Previous month:
February 2008
Next month:
April 2008

25 posts from March 2008

House Stealing: The Newest Identity Theft Scam

On March 25, the Federal Bureau of Investigation (FBI) issued a warning to consumers about a new form of fraud. The new threat:

House Stealing = Identity theft + Mortgage Fraud

According to the FBI, here's how the scam works:

"The con artists start by picking out a house to steal—say, YOURS. Next, they assume your identity—getting a hold of your name and personal information (easy enough to do off the Internet) and using that to create fake IDs, social security cards, etc. Then, they go to an office supply store and purchase forms that transfer property. After forging your signature and using the fake IDs, they file these deeds with the proper authorities, and lo and behold, your house is now THEIRS."

With the deed, criminals can sell the house right from under you and pocket the cash. According to the Boston Herald newspaper:

"It’s happened in Dorchester. Police last year arrested three people at the Suffolk County Registry of Deeds after they tried to sell the home of a former nun and Catholic school teacher out from under her. Andre J. Lamerique, 25, of Sharon, Carmella F. Lassegue, 26, of Hyde Park, and Judy A. Bonas, 51, of New York, were charged with conspiracy, identity fraud and aiding and abetting after they allegedly stole the identity of Judy Melody, 65, of Dorchester. A federal postal inspector accuses the trio of using Melody’s identity to purchase homes in Brockton and Halifax. They were caught on Jan. 23, 2007, when they allegedly attempted to use the same scheme to sell Melody’s home. Lamerique is in custody awaiting trial, federal court papers show. Lassegue and Bonas are free on bail."

I find it odd when researchers claim that identity theft instances are decreasing. New trends like House Stealing are direct evidence otherwise. Identity criminals constantly change their tactics, which provides a challenge for researchers and government agencies to track the appropriate statistics to accurately measure identity theft instances. According to the Boston Herald:

"While the FBI does not maintain statistics for specific types of mortgage fraud, they know the crime of home theft is on the rise. In Fiscal 2007, financial institutions alerted law enforcement to 46,717 examples of mortgage fraud suspicious activity reports... Just a part of the way through Fiscal 2008, that figure has nearly reached the 30,000 mark."

Experts predict that mortgage fraud could increase to 60,000 in 2008. The FBI recommends the following to protect yourself from this new scam:

  • If you receive a payment book or information from a mortgage company that’s not yours, whether your name is on the envelope or not, don’t just throw it away. Open it, figure out what it says, and follow up with the company that sent it.
  • From time to time, it’s also a good idea to check all information pertaining to your house through your county’s deeds office. If you see any paperwork you don’t recognize or any signature that is not yours, look into it.

According to the FBI, this new scam is rare. Of course, contact your local police, the FBI, and file a complaint with the FTC if you have been victimized.


Thoughts on Privacy, The Constitution, 'Heavy-Handed' Government, And the Presidential Candidates

Like many people, I've done some research and soul-searching about whom to vote for in the 2008 presidential campaign. My preferred candidate, John Edwards, dropped out of the presidential race before the primary in my state. During the Massachusetts primary, I voted for Edwards anyway with the hope of giving him some clout to influence the party platform at the Democratic convention this summer.

Last year, i read Naomi Wolf's book ("The End of America: Letter of Warning To A Young Patriot"), which I believe should be required reading for all Americans; especially youth. Then, I read Wolf's recent article, "Why Barack Obama Got My Vote" which also resonated with me.

After doing some research, I can tell you that both NSPD-51 and HR 1955 scare the living daylights out of me. If you read about these two items, I think that they will scare you, too. These are not partisan issues, since politicians and citizens and both sides of the aisle find this legislation extremely troubling. I've written to my Congressional House representative, Stephen Lynch (D-MA), a couple times and so far he refuses to reply about why he voted for HR 1955.

I fully understand why the Bush administration would craft something like NSPD-51, and would this administration would love for the House and Senate to approve something like HR 1955. (The Senate version of HR 1955 -- S 1959 - is under discussion.) It's no surprise given the Vice President's interest in Executive Privilege. (If you want to learn more about HR 1955 -- or S 1959 --, Ronnie Bennett has written an excellent description in her Time Goes By blog.)

Regardless, I worry that our Congress is not functioning as a co-equal third branch of our federal government, while the Executive branch has co-opted the Judicial branch, which has lost its independence. To me, all of this combined spells bad times for a government that is supposed to be of-, by-, and for people -- not of-, by-, and for- the rich or corporations.

If you haven't read the United States Bill of Rights, and the Declaration of Independence, please take a moment to read them. They are wonderful documents.

What does all of this have to do with identity theft? Plenty. As government agencies collect more and more personal data bout citizens, that data must be stored someplace. And, government often contracts out many functions to private companies. Which means our personal data ends up in lots of places. We citizens have a right to expect our government to be responsible and to explains what it's doing (and not hide behind "we can't discuss that due to national security"). Many call this "transparency." For me, part of transparency is an explanation of where our personal data is collected, used, shared, and archived; plus adequate data security protections, and timely notice after a data breach.

A government that isn't open, honest, and transparent with the explanations it provides, basically treats its citizens like children... or slaves. I do not want to be treated like a child, or a slave.

To me, Barack Obama seems most trustworthy with balancing the needs of government, consumers, and corporations. Barack Obama seems to provide a healthy balance of trust and competence without going overboard with a hawkish, pro-war tendencies while returning our government to a government of-, by- and for the people. I feel that if we don't bring some order, sense, and accountability to our government now, we may lose the chance forever.


The State Of Missouri Launches New Anit-Fraud Web Site For Consumers

According to the Springfield News-Leader:

"Missourians concerned about fraud have another resource to protect themselves, according to the Missouri Secretary of State’s office. It is a new Web-based Missouri Investor Protection Center, www.MissouriSafeSavings.com created to help educate investors about potential scams... The Web site provides information on wise investing, recognizing and avoiding fraud and exercising investor rights."

The Missouri Secretary of State Office (SOS) built the web site to address the need for increased protection of Missouri seniors and their investments. The site also features:

  • Senior Investor Protection Unit: a staff of attorneys, investigators, auditors and education specialists who investigate "new cases with senior-specific issues, provides investor education and holds outreach and education events"
  • An online game to raise awareness about fraud scams and threats/li>
  • Additional print publication and online resources

Congratulations to the Missouri SOS for providing this site to their residents. A good next step for the Missouri SOS would be to display online companies' data breach notification letters like New Hampshire does, so Missouri residents have a reliable source to see which companies aren't protecting their sensitive data.


NSA's Domestic Spying Grows As The Agency Sweeps Up Data

For consumers to effectively protect their personal data, means knowing where your personal data is. Both companies and government agencies archive consumers' personal data. For consumers to judge the effectiveness of their government, requires knowledge of their government's data collection activities. The Wall Street Journal reported:

"Five years ago, Congress killed an experimental Pentagon anti-terrorism program meant to vacuum up electronic data about people in the U.S. to search for suspicious patterns... But the data-sifting effort didn't disappear. The National Security Agency, once confined to foreign surveillance, has been building essentially the same system. The central role the NSA has come to occupy in domestic intelligence gathering has never been publicly disclosed. But an inquiry reveals that its efforts have evolved to reach more broadly into data about people's communications, travel and finances in the U.S. than the domestic surveillance programs brought to light since the 2001 terrorist attacks."

Name the Department of Homeland Security Privacy Pig An important point:

"Largely missing from the public discussion is the role of the highly secretive NSA in analyzing that data, collected through little-known arrangements that can blur the lines between domestic and foreign intelligence gathering. Supporters say the NSA is serving as a key bulwark against foreign terrorists and that it would be reckless to constrain the agency's mission. The NSA says it is scrupulously following all applicable laws and that it keeps Congress fully informed of its activities... the spy agency now monitors huge volumes of records of domestic emails and Internet searches..."

A cautionary note:

"A number of NSA employees have expressed concerns that the agency may be overstepping its authority by veering into domestic surveillance. And the constitutional question of whether the government can examine such a large array of information without violating an individual's reasonable expectation of privacy "has never really been resolved," said Suzanne Spaulding, a national-security lawyer who has worked for both parties on Capitol Hill. NSA officials say the agency's own investigations remain focused only on foreign threats, but it's increasingly difficult to distinguish between domestic and international communications..."

All of this rests on a legal foundation that:

"... relies largely on the government's interpretation of a 1979 Supreme Court ruling allowing records of phone calls -- but not actual conversations -- to be collected without a judge issuing a warrant. Multiple laws require a court order for so-called "transactional'" records of electronic communications, but the 2001 Patriot Act lowered the standard for such an order in some cases, and in others made records accessible using FBI administrative subpoenas called "national security letters." (Read the ruling.)

To learn more, you can read this analysis at DailyKos, which includes the ACLU's response to the Wall Street Journal article. As if all of this wasn't enough, last week we learned that at least three U.S. Senators' passport records were breached. If a U.S. Senator can't expect data privacy, what can citizens expect?

The question to ask yourself is: are you comfortable with your government's disclosures about its data collection activities? If you are uncomfortable, then ask the same of your elected officials. Oversight and transparency are critical.


Hannaford Data Breach

The Hannaford Brothers grocery chain has received a lot of attention during the last week. On March 18, the Boston Globe reported:

"Hannaford Bros. supermarket chain yesterday said a breach of its computer system potentially exposed 4.2 million credit and debit card numbers and has led to about 1,800 fraud cases to date. The data breach affected customer cards used at more than 270 stores in states including Maine, Massachusetts, New Hampshire, New York, and Vermont, Hannaford said, and lasted from December until early March. The Secret Service is investigating, said spokesmen for Hannaford and the federal agency."

There's no getting around the fact that 4.2 million debit card and credit card numbers are a lot. Not as much as the TJX/TJ Maxx breach and data security debacle, but a lot nonetheless. Hannaford's response:

"A Hannaford spokeswoman, Carol Eleazer, said the company is still investigating the specifics of how data was taken..." In a statement posted to Hannaford's website, chief executive Ronald C. Hodge wrote that the data "was illegally accessed from our computer systems during transmission of card authorization."

During the transmission? An MSNBC report on March 20 seemed to best explain this:

"While thieves have commonly pilfered payment card data sitting in databases maintained by merchants or card processors, the Hannaford episode appears to represent a new line of attack: the first large-scale piracy of card data while the information was in transit. "Catching data on the move is a bit more challenging," said Aaron Bills, chief operating officer at 3Delta Systems Inc., a transaction processing firm in Chantilly, Va. He compared it to robbing a truckload of merchandise: It's easier when the vehicle is parked than when it's zooming down a highway."

Okay, I get it: identity criminals are computer-savvy and smart enough to find holes in computer systems to hack into. The criminals are also fast: within a month they generated at least 1,800 reports of identity and credit card fraud. The MSNBC article also highlighted two important points about the Hannaford data breach. First:

"But the specifics of the crime, revealed this week, included some troubling twists that might expose big holes in the payment industry's security standards. For one thing, Hannaford said this sensitive data were exposed when shoppers swiped their cards at checkout line machines and the information was transmitted to banks for approval."

Second:

"... that Hannaford was found — while the hack was still going on last month — to be in compliance with the security standards required by the Payment Card Industry, a coalition founded by credit card companies. The PCI group sets rules governing such issues as how employees should be screened and precautions against hackers, but it does not audit companies like Hannaford to ensure compliance. That is performed by outside assessors. The identity of Hannaford's auditor was not disclosed.

This is important because:

"The fact that Hannaford could be considered up to snuff and yet still be vulnerable to a big heist raised questions about whether other merchants — and by extension, their customers — are falsely confident about their security."

The MSNBC article added:

"... the [PCI] standards require companies to encrypt data that travels over computer networks "that are easy and common for a hacker to intercept." Whether certain internal networks are "easy and common" to crack is a matter of judgment... Hannaford would not discuss specifics of its security system, so it was unclear to what extent its stores encrypted payment data throughout the transmission process."

That's just peachy. First, the rules aren't strong enough to guarantee compliance. Second, the rules are loose enough to allow retailers to cut corners and not encrypt our sensitive personal data throughout the retailers' entire data transmission process. Why?

"But in practice, encryption often goes unused at certain points in a data-processing chain because the computing power it requires can slow down transactions, especially on older hardware."

One industry expert emphasized as a solution:

"... the biggest lesson is that the banking industry needs to make it harder for thieves to put stolen credit card data to use. Requiring PINs on credit card transactions would remove 75 to 90 percent of the fraud in the system."

InformationWeek reported:

"A retailer's [PCI] compliance status matters: The penalties for noncompliance are significant, and the card brands can fine the retailer while also raising the transaction fees levied for each credit or debit card transaction. A finding of noncompliance also will be potent ammunition for inevitable lawsuits. The big loser: consumers."

Yes, we consumers are the big loser. We consumers end up paying:

  • Higher credit card fees and/or higher interest rates from credit card issuers to cover their expenses to issue replacement cards and accounts. While identity theft victims enjoy the $50 credit card liability limit, credit card issuers cover their identity theft expenses by charging higher fees and rates to all credit card holders
  • Higher banking fees, because banks must issue replacement debit cards and accounts. A few generous banks may also replace the stolen monies. Banks charge higher fees, and fees on a wider range of transactions, to cover their identity theft expenses, too.

In my opinion, the consequences and fines to retailers still aren't severe enough. In both scenarios above, the companies pass along their increased costs to consumers. While replacement credit cards with $50 maximum liability is great, one year of free credit monitoring for identity theft victims isn't enough.

The good news just kept coming. More stores were affected by the Hannaford breach. Also on March 20, the Albany Times Union reported:

"Independent stores in Ravena and Schaghticoke affiliated with Hannaford were also affected by the recent hacking of customer credit card numbers, the Scarborough, Maine-based supermarket chain said today. The company’s Web site lists more than 20 independents around the Northeast that had credit card information stolen as a result of the security breach. Hannaford supplies the Ravena and Schaghticoke stores, which operate under the Shop ‘n Save name, but does not own them. In September, Hannaford purchased formerly independent stores in West Sand Lake and Voorheesville."

Several class-action lawsuits have already been filed against Hannaford in New Hampshire, Maine and Pennsylvania. What's a consumer to do?

  1. Contact your bank and credit card issuer, if you shopped and paid with plastic at Hannaford between Dec. 7, 2007 and March 10, 2008.
  2. If you continue to shop at Hannaford, use your credit card and not a debit card to get the best protections. Or use cash.
  3. If you are a Hannaford identity theft victim, read closely any correspondence you receive from the company. File a police report for any monies stolen or abuse of your financial accounts. Place a Fraud Alert on your credit reports. Monitor your credit reports closely for abuse, since criminals may use your stolen personal data to try to take out new credit in your name. If Hannaford offers free credit monitoring, accept their offer if you don't already have a credit monitoring service. Watch the news to see if you qualify for any of the class-action lawsuits.
  4. Read the I've Been Mugged blog. During the coming weeks, I will post on this blog reviews of several credit monitoring services. There is a link in the top of the right column to sign up for alerts via e-mail.

A New Service Idea From Comcast

About a week ago, the I've been Mugged blog explored the consumer data security issues with behavioral advertising: companies want to serve online ads by tracking all of the web sites you have visited and the keywords you entered at search engine web sites. The NewTeeVee blog reported this new service idea from Comcast:

"At the Digital Living Room conference today, Gerard Kunkel, Comcast’s senior VP of user experience, told me the cable company is experimenting with different camera technologies built into devices so it can know who’s in your living room. The idea being that if you turn on your cable box, it recognizes you and pulls up shows already in your profile or makes recommendations. If parents are watching TV with their children, for example, parental controls could appear to block certain content from appearing on the screen. Kunkel also said this type of monitoring is the “holy grail” because it could help serve up specifically tailored ads. Yikes."

Comcast claims that the cable box camera won't actually use facial recognition and take a picture of you. Instead it would just take a picture of the "form" of viewers: one, several, and their relative sizes.

Yeah, right.

Yikes, indeed! This is a really bad idea... a stupid one, too. I see "mission creep" as any cable box camera might start with the viewers' "form" and migrate to actual photos using facial recognition. This invasion of privacy is not worth any amount of convenient, free, or relevant ads promised by any network/cable television provider.

My impression... Comcast executives have concluded that since the NSA, FBI, and phone companies already spy on citizens by tracking the web sites consumers visit, e-mails and text messages sent, and phone calls made, then Comcast can make more money by tracking viewers sitting in the privacy of their living room and charge advertisers more for this new service.

And this new idea from Comcast was preceded by a comment from an IBM executive that a total surveillance society is inevitable. Seems to me like many corporations are ready to make money by exploiting our country's focus on security after 9-11.

What do you think? Share your comments below. I hope that you will also write to your elected officials today and tell them your privacy concerns.


Help Name The DHS Privacy Pig

The Wired Privacy, Security, Politics, and Crime Online blog seeks name suggestions for the Department of Homeland Security's new "Privacy Pig:"

"Homeland Security's Privacy Chief Hugo Teufel III likes THREAT LEVEL more than we could ever have imagined. On Wednesday, at a press conference at the 2008 National Fusion Center Conference Wednesday, Teufel gave us a pig. A pink, squishy pig with wings and sunglasses. We assume the Privacy Office created the flying pig as a way to publicize or remind people about  its Privacy Incident Handling Guidance booklet. PIHG, get it?"

Several people have already posted names. The new DHS Privacy Pig:

Name the Department of Homeland Security Privacy Pig

Name the Department of Homeland Security Privacy Pig


Is A Total Surveillance Society Inevitable?

Recently, ZD Net Australia reported about the Legal Futures Conference at Stanford University in California. Several technologists and legal experts attended the conference. Many legal experts have again raised concerns that Web 2.0 has come at the expense of individual privacy. The article quoted an IBM technologist at the conference who said:

" 'A total surveillance is not only inevitable and irreversible, but also irresistible,' Jeff Jonas, distinguished engineer and chief scientist at IBM Entity Analytics, said during a panel on surveillance at the conference on Saturday. For example, imagine how convenient it would be to have RFID chips embedded in sunglasses so you could find them easily, Jonas said."

Is he serious? Inevitable? Irresistible? Just so I can find my sunglasses? Consider this:

"Jennifer Granick, civil liberties director at the Electronic Frontier Foundation, acknowledged that she finds the location-based technology in her iPhone very convenient when she's trying to avoid traffic congestion but she doesn't want the government to be able to use that technology to track her down. The fact that all sorts of data about each of us is being gathered and is archived, searchable, and can be compiled to create profiles about each of us is what makes digital privacy intrusions so much scarier than pre-Internet life, she said."

Jeffrey Rosen, a law professor at George Washington University and legal affairs editor of The New Republic, warned of:

"... "privacy chernobyls," which he described as "new threats to privacy that have the potential to transform society in troubling ways". Examples include Facebook revealing more about its members than they care to have revealed and tracking their purchases without consent, as well as AOL inadvertently exposing search terms of 650,000 people in 2006."

Are attitudes in the USA unique?

"The perspective is different in other countries, Rosen said. Americans are, in general, concerned with preventing terrorism, while Europeans are concerned with protecting their individual privacy, he said. For example, the French will bare their breasts but not their salaries and mortgages, and the reverse is true in the US. "My fear is that the cultural differences will make thoughtful regulation difficult," Rosen said."

Probably the most important conclusion:

"Government regulation is necessary to ensure that consumers' privacy is adequately protected online, Granick and Rosen said. Orin Kerr, a professor at George Washington University Law School, said the Fourth Amendment can be applied to the online world in a way that balances individual rights with law enforcement  needs."

I find a total surveillance society easily resistible. Nor is it inevitable. We have a choice. What do you think?


Anti-Real ID Rebellion Spreads To California

On March 10, 2008, Wired magazine reported:

"Assemblyman Pedro Nava (D-35) introduced a non-binding resolution to that effect Monday afternoon in response to concerns about privacy, security and the high price of the federal mandate -- which the government's most recent estimate pegs at $4 billion nationally...Howard Posner, a policy consultant to the Transportation Committee, said that last year the committee contemplated moving legislation to accept Real ID, but reconsidered after 'looking at the cost, and the incredible inconvenience for driver's license holder and the privacy issues.' "

The Real ID Act and the proposed rules by DHS have important implications about how the federal government and states will manage, store, and update citizen's identification data -- and consumer privacy. How such an expensive, unfunded piece of federal legislation happened:

"Congressman James Sensenbrenner (R-WI) added the Real ID mandate to a must-pass defense spending bill in 2005, leaving the details to be determined by the Department of Homeland Security. After much delay, the final regulations were issued in February of 2008."

If the California legislature passes this resolution, then California would join a group of 17 states that have expressed opposition to the unfunded mandate:

"Three states have outright rejected Real ID, setting up a showdown on May 11, when the federal government says it will not allow residents of Montana, Maine, South Carolina and New Hampshire to use their state I.D. cards for federal purposes."

Consumers should notify their elected officials of any concerns you have with the Real ID Act. Learn more about the Real ID Act at this web site.


A Free And Easy Way To Test The Security Of Your Wireless Home Network

At the ZD Net SOHO Networking blog (Small Office Home Office), Rik Fairlie provided a really good tip for consumers to check the security on their home wireless (WiFi) network. Security is important because we all (or at least many of us) do online banking, access our financial accounts online, and want to protect our personal data from abuse by both spammers and identity theives.

Rik tested his home wireless network with the Network Magic management tool by Pure Networks. Network Magic has a free diagnostic scan that provides a report on the security status of your home wireless network:

The Pure Networks Security Scan tool, which works only with Internet Explorer 6 or later, is clearly bait for Network Magic... Run the scan, and the resulting scorecard provides a summary status of network devices, the router and network, wireless security, and the computer on which you ran the scan. It advises you of the number of issues tested for each category, alerts you to any worrisome issues found... Some of the items it tests under Router and Network include whether you are running a hardware firewall, if your password is strong (and, of course, changed from the factory default), and whether your router firmware is up to date... This Computer tab tells you whether your PC contains malware that redirects Web sites, as well as whether file and printer sharing are correctly activated, what kind of software firewall (if any) you’re running, and if your antivirus software is up to date.

Sounds like a valuable tool for consumers to improve the security of their home wireless networks, and protect sensitive data.


'Amazing Amount Of Sensitive Data' Stolen During Pentagon Data Breach

In case you have been distracted by what passes as news: Britney Spears, Lindsay Lohan, the Mills-McCartney divorce, which celebs' have a baby bump, American Idol, college basketball, and/or the Spitzer sex scandal -- you should know that the Pentagon, perhaps the most important U.S. military facility, suffered a data breach. On March 6, London-based The Register reported:

"A network intrusion at the Pentagon nine months ago resulted in the theft of an "amazing amount of data" that continues to pose a threat to national security, the CIO of the Defense Department said earlier this week... Over the course of two months leading up to the attack, malicious code infiltrated several systems belonging to the Pentagon's network and culminated in an exploit of a known Microsoft Windows vulnerability, Clem said. That allowed attackers to send spoofed emails that appeared to come from Pentagon personnel in Clem's division."

In the war on terror, the Pentagon is one facility you know our enemies will attack... repeatedly. And it's one facility you definitely don't want to have a data breach. So you plan on that. Dennis Clem, the CIO of the Office of the Secretary of Defense (OSD), said:

"This was a very bad day... "We don't know when they'll use the information they stole, [which was] an amazing amount."

The Government Executive publication reported:

"A June 2007 network intrusion at the Pentagon resulted in the theft of an "amazing amount" of data, and the incident remains a national security concern, a top Defense Department technology official said this week. The Office of the Secretary of Defense detected malicious code in various portions of its network infrastructure while consolidating information technology resources in the middle of last year. Over the course of two months, the code infiltrated multiple systems, culminating in an intrusion that created havoc by exploiting a vulnerability in Microsoft Windows... spoofed e-mails containing recognizable names were sent to OSD employees. When they opened the messages, user IDs and passwords that unlocked the entire network were stolen; as a result, sensitive data housed on Defense systems was accessed, copied and sent back to the intruder."

The government's response to the cyber attack:

"The portion of the network infrastructure under assault was shut down soon after the attack was detected. Recovery, which took three weeks and cost $4 million, involved the introduction of a new process of "checking out" temporary IDs and passwords for access to the network, stricter requirements about the use of common access cards for identity verification, and introduction of digital signatures to ensure that information comes from a valid source."

Interestingly, about a week later the Wall Street Journal reported:

"The top U.S. commander in charge of cyberspace said that American military networks are coming under increasing attack from hackers seeking to steal classified information, and that many of the incidents appear linked to China. Gen. Kevin Chilton, who heads the military's Strategic Command here, stopped short of formally accusing Beijing of responsibility for the attacks. But he said there was significant evidence to suggest that China was behind many of the incidents... In a report released earlier this month, the Pentagon said that the Chinese People's Liberation Army was expanding its military power from 'the land, air and sea dimensions of the traditional battlefield into the space and cyber-space domains.' "

Meanwhile, this ad has appeared on network television:


Data Breach At Harvard University

Several news sources have reported a data breach at Harvard University. From ABC News:

"... at least one hacker launched an attack on a computer server at Harvard University, potentially viewing the personal information of up to 10,000 graduate students and applicants to the Graduate School of Arts and Sciences and posting some of the information on the Web. Harvard officials began notifying thousands of students and applicants this week... According to Harvard chief information officer Dan Moriarty, an attack was launched Feb. 16 on a server that contained summary information from applications for prospective students as well as the housing information of current students. About 6,600 of those applications included Social Security numbers. Some of the information on the server was copied and ultimately posted on The Pirate Bay, a well-known bit torrent Web site where people can download movies and music.

The Chronicle Of Higher Education reported:

"Harvard has sent notices to all affected people and is offering, at the university’s expense, to help them obtain credit reports, set up credit-monitoring services and fraud alerts, and take other steps to guard against identity thieves."

If that's all Harvard is offering, then Harvard's identity theft victims are getting much. First, free credit reports are already available online for consumers. Second, the credit bureaus already provide free Fraud Alerts for consumers. There is some value in free credit monitoring services, provided the services include flexible and timely alerts, access to credit reports throughout the year, two or more years of free services, and credit restoration services.

Since news stories don't provide much detail about the credit monitoring services offered, I checked the Harvard news release:

"In situations where applicants’ Social Security numbers or Harvard University ID numbers may have been accessed, the notifications provide contact information for free use of the services provided by Kroll Inc. At Harvard’s expense, Kroll is helping potentially affected persons obtain copies of their credit reports, set up credit-monitoring services and fraud alerts, and take other steps to protect themselves."

That is good news. Harvard is offering its identity theft victims credit restoration services from Kroll. the restoration service helps identity theft victims clean up accounts that have been taken over or new accounts established by criminals. The monitoring services helps identity theft victims check their credit repors frequently to discover abuse as soon as possible. I hope that all of harvard's identity theft victims take advantage of both services.

While 10,000 records is a sizable data breach, other colleges and universities have had far larger data breaches:

  • George Mason University: January 2005: 32,000 records
  • University of California at Berkeley: March 2005: 98,400
  • Boston College: March 2005: 120,000
  • Tufts University: April 2005: 106,000
  • University of Hawaii: June 2005: 150,000
  • University of Connecticut: June 2005: 72,000
  • University of Utah: August 2005: 100,000
  • University of Colorado: August 2005: 49,000
  • Kent State University: September 2005: 100,000
  • Metropolitan State College (Denver): March 2006: 93,000
  • Georgetown University: March 2006: 41,000
  • University of Texas McCombs School of Business: April 2006: 197,000
  • Ohio State University: April 2006: 300,000
  • Western Illinois University: June 2006: 180,000
  • University of Tennessee: July 2006: 36,000
  • University of California at Los Angeles: December 2006: 800,000
  • University of Idaho: January 2007: 70,000
  • East Carolina University: February 2007: 65,000
  • Community College of Southern Nevada: May 2007: 197,000
  • University of Colorado at Boulder: May 2007: 45,000
  • Georgetown University: January 2008: 38,000

There are many more smaller data breaches at colleges and universities. Some schools don't announce the number of total records exposed. In my opinion, academia as a whole still does a poor job with data security. It'll be interesting to see if the number of records exposed in Harvard's data breach remains at 10,000 or goes up.

[Editor's note: in the interest of full disclosure, from 1992 to 1997 I worked in Baker Library at the Harvard Business School as a business analyst researching business and economics topics.]


Woman Claims Salem Clinic Mishandled Patient Records

Portland, Oregon-based KATU reported the following about the Salem Clinic:

"The records of some patients were apparently included in an employee handbook, according to an ex-employee. A former worker, who wishes to remain anonymous, told KATU News that everything from actual Social Security numbers to records revealing patient's ailments were part of the clinic's training binder. She also said employees were allowed to take the handbooks home. The woman said she was fired after pointing out the problem on Wednesday."

If true, this is a big data breach. It just shouldn't happen in a well-managed company. It is wrong in several ways.

First, the whistle blower should not lose their job after a company's data breach. Second, it's better to insert fake or dummy patient records in an employee training handbook that the company knows will be taken into homes.

I hope that the Salem Clinic gives all of the data breach victims at least 5 years of free credit monitoring services. I'm sure an enterprising lawyer will represent the former employee.


Behavioral Advertising: What Consumers Must Do (Part Four)

Monday's post discussed the benefits of behavioral advertising, and the proposed rules by the FTC. Tuesday's post listed the leading companies that collect consumer data for behavioral advertising. Wednesday's post discussed the growing role of ISPs in behavioral advertising and the new technologies being deployed.

So, what next?

For me, my first concern is data security. 2007 was a record year for corporate data breaches. The number of incidents rose 40% -- where companies either "lost" or had stolen records about their employees, former employees, retirees, contractors, and/or customers. And this includes data only from the data breach incidents we know about. It does not include incidents from companies in states that lack breach notification laws. It does not include incidents of identity fraud during a crime.

From InformationWeek:

"In its December 24 report, the ITRC said that there were publicly reported 443 breaches in the U.S. in 2007. In 2006, the ITRC identified 315 publicized breaches. Some 127 million data records were exposed during 2007. In 2006, nearly 20 million records were exposed. In 2005, there were 158 breaches reported involving about 65 million records."

And some of these data breaches have already included ISPs, like AOL; and major advertisers, like TJ Maxx, AIG Insurance, and IBM.

Given this lousy track record of data security, I fully expect companies to continue to "lose" -- and criminals to continue to steal -- confidential data via data breaches. Why? Nothing has changed to alter past history. There is a lack of government oversight. There are no substantial penalties. And many companies just don't provide good data security.

This means that many of the future data breaches will include consumers' sensitive data collected during behavioral advertising programs. Given this, it seems sensible for the FTC to craft behavioral advertising rules that acknowledge poor corporate data security:

  • For behavioral advertising/targeting programs, companies (including advertisers and ISPs) should include the default as all consumers opted out. Consumers should be given the option to opt-in to a companies behavioral advertising program
  • The behavioral advertising rules for companies, advertisers, and ISPs must specify an exhaustive list of consumer data that's collectible and sensitive personal data excluded
  • Web sites designed for primarily for children (e.g., age 17 and under) should be excluded from any and all behavioral advertising. Children don't have the means to handle opt-in/out for behavioral advertising programs. Ideally, parental controls software should provide parents with the tools to prevent opt-in by their children at all children's web sites
  • There must be clear, minimum standards for companies for data security of the personal data collected for behavioral advertising programs
  • There must be specific time limits for how long companies can archive personal data collected for behavioral targeting. "Forever" is not an acceptable answer. Consumer data should be purged at three (3) year intervals
  • There must be specific rules for ISPs, since ISPs have a unique position providing Internet access for consumers. ISPs must treat their members' IP Address as sensitive  personal data similar to a Social Security Number or e-mail address. ISPs should never match personal-identifying data (e.g., name, address, phone #, e-mail address, cell #, fax #, SS#, birth date, driver's license #, etc.) to behavioral advertising data
  • The rules must include timely disclosure to consumers when a company, advertiser, and ISP: a) starts a behavioral advertising program; b) modifies an existing behavioral advertising program; c) trades behavioral advertising data with other companies; and d) merges or acquires other companies, within the USA or globally. These rules must apply to the entire company, not just its US-based divisions. It should also apply to business units, divisions, contractors, or outsourcing firms based outside the USA
  • Medical data should be excluded from all behavioral advertising programs for a couple reasons. First, many consumers consider this highly sensitive data not to be shared under any circumstances. Second, let's "walk first before we run." That is, let's see how behavioral advertising performs with other types of available consumer data first, before deciding whether to extend it to medical information
  • All advertisers, companies, and ISPs must disclose to consumer their behavioral advertising program in both their web site legal "Privacy" or "Terms and Conditions" pages, and via print materials (similar to the way companies today provide consumers with a revised Privacy Policy every time this document changes).
  • The FTC must publish a clear, detailed plan about how it will implement oversight to monitor compliance and penalize violators
  • The behavioral advertising rules must include clear, strong penalties for companies, ISPs, advertisers, and their senior executives for violators. I'd like to see fines starting at $10,000 per consumer record and jail time for fines exceeding $250k
  • Violators (e.g., companies, ISPs, and advertisers) must provide consumers with ten (10) years of free credit monitoring and credit restoration after a data breach

Why these rule amendments? If you have read the I've Been Mugged blog, then you know about the issues related to data breaches, data security, and corporate responsibility. Unfortunately, the American business is heavily tilted towards companies making money with consumers' personal data, and tilted away from strong protections for consumers when companies suffer a data breach. I'm concerned that behavioral advertising will make this worse.

All of the above rule amendments address the corporate data breach problems I've experienced. The rule amendments allow companies to profit from behavioral advertising and hold these companies accountable when they don't provide the data security programs they should.

For me personally, the assumed benefits of behavioral advertising (e.g., free content, relevant ads, personalized ads, and a promised reduction in the number of ads) do not outweigh the privacy I would give up. Maybe the benefits are enough for you, but they aren't enough for me. Where I surf on the Internet is my business unless I decide explicitly to tell somebody else.

If you feel the same or different, share your comments below. I'd love to hear why you feel the way you do. If you have sent feedback to the FTC, share that too.

As I mentioned before, the FTC seeks comments from the public (that's us consumers!) about its proposed behavioral advertising rules. The FTC has extended the deadline for submissions to April 11, 2008. Comments can include any concerns you have, changes you fell are necessary to the FTC's proposed rules, the types of consumers' personal data you believe should be considered sensitive, and anything else you feel is relevant. See Monday's post for the specific types of feedback the FTC seeks.

You should send comments and feedback to the FTC at:
Secretary
Federal Trade Commission
Room H-135 (Annex N)
600 Pennsylvania Avenue, NW
Washington, DC 20580

Or, you can also submit comments and feedback to the FTC online via BehavioralMarketingPrinciples@ftc.gov. Some public comments are already available for viewing online at the FTC web site.


Behavioral Advertising: The Role Of Internet Service Providers (Part Three)

Monday's post discussed the benefits of behavioral advertising, and the proposed rules by the FTC. Tuesday's post listed the leading companies that collect consumer data for behavioral advertising.

In December 2007, the Wall Street Journal profiled CenturyTel Inc., a Louisiana phone company, and its attempt to enter the Internet Service Provider (ISP) business. Along the way, CenturyTel decided to also enter the online advertising business:

"The technology it's using could change the way the $16.9 billion Internet ad market works, bringing in a host of new players -- and giving consumers fresh concerns about their privacy. CenturyTel's system allows it to observe and analyze the online activities of its Internet customers, keeping tabs on every Web site they visit. The equipment is made by a Silicon Valley start-up called NebuAd Inc. and installed right into the phone company's network."

Pretty soon, advertisers will no longer need to install software or use the HTTPs cookies file on consumers' computers to perform behavioral advertising (a/k/a behavioral targeting). Instead, they can get all the consumer data they'd ever want from ISPs -- who are happy to install the behavioral targeting software and equipment on their servers for a piece of the new revenue stream. How it will work:

"NebuAd takes the information it collects and offers advertisers the chance to place online ads targeted to individual consumers. NebuAd and CenturyTel get paid whenever a consumer clicks on an ad."

The description of the new server software and equipment:

"The newer form of behavioral targeting involves placing gear called "deep-packet inspection boxes" inside an Internet provider's network of pipes and wires. Instead of observing only a select number of Web sites, these boxes can track all of the sites a consumer visits, and deliver far more detailed information to potential advertisers."

Companies already see the new revenue opportunity:

"... new companies are rushing in. Both wireless and wireline Internet-access providers such as CenturyTel, Rochester Telecom Systems Inc. and Embarq Communications Inc., among others, have entered the advertising gold rush. And they've tapped Internet equipment companies like NebuAd, Front Porch Inc., and Phorm Inc. to provide the gear to help them along."

Well, this is just peachy. Every ISP knows a lot about its subscribers... personally identifiable information such as name, address, birth date, phone, credit card, e-mail address, IP address, and in some cases Social Security Number. It doesn't take much effort to match this personally-identifiable data to a subscriber's web surfing activity.

This new technology fundamentally changes the relationship between ISPs and their subscribers. As ISPs get more or most of their revenue from advertising, and a decreasing amount from subscribers' fees, it logical to question whether ISPs will continue to operate in the best interests of consumers. In a weird way, ISPs can now make (a lot of) money through surveillance.

This makes it more important now for consumers to express their privacy and data security concerns. It is reasonable for consumers to demand legislation requiring ISPs to provide clear, easy, free, opt-in mechanisms for consumers who wish to participate in that ISP's behavioral advertising program.

Now is also an opportunity for consumers to specify the data they consider sensitive and should be excluded from any ISP behavioral advertising programs. See these prior posts about why consumers' IP addresses should be considered sensitive personal data, and why consumers' personal data should be treated (and protected) like nuclear fuel.


Behavioral Advertising: What It Is And The Proposed FTC Rules (Part One)

This is a subject I probably should have written about sooner. On November 1 and 2, 2007, the FTC hosted a conference entitled “Behavioral Advertising: Tracking, Targeting, and Technology.” The event included consumer advocates, industry representatives, technology experts, and academics to address consumer protection issues.

In December 2007, the U.S. Federal Trade Commission (FTC) released its proposed rules document for companies who wish to engage in behavioral advertising (also called behavioral targeting). I am not discussing in this post whether or not behavioral advertising works. There are several case studies where companies have evaluated how best to perform behavioral advertising. Rather, this post explores some of the consumer privacy and data security issues.

When you visit web sites today, many companies display ads related to the content of the site pages you view. Some companies include software that saves information to the HTTP cookies file on your computer, which is used by your web browser software. We consumers have the choice about how we surf the web. You can set your web browser software to accept or prohibit web sites from accessing the HTTP cookie file. It's been this way for many years.

Behavioral advertising is not new. A few companies and newspapers have used behavioral targeting for years. Of course, there also are advertising networks which focus on behavioral targeting, including NebuAd's offering for ISPs. You can read several blogs about behavioral advertising.

Previously, companies have used behavioral advertising based on the pages you visit within a single web site. What's changing is that companies plan to use behavioral advertising based on both the pages you visit within a single web site (e.g., On-site targeting) and across several web sites (e.g., Network targeting), plus the search keywords you enter at search engine web sites.

So participants at the above conference discussed with the FTC possible rules to keep things manageable. In its proposed rules document, the FTC defined behavioral advertising as:

"... the tracking of a consumer’s activities online – including the searches the consumer has conducted, the web pages visited, and the content viewed – in order to deliver advertising targeted to the individual consumer’s interests."

In my opinion, the Decision Science News blog offers a better definition:

"Behavioral Targeting is the ability to deliver ads to consumers based upon their recent behavior viewing web pages, shopping online for products and services, typing keywords into a search engine or a combination of all three. 'Interest-Based Targeting allows large-brand advertisers… to target more precisely the audience they are trying to reach with the message they are trying to convey'..."

In its proposed rules document, the FTC described the benefits as:

"... behavioral advertising provides benefits to consumers in the form of free web content and personalized ads that many consumers value... The benefits include, for example, access to newspapers and information from around the world, provided free because it is subsidized by online advertising; tailored ads that facilitate comparison shopping for the specific products that consumers want; and, potentially, a reduction in ads that are irrelevant to consumers’ interests and that may therefore be unwelcome."

The FTC proposed several rules to solve several concerns:

ConcernProposed FTC Rule
1. Transparency and consumer control: many criticize existing disclosures as difficult to understand, inaccessible, and overly technical and long. They also stated that, with clearer disclosures, consumers can make more informed decisions about whether or not they want personalized advertising or, alternatively, whether they would prefer not to do business at particular websites. Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option.
2a. Reasonable security, and limited data retention, for consumer data: many expressed concerns that data collected for behavioral advertising may not be adequately secured and could find its way into the hands of criminals or other wrongdoers. Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with the data security laws and the FTC’s data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company.
2b. Reasonable security, and limited data retention, for consumer data: many expressed concerns about the length of time that companies retain consumer data collected for behavioral advertising. The longer that data is stored in company databases, the greater the risks to the data. Companies should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need. FTC staff commends recent efforts by some industry members to reduce the time period for which they are retaining data. However, FTC staff seeks comment on whether companies can and should reduce their retention periods further.
3. Affirmative express consent for material changes to existing privacy promises: the privacy policy – a set of commitments about how information is handled – not only is an important tool for providing information to consumers, but also serves to promote accountability among businesses. A company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.
4. Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising: the use of sensitive data (for example, information about health conditions, sexual orientation, or children’s activities online) to target advertising, particularly when the data can be traced back to a particular individual. They state that consumers may not welcome such advertising even if the information is not personally identifiable; they may view it as invasive or, in a household where multiple users access one computer, it may reveal confidential information about an individual to other members. Companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising. FTC staff seeks specific input on (1) what classes of information should be considered sensitive, and (2) whether using sensitive data for behavioral targeting should not be permitted, rather than subject to consumer choice.
Using tracking data for purposes other than behavioral advertising: consumer tracking data collected and stored for behavioral advertising could be used for other potentially harmful purposes. To the extent that the collection of data for behavioral advertising is invisible to consumers, such secondary uses of the data may be especially so. FTC staff seeks additional information about the potential uses of tracking data beyond behavioral advertising and, in particular: (1) which secondary uses raise concerns, (2) whether companies are in fact using data for these secondary purposes, (3) whether the concerns about secondary uses are limited to the use of personally identifiable data or also extend to non-personally identifiable data, and (4) whether secondary uses, if they occur, merit some form of heightened protection.

The FTC has extended the deadline for submissions to April 11, 2008. Comments can include any concerns you have, changes you feel are necessary to the proposed FTC rules, the types of consumers' personal data you believe should be considered sensitive, and anything else you feel is relevant. Send your comments to the FTC at:
Secretary
Federal Trade Commission
Room H-135 (Annex N)
600 Pennsylvania Avenue, NW
Washington, DC 20580

You can also submit comments to the FTC online via BehavioralMarketingPrinciples@ftc.gov. Some public comments are already available online at the FTC web site.