTC and state attorneys general are hitting privacy violators where it hurts-- in the wallet. Most corporate general counsel are aware of the $10 million FTC civil penalty plus $5 million restitution order on ChoicePoint after it was nailed for selling 163,000 consumer dossiers to identity thieves, but in FTC Says It's Gonna Cost Ya, Smith details a long list of other privacy-related settlements and civil penalties against miscreant companies.

    Posted by Ed Mierzwinski at 02:49 PM | Comments (0)


    March 21, 2007

    Feds issue model privacy notice proposal

    Banking and financial regulators, led by the FTC, have today jointly issued a proposal for model financial privacy notices. Comments are due 60 days after the rule is published in the Federal Register, which should be in the next few days. You've seen the "I went to ___ and all I got was this lousy t-shirt" promotions. I sometimes think of the privacy notices like those t-shirts. But while fixing the financial privacy notices isn't the same as giving us actual privacy rights, it is a step forward and we support it. MORE.

    Background: In 1999, Congress approved the Gramm-Leach-Bliley Financial Modernization Act, allowing mergers between disparate financial firms such as insurance companies, banks and securities firms. The goal of the law was to create one-stop shopping financial supermarkets. During debate on the law, it became clear that many financial firms were engaging in seamy practices involving the sharing and use of confidential customer data without knowledge, let alone consent. For example, Bank of America's predecessor bank, Nationsbank, was fined millions of dollars for allowing the records of conservative certificate of deposit holders to be shared internally with a securities affiliate running a telemarketing boiler room pitching risky stocks. U.S. Bank was fined by several state attorneys general after getting caught giving non-affiliated telemarketers the credit card and checking account numbers of its customers, who were then deceived into paying for supposed free trial offers.

    Following an uphill bi-partisan effort led by Reps. Joe Barton (R-TX) and Ed Markey (D-MA) and Sens. Paul Sarbanes (D-MD) and Richard Shelby (R-AL), Congress begrudgingly added Title V to the act. That title required companies to safeguard the integrity of information and prohibited customer records from being shared unless consumers were first notified of information practices. GLBA requires an initial and annual privacy notice. The new law provided a limited opt-out allowing you to limit the sharing of your information with some, but not all, third party companies. Most sharing with affiliates and some third parties is generally allowed by GLBA under a "no-opt" or "no-rights" scheme. GLBA also imposes some limits on the sharing of account numbers with telemarketers. We've never been impressed with these because "free-to-pay" or "pre-acquired account telemarketing" problems have continued, regardless.

    Under GLBA, firms covered by the act have provided long, complex, unintelligible privacy notices made worse by the fact that, when all is said and done, your opt-out rights are limited by the underlying statute. Yet every independent privacy and literacy expert who has reviewed the notices believes that most firms went out of their way to hide your limited opt-out rights anyway, and to intentionally confuse you. The banks blamed the complex notices on litigation risk and the recommendations of their lawyers, of course. Right. But some of them have urged better notices.

    The new rules will simplify the notices and make your opt-out rights clearer. Ideally, having to explain consumer rights more simply may cause more companies to review and limit their promiscuous sharing policies. We urge you to read the proposed rule and make a comment.

    Posted by Ed Mierzwinski at 10:56 AM | Comments (0)


    Consumer Blog Roundup: Old and New

    What with 10 days in Europe and all, I am behind on checking out the consumer blogs. So, here are a few excellent posts from the last few weeks: Over at Credit Slips, the consumer credit and bankruptcy professor blog:

  • Check out Angie Littwin's post on her own empirical research into the attitudes of low-income women toward credit card debt:
    In the paper, I build off their ideas to develop a proposal for "self-directed credit cards," which would allow consumers to pre-commit to set levels of credit-card usage and avoid the temptation to spend or borrow more in the heat of the purchasing moment.

  • Also at Credit Slips, Elizabeth Warren recently pointed out that people are offered well more than their incomes in credit card offers each year:
    If the average card offer is about $5,000 in pre-approved credit, that's about $365,000 in offers for every American household--or about $1000 a day, every day of the year. By comparison, median household income is about $46,000, or about $127 a day. It wouldn't be unreasonable to speculate that many families are offered about seven times their annual incomes in credit card debt.

    Meanwhile, over at the Consumer Law and Policy blog, which includes blogs by consumer advocates, consumer lawyers and professors:
  • Brian Wolfman's blog entry The "Check Float" Is On Its Way Out comments on a recent column by the Washington Post's Michelle Singletary describing the latest technological advance making it harder to "float" checks.
  • Also, Greg Beck's entry Wal-Mart Uses Digital Millennium Copyright Act Against Consumer Blog explains how the overly-broad DMCA [which of course has also been used effectively by copyright holders to scare colleges and some ISPs into assisting private firm efforts against alleged illegal-music downloaders] is being used to chill free speech on the Internet.
  • And Jeff Sovern has a nice piece on one of the main drivers of identity theft: the lack of incentives for merchants or credit bureaus to slow down credit transactions.

    And, over at his Digital Destiny blog, Jeff Chester has some prolific and thoughtful posts:

  • In an essay-like piece called Building Capacity for Social Justice in Web 2.0: How to Foster a Public Interest "Triple Play", he urges activists, policymakers and the funding community to take ten pro-active steps to "take advantage of the significant changes transforming the U.S. (and global) media system."
  • In a piece Will the Interactive Advertising Bureau 'Mess-up' Branding Online By Opposing Privacy Safeguards? he criticizes the disingenuous lobbying efforts of IAB and its member online advertising firms: "If Congress protected consumers with online marketing safeguards, warned IAB, it would threaten the nature of the Internet itself."

    Posted by Ed Mierzwinski at 06:14 AM | Comments (0)


    February 22, 2007

    Who pays for data breaches?

    Of course, it's consumers who pay, in stress and hassles, fraud and identity theft and higher costs for goods, credit and services. But recently, the massive breach at Massachusetts-based TJX companies has made the Massachusetts legislature a flash-point in a long simmering feud between banks and merchants over who should pay for data breach notifications, issuance of new credit and debit cards and fraud or identity theft-related benefits to consumers, such as credit monitoring or security freezes. The smaller banks (and credit unions) feel caught in the middle and blame the merchants and third-party payment processors. They want the law to explicitly force the merchants and processors to compensate them, but in our view the problem of whose fault it is may be too complex to be resolved in state or federal law and should remain a matter of contract law. What if the big credit card companies (that often provide cards to the smaller banks and credit unions) or the card networks owned by the banks (Visa and Mastercard associations) aren't enforcing their own rules? Shouldn't they have partial fault? The problem is discussed in stories in both the Wall Street Journal and the Washington Post today.

    As reported today by Joe Pereira in the Wall Street Journal story Bill Would Punish Retailers For Leaks of Personal Data (pd. subs. req'd):

    [a Massachusetts bill] would mandate that companies whose security systems are breached assume full financial responsibility for any fraud-related losses, costs associated with the canceling and reissuing of cards, and -- in cases of identity theft -- the freezing of accounts and credit information. The bill would apply to any company doing business in Massachusetts, wherever it may be based.

    In a Washington Post story today, Customer Data Breach Began in 2005, TJX Says, Ellen Nakashima reports that "the credit card industry has set up rules for data protection called the Payment Card Industry Data Security Standard." But one well-known data security expert, Avivah Litan of the Gartner Group, told Nakashima that most retailers, especially small retailers, are not following these rules:

    Litan said the retailers are not solely to blame. "It's a collective problem with collective responsibility," she said. "Certainly the retailers have to tighten up their systems, but the banks have to strengthen cardholder authentication so even if the data is stolen, it's useless."
    The Journal story reports that banks and bank payment networks are finally increasing the penalties that they impose on rule violators. It's about time, as I have previously noted. And as Litan points out, the banks and bank networks need to shoulder a bigger part of the authentication load. So do the credit bureaus, which abet the banks (and other creditors, including cell phone companies) in their sloppy issuance of new credit to identity thieves, many still in short pants. Because, really, it's consumers who pay, eventually.

    Posted by Ed Mierzwinski at 08:35 AM | Comments (0)


    February 16, 2007

    Such a deal on ID theft report

    I've just received a so-called promotional email from Javelin Strategies on its latest ID theft report (what I said about the report). What the promo said:

    As a professional concerned with ID theft and fraud, I'd like you to consider purchasing the full professional version of this report for your organization. Our exclusive 2007 study shows that the average identity fraud crime is $5,720, or more than twice the cost of this exclusive, nationally-representative detailed study on how to Prevent, Detect and Resolve these crimes.
    Such a deal for only $2500. Too bad we don't agree with the report's "it's all good" conclusions. Did we mention it is exclusive?

    Posted by Ed Mierzwinski at 09:17 AM | Comments (0)


    February 15, 2007

    Singletary: Better to Stop Data Thieves Cold

    In today's column, Better to Stop Data Thieves Cold, Washington Post syndicated columnist Michelle Singletary explains that expensive, defective credit monitoring services won't put the chill on identity thieves. As we do, she instead backs the security freeze.

    For about a year, my husband and I paid $99 for credit monitoring...Eventually we canceled the monitoring service. Although we were never notified of any problems, we realized that if there ever were fraudulent accounts, we wouldn't know about them until after they were opened. By that time the damage would already be done. We could only react. A lot of the advertising for credit monitoring says it can help stop identity fraud. That claim is misleading. Credit monitoring is a detection system. And that's the major downside. Yes, it helps to know early if you're a victim of identity theft, but it would be better to prevent it altogether.
    Only a free or low-cost security freeze (PIRG identity theft pages), as enacted now by 26 states and the District of Columbia (takes effect in July), can stop identity theft by freezing access to your credit report. The challenge we face now is to convince Congress that if it enacts a federal law it must
  • impose only a low, one-time upfront fee ($5 for anyone, but free for identity theft victims) to impose a first-time freeze (remember, there are 3 separate bureaus, so you need three "freezes"),
  • allow free temporary "lifts" or "thaws" when you want to apply for credit yourself (when you buy a lock for your front door, do you pay every time you open and close it?), and
  • allow for a business and consumer-friendly 15-minute unfreeze (temporary lift or thaw procedure), instead of the clunky slow, 19th century procedures sought by the credit bureaus that got us into the identity theft mess in the first place.

    Posted by Ed Mierzwinski at 06:16 AM | Comments (0)


    February 11, 2007

    Identity theft--worse than ever? Synthetic identity theft?

    Over at USA Today, Jon Swartz's recent story on the FTC's fraud complaint data dump and the industry-funded Javelin study claiming that identity theft is down (my blog) includes this zinger:

    Meanwhile, a forthcoming Gartner report is expected to show a significant hike in ID theft. It found 14 million Americans were victims of ID theft in 2006, compared with 10 million cited by FTC in 2003.
    And that's the opposite of Javelin's oh-too-rosy, "it's all good" results that seem more tailored to its industry funders' warped view of reality than to the facts. Over at Consumer Affairs, Martin Bosworth explains that the growing problem of synthetic identity theft may be what the banks don't want to talk about:
    Synthetic identity theft occurs when thieves use pieces of data from different victims to create new identities, such as one person's name and another person's Social Security number, rather than stealing someone's information whole cloth and using it for fraud.
    As privacy expert Chris Hoofnagle points out on his blog:

    Since this synthetic identity is based on some real information, and sometimes upon artfully created credit histories, it can be used to apply for new credit accounts. This harms consumers because it creates subfiles at the CRAs, and the real owner of the SSN is sometimes targeted by collections efforts.

    According to Mike Cook of ID Analytics (PDF), a company that specializes in reduction of fraud risk, synthetic fraud "is a larger problem than identity theft and is growing at a faster rate." Because "the combination of the name, address and Social Security number do not correspond to one particular consumer, the fraud is unreported and often goes undetect...financial losses stemming from synthetic identity fraud are difficult for organizations to label as fraud when the approved account becomes delinquent and eventually charges-off as a loss."

    So, in synthetic identity theft, the bad guy doesn't merely open a new account in your name; the bad guy creates a new synthetic victim with multiple personalities. This means it takes longer for you to find out you've been victimized, making it harder for you to clear your name. The solution is complex, but holding companies to higher standards for granting credit and protecting our information is certainly a significant part of the answer.

    Posted by Ed Mierzwinski at 10:30 AM | Comments (0)


    February 10, 2007

    Phishing for Job Seekers

    Old scams constantly morph into new forms. Most people now know that those phishing emails supposedly from the security division of their bank (or Paypal, or a bank they've never heard of) are really from hackers after their confidential account or personal information. In today's Washington Post, in her story Taking the Bait On a Phish Scam, Annys Shin reports that job seekers are now being hooked, and reeled in. The fraudsters are allegedly taking advantage of lax security at career and resume websites such as Monster.com and Careerbuilder to post scam ads. From the Post:

    Privacy experts say the job sites could do more to weed out fraudulent ads. "People, when looking for work, are at their most vulnerable. Job sites owe it to consumers to take that extra step to make sure these scams don't slip through the net," said Pam Dixon, executive director of the World Privacy Forum, a nonprofit research and consumer group.
    The story goes on to note that the best scammers use various social engineering tricks to make you feel more comfortable, and even to make you into a second-level information collector:
    USA Voice's victims were persuaded to harvest personal information from others. After posting her resume on CareerBuilder, Emma Ward of Collegeville, Pa., was contacted by e-mail by USA Voice. The 24-year-old was told she qualified to be an editor and was responsible for recruiting her own writers. She just had to collect and send their e-mail addresses to the company. The writers, in turn, would be paid by the number of hits their stories received, giving them incentive to direct more people to the USA Voice site.
    Consumers should remember:
  • If a deal sounds too good to be true, it probably is.
  • Bad guys often have a little bit of your information. They provide this to you to legitimize themselves-- "OK, Ed, I am going to read the last four digits of your credit card number to verify I am with the bank. Now, I'd like you to read the security code off the back of your card to verify I am actually speaking to Ed." Of course, anyone can get the last four digits of your credit card off the merchant copy of a receipt! This is Social Engineering 101, taught to baby hackers. Most of them cannot code a lot better than you or me and instead rely on social engineering and a hacking script or software program (called "warez") they download from a backroom on the Internet.
  • Your own bank would never ask you for confidential information over the Internet. Your own bank already has your confidential information! Don't reply to such emails. If you are unsure whether a threat is real, don't reply, go to the branch or call the number on your card.
  • Watch out for new variations on an old theme, such as job websites asking for personal information they don't need. Does your resume have your Social Security Number on it? No (or it shouldn't). No on-line job form should either.

    Posted by Ed Mierzwinski at 06:47 AM | Comments (0)


    February 08, 2007

    ID Theft No. 1 Complaint At FTC

    UPDATE --same day: This is not a study or a survey-- it's a data dump of all fraud complaints. Of course, the FTC also receives complaints about numerous other (non-fraud) unfair practices, including issues ranging from mistakes in credit reports to debt collector harassment to violations of the Funeral Practices Rule. Their absence from this list does not mean these complaints are lower in rank-- just not counted in fraud statistics. In my view, for every consumer who takes the time to complain, there are often 10-20 or more others standing behind him or her with the same problem. For example, last week's Javelin ID theft survey projected over 8 million victims nationwide -- or more than 32 times the number of actual complaints reported here to the FTC -- annually.

    Original post: Consumer complaint lists include categories from sweepstakes scams and pyramid schemes to work-at-home scams (raise marmots in your bathtub! stuff envelopes! make thousands!). These are all still big problems, but for years, identity theft complaints have led the hit parade. According to the FTC's newest fraud study, fully 36% of consumer complaints to the FTC last year concerned identity theft. The next nine categories combined -- from shop-at-home scams to health care complaints -- totaled only 33% of complaints. Under federal law, identity theft includes credit and debit card fraud, which comprised the highest percentage of the id theft complaints:

    Credit card fraud (25 percent) was the most common form of reported identity theft, followed by phone or utilities fraud (16 percent), bank fraud (16 percent), and employment fraud (14 percent).
    This year, the FTC also breaks out results into 16 categories and into 350 "metropolitan statistical areas with populations greater than 100,000." Meanwhile over at the Washington Post, syndicated columnist Michelle Singletary recommends (as we also do) Putting A Freeze on Identity Theft. It's your only strong protection, but the credit bureaus don't like it because it empowers you, makes work for them and cuts into sales of their lucrative, defective protection-racket product known as credit monitoring.

    Posted by Ed Mierzwinski at 05:47 AM | Comments (0)


    February 06, 2007

    Battle over security freeze in MD, MA

    Despite our successes in 26 states -- including the bank havens of Utah and Delaware (!?) -- in enacting security freeze laws to prevent identity theft, we continue to battle obstinate credit bureaus, insurers and some banks in other states, where these special interests continue to obfuscate the issue and confuse legislators. The latest intense battles are in Maryland (Clash over blocking a credit report, Baltimore Sun) and Massachusetts (Massachusetts must get serious about consumer security, opinion-editorial by State Senator Jarrett Barrios in Daily News Tribune). The credit bureaus' strategy is clear-- they want to override the strong state laws that apply to any consumer and replace them with an industry-approved, clunky federal law that only could be used by previous victims. As we often say, that is like saying you cannot have a seatbelt until you've already been in a car crash. Delaware is the home to many a bank, but it has passed a law that has only a one-time fee and is fast and easy to use, pleasing merchants, credit unions and consumers. Why a one-time fee and no fees for temporarily unfreezing your report? You buy a lock for your door, but do you pay again every time you lock and unlock it? Why fast and easy-to-use? So neither merchants nor consumers are inconvenienced by credit bureau bureaucracy. Get with it, Massachusetts and Maryland.

    Here's a new URL to the New York Times story on the latest identity theft survey we discussed Sunday.

    Posted by Ed Mierzwinski at 06:06 AM | Comments (0)


    February 04, 2007

    New ID Theft report out

    The contractor Javelin Strategy and Research has released its latest report on identity theft (you can get the free consumer version or the $2500 full report). Here's John Leland's New York Times story Survey on Identity Fraud Finds a Steady Decline Since 2003. Our view is clear, as we told the Times:

  • The "decline" is not statistically significant.
  • Identity theft still affects millions of Americans and often ruins their lives.
  • The decline is not due to the voluntary efforts of companies to do a better job; more likely it is due to the important action states are taking to give consumers strong identity theft protections, including breach notice laws and the right to place a security freeze on their credit reports. We need more strong laws like these that hold industry accountable when our financial data are misused, lost or stolen.
  • The claims projected from the report that identity theft is largely caused by "friends and family" are without foundation, since Javelin admits that the majority of consumers never find out how they became victims and could be victims of gang-related fraud or Internet fraud, and that fraud could be fueled by sloppy corporate practices. We've discussed this data problem before.

    In 2003, Javelin contracted with the Federal Trade Commission; now, Javelin is working for financial firms and associations: CheckFree, Visa and Wells Fargo & Company. There's a notable increase in spin and happy-talk in the claims in its news release. In addition to the skewed methodological assertions, we are most troubled by its additional assertion throughout that the main solution to identity theft is consumer self-help-- blaming the victim. The firms backing Javelin want consumers to adopt industry-preferred electronic banking, to check their accounts frequently and, worst, to pay for the over-priced, deficient product known as credit monitoring:

    Replace paper invoices, statements and checks with electronic versions, if offered by your employer, bank, utility or merchant. Sign up for automatic payroll deposits and e-mail or telephone alerts, which will warn you of any unusual account activity.
    These "alerts" are credit monitoring services, which are cash cows for both the credit bureaus and for the banks that sell them for lucrative commissions. At $8-15/month, with a marginal cost of virtually zero, asking consumers to use this self-help mechanism is externalizing the costs of identity theft onto consumers. Identity theft doesn't occur because consumers are sloppy with their information, it occurs because companies are sloppy, especially in the credit granting process. Also, while monitoring may help you clean up the identity theft mess, it won't stop it in the first place. Only the consumer-friendly security freeze will do that.

    Posted by Ed Mierzwinski at 06:47 AM | Comments (0)


    January 29, 2007

    WSJ on protecting your information

    Michael Totty has a Technology Report in today's Wall Street Journal, How to Protect Your Private Information (pd. subs. req'd). He includes an online debate on security breaches and security freezes between our colleague Gail Hillebrand of Consumers Union and financial industry lawyer Oliver Ireland, who makes the tired industry claim that industry just can't afford to comply with differing state privacy laws. The claim, which is never buttressed with facts, is a key component in industry's campaign to eliminate all strong state privacy protections and replace them with a weaker federal law that not only fails to protect consumers but also fails to hold companies accountable when they ignore their responsibilities to protect our financial DNA from hackers and identity thieves. Ireland also rolls out an additional argument that is increasingly used by industry lobbyists: that it just isn't fair for, for example, California's pro-privacy legislature to, in effect, force industry to comply nationwide with its rules. (As he admits, the smartest companies are already complying with the strongest state law everywhere. This is why the data broker ChoicePoint notified consumers in every state after losing their information, even though, at the time, only a few states had data notice laws.) In his words:

    MR. IRELAND: I think that this discussion highlights the tension between increasingly national financial markets and the historic role of the states as protectors of their own citizens. In today's national markets, individual state laws increasingly tend to affect how services are delivered in other states. The line where individual state interests should give way to overall economic efficiency is not likely to be fully resolved anytime soon.
    Funny, I don't hear Ireland complaining about the 1978 Marquette and 1996 Smiley decisions that allow South Dakota and Delaware to impose their credit card and banking laws nationwide and prevent California and other states from protecting their consumers from unfair and usurious fee practices of his clients.

    Posted by Ed Mierzwinski at 07:16 AM | Comments (0)


    January 26, 2007

    Investor ID Theft: Hack, Pump and Dump

    Several papers have stories today on yesterday's SEC's civil complaint against 21-year-old Floridian Aleksey Kamardin, said to be linked to a ring of Eastern European hacker/ID thieves who are taking over investors' online stock trading accounts for the purpose of manipulating the markets. It's a new variation of the old "pump and dump" scheme that the Washington Post's Ellen Nakashima calls Hack, Pump And Dump. From the SEC:

    SEC Sues Floridian for Scheme to Intrude Into Online Accounts, Manipulate Market

    The United States Securities and Exchange Commission today filed a complaint in the United States District Court for the Middle District of Florida charging twenty-one year old Aleksey Kamardin with participating in a fraudulent scheme to manipulate the prices of numerous stocks through the unauthorized use of other people's online brokerage accounts.

    The complaint, of course, raises new concerns about the security features of online bank and brokerage accounts.

    Posted by Ed Mierzwinski at 08:03 AM | Comments (0)


    January 24, 2007

    Thursday is a big consumer day

    I am in Bennington, Vermont. On Thursday at 3:30 pm, I am excited to be giving the inaugural lecture in the Southern Vermont College SVC Lecture Series to Envision the Workplace of the Future: Its Technology, Design, and its Challenges to Employees. I will be talking about privacy. Meanwhile, a number of my consumer colleagues, including Travis Plunkett of Consumer Federation of America, Professor Elizabeth Warren (co-author of the "Two-Income Trap"), Professor Bob Manning (author of "Credit Card Nation"), Tamara Draut of Demos (author of "Strapped") and others will be testifying at a Senate Banking Committee hearing on the unfair practices of credit card companies. At the last minute, a few credit card companies have even apparently agreed to testify. So, if you are in southern Vermont (the Albany, NY area), come hear me at 3:30 pm. If you are in DC, go over to Senate Dirksen Room 534 in the morning. It should be a lively affair. And no matter where you are, you can watch the hearing online Thursday morning.

    Posted by Ed Mierzwinski at 05:59 PM | Comments (0)


    January 20, 2007

    NYT: Opt-out story

    I have to disagree with some of the otherwise helpful information in today's New York Times column Don't Call. Don't Write. Let Me Be. by Damon Darlin. First, on the matter of financial companies providing opt-outs--that's one of the weakest areas in consumer privacy law.

    Under federal law, in most circumstances, companies can share even when you do not want them to. You have no rights. Darlin says:

    The popularity of the do-not-call list unleashed a demand for other opt-out lists. A consumer can now opt out of the standard practice of their banks or loan companies selling their information to others...While financial companies have to provide an opportunity to opt out of sharing personal information, other kinds of companies do not.
    Actually, the 1999 Gramm-Leach-Bliley Financial Services Modernization Act gives companies the absolute right to share your confidential information with both affiliated companies and most third-party companies, regardless of your own preference, as long as they first disclose their policy to you. The law gives you only a limited right to say no (opt-out) to sharing or selling with "other" third-party companies -- mostly telemarketers -- selling non-financial products. The last time I counted, Citibank had 1,900 affiliates and countless other companies selling joint financial products. Caveat: California residents are better protected. A company must ask for their affirmative consent (they must opt-in or say "yes") before their information can be shared with those pesky telemarketers. This stronger state law protection has led to some banks voluntarily agreeing nationwide not to share or sell at all with those telemarketers rather than subject you to the tedious opt-outs.

    Second, Darlin recommends using a security freeze (he uses the term that the credit bureaus are pushing, "credit freeze") only if

    you are a true victim of identity theft, which means that some criminal has your personal information and is opening up credit card accounts, borrowing money or buying property with your credit history.
    I don't know any privacy advocate who agrees with that view. The security freeze is like a seat belt-- should you only use one after you've been in a car crash? The freeze is designed to prevent identity theft before it happens, not to mitigate it afterwards. Sure, you've got to plan ahead to make a temporary lift if you are thinking about applying for new credit, but the more consumers use the freeze, the more the recalcitrant credit bureaus will implement instant unfreeze nationwide, as only the best state laws now provide for.

    By all means, opt out of pre-screened credit offers as Darlin recommends. Don't want to give your SSN over the phone? You can opt out online or by mail at optoutprescreen.com without disclosing your SSN by following the instructions at this FTC page.

    Finally, as I often have said, while I commend the Bush FTC for implementing the enormously successful nationwide Do-Not-Call list in 2003, at least 40 states got there first with their own laws. Let's protect the longstanding right of the states to show leadership on privacy and other consumer protection and public health initiatives. For example, many of us have the right to security freezes, all of us have the right to a free credit report, and we all have the generally accepted right to know about security breaches because many companies are complying nationwide with California's strong law; all of this came about only because of state action.

    Posted by Ed Mierzwinski at 09:33 AM | Comments (0)


    January 19, 2007

    WSJ: Visa/MC fining security violators

    In a late-to-the-party effort to clean up the epidemic of security breaches, Visa and Mastercard have apparently begun fining merchants and their own member banks that violate their security rules and let identity thieves and hackers loot through confidential customer data. From Robin Sidel's latest Wall Street Journal story (pd. reg. req'd.) on the recently reported TJX breach:

    Visa and MasterCard have begun clamping down on the security issue in recent months, issuing a series of hefty fines, according to people familiar with the matter. Last fall, Visa began targeting the nation's largest merchants in particular, with fines that start at $10,000 a month and can rise to $100,000 a month. Visa levied $4.6 million in fines for noncompliance with the security rules last year, up from a 2005 total of $3.4 million. It wasn't immediately clear if Fifth Third and TJX had been fined previously for noncompliance.
    Visa and Mastercard have always had rules, but they hadn't ever enforced them. Relying solely on the card associations -- with well-deserved reputations as mere promotional arms of the banks -- is not my first choice to protect consumers. NASD -- the tough independent securities SRO (self-regulatory organization)-- they're not. But this is at least a first step. Next, the bank regulators need to impose fines on a few of the big banks -- something they rarely do (they'll sometimes fine obscure banks) as it would upset other members of their little club. Finally, consumers need greater rights to sue companies that fail to protect our information.

    Posted by Ed Mierzwinski at 06:12 AM | Comments (0)


    January 18, 2007

    Latest breach at TJ Maxx/Marshalls

    I appeared on CNBC's On The Money last night, along with Robin Sidel of the Wall Street Journal, who broke the story yesterday of the latest (but perhaps ongoing since 2003) and possibly the biggest (perhaps bigger than the reported 40 million records lost by processor Cardsystems) security breach at a retailer. This one occurred at TJX Companies, which includes the giant retailers TJ Maxx and Marshall's (company "Customer Alert" on its home page). Since the WSJ requires paid registration, here's an AP story. CNBC host Melissa Francis basically asked me two questions:

  • We keep hearing about these breaches but does it matter (paraphrase)?
  • What should consumers do?

    Here are some slightly longer answers than I was able to give in the accelerated TV format:

  • Last answer first: Stop using debit cards! This has always been my recommendation for Internet use and is now my recommendation for all use. Your federal debit card legal rights are weaker than your credit card rights. Even if the card associations make promises to make you whole, you'll still face the problem of fighting with your bank to get your own money back. Meanwhile, the money drained from your checking account (and perhaps a linked savings account) could make the rest of your financial life miserable until the bank comes through on its promise. If you believe that the risk of credit card debt is greater than the risk of security breaches, and you absolutely must use a debit card instead of cash, consider opening a special compartmentalized account at a new bank, separate from where you keep most of your money. Keep only enough money in it to avoid fees and cover your spending.
  • Are consumers at risk-- that is, do these breaches result in identity theft or not? The answer is simple: First, the epidemic of breaches shows that companies are not doing enough to protect our information. That's clear. Second, despite industry spin, more than 50% of identity theft victims never find out how or why. That's enough reason to keep the pressure on for strong security breach notification and identity theft prevention remedies such as the right to place a security freeze on their credit reports. Meanwhile, expect the latest phalanx of industry lobbyists to descend on Capitol Hill insisting on enactment of weak, preemptive federal rules that let them (those who lose information), decide whether or not to tell us (those who suffer the consequences). Wrong answer. The true solution lies in allowing continued innovative efforts by the states to protect their citizens. It's the only privacy answer that's ever worked.

    Posted by Ed Mierzwinski at 07:05 AM | Comments (0)


    January 17, 2007

    More on credit scores at SC

    Over at the Consumer Law and Policy blog, Deepak Gupta has posted a quick analysis and a link to the Supreme Court transcript from yesterday's oral argument on insurance company compliance with the Fair Credit Reporting Act. From the early news clips (mostly quoting industry lobbyists, however) that Deepak summarizes, the Court doesn't understand the issue from our consumer protection perspective (my previous entry).

    Posted by Ed Mierzwinski at 06:37 AM | Comments (0)


    January 16, 2007

    Supreme Court on insurance companies and credit bureaus

    The Supreme Court just now finished up oral argument in an important case (PIRG is an amicus in what is actually two cases consolidated together: Geico v. Edo and Safeco v. Burr) over whether insurance companies are violating the Fair Credit Reporting Act, and what the penalties against them should be when they fail to give consumers appropriate adverse action notices that their denial or higher premium is due to their credit report or score. The credit reporting law known as the FCRA is a remedial self-help statute-- how can you help clean up mistakes or identity theft items that lower your creditworthiness if the creditors and insurers place themselves above the law? I couldn't get over there for the argument, but our colleague Deepak Gupta of Public Citizen Consumer Law and Policy Blog has posted a long pre-argument blog with links to all the briefs, and I expect he'll post a post-argument blog later today.

    Posted by Ed Mierzwinski at 11:00 AM | Comments (0)


    January 15, 2007

    Advertising: ubiquitous, sometimes deceptive

    There's an interesting piece today in the New York Times by Louise Story: Anywhere the Eye Can See, It's Now Likely to See an Ad.

    Outright advertising is just one contributing factor. The feeling of ubiquity may also be fueled by spam e-mail messages and the increasing use of name-brand items in TV shows and movies, a trend known as product placement. Plus, companies are finding new ways to offer free services to people who agree to view their ads, particularly on the Internet or on cellphones.
    The "best" advertisers know how to trigger buy-responses in consumers. But what happens when advertisers cross the line and use deceptive practices? Should advertisers be able to data-mine your Internet surfing and shopping experiences and use the results to steer you, or to convince you to pay more? What are the other consumer harms from advertising? These are big questions, of course, but public interest groups are addressing them. For example, U.S. PIRG and the Center for Digital Democracy filed a pending complaint with the FTC late last year on consumer harms from Internet advertising. Just last week, the Center for Science in the Public Interest filed a lawsuit that brought two major food companies -- Kraft and Cadbury Schweppes -- to heel for deceptive "natural" claims. Finally, some readers may be interested, as I have been, in the way that threats from advertising were predicted by some of the best 1950s science-fiction writers.

    First, on the CSPI litigation: Using the word "natural," even in artificial products, is one way to unfairly sell more "fruit" "drinks." From CSPI litigation director Steve Gardner's blog entry CSPI's Litigation Project Forces Change By Two Major Food Companies:

    On Monday, January 8, CSPI sued Kraft Foods for claiming that Capri Sun drinks were "natural," when in fact HFCS [high-fructose corn syrup] was the second ingredient after water. The company immediately announced that it was completely getting rid of the "natural" claim. The same day, Kraft announced that it was getting rid of the "natural" claim. Then, on Friday, January 12, Cadbury Schweppes announced that it, too, would stop calling HFCS-filled 7UP "all natural." This announcement culminated several months of negotiations between Cadbury and CSPI.
    Excellent work by Steve and his team. Back when he was assistant attorney general in Texas, Steve led some major multi-state cases against the deceptive practices of cereal companies and fast food companies (here's a transcript of an interesting old interview on those cases).

    It's important to keep a close eye on the advertisers. You can learn about their goals (basically personalized, not mass, targeting) and the tactics they use to achieve them in the PIRG/CDD complaint or the CSPI litigation or the Gardner interview or the New York Times piece.

    Or you can check out the 1950s science fiction classics The Space Merchants by Frederik Pohl and CM Kornbluth and The Minority Report by Phillip K. Dick. Remember in the recent Spielberg adaptation Minority Report, when the Tom Cruise character John Anderton is walking through the mall and the interactive ads are tracking him and talking directly to him? They identify him by reading his retinal implants: "John Anderton, you look like you could use a Guinness right now." Here's a blog by an ad expert -- Does "Minority Report" Portray A Scary Future -- with some more details.

    In the real world, over at Spychips.com, you can find out about how tiny RFID tracking chips with unique individual codes are being inserted into consumer products (and in pets, and even some employees) to achieve some of the same advertising goals as in Minority Report (advertising is only a side-plot in this novel and book, by the way.)

    For my money, the scariest dystopian future is the one in the brilliant satire The Space Merchants by Pohl and Kornbluth. The advertisers "literally run the world" (review with background) and market products infected with an addictive alkaloid. Consumers are then addicted to products from one or the other of two oligopolistic global corporations. Using one product triggers a cycle-response: for example, hunger for the next product in a tobacco-soda-food cycle. From an excerpt I found on line:

    The Crunchies kicked off withdrawal symptoms that could be quelled only by another two squirts of Popsie from the fountain. And Popsie kicked off withdrawal symptoms that could only be quelled by smoking Starr Cigarettes, which made you hungry for Crunchies. Had Fowler Schocken thought of it in these terms when he organized Starrzelius Verily, the first spherical trust? Popsie to Crunchies to Starrs to Popsie?...The minute dosages of alkaloid were sapping my will..He extended a pack of cigarettes...They were Greentips. I said automatically: "No thanks. I smoke Starrs; they're tastier." And automatically I lit one, of course. I was becoming the kind of consumer we used to love. Think about smoking, think about Starrs, light a Starr. Light a Starr, think about Popsie, get a squirt. Get a squirt, think about Crunchies, buy a box. Buy a box, think about smoking, light a Starr. And at every step roll out the words of praise that had been dinned into you through your eyes and ears and pores. "I smoke Starrs; they're tastier. I drink Popsie; it's zippy. I eat Crunchies; they tang your tongue. I smoke --- "

    Posted by Ed Mierzwinski at 09:03 AM | Comments (0)


    January 13, 2007

    Bush signs phone pretext bill/HP detective pleads guilty

    Yesterday, President Bush signed (AP story) modest legislation, HR 4709, to make lying (pretexting) to obtain phone records a federal crime. The bill is a modest first step that fails to impose affirmative duties on phone companies to protect our information, fails to grant a private right of action and provides for too many government exceptions. On the same day, Bryan Wagner, a private investigator who was a minor figure in the Hewlett-Packard boardroom spying scandal that helped pass the law, pleaded guilty in a court appearance to two felonies, conspiracy and identity theft (but not pretexting) (AP story). My previous blog. Last week, Corey Boles of Dow Jones Newswires reported through a source that FCC chairman Kevin Martin has proposed draft regulations to the other 4 commissioners:

    The Federal Communications Commission is set to force telephone companies to introduce a series of measures aimed at cracking down on criminals impersonating customers to access their phone records, a person familiar with the situation said Friday.

    FCC Chairman Kevin Martin last week put a series of proposals to the other four agency commissioners that would, among other things, force carriers to require a password from customers before they could access their phone records, the person said.


    Posted by Ed Mierzwinski at 04:09 PM | Comments (0)


    December 29, 2006

    Boston Globe: Bureaus, agencies fail to help fraud victims

    Over at the Boston Globe, in a story yesterday, Credit agencies lag on errors, fraud (reg. may be required), reporter Beth Healy has followed up with a number of victims of identity theft and credit bureau mistakes who'd contacted her after a major Globe series -- Debtor's Hell -- she'd co-written last summer. Healy asked, as they say, "How's that going for you, anyway?"

    Answers: Badly. Not well. From the Globe:

    Nearly five years later, collectors are still hounding the wrong Eric Carroll....Many felt victimized by the power and ruthless tactics of debt collectors. But Carroll and others complained of another maddening aspect of the system: The glacial and ineffectual response of the three giant keepers of consumer credit records -- Experian, Equifax, and TransUnion...The local, state, and federal law enforcement response to complaints of identity fraud is similarly passive, despite the huge volume of complaints -- 255,000 last year to the Federal Trade Commission alone. Consumers are left to fend for themselves...
    The story details the Kafka-esque hassles faced by consumers wrongly accused and then left to face off against the massive and obstinate credit bureau bureaucracies in their efforts to clear their good names. The story points out the continued need to strengthen consumer rights to hold credit bureaus, debt collectors and creditors more accountable for their mistakes.

    Posted by Ed Mierzwinski at 10:22 AM | Comments (0)


    December 22, 2006

    Peeling the credit score onion

    Privacy expert Bob Gellman has a thoughtful recent column called Peeling the credit score onion explaining the problems with, and the spectacular rise in use of, credit and other risk scores, over at DM News. Excerpt:

    Is more scoring good or bad? I worry about the effect on privacy of increased aggregation of personal data needed to fuel consumption scoring. I worry about scoring providing cover for unfair or discriminatory practices. I worry about the use and misuse of scoring by government to decide who gets on an airplane or for other purposes. I worry about health scores affecting employment practices. I worry that Americans might be pressured to live for their scores, lest they be unable to achieve fair treatment in the marketplace.

    Posted by Ed Mierzwinski at 11:14 AM | Comments (0)


    December 17, 2006

    Credit monitoring: just an over-priced, under-performing protection racket

    I've often called credit monitoring services shabby protection rackets. At least when you pay off the mob every week, it doesn't burn down your store. But paying off the credit bureau, or its sales agents (including credit card companies), up to $15/month or more for credit monitoring won't stop identity theft and may not even warn you that it's happened. That's shabby. There's more at Washington Post reporter Annys Shin's recent blog The Checkout and in a recent story by Eric Dash of the New York Times.

    Don't pay for credit monitoring. It's a defective product sold at a high price by companies whose sloppy practices led to the continuing epidemic of identity theft they claim to be protecting you from in the first place. Instead, any consumer who lives in a state where either a previous victim (for free) or any consumer (for either a fair fee or a too-high fee, but still less than credit monitoring prices) can place a security freeze on their credit reports should freeze their reports from access by thieves. We'll be watching Congress closely to make sure that it does not enact an industry-friendly (pricey, preemptive of better state laws and clunky to use) security freeze law next year.

    Posted by Ed Mierzwinski at 02:37 PM | Comments (0)


    December 09, 2006

    Senate passes privacy pretexting bill in wake of HP spy debacle

    In response to the HP spying debacle, last night the Senate passed a modest bill clarifying that the use of pretexting (in English: the use of lies) to obtain a consumer's phone records is against the law and subject to federal criminal penalties. The bill has already passed the House and should become law. We supported the bill, but agree with privacy advocate Marc Rotenberg, quoted in this NY Times story, that the bill is too narrow, fails to protect all consumer records, and most importantly, fails to impose any duties on phone companies to protect our confidential information. We'll be back next year. As this previous entry notes, we supported a broader bi-partisan House Energy and Commerce bill, and opposed a broader, but weaker Senate Commerce bill that gutted state privacy laws at the request of the phone companies. And we'll be watching the detectives. Private investigators have this bizarre notion that their activities deserve exceptions from privacy laws, even though it is the private detectives who are implicated in many privacy scandals, from this HP fiasco to the tragic death of young Amy Boyer, victim of an Internet stalker.

    Posted by Ed Mierzwinski at 08:28 AM | Comments (0)


    December 03, 2006

    Privacy vs. Electronic Health Records

    In today's New York Times, Milt Freudenheim and Robert Pear do a very good job of exploring a variety of privacy issues raised by the ongoing switch to electronic health records, in their story Health Hazard: Computers Spilling Your History.

    Would it be fair to lose a promotion because you'd been seeing a psychiatrist after a personal tragedy? Would it be fair to lose your job because a bean counter in Human Resources decided your health condition was too expensive for the firm's insurance policy? How about discrimination based on your DNA? And, with health records linked by Social Security Numbers, there's the threat of identity theft. Finally, voyeurs or persons seeking to do you harm could inappropriately use information from your health records, if those records are not well-enough protected.

    The story describes the Paul Revere-like work of Dr. Deborah Peel, and of her Patient Privacy Rights coalition. Along with organizations from all parts of the political spectrum, U.S. PIRG health advocate Paul Brown has supported their important efforts to ensure that pending Congressional Health Information Technology (HIT) legislation includes provisions (1) allowing stronger state privacy laws to stand, even if a federal bill is enacted, (2) to allow consumers to keep their records out of databases without any retribution, and (3) to be notified of security breaches.

    The story notes that corporate managers in charge of administering computerized health records systems are realizing that building in privacy at the outset is the only way to gain the trust of workers. It also cites two surveys where more than half of Americans expressed significant concern about health privacy:

    The survey, conducted by Forrester Research, also found that 52 percent were "very concerned" or "somewhat concerned" that insurance claims information might be used by an employer to limit their job opportunities.

    The Markle survey, to be published this week, will report even greater worry -- 56 percent were very concerned, 18 percent somewhat concerned -- about abuse by employers. But despite their worries, the Markle respondents were eager to reap the benefits of Internet technology -- for example, having easy access to their own health records.

    Unfortunately, most of the health and technology industry lobbyists pushing the HIT bills are focused more on either the efficiencies or the massive anticipated revenue streams from selling new computers and databases than on agreeing to privacy protections. Because of that refusal to agree to privacy protections, the legislation fortunately stalled in the last Congress, but it will be back.

    Electronic recordkeeping of medical records has health benefits as well as privacy risks and costs, of course. The question is how to make sure that the less tangible privacy costs don't get lost in the shuffle. Passing legislation to accelerate the HIT conversion without building in privacy protection from the outset is the wrong way to go.

    Personal privacy has always butted up against administrative efficiency, generally at the expense of privacy. Information originally collected for one narrow government or corporate purpose becomes available for many new purposes (use creep) when it is databased in a computer system. It also becomes more susceptible to misuse. These problems have been bad enough in a world where everyone's financial lives have become an open book; they'll only get worse if medical records aren't well-protected.

    Posted by Ed Mierzwinski at 06:42 AM | Comments (0)


    November 09, 2006

    National Consumer Law Center conference

    Along with other PIRG consumer staff, I will be attending the National Consumer Law Center's Consumer Rights Litigation Conference in Miami over the weekend. It's an exciting event for anyone who cares about access to justice. All the consumer top guns on predatory lending, credit bureaus, identity theft, debt collection law and similar topics should be there.

    Posted by Ed Mierzwinski at 07:14 PM | Comments (0)


    November 08, 2006

    Split decision in Oregon on consumer ballot drives

    Oregon voters yesterday voted overwhelmingly (Oregon PIRG release) to expand a successful bulk purchasing program to lower the costs of prescription drugs, but unfortunately overwhelmingly defeated an important proposal to ban the use of credit scores in insurance-decision-making. In California, we lost statewide ballot measures to raise tobacco taxes and tax oil companies drilling for oil on California land and use the funds for clean energy development. CALPIRG will continue to push the oil measure in the legislature, since 45% of voters went for it. We won two CALPIRG-backed Sacramento County questions opposing corporate welfare for the Sacramento Kings NBA team. Previous blog with details.

    Posted by Ed Mierzwinski at 03:57 PM | Comments (0)


    ID Thieves Robbing Soldiers Overseas

    We've written often lately about predatory lenders preying on the military and a successful Congressional effort to cap interest rates on loans to military personnel and their families at 36% APR. I know that sounds high, but compared to 658% APR, a common payday loan interest rate, it's low.

    In another common scam against the military, a college student and a soldier at Fort Polk are on trial in Louisiana for stealing financial identities of personnel deployed overseas. Military personnel and their dependents face a problem most of the rest of us do not: their Social Security Numbers are on their ID cards. Here's 2003 Senate testimony of former Army captain John Harrison, a multiple identity theft victim. Active duty military personnel deployed overseas have a special right to prevent ID theft by placing fraud alert warnings on their credit reports. Find out more at the FTC military page.

    Posted by Ed Mierzwinski at 02:17 PM | Comments (0)


    November 07, 2006

    Two-pager FAQs summary of our FTC privacy complaint

    [Updated-corrected bad links 15 Jan 07] We've prepared a two-page summary in FAQ format, of the 50 page web privacy complaint that Center for Digital Democracy and U.S. PIRG filed at the FTC last week. Previous blog has links to filing.

    Posted by Ed Mierzwinski at 06:26 PM | Comments (0)


    November 02, 2006

    Rep. Markey Backs FTC Privacy Complaint/Resources Up

    (updated links 7/24/07) U.S. Rep. Ed Markey (D-MA), a leading privacy champion on Capitol Hill, has announced his support for the U.S. PIRG/Center for Digital Democracy (CDD) complaint to the FTC on online advertising, data collection and consumer surveillance. Also, CDD has a new resources page Let The Browser Beware on the complaint. It includes links to corporate sites that are exemplars of some of the practices we've asked the FTC to investigate.

    Posted by Ed Mierzwinski at 12:10 PM | Comments (0)


    November 01, 2006

    privacy release and complaint here

    (corrected links 7/24/07) Here's the news release announcing the Center for Digital Democracy/U.S. PIRG complaint filed this morning to the FTC (previous blog). Excerpt from the release:

    "Unfortunately, over the last several years the FTC has largely ignored the critical developments of the electronic marketplace that have placed the privacy of every American at risk," declared Jeff Chester, CDD executive director. "The FTC should long ago have sounded a very public alarm--and called for action--concerning the data collection practices stemming from such fields as Web analytics, online advertising networks, behavioral targeting, and rich 'virtual reality' media, all of which threaten the privacy of the U.S. public."

    Current privacy disclosure policies, CDD and US PIRG contend, are totally inadequate, failing to effectively inform users what data are being collected and how that information is subsequently used. While many companies claim they collect only "non-personally identifiable" information, they fail to acknowledge the tremendous amounts of data compiled and associated with each unique visitor who visits their website. Thus even if these companies don't know the names and addresses of users, they literally know every move those users make online, through sophisticated online tracking and analysis technologies.

    "The emergence of this on-line tracking and profiling system has snuck up on both consumers and policymakers and is much more than a privacy issue," said U.S. PIRG Consumer Program Director Ed Mierzwinski. "Its effect has been to put enormous amounts of consumer information into the hands of sellers, leaving buyer-consumers at risk of unfair pricing schemes and with fewer choices than the Internet is touted to provide."

    It is therefore incumbent on the Federal Trade Commission, according to the CDD/PIRG complaint, to protect consumers from unfair and deceptive practices by using its authority under Section 5 of the FTC Act to address this issue on a variety of fronts:

  • launching an immediate investigation into the online marketplace in light of this new environment
  • exposing practices that compromise user privacy
  • issuing the necessary injunctions to halt current practices that abuse consumers
  • crafting policies--and recommending federal legislation--to prevent such abuses.

    Posted by Ed Mierzwinski at 11:35 AM | Comments (0)


    Online privacy complaint to FTC

    We're joining Jeff Chester and the Center for Digital Democracy (CDD) in a complaint to the FTC urging greater scrutiny and possible regulatory action of online advertising and consumer tracking, as reported by the Wall Street Journal, USA Today and San Jose Mercury News today. We'll post more details, including links to the filing and the press release as soon as we file later today. From the Mercury News:

    The complaint focuses on the data collection practices that have become routine among giant Internet companies like Google, Yahoo and Microsoft, as well as much smaller Web sites. The Mercury News published a special report on the data collection practices of the largest Internet companies in August that found the companies' privacy policies did not protect personal data from disclosure under certain circumstances.
    The growth of this sophisticated tracking system has largely snuck up on consumers, who think they're protected by privacy disclaimers, and is certainly deserving of greater regulatory scrutiny. Its implications for changing the balance between buyer-consumers and sellers -- who now sit on a treasure trove of customer information -- are vast.

    Posted by Ed Mierzwinski at 06:25 AM | Comments (0)


    October 31, 2006

    Next Tuesday Is Initiative Day, Too.

    Election Day is about elections, but it is also about citizens bringing important issues to the ballot, in states where initiative and referendum is allowed (see the Initiative and Referendum Institute and the Ballot Initiative Strategy Center for info).

    In 2004, for example, COPIRG and Environmental Colorado helped run a successful citizen campaign to enact Amendment 37, to dramatically boost the use of renewable energy by electric utilities.

    Next week, Oregon State PIRG (OSPIRG) and CALPIRG are each backing several important consumer ballot questions. In Oregon, along with Consumers Union (publisher of Consumer Reports), OSPIRG is urging a Yes on Measure 42, to ban the use of credit scoring for insurance decision-making. The insurance industry has not been able to prove an actuarial relationship between your credit report and whether you'll be a good driver or homeowner, nor has it been able to discount independent studies that show that people of color score lower than whites, suggesting that they may be using credit scoring as a proxy for otherwise illegal rating factors. Finally, of course, it hasn't been able to explain the number of mistakes in credit reports.

    OSPIRG (previous blog) is also backing Measure 44 to expand Oregon's successful prescription drug buying pool to leverage lower prices for the one million Oregonians lacking drug coverage.

    OSPIRG also urges Yes on Measures 46 and 47: With no current limits on campaign contributions, this pair of measures would enact comprehensive campaign finance reform in Oregon. Measure 46 amends the constitution to allow campaign contribution limits. Measure 47 enacts low contribution limits, bans direct contributions from corporations and labor unions, and adds disclosure requirements.

    CALPIRG is supporting three statewide propositions (citizen votes go by different names in different states).

  • CALPIRG urges YES on Prop 86, the Tobacco Tax Act to raise money for health care and reduce the incidence of tobacco use.
  • CALPIRG urges YES on Prop 87, the Clean Alternative Energy Act to tax oil companies who are drilling for oil on California land and use the funds for clean energy development.
  • CALPIRG urges YES on Prop 89, the Clean Money and Fair Elections Act to get big money out of politics.
  • CALPIRG also opposes two Sacramento County ballot questions: No on Q and R, two corporate welfare proposals dumping the costs of a new basketball arena for the Sacramento Kings on taxpayers.

    Posted by Ed Mierzwinski at 06:22 PM | Comments (0)


    October 19, 2006

    Reporter's trash, phone records searched by HP

    For a year, private detectives from firms hired by computer and printer giant Hewlett-Packard played "I Spy" against Wall Street Journal reporter Pui-Wing Tam. The tactics used by the detective firms, many under Congressional and criminal investigation, ranged from trash-picking to electronic and Internet eavesdropping to pretexting, which is the practice of lying to obtain information about someone else, often about their phone records. Pui-Wing Tam reports on the debacle in today's front page story A Reporter's Story: How H-P Kept Tabs On Me for a Year (Paid subscription required): EXCERPT:

    Unbeknownst to my family and me, someone was scoping out our trash earlier this year -- someone hired by Hewlett-Packard Co. The trash study was carried out in January by Security Outsourcing Solutions Inc., a Needham, Mass., investigative firm that H-P employed, according to a briefing H-P officials gave me yesterday. Whether the sleuths ever encountered my toddler's dirty diapers, H-P said it doesn't know...In March, a man whom the California attorney general has identified as Bryan Wagner of Littleton, Colo., allegedly used the last four digits of my Social Security number and my home phone number to set up an AT&T online account for my local phone service. Using that account, Mr. Wagner appears to have accessed some of my phone records, according to the state attorney general's criminal complaint. It's unclear how Mr. Wagner may have gotten my Social Security number, but H-P's outside attorney Mr. Schultz said there appear to be databases where Social Security numbers can be accessed.
    Recent blog on pretexting and stalking here and pretexting and possible Congressional action here.

    Posted by Ed Mierzwinski at 06:12 AM | Comments (0)


    October 18, 2006

    New book on fighting the credit bureaus

    People often ask me: "Ed, how can I fight the credit bureaus? They've ruined my life." Well, here's one way to learn more. Buy this new book. Denise Richardson is a credit-bureau-victim-turned consumer advocate who has been fighting the good fight against the credit bureaus for years. She's got a new book and I recommend it: Give Me Back My Credit! I owe her a longer book review, but here's the cover blurb I wrote for the book, which gives you an idea of my views:

    "Denise Richardson's story has important lessons for all Americans. It's the story of a consumer who faced hardships created by credit bureau errors, mortgage servicing errors, abusive debt collectors and identity thieves. She learned, fought back and won. Now she's a consumer champion with a book that's a first-person story and a consumer handbook in one, with lessons for everyone who wants to win against corporate and financial predators. Buy it and then fight back yourself!"

    Posted by Ed Mierzwinski at 05:47 PM | Comments (0)


    A Short Tale of Two Privacy Consultants

    [8 Dec Update: corrected internal links] Monday was the seventh anniversary of the death of Amy Boyer, a young New Hampshire woman who is the first known victim of an Internet stalker. Amy was brutally murdered by Liam Youens, a high school acquaintance, who hired a private detective to track her through the web. Privacy consultant Rob Douglas has a nice piece urging greater protections against pretexting, Why Has Congress Failed Amy?, over at MSNBC. Meanwhile, Saturday's Washington Post ran a column The Identity Theft Scare by law professor Fred Cate, essentially claiming that the furor over security breaches is over-wrought and that identity theft is declining. Cate does mention briefly without discussion that the data he relies on are extrapolated only from the 50% of identity theft victims who know how their data was taken. In a recent entry, I cited a counter-analysis to the conventional industry wisdom adopted by Cate, prepared by privacy expert Chris Hoofnagle of the privacy and information law clinic at Boalt Hall (the law school of the University of California at Berkeley).

    Incidentally, while the Washington Post lists Cate solely as an Indiana University law professor, he is a "principal" at an industry-funded information policy center at the industry-side Hunton & Williams law firm. I am not saying Cate didn't have these views before he began working with this "center," but he and other professors should disclose their industry affiliations and potential conflicts when writing opinion pieces (and if he did tell the Post, then they should disclose them). Previous blog on professors consulting to the financial industry here. If you've got the cash, here's H&W's view of how and why your company should join the H&W information center:

    The Center's work is funded exclusively by member organizations. The Center's projects require extensive time commitments by the Center's talented staff and Hunton & Williams LLP's privacy and information management practice. Policymaker education requires travel and related expenditures. To support its mission the Center has created four classes of membership...Executive members contribute a minimum of $40,000 to the Center annually. Executive members shape the Center's agenda, participate in all projects and policymaker education, attend three executive committee meetings each year, and confer regularly with the Center's executive director on project-related issues.
    My juxtaposition of the Rob Douglas and Fred Cate columns is not to link fraud and identity theft to stalking, but these are both severe negative externalities caused by our lack of strong privacy protections.

    Posted by Ed Mierzwinski at 09:11 AM | Comments (0)


    October 04, 2006

    California To Indict Former HP Chair

    California Attorney General Bill Lockyer will indict former HP Chair Patricia Dunn and 4 others on felony charges over HP's tawdry boardroom phone spying scandal, the NY Times website reports this afternoon:

    In addition to Ms. Dunn, Attorney General Bill Lockyer intends to indict Kevin T. Hunsaker, a former senior lawyer at H.P.; Ronald L. DeLia, a Boston-area private detective; Joseph DePante, owner of Action Research Group, a Melbourne, Fla., information broker; and Bryan Wagner, a Littleton, Colo., man who is said to have obtained private phone records while working for Mr. DePante. All of those named face four charges: using of false or fraudulent pretenses to obtain confidential information from a public utility, unauthorized access to computer data, identity theft, and conspiracy to commit each of those crimes. All of the charges are felonies.
    Since the NY Times may require registration, here's the news from the Sacramento Business Journal. Our previous blog.

    Posted by Ed Mierzwinski at 03:23 PM | Comments (0)


    September 30, 2006

    Will HP scandal mean phone privacy and pretext protection?

    [Update 8 Dec: corrected internal URL links.] Pretexting is lying to obtain information, although some people like to call it just a "little white lie." In 1999, in the Gramm-Leach-Bliley Financial Services Modernization Act, Congress banned the use of pretexting to obtain financial records of consumers. Other types of pretexting may still be illegal as an unfair and deceptive practice in other contexts as the FTC explains or under certain state laws. As the sordid Hewlett-Packard boardroom scandal has revealed, bad guys, including private detectives, routinely call your phone company pretending to be you to obtain your detailed phone records (CPNI, see below). These phone records can then be used to build surprisingly detailed dossiers on your activities: what you do, where you go, who you associate with, etc. Will Congress protect us from it? Probably not today on the last session day before recess, despite our latest letter with Consumers Union and the Consumer Federation of America to the House urging passage of the bi-partisan HR 4943 to make pretexting illegal. But perhaps reform will pass in the lame duck session next month.

    The House leadership has been sitting on this consumer group-supported phone privacy bill from the Energy and Commerce Committee since the spring. Since the phone companies they're friendly with don't like it, they don't like it. At his committee's hearings on the HP scandal Thursday and Friday, privacy champion and Chairman Joe Barton said this:

    I'm going to continue to request that the House of Representatives vote on this bill [HR 4943] on the floor before this Congress adjourns this year. We must make pretexting clearly illegal. There is no room in our society for pretexters getting your phone records. If it can happen to a member of the board of directors of a Fortune 500 company, like Hewlett-Packard it can happen to any of us.
    Here's a link to our previous letter opposing a preemptive Senate version, S 2389, of pretexting reform. Here's an excerpt from our new letter on HR 4943 sent Friday:
    First, the legislation explicitly prohibits pretexting and other fraudulent means of obtaining customer proprietary network information, which includes detailed calling records. It also treats as a violation requesting that another party secure phone records when the requesting party knew or should have known that fraud would be used to obtain those records. These provisions will help stifle the commercial market for consumers' calling records and ensure that both those seeking to use illegally obtained records as well as those obtaining them illegally are held accountable. Moreover, it explicitly prohibits phone companies, their affiliates, joint venture partners and contractors from selling Customer Proprietary Network Information (CPNI)-- information that should never be available to the highest bidder.
    The Energy and Commerce Committee's Oversight Subcommittee HP witness statements from hearings on September 28 and September 29 are available. More interesting, perhaps, is this trove of documents available at the subcommittee's archive of a series of earlier hearings (June 21 and June 22) investigating the practices of the myriad firms advertising their pretexting wares on the web. Building on that trove, Ross Kerber of the Boston Globe questioned recently in Florida Suit Hints Pretexting Is Widely Used By Lenders whether those financial pretext limits mentioned above are working. Seems that the pretexters have a lot of banks for clients (see trove, Tab 41, but also read the trove index for other info available).

    While the financial pretexting law does allow banks to hire pretexters to attempt to infiltrate their own security, we wouldn't be at all surprised if it turns out that some banks knowingly went further than what's allowed, counting on their lax regulators to miss their own efforts.

    One more thing, as always, the states continue to explore privacy solutions. Yesterday, California Governor Arnold Schwarzenegger signed legislation by State Senator Joe Simitian banning phone pretexting. Here's a link to a previous post on Illinois PIRG's efforts, with some fun banter from a TV interview with a private detective.

    Posted by Ed Mierzwinski at 11:52 AM | Comments (0)


    September 29, 2006

    Myth: ID Thieves are your friends and family

    [Update Jan 2007-corrected old urls] A story in the New York Times this week, Surging Losses, but Few Victims in Data Breaches, is the latest to perpetuate the industry-propelled myth that identity thieves are mostly your friends and family:

    In the majority of cases, identity thieves are family members, relatives, neighbors and co-workers. It seems that toxic social networks -- not leaky computer networks -- are the real hazard.
    Actually, according to the data, most victims never find out who the thief was, which is why we need strong consumer privacy rights including the right to a security freeze on your credit report and strict breach notification laws. Based on FTC data, privacy expert Chris Hoofnagle has prepared this chart. Read more in his blog.

    Posted by Ed Mierzwinski at 10:04 AM | Comments (0)


    September 27, 2006

    Heavyweights Take On Identity Theft

    Thanks to Jeff Sovern of the excellent new Consumer Law and Policy Blog for his latest post linking to an analysis of identity theft by two heavyweights:

    Over at the Becker-Posner Blog, two heavyweights of the blogosphere, as well as the outside world, Judge Posner and Nobel prize winner Gary S. Becker, weigh in on identity theft. Their focus is largely on using the criminal law to deter identity theft, as opposed to using consumer law to prevent it.

    In a comment on that Consumer Law and Policy Post, privacy expert Chris Hoofnagle, now at Boalt Hall (University of California at Berkeley Law School)'s Technology Law Clinic, drills down on the problem (which Posner-Becker do reference) when he points out that 50% of consumers never find out how they became victims, so the thieves are never caught (that's according to FTC data). The solution to identity theft, in PIRG's view, then, isn't merely raising the penalties for the thieves, it's improving safeguards on consumer financial information. That means holding banks, credit bureaus and other data collectors accountable under the law, too. It also means putting more police and prosecutorial resources into identity theft. But the core solution is holding the data collectors accountable under a higher standard under enforceable Fair Information Principles. For years, the banks and credit bureaus have worked to block bills placing significant increased responsibility on them. Instead, they've supported legislation raising penalties for identity theft, or the higher crime of "aggravated identity theft." That dog don't hunt.

    Posted by Ed Mierzwinski at 09:16 AM | Comments (0)


    September 24, 2006

    ID theft: One step forward, but two steps back?

  • One dumber-than-dirt step back: Last week we learned that the U.S. Census Bureau had lost hundreds (637) of laptops, many (246) containing sensitive information about the American people. Until asked by Rep. Tom Davis (R-VA) at the Congress, the Census Bureau's parent, the Bush Administration's Commerce Department, hadn't bothered to tell anyone it had lost a total of 1,137 laptops out of its total of 30,000 purchased with taxpayer funds, in just the last four years.
  • One step forward: On the positive side, the President's ID Theft Task Force, co-chaired by Attorney General Alberto Gonzales and FTC chief Deborah Majoras, came out with a series of recommendations to fight ID theft.
  • And one probable step back? On the negative side, a comment period ended on a set of truly weak federal financial agency red flag guidelines for banks that won't stop identity theft, unless all the joint comments and recommendations submitted by PIRG, Privacy Rights Clearinghouse and other joint commenters are adopted.

    The ID Theft Task Force's most important recommendation is one that consumer and privacy groups have been calling for for years -- better protect the Social Security Number:

    The Office of Personnel Management (OPM) should accelerate its review of the use of SSNs, and take steps to eliminate, restrict or conceal their use, including assignment of employee identification numbers where practicable....OMB should require all federal agencies to review their use of SSNs to determine where such use can be eliminated, restricted or concealed in agency business processes, systems and paper and electronic forms.
    Perhaps this sensible government information usage policy will leak into the private sector, where easy access to the Social Security Number fuels an identity theft epidemic. The task force also concurs with our longstanding recommendation to make it easier for id theft victims to file police reports by proposing development of a Universal Police Report for Identity Theft Victims. That would make it easier for police departments to take reports; even today, many do not. Some identity theft rights, such as the ability to request a 7-year fraud alert, are only triggered after a police report has been filed.

    The red flag guidelines are supposed to require financial institutions and credit bureaus to implement policies and programs that would spot "patterns, practices, and specific forms of activity that should raise a 'red flag' signaling a possible risk of identity theft." The rules also require specific additional steps when an address change is "followed closely by a request for an additional or replacement card." The problem, as we point out in our comments (drafted primarily by the Privacy Rights Clearinghouse), is this:

    overall, the proposal incorporates far too much discretion that allows financial institutions and creditors to reject even the most obvious signs of identity theft. An effective Program should not allow companies to choose not only which red flags to incorporate but also which accounts are subject to the red flags. To do so creates the prospect that companies will adopt perfunctory Programs that amount to no more than the status quo. For the final rules and guidelines, the Agencies should act to eliminate the many layers of discretion incorporated into the proposal.
    We've had over a decade of sloppy practices by banks and credit bureaus contributing to identity theft. Not wanting to jeopardize their lucrative instant credit schemes, they've largely used a "wink, wink, nudge, nudge" look-the-other-way approach to identity theft. The agencies should not give them the ongoing discretion proposed here. Congressional intent in 2003 was to rein in identity theft with stronger, stricter approaches, not the same old, same old. Perhaps the most idiotic of the proposals is the agencies' idea that a credit card company can be exempted from the otherwise somewhat more stringent identity verification rules and verify an applicant merely by checking with a credit bureau. Hunh? Identity thieves have long taken advantage of the fact that, armed solely with a Social Security Number, they can exploit the instant credit process to obtain credit with no additional ID, since the SSN is all a creditor needs to pull a credit report. As we point out:
    Indeed, it is the identity thief's ability to provide enough information to the credit card issuer for the issuer to access the victim's credit report ... that facilitates this form of theft. Allowing creditors to verify identity by obtaining the victim's credit report ... would be to permit a practice that enables identity theft and that fails to ensure that a credit card applicant is really who the person claims to be.

    Indeed, the identity verification standard should, if anything, be higher for credit card issuers. In general, at least a minimum threshold of identity verification, tailored to types of financial institutions and the specific nature of identity threat, should be included in the Red Flag guidelines. Such verification should include requiring the use of documentary identification for individuals and contacting the consumer when there are address discrepancies.

    Next, the agencies undermine the biggest existing red flag of them all by allowing discretion as to whether a fraud alert on a credit report is a red flag. Our comment here:
    A fraud alert or active duty alert is the number one red flag on both the banking and the FTC lists. The proposal not only allows discretion about whether to include a fraud alert as a red flag, but incorporates leeway in deciding what actions are to be taken -- assuming a fraud alert is even included as a red flag. A fraud alert should always trigger a notice requirement.
    Anyway, we're disappointed that the agencies continue to undermine Congressional intent by proposing rules that allow the banks and credit bureaus that have aided and abetted identity theft through sloppy practices to decide whether and when to implement real protections against it.
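    As an added illustration (not part of the original post, PIRG's comments, or the agencies' proposal), here is how the two red flags discussed above look when written as detection rules with no discretion built in: an address change followed within a window by a request for an additional or replacement card, and a fraud alert appearing on a pulled credit report, which always produces a required action. The event line format, the account identifiers, the 30-day window and the sample events are all constructed for the example; the guidelines quoted above say only "followed closely" and fix no window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed account events, not real data. The line layout
# (ISO timestamp, account id, event kind, optional key=value attributes)
# is an assumption made for this example.
SAMPLE_EVENTS = [
    "2006-09-01T10:00:00,acct-1001,address_change",
    "2006-09-12T09:30:00,acct-1001,replacement_card_request",
    "2006-09-02T11:00:00,acct-1002,address_change",
    "2006-12-20T11:00:00,acct-1002,additional_card_request",
    "2006-09-03T08:15:00,acct-1003,application_received",
    "2006-09-03T08:16:00,acct-1003,credit_report_pulled,fraud_alert=1",
    "2006-09-04T08:16:00,acct-1004,credit_report_pulled,fraud_alert=0",
    "2006-09-05T13:00:00,acct-1005,replacement_card_request",
]

CARD_REQUESTS = {"replacement_card_request", "additional_card_request"}


@dataclass
class Event:
    when: datetime
    account: str
    kind: str
    attrs: Dict[str, str]


def parse_events(lines: Iterable[str]) -> List[Event]:
    """Parse the constructed line format; order events per account by time."""
    events = []
    for line in lines:
        parts = line.strip().split(",")
        attrs = dict(p.split("=", 1) for p in parts[3:])
        events.append(Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], attrs))
    return sorted(events, key=lambda e: (e.account, e.when))


def red_flags(events: List[Event], window_days: int = 30) -> List[Tuple[str, str, str]]:
    """Apply both rules without discretion: every match yields a required action.

    Rule 1: an address change followed within window_days by a request for an
            additional or replacement card (30 days is an assumed default).
    Rule 2: a fraud alert on a pulled credit report always requires contacting
            the consumer before credit is extended.
    Returns (account, flag, required_action) tuples.
    """
    flags = []
    last_address_change: Dict[str, datetime] = {}
    for e in events:  # sorted per account, so "last" is chronologically correct
        if e.kind == "address_change":
            last_address_change[e.account] = e.when
        elif e.kind in CARD_REQUESTS and e.account in last_address_change:
            if e.when - last_address_change[e.account] <= timedelta(days=window_days):
                flags.append((e.account, "address_change_then_card_request",
                              "confirm the change with the consumer at the old address "
                              "before mailing the card"))
        elif e.kind == "credit_report_pulled" and e.attrs.get("fraud_alert") == "1":
            flags.append((e.account, "fraud_alert_on_report",
                          "contact the consumer as the alert directs before extending credit"))
    return flags


if __name__ == "__main__":
    for account, flag, action in red_flags(parse_events(SAMPLE_EVENTS)):
        print(f"{account}: {flag} -> {action}")
```

    Note what the window does and does not buy: acct-1002 changed its address 109 days before asking for another card, so a 30-day rule stays silent there while a 120-day rule fires; the fraud-alert rule has no such knob, which is the point of the comment above.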

    Posted by Ed Mierzwinski at 01:58 PM | Comments (0)


    September 20, 2006

    Could the credit bureaus be credit doctors?

    Monsters come out at night from under the bed. But one of the most dangerous times for consumers is actually all day long, 24/7, in the last few weeks of any two-year Congressional session. That's monster time. That's right now. That's when the special interest lobbyists come out both day and night. They ratchet up their efforts to pass bad legislation that favors them; even worse, they do it outside the regular order of business. Instead of passing bills after hearings and through committee votes, they cut deals in backrooms, or slip new language into floor "packages."

    The so-called Big 3 credit bureaus are making just such an end-game play in an effort to immunize themselves from the Credit Repair Organizations Act of 1996. CROA was passed to protect consumers from credit repair doctors, who make false promises that they can fix your credit. As a deterrent, the law prevents companies from collecting fees in advance, before services are performed.

    But what if the credit bureaus themselves sell products that falsely claim they can fix your credit? What if the credit bureaus themselves collect money in advance for that service? Could the credit bureaus be credit doctors because they sell credit monitoring? Could their billion dollar revenue stream for a heavily-advertised product that doesn't stop identity theft and cannot improve your credit be cut off by CROA? Or, instead, will Congress immunize them by creating a special-interest safe harbor so that the bureaus can do what others cannot? Will the bill also take away strong mechanisms used to go after sleazy debt collector practices? Will the bill be so poorly written that credit doctors will be able to hide behind its immunities as well? MORE:

    A few years ago some consumer lawyers sued some of the credit bureaus, alleging that credit monitoring was a credit repair product. They also sued some of the credit card companies and so-called "membership club" companies that make huge commissions for selling credit bureau credit monitoring to their own customers. The cases allege that credit monitoring is no different than any other tawdry credit doctor product. [It actually is different. Credit doctors make a few thousand here or there; most estimates place the annual credit monitoring revenue stream at a billion dollars a year and rising.]

    So the credit bureaus came to Congress and asked for a fix. Not only that, they asked that the fix be retroactive. They want Congress to pass a bill that will cancel the existing lawsuits, not merely prevent future ones. Last spring, the House Financial Services Committee passed HR 3997. We've criticized that bill (LaTourette (R-OH) and Hooley (D-OR)) extensively because it includes a weak data breach notice provision and would preempt the 20 state security freeze laws that make the freeze available to anyone. (Longer list of problems here).

    HR 3997's Section 6 provides sweeping and retroactive immunity for credit bureaus, their friends, affiliates, relatives and business partners -- and perhaps credit doctors themselves -- from liability for violations of CROA. Recently, Senator Robert Bennett (R-UT), along with Sens. Debbie Stabenow (D-MI) and Tim Johnson (D-SD), introduced S 3662, a virtually identical companion bill.

    Here is an excerpt from letters opposing the House proposal sent by U.S. PIRG, Consumer Federation of America, National Consumer Law Center and National Association of Consumer Advocates:

    We write to ask you to work to remove the amendment to the Credit Repair Organizations Act (CROA) currently included in Section 6 of H.R. 3997. In addition, we urge you to oppose the inclusion of this section in any other data security bill negotiated for Floor action. This proposal undermines a viable and important consumer protection law, going far beyond the stated purpose of relieving credit monitoring activities from coverage under the Act.

    Currently, CROA broadly applies to any person who, in return for money, provides services to improve a consumer's credit record. Only non-profit organizations and a few other entities are exempted. In addition to requiring key disclosures, and mandating important contract terms, the Act prohibits credit repair agencies from violating standards of truthfulness, fraud or deception.

    Advocates for consumers have found CROA a useful tool in dealing with a range of bad actors in the credit marketplace, a tool which will no longer be available if the CROA amendment in H.R. 3997 is enacted. Below are some examples of the consumer protections in the current law that would not be available under this amendment.

    -- When run-of-the-mill credit repair businesses deceptively advertise their ability to improve consumers' credit scores by exaggerating what they can accomplish, CROA offers protections against this deception.
    -- When debt collectors collect debts by deceptively promising improvement of a consumer's credit rating, CROA's prohibition against deception can be brought to bear.
    -- Some payday lenders are now advertising themselves as credit repair specialists to evade state restrictions on interest rates; activities to which CROA's protections clearly apply.

    The amendment to CROA in H.R. 3997 for credit monitoring activities includes broad and sweeping exemptions. It would allow anyone who characterizes their services as providing "access to credit reports, credit monitoring notifications, credit scores ..., any analysis, evaluation or explanation of credit scores ..." to be exempted from coverage under CROA so long as they provide a new disclosure and cancellation rights for credit monitoring services. In other words, any business that is currently defined to be a credit repair organization under CROA can simply escape the coverage of CROA by slightly changing the description of what they do from promising to "improve credit" to providing -- for example -- analyses and projections of a person's credit score. CROA's current strict prohibition against deception and fraud would no longer apply to that business.

    The bureaus argue that the CROA was never intended to affect them. They claim that the Fair Credit Reporting Act (FCRA) provides a comprehensive enforcement scheme for credit bureaus themselves. They claim that the punitive damages exposure posed by CROA is unfair.

    Consumer groups disagree, especially when the bureaus' proposed fix will probably make things worse for consumers. And even though the Financial Services Committee did approve HR 3997 with Section 6, no hearings were ever held, and the Senate has held none.

    The marketing of credit monitoring services has always been tawdry, and the FTC has not seen fit to impose adequate penalties on the bureaus for misleading consumers about credit monitoring. [In 2005, the FTC did fine Experian a token $950,000 (essentially chump change) for deceiving consumers into thinking that credit monitoring was "free."]

    Private enforcement is an effective deterrent that should not be undermined and Congress should not pass legislation that may gut a comprehensive law at the behest of powerful special interests.

    That's especially true with credit monitoring. It doesn't stop identity theft, it simply makes money for credit bureaus.

    Posted by Ed Mierzwinski at 10:52 AM | Comments (1)


    September 07, 2006

    Facebook privacy fiasco- all about marketing?

    College students and others in the Facebook online community are in an uproar over changes made to the way information is shared on the site. News stories and blog entries abound. In its own blog, Facebook defends its actions as being for you, and says that your privacy is still protected. For an alternate view, check out the blog of web guru Jeff Chester:

    Excerpt: Perhaps one reason behind the recent changes at Facebook is that this social web outfit wants to make itself more advertiser-friendly. Last June, Facebook and giant ad agency powerhouse Interpublic Group (IPG) signed a deal that is all about the harvesting of data. IPG's investment gives it the clout to engage in "mining Facebook for market research trends among its young user base."

    Posted by Ed Mierzwinski at 06:13 PM | Comments (0)


    August 29, 2006

    On The BBC Today and Sunday RE ID Theft

    [Addendum: Here's a direct link to the audio.] Well, if I have converted British Summer Time correctly, I expect to appear in Privacy In Peril, a special program on identity theft and data security on BBC Radio's Money Box, today, Tuesday, at 3:02 pm Eastern US time (EDT; 2002 BST for friends in London and Portugal) and again this Sunday, 3 September, at 12:02 pm EDT (1702 BST). You should be able to listen to the stream anytime after the show airs today. Here's the web version of the story, which quotes me and privacy champion Debra Bowen, California State Senator.

    Posted by Ed Mierzwinski at 09:16 AM | Comments (0)


    August 17, 2006

    State Legislatures Meet In Nashville

    I'm just back from speaking at the annual convention of the National Conference of State Legislatures (NCSL) at Opryland outside Nashville, Tennessee. It's not over yet, and the state PIRGs and our affiliated state environmental groups still have a large delegation there. If you are still there, today (Thursday) at 3:30 PM Nashville time, at the Opry Mills Regal Theatre, with co-sponsorship from Paramount Classics Pictures, the state PIRGs are screening An Inconvenient Truth, Al Gore's award-winning global warming warning first seen at Sundance this year. MORE:

    I spoke on a panel on Credit Reports and Credit Scores (my outline) on a variety of issues, but primarily in opposition to the use of credit scores for insurance purposes. We recommend a ban in our PIRG/Consumers Union model state credit and identity theft law because your credit score is based on your error-ridden credit report, your credit score has no actuarial relationship to your ability to drive a car or your propensity (if any!) to burn down or trash your house and, worst, insurance companies may be using credit scoring as a proxy for race, an otherwise illegal rating factor.

    I also attended a fine workshop featuring two of the nation's academic experts on and opponents of state preemption. Law Professor Tom McGarity of the University of Texas is also President of the Center for Progressive Reform. I'm looking forward to his book on the preemption threat, due out next year. Professor Carl Stenberg of the University of North Carolina is co-author of Beyond Preemption: Intergovernmental Partnerships to Enhance the New Economy from the National Academy of Public Administration.

    Posted by Ed Mierzwinski at 10:54 AM | Comments (0)


    August 13, 2006

    AOL and the privacy of your web searches

    In yesterday's New York Times, Tom Zeller has yet another good followup analysis, Your Life as an Open Book, on the AOL privacy debacle:

    AOL's misstep last week in briefly posting some 19 million Internet search queries made by more than 600,000 of its unwitting customers has reminded many Americans that their private searches -- for solutions to debt or bunions or loneliness -- are not entirely their own.
    MORE:

    In a previous followup, A Face Is Exposed for AOL Searcher No. 4417749, Zeller and fellow reporter Michael Barbaro explained how trails in the supposedly "headless" data in the search engine files could be followed backwards to find and identify the person who did the searches. Then the question becomes: if a person, in this case Thelma Arnold, AOL Searcher No. 4417749, searches for information on health problems (and for now ignoring the question of how and whether an insurer should have access to that information at all), should an insurer be able to use that information to deny coverage or raise your rates?

    At first glance, it might appear that Ms. Arnold fears she is suffering from a wide range of ailments. Her search history includes "hand tremors," "nicotine effects on the body," "dry mouth" and "bipolar." But in an interview, Ms. Arnold said she routinely researched medical conditions for her friends to assuage their anxieties. Explaining her queries about nicotine, for example, she said: "I have a friend who needs to quit smoking and I want to help her do it."
    Privacy expert Dan Solove, a law professor and author of the book The Digital Person, also has a good piece on the AOL debacle and the questions it raises, over at his blog Concurring Opinions.
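    The re-identification Zeller and Barbaro describe works because a numeric pseudonym does not strip the identifying content out of the queries themselves. As an added example, not from the Times reporting and not AOL's data, the script below reads constructed log lines in the column layout of the released file (AnonID, Query, QueryTime, ItemRank, ClickURL), groups queries by pseudonym, and pulls out three kinds of signals a reporter, an insurer or anyone else could follow back to a person: a place name (matched against a small constructed gazetteer), a self-reported age, and a rare term that recurs across several distinct queries, which is how a surname shows up when people search for themselves and their relatives. Every ID, name, town and query in the sample is invented, and the gazetteer, stopword list and "two signals makes a candidate" threshold are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed log in the column layout of the released AOL file. Every ID,
# name, town and query here is invented for this example.
SAMPLE_LOG = """\
AnonID\tQuery\tQueryTime\tItemRank\tClickURL
7000001\tlandscapers in oakfield ga\t2006-03-02 11:04:22\t1\thttp://www.example.com/oakfield
7000001\tjohn q perrywinkle\t2006-03-05 20:11:09\t\t
7000001\tperrywinkle family reunion\t2006-03-06 08:40:51\t2\thttp://www.example.org/reunion
7000001\tdry mouth causes\t2006-03-09 22:15:00\t\t
7000001\t60 year old woman hand tremors\t2006-03-10 07:02:31\t\t
7000001\tdog that digs under fences\t2006-03-12 19:30:12\t\t
7000002\tcheap flights\t2006-03-02 12:00:00\t1\thttp://www.example.com/flights
7000002\tbipolar\t2006-03-04 09:13:44\t\t
7000002\tweather\t2006-03-05 10:00:00\t\t
"""

# Constructed stand-in for a real place-name gazetteer.
TOWNS = {"oakfield", "lilburn", "pine grove"}

# Common words that recur without saying anything about who is searching.
STOPWORDS = {"that", "with", "family", "year", "woman", "causes", "under"}

AGE_RE = re.compile(r"\b(\d{2}) year old\b")


def parse_log(text):
    """Return (anon_id, lowercased query) pairs from AOL-style tab-separated lines."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        cols = line.split("\t")
        if len(cols) < 2 or not cols[1].strip():
            continue
        rows.append((cols[0], cols[1].strip().lower()))
    return rows


def profile_users(rows):
    """Per pseudonymous ID, collect the signals that can lead back to a person."""
    queries = defaultdict(list)
    for anon_id, query in rows:
        queries[anon_id].append(query)

    profiles = {}
    for anon_id, qs in queries.items():
        joined = " ".join(qs)
        # Signal 1: a place name from the gazetteer.
        places = {t for t in TOWNS if re.search(r"\b%s\b" % re.escape(t), joined)}
        # Signal 2: a self-reported age ("60 year old ...").
        ages = {m.group(1) for q in qs for m in AGE_RE.finditer(q)}
        # Signal 3: a term that recurs across distinct queries. People search
        # their own surname repeatedly, so a recurring rare token is a strong lead.
        in_how_many_queries = Counter()
        for q in set(qs):
            for tok in set(re.findall(r"[a-z]+", q)):
                if len(tok) >= 4 and tok not in STOPWORDS:
                    in_how_many_queries[tok] += 1
        recurring = {t for t, n in in_how_many_queries.items() if n >= 2}

        signal_count = sum(1 for s in (places, ages, recurring) if s)
        profiles[anon_id] = {
            "query_count": len(qs),
            "places": places,
            "ages": ages,
            "recurring_terms": recurring,
            # Two independent signals already narrow 600,000 users to a handful.
            "candidate": signal_count >= 2,
        }
    return profiles


if __name__ == "__main__":
    for anon_id, profile in profile_users(parse_log(SAMPLE_LOG)).items():
        print(anon_id, profile)
```

    Run against the constructed log, user 7000001 comes out with a town, an age and a recurring surname and is marked a candidate, while 7000002, whose queries are generic, is not. Swapping the numeric ID for a random one would change nothing here; only removing or coarsening the queries themselves would.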

    Posted by Ed Mierzwinski at 04:40 PM | Comments (0)


    August 11, 2006

    More On The Security Freeze

    Here's an article, States Act To Freeze Identity Thieves Out In The Cold, detailing the history of the security freeze that I wrote this spring for the newsletter of the National Association of Consumer Advocates. Thanks to the folks at NACA for all their work protecting consumers. Ignore the numbers of states that have passed laws listed in the article (get up-to-date info here), as I wrote it in March and it was printed in June, but the rest of the story is accurate. Also, over at the National Law Journal, Marcia Coyle has a nice article, Into the Breach, about states leading the way to protect consumers from security breaches and identity theft.

    Posted by Ed Mierzwinski at 03:05 PM | Comments (0)


    August 01, 2006

    New Issue of PIRG Preemption Alert

    Research Director Alison Cassady has compiled a new edition of PIRG Preemption Alert. It details the latest Congressional and regulatory threats to the right of the states to enact strong laws to protect consumer health, safety and pocketbooks. MORE:

    The preemption threat level remains high to severe: powerful special interests are pushing hard as the Congressional session winds down.

  • the Chamber of Commerce and sundry bank lobbies seek to preempt state privacy and identity theft laws;
  • grocery manufacturers want the Senate to join the House in rolling back dozens of state food safety laws;
  • the chemical manufacturers have intensified efforts to take away state authority to prevent chemical accidents and terrorist attacks; and, meanwhile,
  • the Supreme Court will review appellate decisions concerning preemption of state predatory lending and wireless (cell phone) consumer protection laws.
  • Read all about it in PIRG Preemption Alert. It's free, it's on the web and it's also available in pdf. Each alert includes highlights of key issues as well as a chart of major preemptive bills moving through Congress.

    Posted by Ed Mierzwinski at 01:48 PM | Comments (0)


    July 27, 2006

    Markey Privacy Amendments Denied Vote

    If the HIT Act passes, both privacy and strong state consumer protections take a hit. We support efforts by consumer champion Ed Markey (D-MA) today as the U.S. House takes up proposed health technology legislation -- HR 4157, the Health Information Technology Promotion Act -- that would preempt strong state privacy laws and replace them with... no privacy protections to speak of. Unfortunately, House leadership, through its puppet Rules Committee, refused to allow Markey even a floor vote on his amendment, which would have preserved strong state privacy laws and enacted strong federal privacy rules. So vote no on HIT. It is getting too routine down at the Congress: pass an industry-approved weak bill and tell the states to go away.

    Posted by Ed Mierzwinski at 05:45 AM | Comments (0)


    July 26, 2006

    Patient Privacy To Take A Back Seat To Efficiency

    It looks as if the House may take up well-intentioned but deeply flawed health technology legislation Thursday. HR 4157, the Health Information Technology Promotion Act, fails to protect patient privacy and opens the doors to a stream of federal dollars for a line of "beltway bandit" companies seeking to feed at the taxpayer trough while mining the patient data. We expect consumer champions Ed Markey (D-MA) and Lois Capps (D-CA) to lead the fight to improve the bill. PIRG supports their proposals, especially one to require a consumer's informed consent before his or her information is fed into this reckless system with inadequate oversight. Here are some of its problems, as outlined by the privacy champions at Patientprivacyrights.org. More:

  • If this bill passes as is on Thursday, Congress will have passed the last major hurdle to setting up the free flow of our personal, sensitive medical data to the insurance industry, employers, and others, to use our healthcare data for reasons that have nothing to do with treatment or payment.
  • This bill continues to rely on the weak Health Insurance Portability and Accountability Act of 1996 (HIPAA) for privacy protections -- meaning there is no privacy.
  • This means we still cannot control who accesses, sees and uses our medical information.
  • HIPAA does not provide privacy protections with respect to many who are likely to violate the individual's health privacy (such as hackers and identity thieves)
  • Protecting a patient's privacy should include a number of different requirements: The bill should recognize an individual's right to medical privacy. Patients should be asked permission before others can access their information, and be asked to opt in before their data can be put into electronic networks. Patients should be notified of suspected or actual privacy breaches. Patients should be allowed to segment sensitive information. The bill should provide protections including audit trails, breach notification, and meaningful penalties for privacy violations.
  • Such requirements currently exist for other types of private information under the Data Accountability and Trust Act and should also apply to medical data. Since February 2005, over 80 million consumer records have been hacked, yet there is no guarantee that if such breaches happen to medical records the patient in question would ever be informed.
  • Congress is currently taking steps to protect financial records and combat identity theft, yet no similar provisions exist to protect personal medical records. Confidential information is included in our medical records like Social Security numbers, addresses and drivers license numbers, PLUS our sensitive medical information. Why not protect us now? Do we have to wait for large numbers of Americans to be damaged before we protect their data?

    Posted by Ed Mierzwinski at 07:30 AM | Comments (0)


    July 25, 2006

    House Action On Privacy Likely Delayed

    The best information we now have is that the rumored floor consideration this week of HR 3997, the worst data bill ever, has been delayed again, until September at the earliest, since Congress leaves town Friday. What they say is that the bill includes provisions affecting industries that the Financial Services Committee does not have jurisdiction over. What they mean is none of the powerful special interests -- from the banks to the US Chamber of Commerce -- have agreed to any of the pro-privacy provisions in the Energy and Commerce committee's bill, HR 4127. More info.

    Posted by Ed Mierzwinski at 06:32 AM | Comments (0)


    July 21, 2006

    House May Take Up Bad Data Security Bills

    Word is that the full House may vote next week on the horrible LaTourette (R-OH)-Hooley (D-OR) data "privacy" bill, HR 3997. Here's a news release from PIRG and Consumers Union. The industry-approved bill is so bad that to gain support they've apparently removed its most offensive provision -- the one that limited security freeze rights to previous identity theft victims while it preempted all 20 stronger state laws granting these rights to everyone. The bill is still grossly unacceptable: its too-high breach notice trigger will not result in many breach notices, its state preemption is still all-encompassing and the bill will largely take state cops off the privacy beat they've policed so well. It also includes a little-noticed provision that immunizes credit bureaus from the so-called credit repair doctor laws, giving them carte blanche to deceive consumers about their over-priced credit monitoring services. We think House leadership wants to send a "We Protect Your Privacy" message, so they'll likely also try to move the Veterans Affairs Committee bill responding to the horrendous VA breach. The House, instead, should take up the much better HR 4127, passed unanimously by the Energy and Commerce Committee. Details in this previous blog.

    Posted by Ed Mierzwinski at 06:14 PM | Comments (0)


    July 19, 2006

    Delaware, Rhode Island Freeze Laws Signed

    We've updated our state security freeze and breach laws page. Most importantly, new security freeze laws were signed recently in Rhode Island and Delaware. Kudos to George Fitzgerald, a volunteer lobbyist with the Delaware credit union league. Over two years, George built a broad coalition of consumer groups, senior groups, civic organizations and businesses in support of giving consumers real control over their credit reports to prevent identity theft. And he did so in the home state of many of the nation's most powerful banks. When the Delaware law takes effect in 2008, it will be the nation's strongest and most consumer-friendly. While we, and George as well, would like to lower its $20 security freeze fee, that's a one-time fee. Consumers will have the ability to use any number of free temporary instant (15 minutes or less) unfreezes (or "temporary lifts") when they seek credit on their own.

    Posted by Ed Mierzwinski at 08:03 AM | Comments (0)


    July 18, 2006

    Bay State Residents Face Identity Theft

    Nevertheless (see the previous entry, below), the data industry, retailers and banks continue to block action where they can. MASSPIRG has a new report, Lagging Behind, which finds that because of the state's failure to enact strong identity theft laws, coupled with several major breaches reported in the last year, Bay State residents don't yet have the protections they deserve, even though "the personal information of hundreds of thousands, if not millions, of Massachusetts residents was exposed an estimated 1.8 million times." Newspapers widely report today on MASSPIRG efforts to enact its identity theft bill.

    Posted by Ed Mierzwinski at 06:39 AM | Comments (0)


    States Still Leading On Security Solutions

    Check out Dan Solove's blog entry Data Security Laws, the States, and Federalism over at his excellent law professor co-op blog ConcurringOpinions.com:

    I never used to be a fan of federalism but in following information privacy law, I've found that the states are by far more responsive to problems, more flexible and experimental in solutions, and more able to get things accomplished. Substantively, the states have also established a better balance between privacy and business interests than Congress.
    Dan is author of the 2004 book The Digital Person: Technology and Privacy in the Information Age.

    Posted by Ed Mierzwinski at 06:29 AM | Comments (0)


    July 14, 2006

    DC Holds Security Freeze Hearing

    We testified yesterday before the DC City Council in support of several proposals to enact a strong security freeze and breach notice law. Under two proposed security freeze laws, one from Councilmember Patterson and one from Councilmember Cropp, DC residents would gain the right to a free security freeze (free to place and free to lift) to protect themselves from identity theft. The DC Attorney General's Office and Consumers Union also supported strong privacy protections. A variety of insurance industry and credit bureau witnesses sought special interest exceptions from the proposals.

    Posted by Ed Mierzwinski at 10:47 AM | Comments (0)


    July 12, 2006

    Privacy expert urges free credit monitoring

    Bob Gellman, one of the nation's leading privacy experts, has a new column in DM News calling for free credit monitoring to solve the data breach and identity theft problem. EXCERPT:

    Credit monitoring is useful for addressing actual security breaches as well as the possibility of identity theft. The value of credit monitoring is not limited to known victims. It has utility to those who are not known to be victims. Here's the modest proposal. Because large percentages of the U.S. population have been or surely will be victims of security breaches or identity theft, everyone should receive free credit monitoring. If everyone had free credit monitoring, then there is a reasonable prospect that identity theft cases would be identified earlier.

    Posted by Ed Mierzwinski at 03:39 PM | Comments (0)


    July 08, 2006

    Buzz marketing: a threat to "me"

    Check out Jonathan Rowe's new blog entry Agents of Distrust over at On The Commons. He describes how buzz marketing (hiring "cool" people to drive certain cars, wear certain clothes, order certain drinks in bars, or even to read certain books on the subway) poses a real threat:

    And when selling spills out of the traditional channels of commerce, and into our personal relationships, then the capacity to have those diminishes as well. All that's left is me. It is the ultimate triumph of the commercial values of the corporate state, because there is no refuge from them.

    Posted by Ed Mierzwinski at 07:01 AM | Comments (0)


    Breach of the day

    When the Navy posts the detailed records, including Social Security Numbers, of the 100,000 or more air crew members who've flown in the last twenty years, including files on their families, all you can say is "Were they thinking?" More.

    From the Washington Post:

    Personal records for every Navy and Marine Corps aviator or aircrew member who has logged flight hours in the past 20 years have been posted on a public Navy Web site for the past six months, compromising more than 100,000 Social Security numbers, the Navy Safety Center announced yesterday.
    The Post lists a Navy helpline, 866-827-5672, but notes that it may not be up and running until the end of the weekend. This breach -- and many others -- demonstrate two things. First, gross stupidity or negligence. Second, that if you become an identity theft victim, you may never learn how your information was compromised. How is an identity theft victim supposed to forensically backtrack the loss of his or her financial DNA to this breach, that breach, or this other breach? And, more importantly, does it matter? Don't we have more important things to do than try to worry about whether the Navy, or the Veterans Administration, or ADP, or DSW Shoe Warehouse, or Citifinancial, or Bank of America, lost our data? If we didn't lose it, why should we be the ones who have to solve the problem?

    The real solutions to identity theft involve

    • (1) imposing greater responsibility on data collectors so they think more about data security;
    • (2) giving consumers greater protection, such as free (or at least very low cost) easy-to-use security freeze rights, and
    • (3) forcing the credit bureaus and creditors to do a better job verifying identities before issuing credit.
    In all the hysteria over this breach or that breach, very few policymakers have stepped up to the plate to say: "We need to hold the banks, department stores, cell phone companies and credit bureaus more accountable. Their sloppy credit-granting practices are more responsible for identity theft than anything else." That's a policymaker who could be elected to a Consumer Protection All-Star Team for hitting a home run.

    Posted by Ed Mierzwinski at 06:20 AM | Comments (0)


    July 06, 2006

    Credit Scoring Abuses By Insurance Companies

    Senior attorney Norma Garcia of Consumers Union has written an excellent new report, Score Wars: Consumers Caught in the Crossfire, The Case for Banning the Use of Credit Information in Insurance (pdf report). We and other advocates contend that insurers may be using scoring as a proxy for otherwise illegal rating factors, such as race. More:

    Here's an html release. Consumers Union, the publishers of Consumer Reports magazine, is our partner in efforts to pass strong state laws protecting privacy and preventing identity theft. From the report:

    This 35-page report examines the use of credit information in the underwriting and pricing of insurance and its negative impact on consumers. It discusses why using credit information is both unfair to consumers and unnecessary, examines trends in state laws over the last four years, discusses the flaws in the model law touted by the industry, offers a model state law to protect consumers, and provides additional suggestions for protecting consumers from the unfair use of credit information in insurance decisions.
    Here's the PIRG/Consumers Union model identity theft and privacy law, which includes a security freeze, a security breach notification provision, a ban on credit scoring in insurance, and other privacy protections. From the model law's description of the need for an insurance credit scoring ban:
    There are concerns that credit scoring may simply be a double counting of other risk factors that already are taken into consideration when setting insurance rates. Scores also may be a proxy for rating factors that insurers are prohibited from using, such as race. This model law prohibits insurers from using information regarding a consumer's creditworthiness, credit standing, or credit capacity for the purpose of determining rates for insurance or eligibility for coverage.

    Posted by Ed Mierzwinski at 11:17 AM | Comments (0)


    Help Against Medical Identity Theft

    Our colleague Pam Dixon of the World Privacy Forum has released a series of FAQs to accompany her excellent new report on medical identity theft. The report, the FAQs and other info are available at the World Privacy Forum Medical Identity Theft Pages:

    It is in your best interest to find out about medical identity theft, because fraudsters who are using your identity for medical care or services can introduce changes to your medical record that can be nearly impossible to undo. These changes can range from small things that do not pose a risk to you to substantial erroneous information that can pose a medical risk to you.

    Posted by Ed Mierzwinski at 11:02 AM | Comments (0)


    July 04, 2006

    Identity Theft NOT Rocket Science, Easy Too Fast

    Tom Zeller's story today in the New York Times, Identity Thief Finds Easy Money Hard to Resist, describes the saga of one Shiva Brent Sharma, a convicted identity thief now in jail, who started phishing for money at an early age. He was just a computer-savvy kid -- a dime-a-dozen category -- but no rocket scientist, unlike these actual NASA rocket scientists at left. More:

    From the Times:

    He also suggested it all became too easy too fast. "The challenge was really stopping, you know?" he said. "That was the hardest challenge of them all."
    Until Congress forces the banks and credit bureaus to do a better job verifying credit applicants, and gives consumers better tools, like an easy-to-use security freeze to protect themselves, more crooks (and kids) will keep joining the ranks of the identity thieves. Despite Sharma's conviction, most thieves do not get caught. There's little risk and little criminal skill is required. Heck, you don't even need to use the Internet.

    Posted by Ed Mierzwinski at 01:18 PM | Comments (0)


    July 01, 2006

    ID Theft proposal moving in Ohio

    Following a series of security breaches at Ohio University, State Rep. Jimmy Stewart, an Ohio Republican who represents the university town of Athens, has introduced tough identity theft reform legislation, according to the Associated Press. The centerpiece of his bill, modeled after a new New Jersey law, would be a convenient instant-on and instantly-liftable security freeze for all consumers:

    The bill's main aim is to give consumers a quick way to secure their personal accounts, he said - whether they've been victimized or only threatened. He said some other proposals on the issue limit credit protections to those who have already been targeted by identity thieves. "That's almost like saying you can't lock your door unless your house has been broken into before," he said.
    Of course, another Ohio Republican, Steve LaTourette, is chief sponsor of a federal proposal -- the industry-approved HR 3997, which is now moving toward House floor action -- that would unwisely limit the protection of the security freeze to victims only. Here are more details on the Congressional fight.

    Posted by Ed Mierzwinski at 07:04 AM | Comments (0)


    June 30, 2006

    Colorado identity theft security freeze law takes effect

    Here's a nice Denver 9-News video and web news story featuring Colorado PIRG director Rex Wilmouth. As a victim of two recent breaches -- Rex is a Gulf War I veteran and a registered Denver voter -- he was at double risk of identity theft, but can now invoke a security freeze under state law. Watch out for Congress taking those rights away (previous blog). And here's a column in the Coloradoan attacking the preemptive industry-approved federal proposal, HR 3997, by Colorado State Rep. Angie Paccione, one of the architects of Colorado's tough new laws.

    Posted by Ed Mierzwinski at 07:21 PM | Comments (0)


    June 28, 2006

    Some Good Columns On Identity Theft

    Two nice columns in major newspapers Sunday exposed the out and out badness of HR 3997, the industry-approved identity theft proposal before Congress that actually makes consumers worse off by taking security freeze rights from 149 million Americans in 18 states. Over at the Cleveland Plain Dealer, financial columnist Sheryl Harris had a nice piece Sunday. Excerpt:

    There are several competing bills in Congress, and some offer little real protection for consumers. One industry-friendly bill, HB 3997 - written by Ohio's own Steve LaTourette, the Concord Township Republican - would force all consumers to wait for security freezes until they're victimized.
    And in her Sunday column in the Dallas Morning News, financial columnist Pamela Yip says:
    Not being able to freeze your credit until after you're a victim of identity theft is ridiculous...People should be allowed to freeze their credit file as soon as they discover that their personal information has been exposed. The law is out of step with the speed and sophistication at which identity thieves operate today.

    Posted by Ed Mierzwinski at 02:38 PM | Comments (1)


    June 25, 2006

    House letter opposing HR 3997, worst data bill

    Here's our U.S. PIRG letter delivered to the full House opposing HR 3997, sponsored by Reps. LaTourette (R-OH) and Hooley (D-OR). HR 3997 is the worst data bill ever, for the following reasons: MORE

    HR 3997 as passed by the House Financial Services Committee:

    • imposes a terrible uniform federal breach notification standard, which has so high a test of risk that it will not result in warnings to potential victims (it's a "don't know, don't tell" standard and if it were the law, we'd never have learned about any of the breaches that have occurred from ChoicePoint on),
    • eliminates 18 strong state security freeze laws available to protect all 149 million residents in those states (HR 3997 says you must be a previous victim to protect yourself with the freeze: that's like saying no seatbelts until you've been in a car crash already),
    • explicitly prohibits state attorney general enforcement of the law,
    • fails to rein in data brokers like ChoicePoint, and
    • sweepingly preempts all stronger state privacy and identity theft laws and prevents further state leadership.

    It is important to note that we oppose HR 3997, the Financial Data Protection Act, as passed by the Financial Services Committee. Under House procedures, the bill was then referred to the Energy and Commerce committee, which substituted HR 4127 (the DATA Act) for HR 3997. In this version of HR 3997, we oppose the italicized section, which is the original Financial Services passed bill (pages 2-68). The remainder of the bill in boldface roman (pages 68-108) is the Energy and Commerce DATA bill, which is much better, but we cannot offer unqualified support due to its (much narrower than HR 3997) state law preemption. See the letter for details.

    Posted by Ed Mierzwinski at 04:24 PM | Comments (0)


    June 24, 2006

    Oregon paper opposes Hooley on id theft

    One of her own state's major newspapers, The Oregonian, has editorialized against U.S. Rep. Darlene Hooley (D-OR)'s bill, HR 3997, which guts strong state identity theft protections and replaces them with industry-approved weak federal rules.

    In 18 states -- mostly large ones encompassing about half of all Americans -- consumers who learn of a security breach can put a freeze on their credit to thwart identity thieves. Hooley's bill, which gives consumers no such rights, would pre-empt such state laws. It would also override a strong law passed first by California, followed by other states, that requires companies to notify consumers any time their unencrypted electronic data has been breached. Hooley's law is weaker, requiring notification only when the data loss has put the consumer at risk, and the company or government agency that lost the data gets to decide if that's the case.
    Our previous blog.

    Posted by Ed Mierzwinski at 06:03 AM | Comments (0)


    June 18, 2006

    Be Prepared For ID Theft: Washington Post

    In addition to offering identity theft tips in the wake of recent security breaches, Brian Krebs of the Washington Post warns that we should be prepared for Congress to take away our strong state-passed identity theft rights. My previous blog.

    Posted by Ed Mierzwinski at 04:23 AM | Comments (0)


    June 15, 2006

    Security Freeze Congressional Briefing

    Friday morning (tomorrow) at 10:30 AM in the Rayburn House Office Building, Room 2218, I'll be joining colleagues from Consumers Union, EPIC and Privacy Times to brief House staff on identity theft and the differences between HR 3997 (the worst data bill ever) and other identity theft reforms. The event is sponsored by Reps. John Dingell (D-MI) and Jan Schakowsky (D-IL), both sponsors of HR 4127, the better Energy and Commerce alternative.

    Posted by Ed Mierzwinski at 12:21 PM | Comments (0)


    June 12, 2006

    Bad VA Data Breach Shouldn't Lead To Bad Law

    Here's a Rocky Mountain News opinion-editorial (op-ed) by Rex Wilmouth, a Navy veteran of the first Gulf War and director of Colorado PIRG. The op-ed explains that as of July 1, Colorado citizens will have access to a security freeze to protect their credit reports from identity thieves. That's of course only true if Congress doesn't take that right away, as this Bergen Record (NJ) editorial Watch Your Wallet explains:

    New Jersey has one of the toughest identity-theft laws in the nation, but the House of Representatives could soon undo two of its most powerful protections. What are we missing here? Why make things easier for identity thieves and harder for the poor, endangered consumer? Any federal identity-theft bill should emulate, not eliminate, the kind of strict provisions that New Jersey and other states have already adopted.

    Posted by Ed Mierzwinski at 08:36 AM | Comments (0)


    June 08, 2006

    Identity thieves trick women into helping

    Here's a reason to sign our Stop Identity Theft Petition. Leslie Walker has a nice piece in the Washington Post detailing how identity thieves use a Miss Lonelyhearts variant to lure lonely women into stealing confidential data about patients, employees or customers at work. Identity theft isn't rocket science. If a data disk containing the records of 26 million veterans and active-duty military doesn't fall out of the sky and hit you in the head, you can use a little social engineering like this to harvest the keys to consumer financial identities. Then, you go yourself, or you send your Lonelyhearts (what drug smugglers call mules) in to simply take advantage of the myriad instant credit offers at stores and cell phone companies, where the companies do a bad job of verifying applicant identities, and the credit bureaus don't care, and you're off and running as an identity thief. It's why consumers need the security freeze.

    Posted by Ed Mierzwinski at 07:43 AM | Comments (0)


    June 07, 2006

    VA Data Loss A Threat To National Security, Included 80% of Active Duty Military, Too

    The New York Times is reporting that the VA has admitted that its loss of the confidential information of over 26 million veterans "may have included information on as many as 1.1 million active-duty service members, 430,000 National Guardsmen and 645,000 members of the Reserves." The Washington Post says that the unprecedented data loss "raises concerns about national security as well as identity theft." From the Post:

    "There is a global black market in this sort of information . . . and you suddenly have a treasure trove of information on the U.S. military that is available," said James Lewis, director of technology and public policy at CSIS. One defense official, speaking on the condition of anonymity because of the sensitivity of the matter, called the extent of the data loss "monumental."
    Our view: The soldiers and veterans should consider several steps (our previous blog) to protect themselves from identity theft, including asking the credit bureaus to impose a security freeze on their credit reports. Meanwhile, rumors swirl that the banks and other companies are leaning hard on Congress to move the industry-favored but extremely anti-consumer HR 3997 to the House floor as soon as next week. HR 3997, the worst data bill ever, actually takes away security freeze rights from 100 million Americans in 17 states. It says that you can only protect yourself from identity theft if you've already been victimized. That's like saying you cannot have a seat belt until you've been in a car crash first. A bad security breach is no reason for Congress to pass a bad identity theft law that serves the banks, not the public, and does nothing for veterans and active duty military, to boot.

    Posted by Ed Mierzwinski at 06:46 AM | Comments (1)


    June 01, 2006

    Take Survey On Using Your Cell Phone/PDA To Buy

    Consumers: Mobile commerce is the ability to make purchases of goods or services using your cell (mobile) phone, your web-enabled Personal Digital Assistant (PDA), a pager or a similar device. We would be very grateful if you could spare no more than 5 minutes to complete this survey exploring consumers' experiences with mobile commerce. The survey is being run by the PIRG-backed TransAtlantic Consumer Dialogue, a forum of European Union and US consumer organizations.

    Posted by Ed Mierzwinski at 08:57 AM | Comments (0)


    May 27, 2006

    Reporter: Free Means Fee

    Over at her Washington Post Checkout blog, reporter Caroline Mayer and several commenters have blogged on deceptive add-on fees for supposedly free e-mail trial offers. Often the fees are added on your phone bill. Never click on a "free offer" balloon on a website either, as we noted last year in a blog about complaints from online Ticketmaster shoppers over websites sharing credit card numbers with third parties.

    Posted by Ed Mierzwinski at 12:30 PM | Comments (0)


    May 14, 2006

    Phone Companies and the Credit Bureaus

    [UPDATE: corrected bad urls 15 Jan 07] (I'll get to credit bureaus and the phone company in a minute, and even access to knowledge and culture and your fair use rights, as a sidebar.) But first you need to know about Johnny Fever and the Phone Police. I've seen a few comments on the big blogs this week referring to the classic "Run, it's the phone police!" episode of the hilarious late 70's-early 80's show WKRP in Cincinnati. The 2006 blog comments are of course in reference to the recent news (see e.g., Does Anyone Have Privacy Left? in the Baltimore Sun) about the phone companies assisting NSA in spying on us. On WKRP, I recall that the phone police were chasing manic deejay Dr. Johnny Fever (played by Howard Hesseman) because he hadn't paid his phone bill. MORE:

    The phone police from the show are probably phone company in-house debt collectors. The phone companies always chase down the bills. Of course, the firms have always had a powerful cudgel hanging over their customers' heads, whether or not they ever employ phone police: "Can't pay us? No problem, we'll shut off your phone. Have a nice day."

    Now, the phone companies may actually be turning their efficient payment apparatus into a force for the public good. Verizon is beginning to report your regular payment history -- late is bad or on-time is good -- to the credit bureaus, as Gary Haber recently reported in a comprehensive story about Verizon and credit bureaus in the Delaware News Journal. Previously, they only reported extremely negative payment behaviors -- phone shut-offs, sent to collection, etc.

    However, it is a complex issue. I hope that the phone company reporting to bureaus will help consumers with thin credit histories. As the Delaware News-Journal reports:

    Mierzwinski, a supporter of expanding the information collected on credit reports, said the variable is whether timely phone-bill payments improve credit scores enough to outweigh the risk that late payments will hurt credit scores.
    Many Americans, particularly immigrant populations, may be good credit risks but suffer in the credit marketplace because they obtain their credit from non-credit-reported sources -- local merchants, family networks, etc. This results in what is called a thin credit report and a potentially lower credit score. With credit scores being used to make decisions about employment, insurance and services, as well as credit, it is important to improve the credit scoring system's coverage of under-served populations. Adding more types of information could help. Reporting of on-time payment of phone bills is one of several efforts to expand credit reporting. Another is Pay Rent, Build Credit. PRBC, for example, is working with the National Credit Reporting Association, which is an important part of the credit reporting universe.

    [NCRA does not include the so-called Big Three repository credit bureaus Equifax, Trans Union or Experian as members. Instead, its members include a variety of specialized credit bureaus, including many whose business model actually includes manual labor: such as making actual phone calls to verify files to assist consumers in getting the best mortgage rates. Ask one of the Big Three to make a phone call to check out your dispute. Of course, first you'd need to get someone on the phone, but that's another blog for later!]

    Consumer groups, including U.S. PIRG, support broadening the information on credit reports in principle. We supported a successful 2003 effort by U.S. Senator Debbie Stabenow (D-MI) to require a study of common unreported transactions in credit reports. In PIRG-endorsed 2005 Congressional testimony on new credit reporting systems by Margot Saunders of the National Consumer Law Center, NCLC, PIRG and other consumer groups testified that while rental payments were an excellent indicator of creditworthiness, and phone payments probably were, most energy-related utility payment patterns were not, and payments for over-priced predatory loans certainly were not:

    Many of the programs devised to protect low income households from shut off of essential utility service do not punish for late payments. Indeed, in some of these programs, additional benefits are triggered only after payment delinquencies. As a result, the utility payment histories for low income households will quite often have little relevance to the issue of whether the consumer would make timely payments if they were able.
    In the testimony, we also pointed out that credit scoring models "have a disproportionate impact on minorities" that could be discriminatory. Reviewing the discriminatory impact of credit scoring models deserves greater study by independent academics.

    We summarized the issues this way in Margot's testimony:

    if the new data and scoring systems are built and used appropriately, the potential benefits to consumers are significant. However, because of the way that credit data and scores are being used in the marketplace, if these systems are built incorrectly, or used inappropriately, the danger to these consumers could be devastating.

    As a coda to my reference to WKRP, it turns out that talking about WKRP also gives me a chance to talk about copyright and access to knowledge and culture. In my web research of the show, I noticed numerous on-line ads for DVDs of the show's episodes. I'd be wary. Why? I also noted numerous stories, such as this one from Wired News, that said that the cost of "clearing rights" to all the music heard in the show was prohibitive. I don't know if that problem has been solved, or if the music has been replaced on the DVDs -- the Wired story notes that several other old shows that have been put on DVD were first modified with new canned background music replacing the original soundtracks. Jaime J. Weinman's blog excerpts a very recent TV Guide interview with WKRP star Loni Anderson that indicates the problem hasn't been solved, so I am not about to buy one of these possibly altered DVDs. In his book, Free Culture, (see page 107 of the pdf online edition) Professor Larry Lessig explains the problem. He describes how John Else delayed release of his documentary movie about the making of Wagner's Ring Cycle due to rights problems. As a review of the book summarizes:

    Lessig provides an example of this with a young filmmaker and teacher, John Else, who was making a documentary about Wagner's Ring Cycle. During one scene the filmmaker was shooting some stagehands playing a board game, and in one corner of the room where filming was happening there was a television set playing an episode of "The Simpsons." When the filmmaker finished the film he attempted to clear the rights for 4.5 seconds of "The Simpsons" and was told by Fox that it would cost him $10,000. As the filmmaker feared being sued by Fox if he claimed "fair use" and couldn't afford to pay for the rights, he ultimately re-edited the film using different footage.
    Here's Gigi Sohn of Public Knowledge's recent Congressional testimony on copyright and fair use. It's an important issue.

    Posted by Ed Mierzwinski at 10:23 AM | Comments (1)


    May 10, 2006

    Spitzer Has More Evidence Against Tax Preparer Block

    This week New York Attorney General Eliot Spitzer amended his H&R Block lawsuit after announcing he has new evidence that senior management had "steam-rolled conscientious employees who objected to the fact that clients were losing money" on the firm's Express IRAs marketed as an add-on to tax preparation. Also this week, in a speech to the American Bar Association Tax Section, IRS Taxpayer Advocate Nina Olson generally backed the view of PIRG and other consumer groups that current tax privacy protections are weak, and should be strengthened more than a proposed rule would accomplish. More:

    In response to the current interpretation that if a consumer consents, he or she can be sold an over-priced triple-digit APR Refund Anticipation Loan or an under-performing IRA, Olson says:

    It is my personal opinion that taxpayer consent to use or disclosure of tax preparation information should be limited to only those instances where it is necessary for tax-related purposes. I believe the regulations should define what purposes are "tax-related." I do not believe that releasing tax return information for purposes of obtaining a Refund Anticipation Loan -- or RAL - is "tax-related." I do not believe that releasing tax return information to a bank --whether affiliated or unaffiliated with the preparer -- in order to obtain an IRA or other retirement account is "tax-related."
    Our previous blog.

    Posted by Ed Mierzwinski at 09:54 AM | Comments (0)


    April 20, 2006

    A New Horror From The IRS

    America's #1 populist Jim Hightower has weighed in against the IRS anti-privacy plan. Below find an excerpt from the full commentary:

    It's time to call 9-1-1 about an IRS proposal to change Section 7216 of the Internal Revenue Code.

    Whenever the Bushites revise regulations, you can bet that the revisions do the exact opposite of what the regulatory title claims they do. In this case, the change is titled: "Regulations to Safeguard Taxpayer Information." Uh-oh. This can't be good. Our friendly IRS quietly issued this little gem on December 8, cleverly lumping it in with a set of new rules that the agency labeled "not a significant regulatory action," hoping that no one would notice.

    Fortunately, watchdog groups didn't buy the ruse. When they actually read IRS's proposed "safeguards," they were startled to find that this regulation would authorize giants like H & R Block or any other tax preparer to sell the contents of your private tax-return to any corporation wanting to buy it! All of your personal contact information – including your Social Security number – could be sold, as well as information about your income, employer, medical expenses, children, charitable donations, etcetera.


    Take action here to urge your Senators to support and co-sponsor S. 2484, the Protecting Taxpayer Privacy Act, by Senator Barack Obama (D-IL).

    Posted by Ed Mierzwinski at 10:47 AM | Comments (0)


    April 13, 2006

    Take action: Stop The IRS Anti-Privacy Plan

    Take action here to urge your Senators to support and co-sponsor S. 2484, the Protecting Taxpayer Privacy Act, by Senator Barack Obama (D-IL). Here's the ABC News web story accompanying its Wednesday night broadcast on the IRS plan to allow tax preparers to sell your tax records. The broadcast featured PENNPIRG's Beth McConnell.

    Posted by Ed Mierzwinski at 12:23 PM | Comments (0)


    April 12, 2006

    April Preemption Alert newsletter available

    The April issue of PIRG's new newsletter, Preemption Alert, is available. Excerpts from the highlights:

    Protecting America's Food Supply: On March 2, over the objections of 39 Attorneys General, the House passed the National Uniformity for Food Act, which preempts at least 200 state food safety laws.

    Securing Chemical Plants: In a March 21 speech to the American Chemistry Council, Homeland Security Secretary Michael Chertoff signaled his support for weak federal safety standards for chemical plants and federal preemption of stronger state standards.

    Protecting Americans' Privacy: On March 30, the Senate Commerce Committee marked up a weak bill to protect consumers from those who seek to fraudulently access their phone records. This bill broadly preempts stronger state privacy laws or regulations as well as any laws imposing liability on companies for failing to protect consumer privacy.

    Providing Quality and Affordable Health Care: On March 15, the Senate Health, Education, Labor and Pensions Committee passed a bill allowing insurance companies or HMOs to circumvent state patient rights laws.

    Posted by Ed Mierzwinski at 12:34 PM | Comments (0)


    April 11, 2006

    More On The IRS Privacy Proposal

    The Olympian, in Washington State, editorializes against the IRS plan to allow tax preparers to sell our info to third parties. So does Black Enterprise Magazine. Here's a blog on The Nation magazine website urging action against the IRS.

    Posted by Ed Mierzwinski at 11:44 AM | Comments (0)


    April 10, 2006

    Privacy, Google and San Francisco Wi-Fi

    Last week two privacy groups, EPIC and the Electronic Frontier Foundation, released an analysis of the privacy threats posed by various commercial business proposals to set up low-cost "muni wi-fi" under contract to San Francisco. Today's New York Times describes the privacy issues posed by Google's winning entry in a story by Laurie Flynn, Some Worries as San Francisco Goes Wireless.

    But in the few days since the winning bidder was announced, the city...has found itself at the center of debate about the role of advertising, the implications of the network on consumer privacy and the effect on telecommunications companies that today sell Internet access in the city.
    Our previous blog.

    Posted by Ed Mierzwinski at 08:55 AM | Comments (0)


    April 09, 2006

    Conservative Against IRS Tax Record Sales Plan

    Over the years we've worked with both Paul Weyrich's Free Congress Foundation and Phyllis Schlafly's Eagle Forum on various financial privacy proposals. That's how it should be-- privacy is a deeply-held American value that cuts across all ideological lines. Steve Lilienthal of Free Congress has a column Tax Returns - Confidentiality, Not An Open Door opposing the wrongheaded IRS proposal from a conservative stance, appearing around the net (see it also at Accuracy in Media): Excerpt:

    Conservatives have good reason to express displeasure with this IRS initiative. IRS and other governmental agencies which collect sensitive personal information have no business becoming, in effect, an enabler of the direct marketing industry or financial institutions. The "consent signatures" are too likely to be signed by taxpayers based upon trust in their tax-preparer. Conservatives have qualms about mandated collection of information by government; that a government rule might serve to encourage the selling of that information to third parties, such as data brokers, should give conservatives pause.
    A number of bills have been introduced in Congress to protect taxpayers from the IRS and its plan to further open their tax records to direct marketers and others. We'll analyze the bills in a future blog. More info on our views.

    Posted by Ed Mierzwinski at 07:49 AM | Comments (0)


    April 07, 2006

    Privacy and Preemption at the Bar Association

    I am speaking today at the Spring meeting of the Business Law Section of the American Bar Association in Tampa on the Frederick Fisher Memorial Program. The panel is Consumer Privacy and Information Security: Does the Risk of Security Breaches Justify the Burden of Additional Safeguards? Other panelists are Joel Winston of FTC, Jonathan Rusch of Justice, Anne Fortney of the firm Hudson Cook and Fred Cate, Indiana Law School. The correct answer of course, is yes, more federal safeguards, but no, don't preempt any better state safeguards. Other panelists may have other views.

    Posted by Ed Mierzwinski at 01:18 PM | Comments (0)


    April 05, 2006

    IRS Holds Privacy Proposal Hearing

    PENNPIRG's Beth McConnell testified at yesterday's IRS hearing on its own misguided proposal to weaken privacy rules for tax returns. Here's Beth's testimony on behalf of PENNPIRG Education Fund, U.S. PIRG, the Consumer Federation of America and the National Consumer Law Center (PENNPIRG's main IRS Privacy page). Connecticut Attorney General Dick Blumenthal testified on behalf of 47 state Attorneys General (their letter).

    Posted by Ed Mierzwinski at 09:38 AM | Comments (0)


    March 30, 2006

    Senate Commerce Has Awful Phone Privacy Bill

    Here's a consumer letter (PIRG, Consumers Union, Consumer Federation of America) opposing S 2389, a bill marked up today in Senate Commerce that purports to protect consumer phone records from pretext calling and other privacy invasions. From the letter:

    We remain deeply concerned that the bill neither requires carriers to implement meaningful safeguards to protect their customers’ private information nor addresses the problem of widespread sharing of CPNI data by carriers. Given the absence of stronger federal protections for consumers and the broad state preemption preventing states from adopting effective privacy measures, we are unable to support the bill in its current form.

    Posted by Ed Mierzwinski at 01:39 PM | Comments (0)


    March 29, 2006

    Stop The IRS Privacy Invasion Plan!

    CALPIRG has an IRS Action web page where you can join thousands of consumers telling the IRS No Sale of Tax Records. Register your opposition to an IRS proposal to make it easier for tax preparers to sell your tax information to the highest bidder. Here's the CALPIRG news release. Newspaper editorials are running 100% against. Previous blog with more details.

    Posted by Ed Mierzwinski at 01:19 PM | Comments (0)


    DATA bill markup in House E&C Committee

    Here's our letter opposing HR 4127, the DATA bill, on preemption grounds. The DATA bill is the House Energy and Commerce Committee version of data security and breach notification legislation. On policy grounds, it is vastly superior to the worst bill ever, HR 3997, as passed by the Financial Services Committee. We commend the Energy and Commerce managers, Chairman Barton (R-TX) and Reps. Stearns (R-FL) and Dingell (D-MI) and Schakowsky (D-IL) for improving the subcommittee draft immensely. More:

The full committee substitute is much improved from the subcommittee version. On policy grounds, we say:

    In particular, the bill includes a very strong standard (but still weaker than many state standards) for determining whether notices of breaches will be required. We believe that the bill’s breach trigger will both deter breaches in the first place and require notices in many more circumstances than the weak “risk-based” triggers in most other Congressional proposals (see, for example, HR 3997 as approved by the Financial Services Committee). In addition, the bill imposes Fair Information Practice-based privacy duties on the class of virtually unregulated data brokers like Choicepoint. It also restricts the sordid practice of pretexting, literally not telling the truth, to obtain confidential consumer information.

    Nevertheless, we cannot support rolling back the right of states to protect their citizens better. Here's why:

    We believe that industry’s claims about the compliance cost of “50 different laws” are unsubstantiated. Indeed, if Congress passes a good enough law, the states will move onto other issues. But if Congress fails to do the job, then the states have demonstrated an ability to respond quickly to new problems. In addition, industry’s allegations about compliance costs are without foundation; a firm can comply nationally simply by ensuring that its practices meet the standards of the one strongest state law. (It should not be impossible to comply with both federal and state law. We do not, nor do other privacy or consumer groups, oppose any provision that would provide that a state law may not be inconsistent with the federal law, provided that it also says that a state law providing greater consumer protection is not inconsistent.) We are extremely troubled that on a wide range of issues from air pollution to food safety to predatory lending to product safety to privacy, the Congress and the administration generally accept industry demands to eliminate fifty laboratories of public policy as a condition of passing what often ends up to be a modest federal law.

    Posted by Ed Mierzwinski at 07:45 AM | Comments (0)


    March 28, 2006

    Interview on Data Security

    Declan McCullagh of CNET News has posted a nice interview with me, with a picture, called Newsmaker: The politics of data security. It's a good summary of why PIRG believes no federal breach notice legislation, especially legislation that preempts stronger state laws, is necessary.

    Posted by Ed Mierzwinski at 10:24 AM | Comments (0)


    March 27, 2006

    San Francisco Wi-Fi Plan has privacy leaks

    In The Nation, Jeff Chester of the Center for Digital Democracy describes how powerful interests, including Google and Earthlink and others, hope to win a self-serving contract with San Francisco (and other cities) to provide muni wi-fi services. The web product they offer will be slow and clunky, but wait, there's more: the firms hope to capture and track information on users for corporate marketing. As Chester explains:

    Consumers and public officials should have no illusions that what is being touted as a public benefit is also designed to spur the growth of a mobile marketing ecosystem, an emerging field of electronic commerce that is expected to generate huge revenues for Google, Microsoft, AT&T and many others.
    Chester goes on to explain that residents would be
    "subjected to intensive data-mining of their web searches, e-mail messages and other online activities are tracked, profiled and targeted. The inevitable consequences are an erosion of online privacy, potential new threats of surveillance by law enforcement agencies and private parties, and the growing commercialization of culture."
    Chris Hoofnagle over at EPIC West, who has worked against the SF plan, has more.

    Posted by Ed Mierzwinski at 01:05 PM | Comments (1)


    March 19, 2006

    Is Congress Going Soft On Identity Theft Crime?

    The New York Times had a story by Damon Darlin Saturday on the issues around the need for strong security freeze laws and the threat to strong state privacy protections posed by Congressional meddling. The piece quotes NJPIRG's Abigail Caplovitz, who helped champion the nation's strongest security freeze law to passage:

    Consumer groups are upset that a federal law might supersede what has been done at the state level. "Is Congress going to go soft on crime?" asked Abigail Caplovitz, legislative advocate at the New Jersey Public Interest Research Group. Her group thinks that a law it pushed through the New Jersey Legislature last year cuts down on identity theft because it makes it relatively easy and inexpensive for consumers to lock and unlock their credit reports. "Unless a credit freeze is user-friendly, it is useless because it won't be used," Ms. Caplovitz said.
    The piece goes on to describe how credit bureaus are making billions selling us credit-monitoring products -- a protection racket if I ever saw one, since their sloppy practices are the reason consumers need to purchase the product -- at $100 or more each year. While the piece quotes the credit bureaus whining about a patchwork quilt of different state laws, the bureaus simply don't want that credit monitoring profit spigot turned off. Neither credit monitoring nor fraud alerts (available only to victims and active-duty military personnel) are guaranteed to stop identity theft-- only a strong consumer-friendly security freeze can do that. Here's a link to a blog entry that includes a joint news release from PIRG and Consumers Union following passage of "the worst data security bill ever" by the US House Financial Services Committee Thursday.

    Posted by Ed Mierzwinski at 04:33 AM | Comments (1)


    March 18, 2006

    Take Action To Stop IRS Anti-Privacy Proposal

    Take action at PENNPIRG to stop the IRS proposal that would allow tax preparers to share your confidential tax records with data marketers. At PennPIRG you can also watch PENNPIRG's Beth McConnell on a CNBC video clip criticizing the proposal. Read our comments and news release. (PDFs)

    Posted by Ed Mierzwinski at 04:39 AM | Comments (0)


    March 16, 2006

    Worst data bill passes committee

    Today the House Financial Services Committee voted out HR 3997, a bill that threatens to destroy all the good work that the states have done to prevent identity theft, without preventing any itself. Here's a joint release from U.S. PIRG and Consumers Union, publisher of Consumer Reports. The bill establishes weak duties to protect confidential consumer DNA yet grants broad discretion to ignore telling us when banks or other companies lose it. The bill gives identity theft victims only, but not everyone, a clunky consumer-unfriendly right to place a security freeze on their credit report. It then preempts the 8 states that give every consumer the right to a security freeze. Among these is New Jersey's freeze, which is the most streamlined and consumer-friendly. The bill preempts all stronger state protections in a broad array of identity theft areas. Even though it amends the Fair Credit Reporting Act, a law that allows state attorneys general shared enforcement authority, HR 3997 expressly prohibits state Attorneys General from enforcing its provisions. During the debate, numerous supporters of the bill came up with an incredible new argument: "allowing state Attorneys General to enforce federal laws would upset the federal uniformity we seek." Fortunately, this bill is not yet law. For more information, see the previous 4 posts.

    Posted by Ed Mierzwinski at 07:51 PM | Comments (1)


    March 15, 2006

    Worst data bill ever marches forward

    Here's the latest 10-group letter opposing HR 3997, easily the worst data breach bill ever. The House Financial Services Committee is scheduled to begin, but perhaps not finish, voting on the bill beginning today. Among the "highlights" of the bill, it would:
    -- establish a trigger for data breach notification that experts believe would result in no notices to consumers, because the standard is too high. We only know about the 100 breaches that have occurred since Choicepoint because of the strong California trigger.
    -- Establish a weak, but preemptive security freeze that only applies to victims. You've already been shot, so they give you but no one else a bulletproof vest.
    -- Establish a process to begin to undercut the privacy protections of the federal Gramm Leach Bliley Act while simultaneously permanently preempting all state activities on financial privacy.
    -- Fail to even lightly regulate the activities of data brokers like ChoicePoint, the unregulated company that sold 163,000 dossiers to identity thieves (other than to subject them to the same weak data security rules that shoe stores would be subject to under HR 3997).
    -- Expressly disallow state Attorneys General from protecting their citizens from privacy invasions.
    -- Fail to assist non-English speaking individuals who have difficulty gaining access to their credit report. The inability of Latinos and other immigrants to access their credit report in languages they can understand means that they will be unable to file complaints and fraud alerts, and monitor their credit report for identity theft purposes.

    Posted by Ed Mierzwinski at 08:53 AM | Comments (0)


    March 13, 2006

    Latest House Draft Preempts State Freeze Laws

    The latest draft of HR 3997 (See blog entry just below) includes a new section that preempts stronger state freeze laws and implements a weak "victims with police reports" only federal freeze. This makes a bad bill worse.

    Security freezes give consumers real control over access to their credit report that no other identity theft prevention action provides them with. Your best defense is going to be a security freeze. A freeze prevents access to your credit report to new creditors. This closes a loophole that identity thieves have exploited, since most businesses will not issue new credit or loans to people without first reviewing their credit reports.

Why shouldn't all consumers have the right to a free or low-cost consumer-friendly (easy-to-use) freeze? Don't we need "instant privacy" to counter the risk that "instant credit" poses? And don't we need real protection-- protection that the Fair Credit Reporting Act says the credit bureaus should provide us anyway?

    Giving the right to a security freeze only to ID theft victims is locking the door after the horse has already left the barn. All consumers should have the right to sleep at night without worrying about identity theft, by placing a freeze on their accounts. It's the only proven way to stop identity theft before it starts.

    This important right should not merely be provided after you've already become a victim. What good is that? In fact, granting the right to a freeze only to victims runs counter to industry's basic lobbying claim that existing fraud alert rights are already adequate protection to victims against repeat occurrences. (By the way, they're not: (1) fraud alerts are only available to some consumers and (2) don't absolutely stop credit granting. Presence of a fraud alert merely subjects the creditor to potential liability if it doesn't do certain things.)

    Posted by Ed Mierzwinski at 10:34 AM | Comments (0)


    Awful Data Breach Bill In U.S. House

On Wednesday, the House Financial Services Committee is scheduled to vote on HR 3997. The so-called Financial Data Protection Act is easily the most problematic, preemptive, loophole-ridden and industry-friendly proposal that has a chance to move in the Congress. Here's a letter in opposition from PIRG and Consumers Union. Excerpt:

    The bill would put in place a weak federal system and overturn many stronger state laws. We believe consumers today would be worse off under this bill than if nothing passed...Had H.R. 3997 been in place, we doubt we would have heard about any of the data breaches that came to light in 2005, which affected tens of millions of Americans.

    Posted by Ed Mierzwinski at 08:27 AM | Comments (0)


    March 08, 2006

    IRS Proposes To Allow Sale of Taxpayer Records

    I'm shocked, but not surprised, that the same IRS that let Richard Nixon and many other Presidents run roughshod over the privacy of ordinary American citizens now wants to let powerful special interests plunder our confidential tax records for commercial gain. Today, U.S. PIRG joined the National Consumer Law Center and the Consumer Federation of America in comments urging the IRS not to further weaken taxpayer privacy protections. Here are our comments and a news release.

Excerpt from the release:

    The most disturbing part of the IRS proposal is a change that would allow preparers to seek consent for disclosure of return information to other third party businesses for marketing purposes. Representatives of the consumer groups expressed concerns that these changes would permit commercial preparers to sell tax return information to data brokers.
    (Richard Nixon and other presidents? See testimony of David Burnham, also author of the definitive A Law Unto Itself: Power, Politics, and the IRS.)

    Posted by Ed Mierzwinski at 12:35 PM | Comments (0)


    January 31, 2006

    Summary of Congressional Identity Theft Proposals

    Consumers Union is maintaining a list of key federal identity theft proposals here. The list describes bill status (ready for floor, in committee, etc) and summarizes its provisions, including whether it preempts stronger state laws.

    Posted by Ed Mierzwinski at 11:50 AM | Comments (0)


    January 30, 2006

    More on ChoicePoint breach settlement

    Over at his blog, Concurringopinions.com -- GWU law professor and privacy expert Daniel Solove has an excellent commentary on the FTC's settlement with ChoicePoint.

    Professor Solove is co-author, with Chris Hoofnagle of EPIC, of a December 2004 ChoicePoint complaint to the FTC. That complaint largely focuses on ChoicePoint's unregulated sale of data broker information products. The settlement did not address this. We (previous post) and others, including Rep. Ed Markey (D-MA), have also criticized the failure of the settlement to reach this important issue.

    Professor Solove's post makes the following and other points:

    1. The settlement might not have been possible were it not for the California security breach disclosure law (SB 1386, codified at Cal. Civ. Code § 1798.82(a)) that required ChoicePoint to disclose its security breach. Currently, data brokers are trying to get Congress to pass a very weak and narrow security breach notice provision that preempts stronger state laws...A weak preemptive federal disclosure bill will wipe away much stronger protection in many states. The very kind of disclosure law that made the FTC settlement possible might be nullified if Congress passes the data "protection" laws that the data brokers want...

    2. The FTC complaint and settlement illustrates why it is important to have data brokers regulated under the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681. FCRA, the law upon which the FTC's complaint was premised, regulates consumer reporting agencies...These databases have yet to be regulated. The ChoicePoint settlement does not address the letter Hoofnagle and I sent to the FTC. Thus, although the settlement is a step forward, it does not address all of the problems caused by data brokers. Much more must be done to effectively regulate data brokers.

    Posted by Ed Mierzwinski at 05:48 PM | Comments (0)


    January 26, 2006

    PIRG Statement on ChoicePoint Privacy Settlement

    For Immediate Release, 26 January 2006

    FTC Issues Big Penalty To ChoicePoint For Privacy Violations
    Now What Will Congress Do?

    Statement of Edmund Mierzwinski, U.S. PIRG Consumer Program Director

    "Today, the FTC warned corporate America that it can't play fast and loose with consumer information without paying the price. More

    The complaint and settlement order detail a stunningly sloppy business model at ChoicePoint, which was ordered to pay a record $10 million civil penalty and $5 million in consumer restitution for selling credit reports and other confidential information to identity thieves, for violating its privacy promises and for failing to have any sort of adequate data security program, especially for a firm with billions of consumer records in its files.

    But the FTC is only part of our system of privacy protection. The states play a critical role as well. We only learned of the ChoicePoint breach following passage of California's pioneering security breach notice law, which ChoicePoint complied with nationwide. Security breach notices are an early warning system that you may become a victim of fraud or identity theft. Consumers also need the ability to control access to their credit reports to stop fraud and identity theft before it starts. The states are taking action. In 2005 alone, 22 more states passed breach notice laws and 8 more states, for a total of 12 so far, enacted security freeze laws that give consumers real control over who can access their credit reports.

But industry lobbyists have asked Congress to eliminate state authority to prevent identity theft. Several weak and preemptive proposals are ready for floor action but should be defeated. Further, none of the bills that are moving address the broader ChoicePoint problem. ChoicePoint sells a number of data products that are unregulated, that consumers can neither look at nor correct by law, nor sue ChoicePoint over themselves if they are sold improperly and damage the consumer. Congress needs to regulate these unregulated data brokers. The states have already solved the breach notice problem."
    -30-
    U.S. PIRG is the federal lobbying office for state Public Interest Research Groups. PIRGs are non-profit, non-partisan public interest advocacy groups. PIRG's consumer pages are linked from the regularly-updated and searchable PIRG Consumer Blog at http://www.uspirg.org/consumer.

    Posted by Ed Mierzwinski at 04:04 PM | Comments (0)


    FTC Slams Choicepoint With Record Fine For Data Breach

    The FTC has imposed a $10 million civil penalty and ordered the data broker ChoicePoint to pay consumers $5 million in restitution to settle extremely detailed charges of sloppy practices that violated both the FTC Act and the Fair Credit Reporting Act. The complaint alleges that (so far) there are at least 800 known cases of identity theft stemming from ChoicePoint selling at least 163,000 consumer records to identity thieves. We'll have a release later today. A few excerpts from the complaint may answer your questions about just how one of the biggest and most sophisticated data brokers in America sold confidential dossiers, Social Security Numbers and regulated credit reports to identity thieves: MORE:

    b. ChoicePoint accepted as verification of certain application information (e.g., business address) documents that otherwise called into question the authenticity of the applicant's business or the reliability of information supplied by the applicant, such as a utility statement showing a delinquent account or a telephone statement showing billing at a residential, rather than a business, rate;
    g. ChoicePoint accepted and approved, without further inquiry, the applications of subscribers notwithstanding the fact that ChoicePoint's own internal reports on the applicant linked him or her to possible fraud associated with the Social Security number of another individual.
    14. ChoicePoint also failed to monitor or otherwise identify unauthorized activity by subscribers, even after receiving subpoenas from law enforcement authorities between 2001 and 2005 alerting it to fraudulent accounts, and even when its own experiences with the subscriber should have raised doubts about the legitimacy of the subscriber’s business.

    Some of ChoicePoint's products actually are strictly regulated credit reports (called consumer reports in the law):

b. Continuing to furnish consumer reports to a subscriber when the subscriber's telephone had been disconnected, the business address of the subscriber was found to be incorrect, the credit card number provided by the subscriber for payment to ChoicePoint was in the name of an individual not associated with the subscriber's ChoicePoint account, the subscriber made multiple changes of address and/or telephone numbers over a short period of time, and the subscriber made payments to ChoicePoint solely by commercial money orders drawn on multiple issuers;
    21. In numerous instances, ChoicePoint has furnished consumer reports to subscribers under circumstances in which ChoicePoint had reasonable grounds for believing that the reports would not be used for a permissible purpose.
    ChoicePoint has failed to implement reasonable procedures, such as site visits, audits, or other verification, for users who typically have both permissible and impermissible purposes for using consumer reports (such as attorneys, insurance companies, private investigators, detective agencies, and protective service firms) to ensure that such users were using consumer report information for permissible purposes only.

    You can read the full complaint and settlement order here. Previous blog on these issues.

    Posted by Ed Mierzwinski at 02:12 PM | Comments (0)


    ID Theft Still #1 FTC Fraud Complaint In 2005

    Yesterday, the FTC released its list of Top Ten fraud complaints for 2005: "Complaints about identity theft topped the list, accounting for 255,000 of more than 686,000 complaints filed with the agency in 2005." The study finds more than a third of complaints to the FTC are about identity theft (which includes credit card fraud). We still need to enact tough laws to prevent the crime.

I am sure industry will claim that the data can be parsed to show no new laws are needed (except weak federal laws trumping tiresome state authority, of course). Actually, here are the facts from the report: New credit card accounts are 15.6% of the misuse of victims' info, down only slightly from 2004, when it was 16.5%. Attempted (but unsuccessful) ID theft, by contrast, is steady at 6%. New utility, phone, and wireless accounts were 19.7%, down only slightly from 2004's 20.3%. Clearly, after-the-fact fraud alerts don't work. We need to give consumers before-the-crime-starts control of their information through the security freeze. See previous blog.

    Posted by Ed Mierzwinski at 08:46 AM | Comments (0)


    FTC to fine ChoicePoint for selling data to identity thieves

The FTC has a news conference scheduled for 11 am to impose a multi-million dollar penalty against an unnamed company that failed to protect data security. Chris Conkey of The Wall Street Journal reports this morning that ChoicePoint is the one. We only know about the millions of consumers whose financial lives have been put at risk of identity theft and fraud because of a pioneering California security breach notice law that is being complied with nationally (22 more states in 2005 passed their own new laws). The only way consumers can protect themselves against identity theft is to place a security freeze on their reports (12 states now have laws). (Our regularly updated list of state breach notice and freeze laws is here.) We need to watch Congress diligently as it continues to consider weak industry-friendly breach and freeze laws that would eliminate state authority to protect privacy and prevent identity theft.

    All consumers should have the right to take control of their financial DNA by using a consumer-friendly and low-cost security freeze, as a new NJPIRG-backed law provides. Strong breach notice requirements without weak discretionary "risk triggers" should apply to all data collectors. Another question remains: What, if anything, is being done to affirmatively and comprehensively regulate all the business practices of ChoicePoint and other data brokers? More here from PIRG. Here's EPIC's ChoicePoint page; EPIC filed an FTC complaint on privacy-unfriendly business practices of ChoicePoint and other unregulated data brokers in December 2004. Will the FTC order also address data broker practices, or only the relatively narrow issue of data security and the ChoicePoint breach?

This PIRG Consumer Blog category archive (Protecting Privacy) keeps track of the threats to Americans' privacy and this one (States: Laboratories of Democracy) keeps track of Congressional, court and Bush administration threats to immunize wrongdoers from strong state requirements to protect health and safety, privacy, and other fundamental rights.

    Posted by Ed Mierzwinski at 05:11 AM | Comments (0)


    January 08, 2006

    Illinois proposes no "lying" law for investigators, others

    Building on research by EPIC, Illinois Governor Rod Blagojevich and Illinois Attorney General Lisa Madigan, backed by Illinois PIRG, have proposed [Chicago Tribune story] legislation to fight identity theft and protect privacy by restricting the use of "pretext phone calls" by private investigators. From the governor's release:

[The legislation would] crack down on the unauthorized release or sale of phone records and other private information by brokers and phone companies. According to the Electronic Privacy Information Center (EPIC), Illinois would become the first state in the nation to fight “pretexting,” which is pretending to be the account holder, or have authorization to access an account, to obtain cell phone records, long distance call records and other personal records, such as GM OnStar information.
    The federal Gramm-Leach-Bliley Act of 1999 prohibits the use of pretexting to scam a financial institution, but not others, for personal info. Chris Hoofnagle of EPIC has investigated the practice in detail and along with Illinois PIRG worked closely with the governor's staff on the proposal. EPIC has filed an FTC complaint against Intelligent e-Commerce, Inc and its web portal Bestpeoplesearch. Chris has a blog entry on pretexting where he quotes a recent CNBC TV interview with an attorney for Bestpeoplesearch:
    (EXCERPT) Dylan Ratigan (Host): Does your client, the people that your client hires, to get these records, do those people lie to the phone company, misrepresent their identity, in order to obtain the records that your client then resells?

    Slade: In all likelihood, yes, but I wouldn't characterize it as lying. It's what's called a pretext call...

    Ratigan: Well come on, come on Larry...

    Slade: It's what's called a pretext call...

    Ratigan: It's called a lie...It's a lie, Larry.

    Posted by Ed Mierzwinski at 04:34 PM | Comments (0)


    January 05, 2006

    Pennsylvania 23rd Security Breach Law State

    On 22 December 2005, Pennsylvania Governor Ed Rendell approved SB 712, to provide for security breach notification. PennPIRG didn't support the bill and asked the Governor to veto it. It suffers from the same flaws as most federal proposals-- its exceptions are broad and its threshold, or trigger, before notification to consumers is required, is too high, way too high. It is so high, it is possible that the law won’t result in any notices at all:

    The unauthorized access and acquisition of computerized data that MATERIALLY compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth.
    The qualifiers in the rule essentially gut it. For example, the word MATERIALLY is capitalized in the final law, meaning it was a last minute amendment making a weak standard weaker. We've updated our list of state breach and freeze laws.

    Posted by Ed Mierzwinski at 03:17 PM | Comments (0)


    December 30, 2005

    New breach/freeze laws kick in on New Year's Day

    On New Year's Day or shortly thereafter, a number of state-enacted security breach notice, security freeze and other identity theft laws take effect. I list them below. Now, our big task and #1 New Year's Resolution is to prevent Congress from eviscerating all these new laws and replacing them with a weak, shoddy industry-approved alternative.

    The Associated Press reports on New Jersey's law, among the toughest and broadest in the nation. The story includes extensive analysis by NJPIRG advocate Abigail Caplovitz. In addition to the nation's best security freeze, the new NJ law includes a strong breach notice provision, a requirement that police take reports from identity theft victims and document destruction and Social Security Number protection provisions. On his blog, privacy expert Chris Hoofnagle of EPIC throws some nice props to New Jersey and NJPIRG:

The privacy center of gravity may have shifted from Sacramento, California to Trenton, New Jersey...New Jersey PIRG deserves much of the credit for shepherding the legislation and keeping it strong.
    We keep track of all state freeze and breach laws here. Along with Consumers Union, we have a model state identity theft law here.

    Breach Notice and Security Freeze Laws Taking Effect 1 January 2006 or soon: New Jersey, Connecticut, Illinois (and North Carolina's law took effect 1 Dec 2005).
    1 February 2006: Maine

    Other Breach Notice Laws Taking Effect 1 January 2006 or soon:
    1 January: Louisiana, Minnesota, Nevada
    20 January (approx, actually 120 days after 20 Sept 05): New York
    31 January: Maine
    15 February: Ohio
    1 March: Rhode Island

    Posted by Ed Mierzwinski at 08:35 AM | Comments (0)


    December 29, 2005

    ABC Internet News On Marriott Security Breach

    Although neither my name nor PIRG are mentioned (we'll try to get that fixed), I am the consumer advocate giving identity theft tips ("financial DNA") in this ABC News web extra video on the Marriott breach. Previous blog.

    Posted by Ed Mierzwinski at 08:30 AM | Comments (0)


    December 28, 2005

    Marriott loses customer files

Marriott is sending breach notice letters to time-share customers after admitting it lost or misplaced or had stolen (it says it doesn't know) 206,000 time-share customer data files, according to the Washington Post. MORE:

    I couldn't find the news release at Marriott.com. I finally found it buried under "corporate info" over at Marriott Vacation Club International along with the letters to customers and others. Over 53 million Americans have had their confidential information lost, stolen or sold to thieves (Choicepoint's claim to breach fame) by companies or agencies this year. Privacy Rights Clearinghouse and Identity Theft Resource Center keep nice lists. We're watching Congress closely to make sure that it doesn't eviscerate strong state breach notice and other privacy laws (our list) as it continues efforts in 2006 to enact an unnecessary national breach notice law. If companies are already complying nationally with the California breach notice and other state laws, who needs a weaker federal law that coincidentally guts other privacy laws also? Campaign contributor corporations that don't like being responsible and don't like admitting they blew it, that's who.

    Posted by Ed Mierzwinski at 08:36 AM | Comments (0)


    December 27, 2005

    NJPIRG ID Theft Expert On Montel

    Banks like to claim they're the only victims of identity theft. Wrong. Yesterday, NJPIRG Consumer Attorney Abigail Caplovitz gave identity theft tips on the Montel Williams TV show. Watch for it in reruns. The other guests were victims of criminal identity theft who were wrongly identified as criminals. From Montel's show description:

    One night Lori was at home with her twins cooking dinner when there was a knock at the door. The police ransacked her home, took some of her belongings, handcuffed her in front of her young children, and she sat in jail for two days.
    PIRG's identity theft tips are here and this is our printable factsheet.

    Posted by Ed Mierzwinski at 10:34 AM | Comments (0)


    December 19, 2005

    Store return policies/Return Exchange

    NYPIRG has released a new report Many Unhappy Returns documenting store return policies and making recommendations to consumers to avoid hassles. (News clip here from the North Country Gazette.) Two things to remember:

    (1) State (and local) laws generally only require that retailers disclose their return policies (that is, retailers are generally not required to accept returns for 30 days with receipts, etc.)
    (2) Many retailers are now using a shared database known as the Return Exchange which keeps track of frequent returners in an effort, they say, to crack down on a small number of abusers. The Return Exchange is yet another commercial database tracking Americans. Over at EPIC West, privacy expert Chris Hoofnagle explains how it works and how it appears to barely skirt the Fair Credit Reporting Act's requirements for becoming a credit bureau (which would subject it to numerous requirements and give data subjects (consumers) delineated rights).

    Posted by Ed Mierzwinski at 10:31 AM | Comments (0)


    December 05, 2005

    C-Span covers panel on privacy/identity theft

    Yesterday I spoke as part of a panel on state solutions to privacy and identity theft at the national conference of the National Center for Policy Alternatives. Other panelists were Susanna Montezemolo of Consumers Union and State Senator Jeanne Kohl-Welles of Washington State. The moderator was Georgia State Representative Alisha Thomas Morgan. C-Span covered the event. It is running live on C-Span 1 right now (2:30pm Monday). It may appear in C-Span 1, 2 or 3 re-runs or be watchable on the C-Span Internet archives for the next few weeks. Check the C-Span site.

    Posted by Ed Mierzwinski at 02:43 PM | Comments (1)


    December 03, 2005

    Ohio passes security breach notice law

    Ohio is the 22nd state to enact a security breach notice law, HB 104. We've updated our state security freeze and breach notice pages.

    Posted by Ed Mierzwinski at 03:46 PM | Comments (0)


    November 18, 2005

    Better breach bill moves in Senate Judiciary

    Yesterday Senate Judiciary approved S 1789, the security breach notice and data broker security bill drafted by Chairman Arlen Specter (R-PA) and ranking member Pat Leahy (D-VT). While the bill includes an unacceptable preemption provision, it has the strongest breach notice "trigger" of any bill moving in the Congress. Here's more:

    Unlike all the weak "industry-approved" triggers that variously give the company that lost data the authority to decide whether it has reason to believe that there may be some or substantial or reasonable risk, Specter-Leahy requires notice by companies unless they can show "no risk." Also, Specter-Leahy gives consumers privacy rights against data brokers like ChoicePoint. Most bills skip this important step (see previous blog Cutting The Privacy Baby In Half). Here's our letter on S 1789 to the committee. Also, last week I testified (summary) before the state of Vermont on security breaches. Vermont is one of the leading state laboratories of privacy democracy.

    Posted by Ed Mierzwinski at 10:12 AM | Comments (0)


    November 15, 2005

    Privacy principles letter sent to hill

    U.S. PIRG and other privacy advocates, including EPIC, have sent a letter to hill leaders (html or pdf) detailing bottom line privacy principles for any privacy legislation that Congress might enact this year.

    Congress has still not taken any action on any strong privacy and security breach legislation. Last week Senator Specter intended to hold a Judiciary vote on S. 1789 (Specter-Leahy), a bill with several positive policy provisions (although it unacceptably preempts stronger state laws), but did not have a quorum. That committee had previously approved an "industry-approved" bill, S 1326 (Sessions-R-AL). More here on what other committees have done in a previous blog, Cutting The Privacy Baby In Half.

    Posted by Ed Mierzwinski at 09:01 AM | Comments (0)


    Top Ten Privacy Tips

    Over at EPIC West, privacy expert Chris Hoofnagle has posted a "Top Ten" things you can do with little money or effort to protect your privacy.

    Posted by Ed Mierzwinski at 08:55 AM | Comments (0)


    November 10, 2005

    New Model ID Theft Act Available

    The state PIRGs and Consumers Union have revised and updated our Model State Clean Credit and Identity Theft Protection Act. You can download it as a pdf file or a Word file here. Find out more at our state model laws page. At least 3 dozen states considered all or part of the law in 2004. Eight new states enacted security freeze laws and twenty enacted security breach laws. The model law has nine separate sections: for example, it also includes a ban on the use of credit scores in insurance and protection for Social Security Numbers. From the introduction:

    In December 2003, Congress passed the Fair and Accurate Credit Transactions Act (FACT Act). With the FACT Act, Congress significantly amended the Fair Credit Reporting Act (FCRA), which provides consumer protections regarding the use, accuracy, and privacy of consumer credit reports. Through its passage, the financial industry won its primary goal: permanent preemption of stronger state credit and privacy laws in several, but importantly, not all, areas.

    Congress did not complete the job of protecting citizens from identity theft or credit bureau mistakes when it enacted the FACT Act. Instead, the federal FACT Act allows states to take additional steps to reduce identity theft.

    The State Clean Credit and Identity Theft Protection Act offers specific, workable provisions that state legislatures can adopt to reduce the risk of identity theft and to give consumers tools to prevent some of the harm from identity theft. The model law offers types of protections, including ones that have actually been adopted by state legislatures.

    The model law proposes additional safeguards in some of the numerous areas which the 2003 federal FACT Act left for future action by the states. The model law’s provisions address some of the areas where federal law permits states to give consumers greater protection. The Appendix provides an extensive analysis of the authority of states to enact laws in the areas covered by this model law.

    Posted by Ed Mierzwinski at 03:44 PM | Comments (1)


    November 09, 2005

    One More Data Bill Making Consumers Worse Off

    We're signed onto today’s testimony in a House Financial Services hearing by Evan Hendricks, publisher of Privacy Times, and we endorse the testimony of Vermont Assistant Attorney General Julie Brill. Here's a short PIRG news release. HR 3997 is yet another bill that makes consumers worse off, doesn't make good privacy policy and eviscerates stronger state laws.

    Posted by Ed Mierzwinski at 08:03 AM | Comments (0)


    November 03, 2005

    Cutting The Privacy Baby In Half

    Despite heroic efforts by Reps. Jan Schakowsky (D-IL) and Ed Markey (D-MA), privacy took a beating in a House Energy and Commerce subcommittee markup (vote) Thursday on the DATA Act (Stearns-R-FL) (here is HR 4127 as introduced, but it is now weaker). In addition to derogating existing privacy protections, the committee action exposed industry's strategy of cutting the privacy baby in half by doing a "data security" bill now and a "privacy" bill regulating data brokers and granting real privacy rights later. Much later.

    If this weak bill were law today, we probably wouldn't know about any of the breaches of security that have occurred this year. Here's a post-vote news release from PIRG and Consumers Union. Here's our pre-vote letter to the committee.

    Note to readers: [Both Bob Sullivan over at MSNBC's Red Tape Chronicles blog and Chris Hoofnagle over at EPIC West have blogs about this vote that raise concerns, especially about the committee inaction on data brokers. And David Lazarus at the SF Chronicle also talks about the vote, in his column on Sunday: "Data theft bill a step backward."]

    The DATA Act started out this summer as a bi-partisan effort to enact strong legislation to respond to two (not one) problems we learned about this year:

    Problem One (smaller problem, already largely solved by states): Banks, credit card processors, state agencies, universities and others are doing a sloppy job protecting confidential consumer data from breaches: they're losing it in airports, they're getting hacked, and they're even selling it to thieves.

    Problem Two (bigger, needs Congressional attention): Turns out some of those "others" who lost (or sold) info are a shadow industry of unregulated data brokers, such as ChoicePoint and Lexis-Nexis, that are amassing and selling massive dossiers on consumers, largely outside of the Fair Credit Reporting Act or any other regulation.

    There was great promise that this committee would do a better job protecting privacy than the Financial Services Committee might. After all, in 1999, it did.

    Some history: The full committee is now chaired by Joe Barton (R-TX), a conservative privacy hawk who co-founded the bi-partisan Congressional Privacy Caucus in 1999 with his liberal committee colleague Markey. Back then they fought to put some real privacy protections into what became the Gramm-Leach-Bliley Financial Services Modernization Act. We have some archives on GLB here. EPIC maintains a page on the committee meeting where Barton discussed his unhappiness at receiving Victoria's Secret catalogs because his credit union had shared his name with direct marketers.

    Unfortunately, back then, after Barton and Markey did pass a strong privacy amendment, House leadership refused to allow it to be considered on the floor, and we ended up with the weak "financial industry approved" GLB privacy notice provisions of the Financial Services Committee, which will hold a hearing on its own weak data security bill, HR 3997, on Wednesday.

    Back to today: unfortunately, the bi-partisan negotiations broke down and an unsatisfactory, non-consensus bill was introduced and immediately sent to this markup vote. The winner was industry, not privacy. Privacy took a beating. All meaningful amendments, including amendments to strike the bill's onerous preemption of stronger state laws, were defeated on party-line votes:

    (1) Markey and Schakowsky tried two amendments to improve the bill's "significant risk of identity theft" trigger before notices are required. First, they attempted to substitute the strong California style trigger used by about ten states (if information is acquired by a third party, you must notify). Failing there, they then tried unsuccessfully to change "significant risk" to the lesser "reasonable risk." As I recently testified in the Senate:

    “The best way to convince companies to keep data secure in the first place is to require notices whenever they do not. The fact that the company doesn’t yet know whether or how the information will be misused should not be enough to excuse notice. Companies that lose information should not get to decide whether consumers need to take further action to protect their privacy. Consumers should be warned."

    (2) Markey and Schakowsky also tried to reinstate a provision that Chairman Stearns inexplicably deleted from his own original bill before the vote, in his so-called manager's amendment or committee substitute (the version of the bill actually debated and voted on). The provision would have required data brokers to give consumers some Fair Information Practice rights to look at and dispute their data broker files similar to those they have with credit bureau files. This amendment is where Mr. Stearns chose to cut the privacy baby in half and then opposed attempts to put it back together again.

    (3) Gene Green (D-TX) and Tammy Baldwin (D-WI), allies of Markey and Schakowsky, then tried to add a modest provision allowing state attorneys general -- generally the toughest consumer cops around -- to enforce the new federal law. Not only did the committee vote this amendment down, it generally ignored all recommendations in a recent bi-partisan letter from 47 state and territorial Attorneys General.

    Again, all these and other laudable amendments were shot down.

    The markup vote essentially achieved three strategic goals for industry:

    First: industry moved a limited scope, weak breach notification bill down the field (Full Committee Chairman Barton said during the vote he wants to be on the floor with a bill this year).

    Second: industry obtained a bill with narrow coverage but broad limits on future state action. Not only will its weak breach notification test (significant risk of identity theft) preempt about ten state laws with California-style strong notification triggers, but the bill will prevent states from acting in other areas to prevent identity theft.

    Third: industry successfully convinced Subcommittee Chairman Stearns to cut the privacy baby in half and delete (without a vote) one of the bill's better provisions -- its requirement that brokers give customers Fair Information Practice-based privacy rights (although Markey's HR 1080 would be better, the HR 4127 language was a start).

    That decision to delete the data broker provision -- and the explanation Chairman Stearns made about it -- was a tough hit for privacy.

    Removing the provision was wrong on both policy grounds and political grounds (if you are for privacy, that is). The notion of separating privacy from data security is an anti-privacy move; not only is it cutting the policy baby in half, it could doom the more important half politically.

    Policy problem: Just as a requirement to protect data is a privacy-protective Fair Information Practice, so is giving consumers the right to control access to it or correct it. Both are privacy practices (sometimes called principles, see Privacy Rights Clearinghouse for a history of the FIPs). Neither is sufficient, both are necessary.

    Political problem: Mr. Stearns claimed that "privacy" was something to protect in some future bill that was publicly promised by Mr. Barton, while HR 4127 was to be solely a narrow proposal about security breaches.

    We are not disputing that Mr. Barton will introduce such a privacy bill and attempt to move it, but the myriad industry lobbyists urging the committee (and other committees) to pass a narrow-on-policy, broad-on-preemption, broad-on-exceptions data breach notice bill today are the same industry lobbyists who'll be earning their next paycheck killing that future promised data broker privacy bill tomorrow. We and other privacy groups certainly will work with Chairman Barton on giving Americans the privacy protections they deserve, but it would be politically easier, and more proper policy-wise, to solve our privacy problems in one bill, not several.

    It isn't simply that data security and privacy rights are all part of the same Fair Information Practices.

    It's that the breach problem isn't the major problem Congress needs to address (the states have already solved it). The problem of unregulated data brokers is a much larger unaddressed policy problem (there are of course others, including Social Security Number protection); but the political problem of passing a pro-privacy data broker reform gets exponentially harder if that reform must be considered separately, after Congress has already expended a lot of energy on the limited and relatively minor (comparatively) matter of data breaches. Again, we already have gained constructive compliance with California's breach notice law nationally. Yet, privacy advocates must argue against weak federal breach bills that broadly restrict future state identity theft reforms.

    There is no policy reason to quickly move a national data breach notice bill that does nothing about brokers or other unsolved issues. Obviously, the data brokers would like that. They've been under the radar since 1997, when the FTC gave them the right to regulate themselves. Here's a memo I wrote to Mr. Markey this spring, which has a long section on the history of non-regulation of data brokers and the FTC's 1997 failure to rein them in.

    Excerpt: As its second mistake, in the late 1990s, instead of calling for regulations or Congressional action, the FTC officially encouraged self-regulation of the rapidly growing information broker industry, then-organized as the (apparently now-defunct) Individual Reference Services Group. So, on the one hand, Congress in 1970 enacted the FCRA (Fair Credit Reporting Act), strictly regulating commercial and government use of credit reports, and strengthened that law in both 1996 and 2003. Yet, on the other hand, under advice from the FTC and pressure from the politically-powerful information broker companies, Congress declined to similarly regulate the growing parallel universe of data held by these so-called information brokers.

    To go forward to pass a weak breach notice bill without reining in ChoicePoint serves ChoicePoint and its ilk, not privacy. ChoicePoint is a virtually unregulated data broker that sold 145,000 consumer dossiers to thieves. Choicepoint just happened to be the first company to comply nationwide with California's breach notification law after it sold records to thieves. Its failure to protect data helped shine light on an even bigger problem. HR 4127 ignores that larger, unsolved problem: that there is a hitherto relatively stealthy, under-the-radar (and they liked it that way) parallel universe of unregulated data brokers including ChoicePoint and Lexis-Nexis and others buying and selling millions of confidential consumer dossiers. Worse, under law, consumers have virtually no rights to access or correct their files.

    Many Americans learned about these secretive unregulated data brokers because of California-ordered notices after the ChoicePoint and Lexis-Nexis breaches. Now this committee's leadership has effectively said, if I can paraphrase:

    Let's pass an unnecessary and weak federal breach notification bill that does what the states have already done, only not as well, that coincidentally eliminates all those better state breach notification laws, but let's put off until another day the important problem of regulating data brokers. Let's make things worse for consumers everywhere (since some companies are already complying with those stronger state notice laws nationwide) while we'll ignore the more important problem of the unregulated data brokers.
    That may not be the leaders' intent; but, that is the effect.

    It remains to be seen whether the baby can be put back together and otherwise improved in the full committee process. We can only hope that Chairman Barton will support strengthening amendments in the full committee and will roll the inseparable issues of privacy and security back together again.

    Putting data broker reform back into this bill is critical to achieving real privacy reform in the 109th Congress. Of course, it is not the only problem with this weak bill, which broadly preempts stronger state laws. Because HR 4127 could conceivably be sent toward the president after a conference committee with the similarly weakened-in-committee Senate Commerce Committee vehicle, S 1408, it needs to be turned into a real privacy bill first. Since it looks as if the commerce committees are outpacing other committees in moving their bills, improvements must be made now.

    We also need to fix the industry-friendly notice triggers in both commerce committee bills and eliminate their sweeping preemption of stronger state laws. S 1408 laudably gives consumers a federal right to freeze access to their credit reports, but eliminates several stronger state security freeze laws, especially New Jersey's (previous blog).

    In a post on a new Microsoft privacy proposal over at Concurringopinions.com, law professor Daniel Solove articulates why the door to state action must be left open. It's recommended reading. I will comment on the Microsoft proposal in a future post.

    Some would say, "Why aren't you for incremental change? Breach notices today, more privacy protection tomorrow?" That's not the way the world works in consumer protection and industry knows it, so I am not telling them anything they don't already know. Their goal is always to strip real consumer protection and enforcement out of any bill that might move, insist on the weakest federal bill possible and still demand state preemption as if it is a birthright.

    The only time Congress acts to protect consumers is when there is a big scandal (think Enron and Worldcom, as Enron wasn't enough) or when the states show the way.

    HR 4127 perversely responds to the data broker scandal by ignoring it, while showing the states the door, so they can no longer show the way.

    Posted by Ed Mierzwinski at 06:30 PM | Comments (0)


    November 02, 2005

    Consumer Groups Oppose Weak Data Bill

    U.S. PIRG, Consumers Union, Privacy Rights Clearinghouse and EPIC have sent a strong letter opposing a weak data privacy bill, HR 4127 (Stearns-R-FL) to be voted on Thursday in a House Energy and Commerce subcommittee.

    Posted by Ed Mierzwinski at 06:02 PM | Comments (0)


    November 01, 2005

    Data Privacy Update

    The House Subcommittee on Commerce, Trade and Consumer Protection has scheduled a Thursday (3 Nov) vote on its chairman's weak data security bill. HR 4127 (Cliff Stearns, R-FL) imposes weak data security standards with a high risk trigger before notice is required, broadly preempts states and allows broad exceptions from its coverage. Also Thursday, the Senate Judiciary Committee may complete its consideration of S. 1789. Today's New York Times has a good backgrounder comparing a number of key privacy bills before Congress.

    The story, by Tom Zeller, includes a chart listing key details of some of the marquee bills under consideration. Go to the story (free reg. req.) and click on the multimedia graphic. We are accurately quoted in the story:

    "Industry hopes to use the furor over breaches as a way to pass a modest federal reform that just happens to also permanently restrict the states from passing virtually any financial privacy or identity theft laws."
    As for S. 1789, the bill under review by Judiciary is, of course, a weaker substitute for the original S. 1789, introduced by Chairman Arlen Specter (R-PA) and ranking member Pat Leahy (D-VT). S. 1789 itself is a weaker version of the original Specter-Leahy proposal, S. 1332. In an opening statement at last week's committee meeting, Senator Leahy lists some positive aspects of the bill but then expresses a number of concerns about the bill's compromises, in particular the bill's restrictions on further state actions:
    But these benefits came at a great price. I am extremely disappointed about the scope of preemption in this bill. States have long been the laboratories for good consumer protections. My home State of Vermont was among the first – if not the first – to require individual consent before sharing financial information with third parties, and to require a person or business to obtain consent from individuals before reviewing their credit reports. If the states had been preempted on some of these data protections earlier, we would not have had a California notice bill and might never have heard about many of these breaches. I am especially concerned about the data security section, where we have preempted such a broad field while only providing limited requirements in return.

    I am also disappointed that we have removed the protections for Social Security numbers and the government’s use of commercial data to set up programs to screen Americans. We saw the problems with lack of accurate data and good procedures in the airline screening program. Just the other day, there was a report about a 62-year-old nun routinely detained for hours at the airport because a terrorist list could not distinguish between her and a male terrorist using the same last name.

    We also had to sacrifice additional funding to help law enforcement agencies fight these crimes, particularly in the wake of other heightened demands on federal resources after Katrina.

    Posted by Ed Mierzwinski at 08:39 AM | Comments (0)


    October 28, 2005

    47 Attorneys General Urge Strong Identity Theft Reforms

    The attorneys general of 47 states and territories have sent a very strong letter to Congressional leaders urging passage of the strongest possible security breach notice bill (one without any loophole known as a "reasonable risk" trigger) and security freeze protection law. The letter goes on to articulate in detail why any federal bill should not preempt, or override, the right of the states to enact stronger privacy laws.

    Posted by Ed Mierzwinski at 04:27 PM | Comments (0)


    October 26, 2005

    Privacy Piracy Radio Show posts transcript

    You can listen to our recent interview with Mari Frank on her show Privacy Piracy on KUCI 88.9 FM in Irvine, CA. Mari also archives her interviews with other guests, from the Washington Post's Robert O'Harrow, author of No Place To Hide, to Robert Ellis Smith, author and publisher of Privacy Journal.

    Posted by Ed Mierzwinski at 03:46 PM | Comments (0)


    Free Credit Report Follies

    Privacy expert Dan Solove has an excellent post over at Concurringopinions.com describing the trials consumers face when they try to find their federally-mandated free credit reports on the Internet. Even after you beat your way to annualcreditreport.com (the right place), you still face slick and deceptive marketing of over-priced products. My most recent posts on the final lurch of the staggered free report rollout and on Experian's recent civil penalty and restitution order for deceptive marketing of "free" products.

    Posted by Ed Mierzwinski at 09:03 AM | Comments (0)


    October 25, 2005

    Good Credit Score Doesn't Mean Good Loan Either

    The Los Angeles Times reports in More Homeowners With Good Credit Getting Stuck With Higher-Rate Loans that many consumers are paying more for mortgage loans than they should based on their credit scores.

    Based on estimates from Freddie Mac and the Center for Responsible Lending, as many as 1 million borrowers are paying too much for their loans. Such customers paid an estimated $3 billion in excess interest in 2001 alone, the consumer group said in a study that year.

    The story points out that some of these consumers may simply have been steered by a broker to a high rate subprime mortgage firm, because the broker might get a better commission, but that others may have simply walked into the wrong affiliate of a financial colossus.

    Consumer advocates say it's a "borrower beware" market. Companies and independent brokers generally are not legally required to tell customers that they might get a better deal elsewhere, and regulations have not kept pace with the booming mortgage refinancing market and skyrocketing home prices.

    "The reality is, if you happen to walk into the wrong door, you can be trapped," said Kathleen Keest, senior policy counsel at the Center for Responsible Lending, a nonprofit advocacy group in Durham, N.C.

    Over the last ten years or so, as greater information resources have become available, companies have used them to develop risk-based pricing. Risk-based pricing certainly has benefits, since instead of being turned down, higher-risk consumers now get loans, though at higher subprime rates. However, some consumers may walk in that wrong door and pay too much. Worse, some subprime lenders may cross over and make predatory loans.

    While some of the information resources now available are simply greater computer power and analytical tools, some of the information now available results from the lack of strong privacy laws. Unfettered information sharing is allowed between corporate affiliates; consumers have virtually no consumer privacy rights. Some companies may be using profiles or dossiers developed on consumers to predict which ones will respond to over-priced offers. The companies have a lot more information about us, and we have little control over it, yet, for example, they aren't required to tell us more about them and which of their doors we should open.

    And worse, as Keest points out, nothing in federal or state law requires a sub-prime affiliate to warn you that another affiliate may have a better deal for you.

    The article was written by Times reporter Scott Reckard and its special correspondent Mike Hudson. Hudson is an investigative journalist and longtime chronicler of predatory lending -- his 2003 feature Banking On Misery: Citigroup, Wall Street, and the Fleecing of the South won the magazine Southern Exposure a coveted Polk Award.

    One of the subprime companies reported on in the LA Times story "More Homeowners With Good Credit Getting Stuck With Higher-Rate Loans" is Ameriquest.

    Ameriquest's lending practices are being reviewed by a 30-state task force. The company recently set aside $325 million to cover a possible settlement. Speaking generally to allegations of improper practices, Ameriquest Chairman Roland E. Arnall told a Senate panel last week that "some of our employees did not do the right thing," but said the company had fired them and taken steps to correct problems. Arnall is awaiting confirmation as U.S. ambassador to the Netherlands.
    A separate LA Times story last week reports that at least two U.S. Senators, Paul Sarbanes (D-MD) and Barack Obama (D-IL), may hold up the Arnall nomination until the multi-state investigation is completed.

    Posted by Ed Mierzwinski at 03:13 PM | Comments (0)


    Oops on credit scoring by Hartford Insurance

    The Insurance Journal reports that under an agreement with Delaware Insurance Commissioner Matt Denn the Hartford insurance company has made refunds totaling $135,000 to 1,400 Delaware consumers it wrongly scored as bad insurance risks by miscalculating their credit scores. What does your credit score have to do with your insurance risk anyway?

    Nothing, in the view of leading consumer groups. The state PIRGs, Consumers Union, Consumer Federation of America and the Center for Economic Justice have long campaigned for state bans on the use of credit scores for insurance ratemaking. Hawaii, Maryland and other states have adopted all or part of our proposals. The PIRG/Consumers Union model state Clean Credit and Identity Theft Reform Act includes a section banning credit scoring for insurance.

    Unfortunately, the powerful insurance industry circulates an "industry-approved" model law of its own through the National Conference of Insurance Legislators or NCOIL, so some states have actually affirmed the practice of allowing insurance companies to raise consumer rates based on a score derived from their credit reports.

    While this Delaware incident shows that credit scoring models can be flat-out incompetently designed, resulting in consumers with excellent credit paying higher rates, the use of credit scores in insurance ratemaking creates much more pernicious problems than simply rate mistakes.

    The information in an insurance credit score is not derived from your driving habits (number of speeding tickets, number of accidents) or the number of homeowners' claims you've filed. It is derived from your credit report. The use of credit reports for insurance ratemaking brings up two fundamental problems.

    First, no actuarial study has fully linked credit reporting to insurance risk. The industry claims a correlation, but cannot show statistical proof that meets actuarial tests.

Second, while the factors used in deriving a credit score may appear on their face to represent good or bad credit, and thus the correlation the industry claims, analysis by the Center for Economic Justice shows that some of the companies may instead be using credit scoring as a way to subvert civil rights laws and redline lower-income and minority Americans. As CEJ's Birny Birnbaum recently argued:

As you review the factors in these scoring models, two things become clear. First, your so-called “financial responsibility” has little weight in the scoring model. And second, the models are systematically biased against consumers in low income and minority communities. The bias arises for two reasons. First, the credit scoring models are systematically biased against the credit characteristics of low income and minority consumers, such as type of credit used. Second, consumers in low income and minority communities are not served by the financial institutions that report to credit bureaus.

    Even if a consumer was able to pay the massive interest rates for a check cashing, payday loan or rent to own, it would not help because these institutions do not report to credit bureaus. And so-called thin files – little credit information – yield bad scores. In short, insurance credit scoring is the 21st century tool for redlining. In the past, for example, insurers simply didn’t write homeowners insurance for homes older than a certain age or under a certain value. These underwriting guidelines eliminated coverage in older and low-income neighborhoods.

Fair housing groups challenged these practices and prevailed – these underwriting guidelines have largely been eliminated, although these characteristics are still used for determining premium. But today, insurers have a new tool – credit scoring – that accomplishes the same redlining as in the past. Insurers defend credit scoring as an “objective” tool that doesn’t “consider” race or income. Sound familiar? As if bias could not be built into a computer model.

    Posted by Ed Mierzwinski at 01:58 PM | Comments (1)


    October 20, 2005

    Senate Judiciary Delays Data Breach Bill

On Thursday the Senate Judiciary Committee brought up its comprehensive data breach notice/data broker regulation bill, S. 1789, but after some criticism of the chairman's substitute, consideration was delayed.

Senator John Cornyn (R-TX) raised the point that his staff had just received the substitute Wednesday night at 4:55pm. Senator Dianne Feinstein (D-CA) expressed concern about a specific change in that substitute, the elimination of health-related information from the list of confidential information that could trigger a breach notice to victims. So, Chairman Specter (R-PA) delayed the vote at least until next Thursday.

    Chairman Specter and Ranking Member Pat Leahy (D-VT) originally introduced S. 1332, which was modified over the summer and re-introduced in late September as S. 1789 with Sens. Feinstein and Russ Feingold (D-WI) as co-sponsors.

    The bill imposes modest Fair Information Practice based duties on virtually unregulated data brokers such as Choicepoint. It also requires security breach notification in many more circumstances than most of the weak bills before the Congress, which all have a "risk of harm" trigger. Unfortunately, it still preempts stronger state consumer laws in a wide variety of areas, which is unacceptable.

While the committee tabled this comprehensive bill, it voted out, on a very quick voice vote, the much weaker and even more restrictive of state authority alternative security breach notice bill, S. 1326 (Sessions, R-AL). Previous security breach blog.

    Posted by Ed Mierzwinski at 02:28 PM | Comments (0)


    October 12, 2005

    We're Live Tonight On The Web And Air On Privacy

    I'm appearing live tonight at 8PM Eastern/5PM Pacific on the show Privacy Piracy, streamed on the Internet from KUCI.org 88.9 FM in Irvine, CA. The host is Mari Frank, a nationally-known ID theft victim-turned-expert, attorney, author and now radio host. We'll be talking about a wide range of privacy topics.

    Posted by Ed Mierzwinski at 05:44 PM | Comments (0)


    October 11, 2005

    New privacy blog by professor

    Professor Dan Solove of George Washington U Law School in DC has a new blog, concurringopinions.com. Dan is co-author, with EPIC's Chris Hoofnagle (his blog), of the Model Regime of Privacy Protection. Dan has a post on the effort by Consumers Union, PIRG and other consumer groups to get the recalcitrant credit bureaus to treat Katrina victims fairly by creating pre-disaster credit scores (my post on this). [He also has a great post, with action photos no less, on the new Airline Screening Playset, Hours of Fun.]

    Posted by Ed Mierzwinski at 10:42 AM | Comments (0)


    October 05, 2005

    CALPIRG News Release On Anti-Privacy Court Decision


    Court Ruling Takes Away Financial Privacy Rights of Californians

    For Immediate Release: October 5, 2005
    Contact: Steve Blackledge, Legislative Director, CALPIRG, 916-448-4516 x108
    Ed Mierzwinski, Consumer Advocate, U.S.PIRG, 202-546-9707

    Court Ruling Takes Away Financial Privacy Rights of Californians

    Statement of Steve Blackledge, legislative director, California Public Interest Research Group (CALPIRG):

    “Monday’s U.S. District Court ruling on financial privacy is troubling for Californians. Judge Morrison England determined that major sections of the California Financial Privacy Act, also known as SB 1, were preempted by federal law.

    “The court ultimately decided that Congress took away most state rights to protect privacy, but Congress itself hasn’t chosen to protect privacy—far from it. Congress has voted to allow massive financial corporations to buy, sell and share confidential data with hundreds or thousands of affiliated and non-affiliated companies selling unrelated products. California citizens who were better protected are now stuck in the same leaking financial privacy boat as the rest of Americans.

“The decision is the latest in a series of blows against the right of states to protect their citizens’ privacy, health, safety and pocketbooks.”

    30 – 30 – 30

    CALPIRG, the consumer advocate, is a statewide organization that stands up for California’s consumers. For more information, visit www.calpirg.org.

    Posted by Ed Mierzwinski at 06:08 PM | Comments (0)


    Public Backs Privacy -- New CBS/NYTimes Poll

The U.S. Congress tends to promote and enact corporate-backed anti-privacy laws, but calls them, in Orwellian fashion, privacy laws. These laws are then generally upheld by the courts (see previous blog), leaving consumers with their confidential information for sale to the highest bidder. Yet for years and years, in poll after poll, the public -- Republicans, Democrats, conservatives, independents, whoever -- strongly supports greater privacy rights. The latest CBS News/New York Times poll, titled Privacy Rights Under Attack, echoes the long-standing trend:

    52% think the right to privacy is under serious threat, and another 30% think it has already been lost. Only 16% think it is still safe.
    A large majority of Americans [83% say that it is mostly a bad thing] express negative views about companies collecting personal information about individuals, including what they buy, their credit histories, and income information.
    "Mostly a bad thing"...I couldn't have said it better myself.

    Posted by Ed Mierzwinski at 03:04 PM | Comments (1)


    October 04, 2005

    US Judge Preempts Part of Landmark Cal Privacy Law SB1

    Federal judge Morrison England has ruled, on remand from the Ninth Circuit, that the federal Fair Credit Reporting Act preempts the affiliate-sharing provisions of the landmark California financial privacy law SB1, so that SB1 can no longer give consumers the right to opt-out of the sharing of their confidential personal information among affiliated companies. California citizens are now subject to the same industry-approved weak federal privacy laws governing affiliate sharing (that is, virtually no rights at all) as citizens in other states. On the positive side, firms cannot share information about Californians with many third parties unless they convince the consumer to say yes (opt-in) to the sharing. That part of the stronger California law was not challenged.

    Privacy expert Chris Hoofnagle of EPIC has posted the anti-privacy, anti-states' rights decision and more comment on his blog.

    Some history:
    The PIRG-backed law was championed by State Senator Jackie Speier (her page) for four years and was finally enacted as a compromise in 2003.

    In return for the banks agreeing to no longer block final enactment of the law, CALPIRG, Consumers Union, AARP, the pro-privacy E-Loan Bank and others withdrew from filing an even stronger voter ballot petition on the very deadline for filing the hundreds of thousands of signatures we'd already collected. Of course, the banks that agreed to the negotiation then looked the other way when the American Bankers Association (ABA) and their other trade associations then filed suit against California Attorney General Bill Lockyer to overturn the law. EPIC's ABA v. Lockyer page lists the history of the litigation. [Judge England originally allowed SB1 to take effect, then was partially reversed and ordered to review the case again by the Ninth Circuit, US Court of Appeals. Today's decision holds that the bank-friendly and anti-stronger state law Fair Credit Reporting Act (FCRA) trumps the pro-stronger state law Gramm-Leach-Bliley Act (GLBA).]

    The federal GLBA and FCRA grant consumers virtually no rights to prevent the sharing of confidential information. The 1999 Gramm-Leach-Bliley Act states that information can be shared with affiliates and many third parties regardless of a consumer's preference; only information sharing with other third parties (primarily telemarketers) is subject to a weak opt-out under GLBA, which also gave states the right to enact stronger privacy laws. An as yet unimplemented provision -- rife with loopholes -- of comprehensive 2003 FCRA amendments would give consumers a right, not to fully opt-out of affiliate sharing for all secondary purposes, but merely to opt-out of certain but not all marketing uses of the information after it has already been shared. The banks are fighting back during the rulemaking process to weaken even this modest provision so that it provides virtually no rights.

    On the other hand, SB1 had created an opt-out right for affiliate sharing (subject to some exceptions) where federal law had no right at all. It also took third party transactions subject to the weak federal opt-out right and strengthened that right to an opt-in.

    In detail, SB 1 established a consumer right to say no, or opt-out, of the sharing of their confidential account and personal information by financial firms (banks, insurance companies, brokerages, etc) with their affiliates, for any secondary purpose (such as marketing or profiling) not related to their account transactions. [Some sharing with "like" affiliates was not subject to the opt-out; further, some third parties selling products in the name of the firm were treated like affiliates, not third parties, and subject only to the opt-out.]

    Under SB1, before a bank shares information with other third parties, it must gain a consumer's affirmative consent (says yes or opts-in). This provision was not preempted and is still in force. We'll have more as we analyze the decision further.

    Posted by Ed Mierzwinski at 04:45 PM | Comments (0)


    October 03, 2005

    States To Congress on Privacy-- Lead, Follow, Or Get Out Of the Way

    We wouldn't know about all the security breaches by Choicepoint and others if it weren't for California's pioneering notice law. State Senator Joe Simitian of California -- the author of that law, has an op-ed called "U.S. no help in quest for database security law" (free reg. req.) in Friday's San Jose Mercury News. Here's a few excerpts from Senator Simitian's piece:

    Lead, follow or get out of the way. It's not a particularly gracious sentiment, but when it comes to our federal government's role in protecting our privacy, it certainly is apt. To date, Washington has proven itself either unable or unwilling to take the lead in protecting our personal privacy. That being the case, California passed legislation in 2002 requiring that notice be provided to individuals in a public or private database whose personal information has been compromised.
    ...
    Finally, though, we hoped to prod the federal government into taking meaningful action on a national level. Indeed, many of the opponents to California's privacy law argued against a state law in favor of a federal approach. A patchwork quilt of state-by-state statutes, they argued, was not the ideal. This argument would have been more persuasive, perhaps, had not those same opponents been arguing against such requirements in Washington. Or if Washington has shown an inclination to tackle the problem.

    Posted by Ed Mierzwinski at 04:24 PM | Comments (0)


    September 23, 2005

    Breach Notice Legislation Update

    The Senate Banking Committee has posted a Realplayer video archive of yesterday's hearing where we opposed preemption of stronger state security breach notice and security freeze laws. At the hearing, the other witnesses (all on the industry team), practically begged Congress to preempt the states, even though they provided absolutely no information or studies to show that their allegations about the difficulty of complying with more than one state law were at all valid.

    Also, yesterday NJ Governor Richard Codey signed that state's tough NJPIRG-backed identity theft law.

    Governor Codey's statement on the security breach and security freeze law signing is here. A few news stories with quotes from NJPIRG's Abigail Caplovitz on the tough new law are here (AP, Asbury Park Press and the Newark Star Ledger). Also yesterday, a California court heard the claim of the big credit card associations, Mastercard and Visa, (AP story) that it's not their fault and they shouldn't have to provide notices to hundreds of thousands of consumers due to security breaches at the third party processor Cardsystems. Instead, they say, their member banks should send the notices. More on that case after we read the complaint and the card association briefs in a case brought against Visa and Mastercard and Cardsystems and others. Previous breach blog.

    Posted by Ed Mierzwinski at 01:03 PM | Comments (0)


    September 14, 2005

    Consumer Groups Ask FICO For Katrina Relief

    Consumer groups led by Consumers Union, U.S. PIRG and the Consumer Federation of America have asked (letter) the nation's leading credit scorers, Fair Isaac, purveyors of the FICO score used by most mortgage lenders, to create an automatic "Disaster Information Shield" to protect Katrina victims from negative information hurting their scores.

    Posted by Ed Mierzwinski at 12:20 PM | Comments (0)


    September 09, 2005

    ID Theft Threats To Katrina Victims

    You can listen to a nice NPR interview (9/8) with our privacy colleague Evan Hendricks of Privacy Times warning of identity theft threats to Katrina victims. For more info on id theft, see our pages or the FTC.

    Posted by Ed Mierzwinski at 10:19 AM | Comments (0)


    August 26, 2005

    Free Credit Reports Go Nationwide on 1 Sept --Release

    FOR IMMEDIATE RELEASE
    CONTACT Liz Hitchcock or Elizabeth Hoffman, 202-546-9707

    Northeast Consumers Finally Gain Federal Free Credit Report Rights

    U.S. PIRG Urges Consumers To Check Up On Credit Bureaus With Free Credit Reports
    -- Warns of Federal Threats To Strong State Privacy Laws --

A leading consumer organization that has documented credit report errors and identity theft problems announced today that consumers in the Northeast will soon have new tools to fight these problems under a federal law that takes effect in 14 Northeastern states (SEE BELOW), Puerto Rico, the District of Columbia and all U.S. territories on September 1. Other regions of the country gained free report rights beginning last December. U.S. PIRG also urged citizens to tell Congress not to eliminate state rights to enact strong identity theft protections.

“Consumers should use our new federal right to a free report to check up on all three national credit bureaus with just one website visit, one phone call or one letter,” said U.S. PIRG Consumer Program Director Ed Mierzwinski. “But don’t be tricked into buying an over-priced, unnecessary credit monitoring service.”

    U.S. PIRG said that consumers can log onto the government mandated site annualcreditreport.com to get their free credit reports from Experian, Equifax or Trans Union. Because scam artists have purchased many similar web addresses, consumers may want to call 877-322-8228 instead to obtain their reports. While credit reports are free under the new law, credit scores, which are mathematical summaries of the report, are not. U.S. PIRG recommended that consumers also obtain at least one low-priced score, for about $4-7, although they should avoid the high-priced credit monitoring services that the bureaus also promote. U.S. PIRG noted that this month the Federal Trade Commission fined the credit bureau Experian $950,000 and ordered it to make refunds to consumers who had purchased its deceptively marketed credit monitoring services.

“Instead of paying for an over-priced, deceptively advertised credit monitoring service, consider staggering your requests for free reports under law,” U.S. PIRG advised. “Order one now, and then one from each of the other two bureaus every four months.”

    According to a 2004 PIRG report, 1 in 4 credit reports contain serious errors that could cause credit to be denied. Other provisions of the new law, the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), took effect nationwide on December 1, 2004. These include the right to place fraud alerts on your credit report, to complain directly to your bank about mistakes on your credit report and to obtain information from businesses where you do not have an account but an identity thief has used your name fraudulently. Despite the new protections, U.S. PIRG opposed final passage of the FACT Act because it imposed unacceptable permanent limits on most state rights to protect their consumers.

“Fortunately, Congress didn’t completely eviscerate state rights to protect consumers in 2003, so the PIRGs prepared a model law to prevent identity theft, parts of which have been enacted in two dozen states this year,” added Mierzwinski. “Yet now, in response to the widely reported security breaches at companies ranging from Bank of America to Choicepoint, Congress may pass a weaker federal law that also eliminates the right of the states to continue to better protect consumer privacy.”

    Highlights of that 2004 model state law, the State Clean Credit and Identity Theft Protection Act, prepared by U.S. PIRG and Consumers Union, publishers of Consumer Reports, include the following key provisions under threat of federal preemption:
    • It gives consumers the right to freeze access to their credit reports (In 2005, at least eight states have joined California, Texas, Louisiana and Vermont in providing this right); and
    • It gives consumers the same right to security breach notification as California provides. This year, an additional twenty states have also enacted breach laws.

“We wouldn’t even know about all the security breaches nationwide if not for California’s pioneering breach notification law,” added Mierzwinski. “Yet, Congress may cave under industry pressure and enact a weaker law while preventing states from passing stronger ones.”


    -30-

14 Northeastern states and the District of Columbia: Connecticut, Delaware, District of Columbia, Maine, Maryland, Massachusetts, New Hampshire, New Jersey, New York, North Carolina, Pennsylvania, Rhode Island, Vermont, Virginia, and West Virginia

    U.S. PIRG serves as the national lobbying office for state Public Interest Research Groups, which are non-profit, non-partisan public interest advocacy organizations. U.S. PIRG’s main consumer website is www.uspirg.org/consumer. The state PIRG model identity theft law, PIRG’s up-to-date list of states that have enacted security freeze and security breach laws and a downloadable fact sheet on credit report mistakes and identity theft are all available at http://www.pirg.org/consumer/credit. The downloadable fact sheet also provides the only comprehensive list of so-called specialty credit bureaus, which are also required to provide free credit reports, by toll-free phone.

    Posted by Ed Mierzwinski at 07:17 PM | Comments (2)


    August 25, 2005

    Security freeze/breach law sent to NC governor

    A strong NCPIRG-backed security freeze and security breach law has been sent to the governor's desk in North Carolina where it will be signed.

    We've updated our state freeze and breach law page. The bill is based on the state PIRG/Consumers Union model law. The bill's security breach notification provision does not require a harm trigger, as most of the weak federal proposals do. Its freeze applies to all consumers, not only to victims. It includes Social Security Number protections. It allows consumers to sue violators. These are all good ideas.

    Posted by Ed Mierzwinski at 12:48 PM | Comments (0)


    San Diego paper endorses strong ID theft reforms

    The San Diego Union Tribune has posted a nice editorial and a nice op-ed column by our colleagues Linda and Jay Foley of the Identity Theft Resource Center, supporting strong identity theft reforms. Says the paper: the banking "industry loses credibility when it touts national rules that are far weaker than those already adopted in California."

    Posted by Ed Mierzwinski at 12:40 PM | Comments (0)


    August 24, 2005

    Info Outsourcing To India Leads to Identity Theft

    Chris Hoofnagle of EPIC has posted a blog describing an Australian TV investigative story showing how easy it is to obtain confidential customer information from Indian data processors.

    Posted by Ed Mierzwinski at 06:29 PM | Comments (0)


    August 19, 2005

    State security freeze/breach list updated

We've updated our list of state security freeze and breach laws. The page links to legislative pages of the 10 state legislatures that have enacted freeze laws and the 19 states that have enacted breach notification laws. NJ has both sitting on the governor's desk. The NJ laws will be signed in September. Our main identity theft and credit reporting page includes a lot more detailed information, including information about free credit reports. We also have a detailed list of specialty credit bureaus on our downloadable short id theft fact sheet. These tenant, employment, check clearing and similar bureaus also must provide free reports-- through 800#s.

    Posted by Ed Mierzwinski at 11:16 AM | Comments (0)


    August 16, 2005

    Release: Experian Settles With FTC

[UPDATE: Corrected old urls: 2/07] [A few comments before the actual news release: (1) See also our related recent blog entry on "free to pay" scams. (2) Note also that the FTC cites a complaint by EPIC's Chris Hoofnagle (his blog) that helped lead to this settlement. (3) See PIRG's identity theft website for more information on how to avoid these scams.]

    FOR IMMEDIATE RELEASE 16 Aug 2005
    CONTACT Ed Mierzwinski, 202-546-9707x 314

    Statement of U.S. PIRG Consumer Program Director Ed Mierzwinski on FTC Settlement with Experian over Deceptive Free Credit Report Offers

    “While we wish the penalty imposed on Experian were much higher than $950,000, we hope that this important FTC settlement serves as a wake-up call to credit bureaus and others that preying on consumers seeking their government-mandated free reports is wrong and will be punished. Experian deserves greater punishment for three reasons:

    First, Experian took advantage of consumers scared of identity theft and credit reporting mistakes. These two major problems are partly caused by sloppy practices of Experian and the other credit bureaus, so Experian shouldn’t be allowed to run a kind of protection racket based on its inability to do a better job keeping credit reports accurate and safe from use by thieves.

    Second, Experian stooped so low as to take advantage of consumers seeking to invoke government-ordered rights to get credit reports for free and tricked them into paying for its own over-priced and unnecessary credit monitoring service.

Third, Experian used the widely discredited trial offer gimmick known as “free to pay.” Consumers thought that they were receiving their government-mandated free credit reports, but worse, they were instead signing up for a deceptive trial offer for an over-priced credit monitoring service that required them to cancel or be billed $79 or more.

For these reasons, we commend the FTC for its important action and for alerting consumers about numerous other scam sites offering free credit reports. Because Experian, however, is one of the nation’s largest credit bureaus, and has been fined for violating credit reporting laws before, it should have been punished more harshly for its abuse of the public’s trust.”
    -30-

    U.S. PIRG is the national lobbying office for state Public Interest Research Groups, which are non-profit, non-partisan public interest advocacy organizations. U.S. PIRG’s consumer website is www.uspirg.org/consumer

    Posted by Ed Mierzwinski at 04:29 PM | Comments (0)


    August 12, 2005

    FTC settles charges with website advertising "Free" Credit Reports

    We can think of at least one deceptive site that might be the subject of next Tuesday's FTC news conference "to announce settlement of FTC charges that an Internet marketer used the lure of a free credit reports to deceive consumers." Looking forward to it.

    Posted by Ed Mierzwinski at 05:00 PM | Comments (0)


    More Re Websites Selling Credit Card Numbers

    Privacy expert Chris Hoofnagle has commented on our recent post on his new blog.

    Posted by Ed Mierzwinski at 04:20 PM | Comments (0)


    August 11, 2005

    Web Firms Sharing Credit Card Numbers

    Last night, we appeared in a DC Fox-5 (WTTG) investigative story (transcript) exposing how web sites share credit card numbers with third parties and the third parties bill the credit cards for products the consumer didn't knowingly order. It's an old scam that's moved from telemarketers to the Internet.

    According to the story, one of the victims bought a ticket from Ticketmaster.Com, then clicked on a "Rewards" popup, looked at the site that appeared -- thought "No Thanks" -- and then left it. Some time later she found that her credit card had been billed. In small print on the first site, she'd allegedly "agreed" that if she clicked the popup her credit card would be billed for a trial offer for a $7/month club under terms described partly on the screen. The small print, supposedly buttressed by more small print in the "Privacy Policy" and "Terms and Conditions" pages apparently told her that Ticketmaster could share her credit card information with the rewards firm if she used the site to buy a ticket. Two other victims had stories about other web merchants in the Fox piece, called "Terms and Conditions."

Identical scandals associated with so-called "free-to-pay" scams by telemarketers (some obtaining the information not from merchants but, incredibly, from regulated banks) resulted in hefty regulatory activity. "Free-to-pay" means a trial offer, where you must cancel within a certain period of time or your credit card is billed. The problem is exacerbated where a consumer hasn't given out his credit card number in the first place and is unaware that the telemarketer has it. State Attorneys General call this "pre-acquired account telemarketing," and it turns a purchase upside down. If you haven't given out a credit card number or handed anyone cash, how have you entered into a transaction?

    After pressure was brought by state Attorneys General (their comments), the Federal Trade Commission amended the Telemarketing Sales Rule (TSR) prohibiting telemarketers from billing consumer credit cards in a similar way. The telemarketers are now required to ask consumers to read back at least part of their credit card number as a way of documenting that they have actually agreed to a transaction.

As the AGs argued in their comments to FTC: "The essential characteristic of [preacquired account telemarketing] is the ability of the telemarketer to charge the consumer’s account without traditional forms of consent."

    So, in its final rule, the FTC said the following, for telemarketers:

"(i) In any telemarketing transaction involving preacquired account information and a free-to-pay conversion feature, the seller or telemarketer must: (A) obtain from the customer, at a minimum, the last four (4) digits of the account number to be charged; (B) obtain from the customer his or her express agreement to be charged for the goods or services and to be charged using the account number..."

    Now we need a similar rule for the web that is based on real understanding and real consent, not simple clicking.

    Posted by Ed Mierzwinski at 04:17 PM | Comments (2)


    July 28, 2005

    Senate Commerce Moves On Data Privacy bill

    Today the Senate Commerce Committee did report out its bi-partisan data privacy bill, S. 1408 (see previous blog for details and press statement). A positive Dorgan (D-ND)-Bill Nelson (D-FL) amendment banning sale of Social Security Numbers was added. Unfortunately, no action was taken to roll back the bill's onerous preemption regime.

    While approving the bill, the committee then agreed to hold the bill (not sending it to the floor) pending August jurisdiction negotiations with the Banking Committee. Senate Judiciary once again met, but did not bring up S. 1332, its own bi-partisan data privacy bill.

    Posted by Ed Mierzwinski at 06:34 PM | Comments (0)


    PIRG Statement On S 1408, Senate Commerce Data Breach Bill

    Here is our statement urging opposition to final passage of S 1408, being considered in Senate Commerce today, unless it is improved and preemption is removed. See yesterday's blog entry for more details.

    Posted by Ed Mierzwinski at 08:46 AM | Comments (0)


    July 27, 2005

    Senate Commerce Bill, S 1408, Would Repeal Numerous State Privacy Laws

    Tomorrow, Thursday, 28 July, the U.S. Senate Commerce Committee will likely vote on a well-intentioned but fatally flawed bi-partisan bill, S. 1408, to respond to data security breaches. Our legislative fact sheet points out that the bill is weaker than nearly every state security breach law, but preempts them all.

    Similarly, while it would extend the PIRG-backed right to place a security freeze on your credit report, its protection is weaker than most of the 10 (soon to be 11) state freeze laws and preempts them all. See our "Protecting Privacy" blog archive for more information. Also see our State Freeze and Breach Laws page.

    Posted by Ed Mierzwinski at 07:14 PM | Comments (0)


    July 21, 2005

    New MASSPIRG Survey Supports Security Freeze But PFF Opposes Breach Laws

    A MASSPIRG survey of 500 Massachusetts consumers finds that 14 percent of consumers had been victims of identity theft and 71 percent were concerned about becoming a victim. In addition, consumers overwhelmingly supported (93%) a "security freeze" to protect them against identity theft.

    Meanwhile a report by the business-oriented Progress and Freedom Foundation rationalizes its support for weak, targeted preemptive security breach notification laws with the assertion that "A true federalist approach is not possible with markets and firms that are national, and even international, in scope." Very tough to do more than pay lip service to supposed federalist, conservative views when the corporate money wants weak, anti-consumer national laws that permanently preempt the right of the several states to act as laboratories of democracy.

    Posted by Ed Mierzwinski at 07:54 AM | Comments (0)


    June 29, 2005

    Equifax Chief Calls Free Credit Reports Unconstitutional -- Yikes `:>)

    In a speech in California this week reported on in Wired Magazine "Equifax CEO Thomas Chapman called the legislation [providing free credit reports] unconstitutional and un-American." That's an absurd statement.

    If it were true, Equifax would have sued to overturn the Fair Credit Reporting Act (FCRA). But Mr. Chapman's lawyers probably told him that the DC Circuit, US Court of Appeals recently found the FCRA constitutional -- rejecting a plethora of unsubstantiated constitutionality claims and finding that the government's interest in "protecting the privacy of consumer credit information is substantial." That was just a few years ago in a case brought by his fellow credit bureau Trans Union. [Trans Union Corp. v. FTC (Trans Union I), 245 F.3d 809, reh'g denied, 267 F.3d 1138 (D.C. Cir. 2001), cert. denied, 122 S. Ct. 2386 (June 10, 2002).]

    The whole notion that consumers are customers of credit bureaus is spurious as well. What consumers are to the bureaus is two things. First, some consumers have recently become a revenue stream as they purchase over-priced products, like credit monitoring, that should also be free. Second, all consumers with files are data subjects. The products (credit reports) that bureaus sell to their actual customers (businesses) are derived from consumer data.

    Congress, in granting the annual free report right (after 7 states already had done so), finally recognized that data subjects deserve to know about and correct products that are based on their lives. Inaccurate credit reports hurt consumers in the marketplace and credit issued sloppily to identity thieves hurts consumers as well. Further, credit bureaus have a duty under the FCRA to ensure "maximum possible accuracy" and the consumer self-audit through the "free" report helps the bureaus accomplish that Congressionally-mandated and constitutional requirement.

    Another reason it is spurious of the credit bureaus to consider consumers as customers is they've never actually treated us as customers (just cash streams) -- have you ever been trapped in one of their voice mail jails? Indeed, in 2000, the Federal Trade Commission fined the big three bureaus a total of $2.5 million for failing to have enough customer service staff to answer the phones and help their "customers." A few years later, in 2003, they fined just one of those three bureaus, one named Equifax, an additional $250,000 for violating that consent decree -- for its continued failure to answer the phones.

    In referring to the 2003 legislation known as the FACT Act (PIRG's FACT Act archive), which established annual free credit reports and other identity theft protections at the unacceptable price of permanent preemption of most state authority to regulate the industry, Chapman's written speech claims that "You should know that before this new legislation was ever considered, we provided credit reports, free of charge, to those denied credit, victims of id theft, welfare recipients and to the unemployed…that’s just responsible corporate citizenship…it wasn’t required, we just did it."

    Actually it was required. Since 1971, when the original act passed, Congress had required credit bureaus to provide free reports after credit denial. Since 1996, Congress had also required free reports to the indigent, the unemployed looking for work, and anyone who suspected fraud.

    Oh, according to published reports, Chapman did say in the speech, apparently in answers to questions, that we should move on from using Social Security Numbers as unique identifiers. That's a shocking statement from one of the bureaus and one we agree with. More to follow in this blog on the wrongheadedness of using SSNs to link all the bits and pieces of our financial, medical, workplace and other experiences together.

    Posted by Ed Mierzwinski at 05:58 PM | Comments (7)


    June 24, 2005

    State Freeze and Breach Law Summary Up On Web

    We've posted a State Security Freeze and Breach Laws page summarizing all the state successes in protecting privacy this year. We're watching Congress carefully for preemption threats to these state laws. Today, Connecticut Governor Rell signed breach and freeze legislation. Yesterday, on overwhelming votes, the New Jersey Assembly and Senate each passed what will become the nation's strongest security freeze law when it is signed very soon. Here's the NJPIRG release. Excerpt: The bill's marquee provision is the "security freeze", the right to control access to your credit report.

    If used, the security freeze prevents identity thieves from getting new credit in your name. "Other states have created security freezes that are expensive or difficult to use," said New Jersey PIRG Consumer Advocate Abigail Caplovitz, "so very few consumers choose to use the freeze. The freeze is like the lock on your front door; if you don't use it, it doesn't keep thieves out. There's no point in creating a freeze that people won't use. The legislature recognized that, and created the best, most consumer friendly security freeze in the country. All consumers are going to wish they were lucky enough to be New Jerseyans."

    Posted by Ed Mierzwinski at 12:04 PM | Comments (0)


    June 23, 2005

    Gone Phishing-- New Fact Sheet From AARP

    We often say: never ever click on an email link in any allegedly security-related email message that appears to be from your bank (or from E-Bay or anywhere you have an account).

    After all, your bank already knows your confidential information-- why would they contact you to ask about it? If you are worried that a security email or security phone call may be about a real problem -- hang up, or go offline, and call the number on the back of your credit or debit card-- that way, you know you are reaching the bank.

    The bad guys use "PH-ony" PHishing emails to take you to a page that may include a frame so the edge of the page actually is your bank's home page-- but the window where you give up your confidential data links to some hacker's computer, possibly in Russia. Neal Walters of the AARP Public Policy Institute has a new factsheet Gone Phishing, latest in his series on id theft and credit reporting issues.
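    The framing trick described above only works if the bank's server lets other sites put its pages inside a frame. Browsers refuse to render a framed page when the response carries a Content-Security-Policy frame-ancestors directive (or, failing that, an X-Frame-Options header) that does not list the embedding site. The following JavaScript is an added example, not code from this post, AARP or any bank: it models that browser decision so a site operator can check what a given set of response headers would allow. The origins bank.example and bank-example-security.invalid are constructed sample values, and port handling is simplified.

```javascript
// Added example (not from the PIRG post): would a browser render the bank's page
// inside a frame on another site, given the bank's response headers?
// Rules modelled: CSP frame-ancestors takes precedence; otherwise X-Frame-Options
// DENY/SAMEORIGIN; with neither header present, any site may frame the page.

// Headers a bank can send so that no other site may frame its pages.
const RECOMMENDED_HEADERS = {
  "content-security-policy": "frame-ancestors 'none'",
  "x-frame-options": "DENY",
};

// Parse "scheme://host[:port]" into parts; null for a malformed origin.
function parseOrigin(origin) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\d+))?$/i.exec(origin.trim());
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] || "" };
}

// Does one frame-ancestors source expression match the embedding origin?
// Supports *, 'self', a bare scheme ("https:"), and host expressions with an
// optional "*." wildcard, optional scheme and optional port (port rules simplified).
function sourceMatches(expr, framer, self) {
  expr = expr.toLowerCase();
  if (expr === "*") return true;
  if (expr === "'self'") {
    return framer.scheme === self.scheme && framer.host === self.host && framer.port === self.port;
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return framer.scheme === expr.slice(0, -1);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?$/.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme !== framer.scheme) return false;
  if (port && port !== "*" && port !== framer.port) return false;
  if (wildcard) return framer.host.endsWith("." + host);
  return framer.host === host;
}

// The frame-ancestors source list from a CSP header value, or null if absent.
function frameAncestors(csp) {
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

// Decide whether a page served from pageOrigin may be framed by a document
// served from framerOrigin, given the page's response headers (names are
// case-insensitive).
function framingAllowed(headers, pageOrigin, framerOrigin) {
  const self = parseOrigin(pageOrigin);
  const framer = parseOrigin(framerOrigin);
  if (!self || !framer) throw new Error("malformed origin");
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;

  // CSP frame-ancestors, when present, wins over X-Frame-Options.
  const csp = lower["content-security-policy"];
  const sources = csp ? frameAncestors(csp) : null;
  if (sources !== null) {
    if (sources.length === 0 || sources.some((s) => s.toLowerCase() === "'none'")) return false;
    return sources.some((s) => sourceMatches(s, framer, self));
  }

  const xfo = (lower["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return sourceMatches("'self'", framer, self);
  // No anti-framing header at all: a phishing page can wrap the real site.
  return true;
}

// Constructed sample: the bank's real home page and a look-alike phishing host.
const BANK = "https://bank.example";
const PHISH = "https://bank-example-security.invalid";

function demo() {
  return {
    unprotected: framingAllowed({}, BANK, PHISH),                 // true: framing works
    hardened: framingAllowed(RECOMMENDED_HEADERS, BANK, PHISH),  // false: frame refused
  };
}
```

    The check is most useful run against a site's real response headers: a result of true for an outside origin means the page can be wrapped exactly as the post describes, and the fix is to send the headers in RECOMMENDED_HEADERS.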

    Posted by Ed Mierzwinski at 11:14 AM | Comments (0)


    AP reports strong New Jersey freeze bill close to passage

    New Jersey's legislature could today enact the nation's toughest security freeze bill, giving consumers real control over their financial DNA, according to a story running on the AP wires. Find out more from New Jersey PIRG.

    The credit bureaus hate the security freeze, because it requires them to cede control of credit reports to consumers. Security freeze laws allow consumers to decide when new creditors may have access to their credit reports. A frozen credit report is one where new credit cannot be issued until it is "thawed" or "unfrozen." Conversely, the industry's touted defense is the "fraud alert," which can only be imposed by some consumers (either after fraud, or suspicion of fraud), may only last a short time, and won't totally prevent credit issuance. Bureaus and creditors attack the freeze laws because they claim freezes are clunky and slow instant credit offers, which would create hassles for the consumers who use them. Well, freezes create peace of mind for those consumers, too. Importantly, New Jersey's strong bill includes a performance standard requiring the bureaus to offer "instant thawing," a consumer-oriented counterpart to "instant credit." The New Jersey proposal would also provide for security breach notification and other protections.

    Posted by Ed Mierzwinski at 09:30 AM | Comments (0)


    June 22, 2005

    Big Security Breach--Next Steps Sound Bad

    Now that 50 million Americans or more have had their data lost, stolen or sold to thieves by sloppy corporations, you'd think Congress would be gearing up to protect consumers. You'd be wrong. With some exceptions, most of the latest bill drafts seem to be about weakening once-worthwhile proposals and preempting the visionary states where the landmark security breach and security freeze laws have been engineered over the last several years.

    Most of the draft bills flying around Capitol Hill look like they've been written with industry interests, not consumer protection, in mind. We're shocked, but not surprised. Just like water wants to flow downhill, Congress wants to legislate, even if it must rationalize passing a bill that makes us worse off than we were before. Don't forget, we're pretty well off now, since many companies are complying nationwide with California's strong disclosure law. Congress could act, but it doesn't need to.

    This week, bank, credit card company and other special interests are scurrying around the hill seeking to convince Senators on the powerful Judiciary Committee that any breach legislation must include loopholes and must also eviscerate state authority to enact stronger state laws, else they will oppose it. The same companies that offer us 50 different credit cards (or more) can't deal with 50 state laws? It isn't that they cannot, as they certainly can and can do so easily.

    Their goal is more strategic. They are using their whining about patchwork quilts and balkanization for two purposes: first, to enact a lowest-common-denominator (weak) federal bill and second to convince Congress to destroy our federal system by eliminating the ability of state legislatures to participate in the marketplace of public policy ideas. The best part of the federal system is that it is competitive-- there are many ideas to choose from. A system where Congress (along with a few uninspired, mostly captive and certainly unelected federal bureaucrats) comes up with all the ideas is not a good system of government to strive for. States have also demonstrated an ability to respond more quickly to new consumer problems.

    Even if balkanization mattered, and it doesn't, the only law the companies that lost our data would really need to deal with is the strongest one-- if they complied with that one, they'd have structural compliance with the rest. What the industry lobbyists are really trying to do is take the states out of the privacy policy and all other policy debates, completely. Such efforts should be opposed, and opposed strongly, by all members who value privacy, clean air, and fair, non-discriminatory lending, among other things.

    Posted by Ed Mierzwinski at 07:33 PM | Comments (0)


    June 20, 2005

    Big Security Breach

    Reporters and consumers are calling after the big (up to 40 million credit card and (don't forget!!) checking accounts) security breach reported by the third-party credit card processor Cardsystems Friday. When will the banks actually notify their customers if they are at risk? Probably not soon enough.

    The big question we have is this: how come the banks aren't talking about how many checking accounts are at risk because the fraud occurred with ATM debit cards switched through the credit card networks? It isn't only credit cards, and it is worse when it's debit cards. I am shocked that no story I’ve seen on the Cardsystems breach mentions that many of the transactions were likely debit card transactions, where fraud could occur in checking accounts. Even though your bank promises to limit your debit card liability to zero or $50, by law you could lose all the money in your account, and meantime you are fighting to get it back. Other checks could bounce. Other hassles could occur.

    The next question we get-- is this identity theft? Sort of, but not really. More precisely, it is merely credit card, or checking account, fraud. The bad guys got your account number, expiration date and your security code (from the back of the card or the stripe). They didn't get your Social Security Number, which is the key that unlocks your financial identity and allows them to open totally new accounts in your name. But fraud on this scale is bad enough. It can ruin your life, too.

    The next question and the one we keep getting asked: Will this keep happening? Yes. Until Congress gives consumers adequate control over their personal information – something at least 85%-90% or more of consumers want in every poll – and the right to enforce those rights in court, it will keep happening. Adequate control isn't merely breach notification. To some extent, we already have that, since California law is largely being enforced nationwide. We also need the right to control access to our credit reports through a security freeze. We also need the right to control the sale or sharing of our information. And we need the right to go to court to enforce our rights.

    But remember, breaches did not just start happening recently. We know more about them only because California’s security breach notification law took effect in 2004, and some companies, under pressure from other state Attorneys General, are complying with it nationally. Meanwhile, the state PIRGs are pushing our PIRG/CU Model Identity Theft Law to passage in numerous states.

    My view by the way is that this is actually your bank’s fault, even if Cardsystems dropped the ball. When your bank -- through its network -- decides to do business with Cardsystems, it has a responsibility to hold its subcontractor accountable. Banks can outsource labor, but not their responsibilities under the Gramm-Leach-Bliley Safeguards rule.

    Tips for consumers? (1) Review your checking and credit card statements regularly, including online if you have that capability, and certainly on the day you receive your statements, and dispute immediately, (2) never ever use your debit card on the Internet, only your credit card because it is better protected by law (here's our fact sheet on debit cards) and (3) if you get the breach notification letter from your bank, that’s when to worry about closing your account, not before.

    Next, fight PHISHING, on the web or phone: if someone calls you OR emails you and asks for confidential account related information as part of a security check, hang up or don't reply to the email. Either way, if you think it might be real, pull out your card, and call that number. Ask if there is a problem with your card. Think about it: if your bank, not some hacker in Russia, were calling you, they'd already know your information, wouldn't they?

    What does Congress need to do? First, upgrade the debit card laws - all plastic should have the same strong protections, but that upgrade is not even on Congressional radar. Second, Congress could adopt a security breach notification law nationwide. This has been proposed by, among others, Sen. Dianne Feinstein (CA) and separately, by Sens. Chuck Schumer (NY) and Bill Nelson (FL). Sen. Feinstein's latest bill, S 751, would preempt state breach laws and that preemption could pose risks to other state protections. It's a good bill on the merits of what else it does, except for this preemption, but that's enough reason it shouldn't become law. Congress should plain and simple get out of the business of eliminating state rights to protect their consumers better. (Expect to see a lot more posts on this blog about the laboratories of democracy and preserving stronger state laws.) S 768 (Schumer-Bill Nelson) would not eliminate stronger state laws. That bill also regulates data brokers such as Choicepoint, something else Congress should do. We have some material on the "unregulated parallel universe" of the data brokers at our Identity Theft pages. Congress should give consumers control of their information, as many states have done, through their enactment of the security freeze part of the PIRG/CU model Identity Theft law.

    What else should consumers do? Be ready to fight back when id theft hits. Even if you remove your Social Security Number from circulation by taking it off your checks, off your drivers license, and out of your wallet, and even if you are careful, you may at some point become a victim. If you see any signs of identity theft, go immediately to the FTC for help. Their first tip is this: make a call to any of the big 3 credit bureaus and ask for a fraud alert. They will tell the other two for you. They will send you more info.

    Finally, of course, what else should Congress do? Give consumers privacy rights, but don't take away the right of the states to protect their consumers better. Federal law should be a floor, not a ceiling. Without leadership from the states, Congress never acts. For more information, see PIRG's (anti) preemption web page.
    Ed

    Posted by Ed Mierzwinski at 06:07 PM | Comments (1)



  • 218 D. Street, SE Washington, DC 20003
    Phone (202) 546-9707