Data Firm Deal Won't Protect Your Privacy
I finally found out the truth about my wife. Along the way, I also found out the truth about the ever-expanding data-collection industry, which has detailed files of personal information on tens of millions of Americans. In response to a recent public flap about the availability of Social Security numbers on the Internet, 14 of the nation's top data companies recently promised to keep personal data out of the hands of prying cybersnoops. It's a promise they will not able to keep. With a little bit of effort and a few bucks to spend, I was able to pry quite easily into the personal affairs of someone I know quite well -- my wife -- and of someone I don't know at all: namely, Sandy Berger, Director of President Clinton's National Security Council (NSC).If a prominent, powerful person like Sandy Berger can have his privacy invaded, how safe are the rest of us? Answer: not very. The personal data I dug up on my wife wasn't anything I didn't know already. It's the kind of thing I could have checked easily by opening her top desk drawer: her social security number, her driver's license number, her address, her date of birth, who her neighbors are. What's unnerving is that any unscrupulous busy-body with 28 bucks and a modem could surf the internet for the same secrets.Who's peeking in your drawers? I'm a bit queasy about the prospect of someone peeking, so to speak, into my wife's drawers. But aside from offending my sense of propriety, such easy info-access raises the specter of a dangerous phenomenon: identity theft. Armed with the information listed above, a thief could potentially acquire bank accounts, credit cards, and utilities accounts in my wife's name. The thief could ruin her credit rating and ensnare her (and me!) in endless court battles.One Journalist's On-Line JourneyAfter writing about this new breed of cyber-crime in last month's ScamWatch column (NNR, January 1998, p.16), I decided to find out just how simple it could be to capture someone's identifying numbers by surfing the net. A search of investigative services on Yahoo (a popular internet search engine) led me to a multitude of credit-report agencies, database managers, and, surprisingly, sites for singles. Checkmate, a service of Infotel Corporation, is a computer site that allows you to do just that: check your mate. The idea is that, after a pleasant first date, you can use Checkmate's services to find out if your potential beau is a Norman Rockwell or a Norman Bates. Infotel, it turns out, has not signed up to participate in the data collection industry's voluntary plan to restrict access to personal information about private citizens. Their policy is to sell information to whoever pays for it, no questions asked. I filled out Checkmate's on-line form requesting "level one" checks on my wife and for NSC chief Samuel R. "Sandy" Berger. I figured that if I could download sensitive data about the man in charge of our nation's security, I could probably get information about anyone. The level one check promised the info described above along with household income, valuation of residence, and a list of household members. The fact that sensitive information was being divulged was never mentioned at Checkmate's web site. And unlike other services, their order form contained no warning about how I could legally make use of the information they provided.I later touched base with Arthur Frank of Infotel, who hotly defended his service. "The basis we go on," he told me, "is that this information was once private and the person that owns it gave it out freely somewhere along the line and made it public."Frank's theory, apparently, is that if you've ever put your Social Security number on a credit card application, you have made the information "public" and the credit card firm then has the right to sell your personal data to whoever it pleases. "As long as it's public information," says Frank, "the public has the right to access to it. That's the way this country has become great."But I didn't feel so great when fourteen pages of information about my "targets" came rolling off my fax machine. Not all the info they promised on my wife was there, but what there was -- i.d. numbers, past addresses, neighbor's phone numbers -- was dead-on accurate. As for Mr. Berger, the personal history of Bill Clinton's close buddy and top advisor was equally easy to access. Through press material, I was able to determine that the Infotel Corporation had correctly reported his birth date (October 28, 1945) and his address in Washington, DC. They also told me his driver's license number and a list of his neighbors and their addresses and phone numbers. And they let me in on a curious fact: according to Checkmate's databases, Sandy Berger has three Soc-ial Security numbers, issued in New York, California, and Florida between 1962 and 1965. P.J.Crowley, a spokesperson for the National Security Council, tried to ask Berger directly about this data discrepancy, but was unable to get in touch with him in time for our deadline. But the facts of Berger's background, Crowley told me, suggest that Checkmate didn't really check its facts before they sold us a report on "Samuel R. Berger." "Between 1962 and 1965, Mr. Berger would have been in high school in New York," Crowley told us, "and then matriculating from Cornell [University in Ithaca, New York.] So I think that adds additional credence to the theory that there is some spurious information on that report."Maybe Sandy Berger picked up an extra identity during his teen years in order to facilitate later undercover missions in remote parts of the globe. But it's more likely that Checkmate has somehow merged the personal files of three different people named Samuel R. Berger. Which goes to show just how insecure even the head of our nation's Security Council can be in the information age. If one of those other Samuel Bergers turns out to be a deadbeat dad, or defaults on a loan, the NSC's Berger could get blamed. Identity mistakes can be just as much of a headache as identity thefts. And as long as companies like Infotel are around to sell their services, these headaches appear to have become a permanent part of modern life. "I don't have any problem," says Arthur Frank, "giving out stuff the owner has already made public himself."Sidebar OneHow a Cybersnoop Can Outsmart the Information Industry When the nation's leading data collection companies announced a "self-regulatory" plan to protect consumer privacy in mid-December, their effort was greeted with great acclaim. Robert Pitofsky, chairman of the Federal Trade Commission, called the industry plan "innovative and far-reaching," and said it "would go a long way" toward addressing privacy concerns. Representative Billy Tauzin (R-LA), chair of the House Telecommunications, Trade and Consumer Protection Subcommittee, was "pleased that industry has stepped up to the plate with serious self-regulation that protects individual privacy." And Timothy Davies, chief operating officer of Lexis-Nexis, one of the companies that developed the plan, called it a "great milestone." It was Lexis-Nexis that set off the controversy about privacy in cyberspace in 1996, when the company introduced a service called P-Trak which allowed its subscribers to look up Social Security numbers and dates of birth on individual consumers. Since then, more than 80 bills have been introduced in Congress which would restrict the ever-growing data collection industry. December's announcement of a "self-regulatory" plan by the industry was intended, in part, to head off the threat of such legislation. Judging by the comments from the FTC and Congress, that objective appears to have been achieved. But will the industry plan really protect privacy? Our little exercise with Infotel -- a data-gathering firm that is not part of the industry agreement -- indicates that the industry "self-regulation" plan is full of loopholes and offers little real protection against the invasion of privacy. Here's why:* Because it's a "self-regulatory" plan, not a law, it doesn't apply to everyone The plan announced in December includes 14 major industry players, who together provide 90 percent of the market for the purchase of personal information about individual consumers. It includes well-known data and credit-reporting firms such as Lexis-Nexis, Equifax, and TransUnion, as well as lesser known companies like Acxiom Corp. and Experian. But it doesn't include Infotel, the firm the News Reporter used to track down personal data about NSC chief Sandy Berger. So any snoop who's unhappy with the "voluntary" restrictions on information access imposed through industry "self-regulation" can simply find a company that has not volunteered to obey the restrictions.* Consumers have to "opt out" to protect privacy Under the terms of the industry's "self-regulatory" plan, if you want to keep a member of the "general public" from looking up information about you, you have to write each one of the 14 companies involved and ask them to block access to your data. Such a plan is wildly impractical, according to privacy advocates, since most people don't even know who the 14 firms are, much less how to track them down to file privacy requests. "You could spend the rest of your life opting out of data bases," says Mark Rotenberg of the Electronic Privacy Information Center, "and you still won't be able to protect your privacy."* You can't opt out of some data searches. Even if you find all 14 data firms and tell them to keep quiet about you, they will only block access to data requests from the "general public." "Qualified subscribers" could still get access to your social security number and other private information, so long as the firm selling the data determined it was for an "appropriate use." "Qualified subscribers," according to the industry plan, "might include law enforcement agencies and private investigators." So if cybersnoops find themselves cut off from the data they want, they can simply hire a private investigator to get the information for them. The rules, says Carole A. Lane, author of "Naked in Cyberspace," "don't protect the consumer, because nothing prevents you from hiring a business to do your search. If you really want someone's Social, you just have to jump through a few more hoops and pay more." The bottom line: There ought to be a law, says Mark Rotenberg. There are too many inherent conflicts, he says, in allowing the information industry to "self-regulate" access to the very data that it sells to earn a profit. "The best privacy policies," he says, "are the ones that are backed up by law."