FCC Probes Selling of Cell Phone Records
By Arshad Mohammed
The Federal Communications Commission said yesterday that it is investigating the sale of private cell phone records, a move privacy advocates said was welcome but long overdue.
Numerous Web sites say they are able to provide records of incoming and outgoing cell phone calls, some for less than $100. While such records are routinely used by law enforcement agencies, experts warn that they can be exploited by criminals, such as stalkers or abusive spouses. The practice of using trickery to obtain the records from phone companies has been the subject of news reports for months.
FCC Chairman Kevin J. Martin disclosed the investigation in a Jan. 13 letter to Rep. Edward J. Markey (D-Mass.), and it drew wider notice after the FCC's two Democratic commissioners issued statements about it yesterday. "The commission . . . is very concerned about the availability and sale of such records, and is looking into the troublesome practices described in recent media reports," Martin wrote in the letter, which was released by Markey's office.
The FCC's enforcement bureau is investigating how companies obtained such records and whether phone companies had not followed rules designed to prevent such information from getting into the wrong hands, Martin said.
Experts say such records are sometimes obtained by people who impersonate cell phone customers and dupe their wireless providers into releasing the data despite safeguards designed to prevent this. The use of fraud to obtain such information is subject to the jurisdiction of the Federal Trade Commission, which told Markey in a separate letter that it had brought cases against firms that sell such information but would not comment on any current investigations. "Finding out who people are calling and for how long can be like picking someone's brain about their friends, plans or business dealings," FCC Commissioner Jonathan S. Adelstein said in a written statement.
Marc Rotenberg, executive director of the Electronic Privacy Information Center nonprofit group, called the FCC's action "overdue." "Clearly there is a problem with the failure to provide adequate privacy safeguards," he said. "The FCC is late to the issue, but it's a good thing that they are now focused on the need to change practices."
Data Protection - a Neglected Fundamental Right
A month ago, the daily newspaper "The New York Times" revealed that the American Treasury Department and the CIA, under the banner of fighting terrorism, had for years monitored the financial flows of the bank clearing house Swift in Belgium. Some eleven million payment orders for international money transfers are processed there every day, including ones from Switzerland. The Swiss National Bank, the Federal Banking Commission and the Federal Department of Finance knew of this practice, but the bank customers, the great majority of whom are beyond reproach, did not.
At the Swiss health insurer CSS, 150 employees are said to have had access to patient data held by the insurer's medical examiners that were not meant for their eyes. The Federal Data Protection Commissioner and the Federal Office of Public Health are currently investigating whether the Data Protection Act and professional secrecy were violated in this case. And the Federal Data Protection Commission has just found sharp words: the duty of the state security services to provide information to unregistered citizens is regulated in a way that is "irrational and contrary to its purpose". Anyone who wants to see their file is fobbed off with a "meaningless, indeed confusing" notice. The fundamental rights laid down in the Federal Constitution and the European Convention on Human Rights are being violated, it said. The legislature must amend the relevant provisions.
One could easily add dozens of further cases of questionable handling of personal data and financial information. The activity reports of the federal and cantonal data protection commissioners, published in recent days, are full of them, and a number of foreign civil rights movements report continually on unwanted intrusions into the private sphere.
The examples show above all that the individual hardly knows any more where the data concerning him are stored, who has access to them, what they are used for, and whether and to whom they may be passed on. Often this ignorance does no harm. The storage and disclosure of personal data is not objectionable per se. On the contrary: uncomplicated handling of data streamlines administrative processes, enables customer-oriented services and lowers costs. Moreover, access by third parties, even to sensitive personal data, is desirable in order to carry out necessary checks, whether in policing or in health care. The functioning of the economy and the state depends crucially on trouble-free data processing.
That is precisely why data protection officials do not always enjoy the best reputation. They are accused of wanting to hamper police work with excessive requirements or of putting unnecessary obstacles in the way of business, for instance when it comes to obliging companies to inform customers about data processing. The revision of the Data Protection Act completed in March bore witness to this. The few requirements that were to fall on business met with little understanding among the centre-right parties and were mostly rejected.
The less than cordial relationship between data protection and business has shaped the debate since efforts to create a data protection law began in the 1970s. It was accordingly mainly left-wing parliamentarians who had pushed the legislation forward. After long haggling, a Data Protection Act came into force in 1993 that both centre-right business circles and left-wing politicians could agree to. But the possibilities that communications technology offers for data processing have expanded greatly since then, and there is no end to progress. With that, the demands also change on a data protection regime that not only carries protection in its name but is also capable of providing it.
A LIBERAL FUNDAMENTAL RIGHT
In adapting data protection, it is not enough to look only at possible abuses. If one wants to grasp the significance of data protection, one must therefore not be guided by the unfortunate wording in the new Federal Constitution. It states merely that every person has a "right to protection against misuse of their personal data". The idea of data protection, however, reaches much further: it is part of personal liberty. And that is exactly where a centre-right liberal data protection policy must start.
Data protection encompasses the so-called right to informational self-determination. Behind the ungainly legal jargon lies a liberal fundamental right: everyone should decide for themselves to whom and for what reasons they reveal personal matters, be they life data, thoughts or feelings. Everyone has a right to privacy that one may defend and that entitles one to demand to see the data collections concerning oneself. But informational self-determination also means that everyone should be free to expose their identity publicly, for instance on the Internet, where this happens thousands of times a day. What is decisive is that interference with this right, particularly by the state, constitutes a restriction of a fundamental right and must therefore be justified accordingly.
Standing up for this right is a quintessentially liberal concern. Unfortunately, however, one senses hardly any such commitment on the part of the centre-right parties; most data protection initiatives, sensible or not, come from the left-green camp. The reservation about data protection, fed by economic concerns, has clouded the liberal forces' view of the fundamental right underlying it. This can lead, for instance, to the desires of the state security services being met all too uncritically. So far one misses words of warning from centre-right politicians about the revision of the law on internal security. Even after a first version, completely untenable from a liberal point of view, has been reworked several times, the present draft still goes very far as regards preventive surveillance of the private sphere.
A LOBBY IS MISSING
In such cases the lack of a centre-right liberal lobby for data protection, or more broadly for the defence of privacy, makes itself felt. Individual voices mostly go unheard. In Germany this is different. The German FDP professes that "data protection is above all a protection of civil rights", and in doing so it hits the heart of the matter. In Switzerland, by contrast, the centre-right parties have largely given the subject of "data protection" away to the left (the exception being the commitment to banking secrecy).
Symptomatic of this is Switzerland's "highest" data protection official, the Federal Data Protection Commissioner, Hanspeter Thür, a former National Councillor for the Greens and in his younger years a member of the left-opposition Poch. Thür regularly points out that, in the area of security too, new law need only be created when adequate laws are lacking and not when it is merely their enforcement that is deficient. Why does one not hear this more often from the mouths of centre-right politicians?
It is time for the centre-right liberals to reclaim data protection and thereby show themselves to be credible defenders of personal liberty in its comprehensive sense. There are opportunities enough: besides the revision of state security law, the measures against hooliganism also cause more than a frown from a data protection point of view. Fundamental rights are not simply given by a constitution. They must be constantly defended, even in a country like Switzerland, whose liberties seem secure.
U.S., E.U. Miss Deadline on Data-Sharing Agreement
By Ellen Nakashima
The United States and the European Union failed to meet a Saturday deadline to conclude a permanent new agreement on the sharing of airline passenger data, an issue that has raised serious privacy concerns in Europe. But both sides said talks will continue and flights will not be affected.
In the aftermath of the Sept. 11, 2001, terrorist attacks, the U.S. government began requiring all airlines flying to the United States to share passenger data, such as name, address and credit card information, with Customs and Border Protection.
The European Court of Justice, the highest European court, annulled the deal on a technicality in May but gave the E.U. and the United States until yesterday to replace it.
Homeland Security Department Secretary Michael Chertoff on Saturday said in a statement that he had initialed a draft formal agreement that "ensures the appropriate security information will be exchanged and counter-terrorism information collected by the department will be shared, as necessary, with other federal counter-terrorism agencies."
Under the post-Sept. 11 data-sharing agreement, Europe allowed the United States to keep the data for up to 3 1/2 years, but the United States wants to be able to hold onto the information longer. Europe also allowed the United States to share the data, part of a database called the Passenger Name Record, with other U.S. counterterror agencies on a restricted, case-by-case basis. The United States wants to be able to share the data more liberally.
The United States has said it could take steps, including fining airlines $6,000 per passenger or revoking landing rights, if data are not turned over.
Chertoff told the Associated Press that he had been assured the United States would continue to receive data from European airlines and that he did not think the airlines would be penalized by their home governments.
Telmo Baltazar, counselor to the E.U. delegation, said there was no final deal reached yesterday because E.U. negotiators said they needed to consult with E.U. authorities, according to the Associated Press.
The talks have broken down before, and the struggle to reach an agreement underscores the difficulty in reconciling the U.S. government's growing appetite for information in a post-Sept. 11 world with other countries' desires to protect their sovereignty and their citizens' privacy, analysts said.
"You have a situation where the United States is increasingly data-hungry, even though it has no idea what it wants to do with this data, and the European Union is increasingly waking up to its obligations under its founding principles, including data protection and privacy," said Gus Hosein, a senior fellow with Privacy International in London.
David Sobel, senior counsel of the Electronic Frontier Foundation, a privacy organization, said that since Sept. 11, the U.S. government has put an emphasis on the collection of passenger data and has "generally ignored the serious privacy issues that arise both under E.U. law and domestic law."
"The problems that the Department of Homeland Security has encountered internationally are similar with respect to the privacy concerns that have hampered the development of domestic systems," Sobel said.
The United States requires all airlines flying to the country to submit data. The European Union objected because it has stronger data-protection laws than many nations, including the United States.
The dispute could easily have been resolved if the United States had adopted privacy protection for passenger reservation data that satisfied the European standards, said Edward Hasbrouck, an expert on travel data privacy in San Francisco. The standards include giving the person whose data is shared the right to have access to and to review the data and putting limits on its use and on its retention.
Keeping Your Enemies Close
By GARY RIVLIN, Alpharetta, Ga.
IF you found yourself running a company suddenly branded one of the most reviled in the country — if, for example, you noticed that visitors to Consumerist.com, a heavily visited consumer Web site, voted yours as the second “worst company in America” and you had just been awarded the 2005 “Lifetime Menace Award” by the human rights group Privacy International — you might feel obliged to take extraordinary steps. You might even want to reach out to your most vocal critics and ask them, “What are we doing wrong?”
So it was in early 2005 that Douglas C. Curling, the president of ChoicePoint, a giant data broker that maintains digital dossiers on nearly every adult in the United States, courted two critics whom he had accused just months earlier of starting “yet another inaccurate, misdirected and misleading attack” on his company.
Mr. Curling also contacted others who had spent years calling for laws requiring better safeguarding of personal information that ChoicePoint and other data brokers assemble — records such as Social Security numbers, birth dates, driver’s license numbers, license plate numbers, spouse names, maiden names, addresses, criminal records, civil judgments and the purchase price of every parcel of property a person has ever owned.
“It was sort of like when I talk with my wife when she’s not happy with me,” Mr. Curling said of his dealings with some of ChoicePoint’s harshest critics. “It’s not exactly a dialogue I look forward to, but I can’t deny it’s important.” He also could not deny his motivations for engaging in these conversations: in the public’s mind, ChoicePoint had come to symbolize the cavalier manner in which corporations handled confidential data about consumers.
In January, the Federal Trade Commission hit ChoicePoint with a $10 million fine, the largest civil penalty in the agency’s history, for security and record-handling procedures that violated the rights of consumers. Under the settlement, it also required ChoicePoint to set aside an additional $5 million to help those suffering financial harm because of its failure to provide adequate safeguards against data breaches.
But the financial penalties were nothing compared to the rehabilitation project confronting this hitherto invisible player in the global marketplace.
For years, ChoicePoint’s top management had assured the world that it carefully protected its databases from intruders: Our systems are bulletproof. Intruder-proof. Believe us.
But then, in February 2005, the company had to acknowledge that it had focused so intently on preventing hackers from gaining access to its computers through digital back doors that it had simply overlooked real-world con artists strolling unnoticed through the front door.
Ultimately, ChoicePoint found that in 2005 alone, more than 40 phony businesses — thieves masquerading as bill collectors, private investigators, insurance agents and the like — had opened accounts that gave them unfettered, round-the-clock access to the vital data ChoicePoint maintains. And, suddenly, the same privacy advocates that ChoicePoint had generally cast as shrill and ill-informed — a group that those inside the F.T.C. sometimes refer to as the “privacy posse” — proved crucial to its plans to both shore up its security and tend to its tattered image.
“I have to give them a lot of credit,” said Daniel J. Solove, a posse member in good standing who had long been counted as one of ChoicePoint’s most persistent critics. Mr. Solove, an associate professor at the George Washington University Law School, is among those whom ChoicePoint contacted shortly after its public relations debacle crested. “ChoicePoint had the attitude: ‘We want to make our privacy practices exemplary,’ ” Mr. Solove said. “They wanted to find out what kinds of things they could do better and get feedback about some of the ideas they were thinking about.”
For ChoicePoint, said James Lee, the company’s chief marketing officer, the entire episode has proved an important learning experience. “The reality is, we were never as evil as people thought we were,” Mr. Lee said, “but we were never as good as we thought we were.”
Inside ChoicePoint, situated in a leafy office park in this suburb north of Atlanta, employees whistle with wonder over the talents of the various con artists — or “fraudsters,” as company executives tend to call them — who finessed their way into their systems. According to the company, the fraudsters were wise enough to secure business licenses, thereby lending them a patina of legitimacy. They knew precisely what to write on their applications to convince ChoicePoint that their credentials made them fit for access to its databases.
“These guys were more sophisticated than anyone thought,” Mr. Lee said, echoing the sentiment of many inside the company.
But the F.T.C. seemed to reach the opposite conclusion in a 33-page report it released earlier this year, after it completed an investigation of ChoicePoint. The commission found that ChoicePoint ignored “obvious red flags” because the company “did not have reasonable procedures to screen prospective subscribers.” The report cast ChoicePoint’s criminal interlopers as sloppy and amateurish — but ultimately successful because their prey, a major company in the business of handling sensitive information, was alarmingly lax in its protection of its data repositories.
Signs that it was amateur hour inside ChoicePoint abounded, according to the F.T.C. report. The fraudsters faxed applications to ChoicePoint from a neighborhood Kinko’s, listed post office boxes as primary business addresses and offered cellphone numbers as sole telephone contacts — which no one at ChoicePoint ever bothered to call anyway to establish the numbers’ legitimacy. In at least one case, an approved applicant failed even to provide a last name, the F.T.C. found.
As ChoicePoint executives say, the fraudsters sometimes took the trouble to register their businesses with the state — but those documents should have set off alarms rather than justify the granting of an account.
The F.T.C. found that ChoicePoint accepted articles of incorporation that had been suspended or had expired, and “tax registration materials that showed that the business’ registration was canceled.” Then there were the contradictory addresses in the submitted documents — discrepancies that ChoicePoint employees accepted “without conducting further inquiry to resolve the contradiction,” according to the commission’s report.
“It was a well-known fact back then that ChoicePoint would do business pretty much with anyone who came along,” said Robert Douglas, an information security consultant and editor of PrivacyToday who has done consulting work for ChoicePoint for several years. “They were making all the right noises about security but there wasn’t any follow-through to back up their words.”
Inside ChoicePoint, they like to say that the company is in the business of helping customers make informed decisions about whom they can trust. Insurance companies and banks use its databases to help them decide who is a good credit risk and who is not. ChoicePoint sells its services to employers screening new hires, to landlords running background checks on new tenants, and to the 7,000 law-enforcement agencies and governments worldwide that the company counts as clients. Other customers include bill collectors, private investigators and media outlets, including The New York Times.
Yet a company with the snappy motto — “smarter decisions, safer world” — failed to use its resources to assess and then protect itself from some of its own customers. In some cases, the F.T.C. found, individuals were granted accounts “notwithstanding the fact that ChoicePoint’s own internal reports on the applicant linked him or her to possible fraud.” The company continued to furnish consumer reports to customers, the commission said, “even after receiving subpoenas from law enforcement authorities between 2001 and 2005 alerting it to fraudulent accounts.”
Finally, in September 2004, ChoicePoint began to recognize that it had a major problem on its hands, when an employee in the company’s new-accounts office realized that someone in the Los Angeles area, a Nigerian, was trying to set up multiple accounts, each time in the name of a different business. The employee recognized the Nigerian’s voice and alerted the company’s security department, which in turn notified the local police. Although weeks would pass before senior executives learned of the troubling transactions with the Nigerian, the unfolding scam — and others like it — opened the eyes of outsiders to dangerous security lapses inside the company.
“I can assure you that now we learn immediately about this kind of problem,” said ChoicePoint’s chief executive, Derick V. Smith.
CHOICEPOINT was created in 1997 when Equifax, one of the big three credit reporting agencies — the others are TransUnion and Experian — spun off one of its divisions. Back then, the unit that would become ChoicePoint was involved in the labor-intensive and barely profitable business of maintaining claims histories on behalf of insurance companies. It also administered physicals, drug tests and the like for clients. Mr. Smith and Mr. Curling, who together ran what was then called the Insurance Services Group, foresaw a promising market in peddling data about individuals to a wider group of customers, and they convinced higher-ups that their unit should venture off on its own.
Since then, ChoicePoint has acquired more than 70 smaller companies and bought whatever databases it could get its hands on, including motor-vehicle reports from counties around the country, police records, property records, birth and death certificates, marriage and divorce decrees and criminal and civil court filings. These records had long been publicly available, but automation and superfast computers meant that comprehensive data dossiers could be assembled in seconds.
“It used to be that a business would have to go to 10 or 20 different vendors to get the same information that ChoicePoint sells in a single report,” said Chris Jay Hoofnagle, a senior researcher at the Boalt Hall School of Law at the University of California, Berkeley, and a privacy advocate.
That approach has certainly proved lucrative. The company’s stock price has quadrupled in nine years, and its revenue has, too, topping $1 billion in 2005. That growth has come despite stiff competition from two other companies of similar size that market background information about ordinary Americans: Acxiom, a publicly traded company based in Little Rock, Ark., and the LexisNexis Group, a division of Reed Elsevier. Many smaller companies are also in the business.
ChoicePoint sees itself as playing an essential, if not noble, role in the information economy. It has — at a reduced rate — helped nonprofits working with children identify registered sex offenders who applied for jobs, and it has provided the data that allowed the police to track down hundreds of missing children. Mr. Curling and others inside ChoicePoint argue that if there were no data brokers, home loans would take that much longer to secure and insurance rates would be based not on a person’s driving record but on broad demographic categories, such as age and gender. Sure, breaches have been a problem, but theirs is still a young industry, ChoicePoint executives say.
“It takes time to establish best practices,” Mr. Smith said.
It also took a state law. The data thieves who conned their way into ChoicePoint’s system downloaded information about at least 166,000 individuals. In years past, the company would alert law enforcement officials when it suffered a data breach, according to Mr. Lee, and leave it at that. But under a California disclosure law passed in 2003, the company was required to notify every Californian whose personal details might have fallen into criminal hands.
“No one knows for sure, and no one can say, how many breaches occurred before California,” Mr. Hoofnagle said. “This is a ‘known unknown,’ as Donald Rumsfeld would say.”
RATHER than send letters only to the 42,000 Californians whose records had been downloaded by the fraudsters, ChoicePoint mailed a notice to all affected consumers, telling them that their personal information might have fallen into the hands of identity thieves. Critics chided ChoicePoint for waiting about five weeks to contact consumers, but the company said it first needed to set up and staff a call center to handle the anticipated deluge of complaints.
“We knew that in all likelihood the first time that they were ever going to hear of ChoicePoint was in this letter,” Mr. Lee said.
That would hardly be the last they would hear of ChoicePoint, however. Over the coming months, a long list of corporations and governmental agencies took their turn in the spotlight after they were obliged to acknowledge fumbling people’s personal data: LexisNexis, Bank of America, Time Warner, Boeing, the Department of Veterans Affairs. And with each new breach, media accounts invariably mentioned the company whose breach had spurred a great awakening about the vulnerability of every individual’s personal data — even if that company, ChoicePoint, had nothing to do with the other companies’ woes.
Privacy critics were initially dubious when ChoicePoint contacted them in the wake of its February 2005 announcement. “Most gave us the Heisman,” said Mr. Lee, who held out his forearm like a running back pushing away a would-be tackler to demonstrate his point. Yet, over time, most though not all of the privacy posse would agree to meet with Mr. Curling and other ChoicePoint executives, and walk away impressed by what they heard and saw.
That would include Professor Solove at George Washington (“They’ve implemented quite a number of measures to protect privacy”), Chris Hoofnagle at Berkeley (“ChoicePoint now has model security practices”) and Beth Givens, director of the Privacy Rights Clearinghouse, a consumer advocacy group based in San Diego (“They’ve put in place practices that I wish all the data brokers would adopt”).
Senator Charles E. Schumer, Democrat of New York, became an honorary member of the privacy posse when he declared the F.T.C. overly lenient for levying only a $10 million fine against ChoicePoint. But he, too, has changed his tune.
“I was worried that a fine would be seen as the cost of doing business,” Mr. Schumer said in an interview. “But I have to say, ChoicePoint has become a model company.”
Even Marc Rotenberg, a privacy posse member who refused to meet privately with Mr. Curling or anyone from ChoicePoint out of concern that doing so would undermine his credibility, begrudgingly gave ChoicePoint some praise. “While I’m prepared to give them credit for a series of positive steps, I don’t think it would be accurate to say that they got to this position on their own,” said Mr. Rotenberg, the executive director of the Electronic Privacy Information Center, a privacy rights group in Washington. “It took a lot of work by EPIC and other organizations.”
When ChoicePoint started its makeover campaign, it first offered to rain down freebies on possible victims of identity theft, a protocol that others would follow. It invited them to join a credit monitoring service at no charge for one year, and provided them with free reports from the big three credit bureaus. To actual victims of identity theft, it offered its expertise to help correct the problem.
The company also gave a $1 million, four-year grant to the Identity Theft Resource Center, a nonprofit group in San Diego.
ChoicePoint then overhauled its security measures, a move that began with the hiring of Carol A. DiBattiste, who ultimately would fill the new position of chief privacy officer. Ms. DiBattiste is a no-nonsense lawyer whose résumé includes 20 years in the Air Force and turns as an assistant United States attorney. To send the message that both security and privacy were a priority, Ms. DiBattiste was named the company’s general counsel one year into her tenure.
Over the years, ChoicePoint had done a modest but lucrative business working with private investigators and other smaller enterprises. Shortly after its February 2005 announcement, the company said that it would no longer provide full Social Security numbers, birth dates or other sensitive information to these customers — data that Ms. DiBattiste called “keys to the castle.”
That decision, Mr. Curling said, cost the company $15 million to $20 million last year. But inside ChoicePoint, executives saw that this small sliver of business threatened its overall reputation.
Until 2005, ChoicePoint had left credentialing to people in individual business units. It now has a centralized credentialing department. “The salespeople play no role in credentialing anymore,” said Ms. DiBattiste, who deployed dozens of people to take on the painstaking chore of recredentialing every client that was not either a law-enforcement agency or a public company. ChoicePoint had 120,000 accounts before February 2005; it now has 104,000.
It also performs random audits of its customers, to ensure that they are conducting searches appropriate for their type of business, and it uses its computer systems to monitor accounts for suspicious activity.
“We look for any anomalies,” said Darryl Lemecha, the company’s chief information officer. “So if we see a 50-person company that typically does a background check like once a month suddenly do 20 in one day, we lock down that account so we can investigate.”
ChoicePoint has endured roughly 100 outside audits, most of them conducted by long-term corporate customers, “and we passed them all,” Ms. DiBattiste said. As part of its settlement, ChoicePoint agreed to submit to an F.T.C. audit every other year for the next 20 years.
It is not yet clear how many people were actually harmed by ChoicePoint’s negligence. ChoicePoint says it knows of only 46 people who have been defrauded because of its data breach. But law enforcement officials have identified at least 800 people who have been identity theft victims because of ChoicePoint’s missteps, said Betsy Broder, an assistant director at the privacy and identity protection unit of the F.T.C. But, she said, that number could rise.
“If data was stolen,” Ms. Broder said, “nothing prevents the thieves from holding on to it for a period of time and using it perhaps when consumers let down their guard, or when the alert on their credit expires.”
ChoicePoint also set up a Web site for consumers who, at no cost, want to check and challenge possible inaccuracies in their dossiers (www.choicetrust.com). “It’s hard to overstate the significance of this,” Ms. Givens said. “This is an important step forward in moving us to transparency.”
Whether other companies follow suit remains to be seen. Michael Dores, founder of Merlin Information Services, a ChoicePoint competitor based in Kalispell, Mont., said he would offer free consumer reviews of its dossiers — but the cost, he said, “would put me out of business.”
Still, Mr. Dores said, ChoicePoint’s own woes have had a big impact on Merlin, whose customers tend to be smaller businesspeople like debt collectors and private investigators. Like ChoicePoint, Merlin was fooled into providing an account to a fraudster.
So the company has recredentialed all its customers, Mr. Dores said, and created a new two-person compliance department. He said that Merlin now gives detailed personal data only to a small fraction of those to whom it provided such sensitive information in the past, much to the chagrin of many longtime customers.
Mr. Dores said he felt that he had no choice but to put these changes into effect, because “the Federal Trade Commission is in a bad mood over this stuff.”
Members of the privacy posse still have their complaints about ChoicePoint. Roughly 60 percent of its business falls under the Fair Credit Reporting Act, which regulates the collection and use of consumer credit information. But to Mr. Hoofnagle and other privacy advocates, that is not enough. “If I had a magic wand I would make all of ChoicePoint’s data fall under the Fair Credit Reporting Act,” Mr. Hoofnagle said.
Even so, those who previously reserved most of their criticisms for ChoicePoint now aim their harshest words at some of its competitors. The same private investigators and others who formerly obtained Social Security numbers from ChoicePoint and Merlin are now simply seeking the services of other data brokers — companies such as Tracers Information Specialists of Spring Hills, Fla.
Yet Terry Kilburn, the chief operating officer of Tracers, said he was not worried about the hazards of providing such sensitive information. “We weren’t the ones who were breached,” Mr. Kilburn said. “Our security and compliance are strong, and so we are choosing to continue to do business the way we always have.”
In Washington, legislators have proposed more than 20 bills to monitor data brokers more closely. According to Senator Schumer, ChoicePoint — in contrast to other large data brokers — has supported legislation he has proposed that would establish stricter security standards for any entity handling sensitive personal information.
“ChoicePoint, to its credit, got right behind our legislation and lobbied for it,” Senator Schumer said. But the bill, which he and Senator Bill Nelson, Democrat of Florida, introduced in April 2005, has not passed, he said, “because a lot of other companies, quietly and behind the scenes, killed it.”
New Guidelines Do Little to Protect Established Rights, White House Board Told
By Ellen Nakashima
The Bush administration's new privacy guidelines fail to protect the rights of Americans, and the board created to guarantee those rights lacks the independence to do the job, civil libertarians told the White House privacy board yesterday at its first public forum. The guidelines, released Monday, are intended to protect the personal privacy and civil liberties of U.S. citizens as the government attempts to strengthen its intelligence-sharing to fight terrorism.
But, said privacy advocate Marc Rotenberg, the guidelines pale in comparison to protections offered under the Privacy Act of 1974. "What struck me about the guidelines when compared with the federal privacy act was the absence of transparency, the absence of oversight and the inability for individuals to know what information about them is being collected by the federal government," said Rotenberg, executive director of the Electronic Privacy Information Center. Rotenberg was one of 10 panelists yesterday at a forum held by the White House Privacy and Civil Liberties Oversight Board, a panel created by Congress in 2004.
The new guidelines, issued by the Office of the Director of National Intelligence, direct agencies to develop procedures to ensure that information on "U.S. persons" is lawfully obtained, is shared only if it relates to terrorism or law enforcement, and that data errors are corrected. They do not require the people affected to be notified. James Dempsey, a member of a Markle Foundation task force on privacy, said the guidelines lack substance and specificity. They do not address data-collection standards or set up appropriate redress mechanisms for people erroneously targeted in counterterrorism programs, he said.
Democrats, about to take control of Congress, have promised stronger oversight over the Bush administration's terrorism surveillance program and its push for stronger data-mining programs to identify terrorists. The five-member privacy board, which started work in March, lacks subpoena power and has only four full-time staff members. President Bush appointed all five members, four of whom are Republicans, including Theodore B. Olson, the administration's former solicitor general. "What we have established here is an oversight mechanism within the executive branch of government," Rotenberg said at the forum at Georgetown University. "To be effective, the agency has to be independent because even well-intended people seeking to protect privacy will necessarily be under institutional pressure to move in the direction the . . . institution wishes it to go."
Caroline Frederickson, legislative director of the American Civil Liberties Union, said the board lacked any power to change policies on crucial issues such as citizen redress on terrorist and criminal watch lists. "It's all bark and no bite," she said. Frederickson called on Congress to give the board subpoena power and remove it from the executive branch. She also urged the board to be more aggressive in reviewing the government's surveillance program, which she said violates the Constitution.
Alexander W. Joel, the civil liberties and protection officer for the Office of the Director of National Intelligence, said the 1974 Privacy Act is "an important foundation" and will continue to be. "We have to be both safe and free," Joel said. "How do we do both? Sometimes by not doing as much on one side. Sometimes it's by adding work on the privacy and civil liberties side."
Board members, including Chairman Carole E. Dinkins, noted that the panel has visited the major agencies combating terrorism and met with senior officials, including the directors of national intelligence, the FBI and the National Security Agency. They received good cooperation and their questions were answered, board members said. "We want to do this job conscientiously, and we're going to continue," Olson said. Lanny J. Davis, the board's only Democrat, said he was puzzled about why Congress had placed what was supposed to be an independent oversight board under the president. "That's an open question that none of us up here have been able to quite figure out," he said.
Air Passenger Data Program Concerns European Officials
By Ellen Nakashima
European officials yesterday joined the chorus of concern over a U.S. screening program that creates risk profiles for every air traveler entering or leaving the United States, and sought assurances that the system does not violate European privacy rights.
The European Commission sent a letter to the United States requesting confirmation that air passenger data shared with the United States are in accordance with a U.S.-European Union agreement signed in October, commission Vice President Franco Frattini told the European Parliament.
"I have always taken the position that travelers must be informed when their . . . data may be transferred to competent authorities of third countries," Frattini said.
At issue is the Automated Targeting System, a computerized screening program in which U.S. Customs and Border Protection personnel make risk assessments on air cargo and passengers entering and leaving the country. The system allows authorities to retain the data for 40 years, with a goal of eventually making risk assessments on all travelers to and from the United States.
International air travelers have been profiled for about 10 years, Customs officials said, but that was not widely known until the passenger profiling system was described last month in a notice in the Federal Register.
Concerns quickly emerged on both sides of the Atlantic. U.S. privacy advocates charged that the profiling infringes on the privacy rights of U.S. citizens, a concern that Europeans are echoing.
Sophie in't Veld, a Dutch member of the European Parliament, said this month that passengers are not told their travel data are recorded and made accessible to a wide range of agencies. "We cannot accept this excessive appetite for personal data without any kind of protection against mistakes and abuse by public authorities," she said.
In October, the E.U. and the United States renegotiated an agreement on passenger data that gave U.S. law enforcement agencies slightly more access to the data but set limits on its retention and sharing among agencies.
Jarrod Agen, a spokesman for the Department of Homeland Security, which includes the Customs agency, said that Customs is abiding by the October agreement, including a provision that data about passengers arriving from Europe be held for only 3 1/2 years.
Staff researcher Richard Drezen contributed to this report.