Yesterday's post discussed research about how retailers extensively track consumers online. Today, I wanted to explore this further.
So, I secured my Microsoft Internet Explorer browser and its Privacy settings to prompt me every time a Web site or page attempted to place or edit a Web cookie on my computer. This prompt would allow me to note the site requesting the cookie, and either accept or reject that cookie request.
I am not a computer expert, and this is not a formal, academic test. And it doesn't cover Web Beacons. This informal test is limited in that it won't indicate the contents of each Web cookie request; only that a cookie request occurred. I am sure that there are plenty of computer experts that can design a sufficiently rigorous test. Regardless, I felt the need to start somewhere.
For test web sites, I chose two of the credit reporting agencies' sites (Equifax.com and Experian.com) since I use these sites, have discussed them previously, and since these sites contain sensitive personal data about consumers.
It didn't take long for the results to show. When trying to access the Equifax.com home page, I noticed that the site placed a multitude of Web cookies on my computer. The list of companies writing to my Web browser cookie file went far beyond just Equifax:
If you are counting, that was about 22 cookies requests before the home page fully loaded. To me, that seemed like a lot of Web cookie requests. And, who are these companies? Some of the names (e.g., HitBox, Doubleclick) I recognize since I work in the Internet industry. I know some of these are tracking services for advertisements.
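As an added example (not part of the original post), the following Python script performs the same informal audit over captured response headers instead of browser prompts: it counts the cookie requests seen during one page load, groups them by the company setting them, and notes which are third-party and how long they persist, which covers the gap the test above leaves about cookie contents. Every hostname and header in it is a constructed placeholder, not an observation from Equifax.com or any real site, and the public-suffix handling is a deliberate simplification.

```python
"""Audit the Set-Cookie responses captured during one page load (added example).

Counts cookie requests, groups them by the company (registrable domain) that set
them, and flags first- vs third-party and session vs persistent cookies. The sample
input is constructed; its domains are placeholders, not observations from any real site.
"""
from collections import defaultdict
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Fixed reference time so persistent-cookie lifetimes in the sample are reproducible.
REFERENCE_TIME = datetime(2009, 6, 1, tzinfo=timezone.utc)

# Simplification (assumption): a real audit should consult the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host):
    """Collapse a hostname to the domain an organisation registers, e.g. a.b.example.com -> example.com."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def parse_set_cookie(header):
    """Split one Set-Cookie header into (cookie name, {lowercase attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name.strip(), attrs


def lifetime_days(attrs):
    """Whole days the cookie persists, or None for a session cookie. Max-Age takes precedence over Expires."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) // 86400
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - REFERENCE_TIME).days
    return None


def audit(page_url, responses):
    """responses: (response_url, set_cookie_header) pairs seen while page_url loads; returns per-company totals."""
    first_party = registrable_domain(urlsplit(page_url).hostname)
    summary = defaultdict(lambda: {"party": "", "cookies": 0, "persistent": 0,
                                   "longest_days": 0, "names": []})
    for url, header in responses:
        name, attrs = parse_set_cookie(header)
        # The Domain attribute, when present, decides which hosts receive the cookie;
        # otherwise the cookie is scoped to the host that sent the response.
        scope = attrs.get("domain", urlsplit(url).hostname).lstrip(".")
        company = registrable_domain(scope)
        entry = summary[company]
        entry["party"] = "first" if company == first_party else "third"
        entry["cookies"] += 1
        entry["names"].append(name)
        days = lifetime_days(attrs)
        if days is not None:
            entry["persistent"] += 1
            entry["longest_days"] = max(entry["longest_days"], days)
    return dict(summary)


# Constructed sample: one page load answered by the site itself and by
# several placeholder advertising/analytics hosts.
PAGE = "https://www.example-bureau.test/"
SAMPLE_RESPONSES = [
    ("https://www.example-bureau.test/", "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("https://www.example-bureau.test/", "prefs=en; Domain=.example-bureau.test; Max-Age=31536000; Path=/"),
    ("https://ad.tracker-one.test/pixel.gif", "uid=7f3a; Domain=.tracker-one.test; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/"),
    ("https://cdn.tracker-one.test/tag.js", "seg=auto; Max-Age=2592000; Path=/"),
    ("https://stats.analytics-two.test/collect", "vid=9; Expires=Thu, 01 Jan 2037 00:00:00 GMT"),
    ("https://stats.analytics-two.test/collect", "sess=1; Path=/"),
]


def report(page_url=PAGE, responses=SAMPLE_RESPONSES):
    """Human-readable summary: how many cookie requests, from how many companies, and how long they last."""
    summary = audit(page_url, responses)
    total = sum(e["cookies"] for e in summary.values())
    third = sum(1 for e in summary.values() if e["party"] == "third")
    lines = [f"{total} cookie requests from {len(summary)} companies ({third} third-party)"]
    for domain, e in sorted(summary.items()):
        lines.append(f"  {domain:24} {e['party']}-party  {e['cookies']} cookies, "
                     f"{e['persistent']} persistent, longest {e['longest_days']} days")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

A browser's developer tools or a HAR export will give you the (URL, Set-Cookie) pairs for a real page load; feed them to audit() in place of the constructed sample.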
I couldn't help but wonder what most consumers, who don't have the benefit of working in the Internet industry, would think of this -- if they took the time and knew how to configure their Web browser. It would probably make any consumer pause and wonder what exactly is going on.
Sure, we all want to be informed consumers, but things seem stacked against us. The online tracking at Web sites starts sooner than many consumers probably would expect.
"We use session and persistent cookie technology for several purposes. For example, cookies: Allow you to order more than once during a visit without your having to re-enter your information each time you place an order for a Personal Solutions product; Allow us to gather aggregated statistical data about the use of our website for research purposes; Help us improve your navigation of our web site(s); Enable us to store your preferences for certain kinds of information and marketing offers; Help us to provide features such as personalized greetings; If you're a Member of Personal Solutions, allow us to store your user name and encrypted customer identification number so that we recognize you when you return to our web site; Help us combat identity theft and fraud with more reliable identity verification and authentication data."
"Cookies set by us or our agents are not interpreted or shared with any other third party. We may combine cookie data with personally identifiable information or business organization identifiable information you provide to us... We may sometimes use outside technology companies to set cookies on our web site and collect cookie information for us. We use the cookie information collected by these companies in the same manner as stated above in this section. Those companies may not use these cookies for their own internal purposes or share the information collected with any party other than Equifax."
Ah, "sometimes use outside technology companies"? More than 22 cookie requests at the home page seems far beyond "sometimes use."
And, who are Equifax's "agents" and "outside technology companies?" Who are these "third parties" that are not agents? Are they the list of companies I encountered or some other companies?
This secrecy leaves consumers to guess about what is going on. If everything Equifax is doing is really that good, then it shouldn't be an issue to list the technology companies, agents, and third parties.
The situation was little better at the Experian.com home page. I experienced fewer Web cookie requests from fewer companies:
If this lack of transparency bothers you (and I sincerely hope that it does), learn more about targeted advertising (a/k/a behavioral targeting). Then, write to your favorite retailers and demand more disclosure in their Web site Terms of Service and Privacy policies. If that doesn't work, write to your elected officials in Congress and demand legislation for more disclosure.
This MediaPost article really caught my attention. It seems that Cathy Dwyer, a professor at Pace University's Seidenberg School of Computer Science and Information Systems, sat students in front of a computer and showed them all of the ways companies track their online usage. After witnessing this tracking, the students' complacency turned to outrage:
"I do this with 18-, 19- and 20-year-olds, and once they find out this is going on they go ballistic. A few of them in one of my classes canceled their Facebook accounts..."
This online tracking includes a multitude of browser cookies and Web beacons which companies rarely or never disclose in their Web site Terms of Conditions and Privacy policies. To better understand this, Dwyer studied the Levis.com site:
This is important because, a) of the secrecy -- consumers are not informed of either the tracking activity or the wide range of companies involved, and b) it happens without the consumer's consent:
This secret targeted advertising without consent is also important because:
"...anonymity does not equal privacy. Privacy is not just a matter of controlling what information about oneself is disclosed to or by a third party. Dwyer and others contend that undisclosed behavioral tracking compromises our autonomy in the market."
In other words, consumers can't make informed choices about the products and services we buy, when our online experience is shaped and affected without our knowledge. Reportedly, Dwyer will present her research findings at the 15th Americas Conference on Information Systems in a paper titled, "Behavioral Targeting: a Case Study of Consumer Tracking on Levis.com."
If this bothers you (and I hope that it does), learn more about targeted advertising (a/k/a behavioral targeting). Then, write to your favorite retailers and demand more disclosure in their Web site Terms of Service and Privacy policies. If that doesn't work, write to your elected officials in Congress and demand legislation for more disclosure.
Previously, I wrote about the class-action lawsuit filed against NebuAd. From the Associated Press:
"In court filings this week, NebuAd said it has been winding down its business since last year. It laid off virtually all its employees in July and August, closing its office in Redwood City, Calif..."
NebuAd's clients had been phone companies and ISPs (Internet service providers) who wanted a larger share of advertising revenues. According to the same Associated Press report:
"Among the cable and phone operators that abandoned interest in NebuAd were Charter Communications Inc., Bresnan Communications LLC, The Washington Post Co.'s Cable One Inc. and Embarq Corp."
If you want to read a copy of NebuAd's dissolution filing, it is available at the Wall Street Journal Venture Capital Dispatch blog. That's part of the story. There's a lot more.
In his blog, John Linko wrote a good summary about the NebuAd situation. His post included a response from an executive at Bresnan:
"I think it is important to note that when Bresnan performed the limited test of the NebuAd platform in one market, we strictly adhered to the existing FTC rules whereby we notified all of our customers involved in that test and gave them a choice of opting in or out of the trial. With Congressional scrutiny however, the environment in which we began that trial changed and Bresnan quickly suspended the test."
That may be, but on both sides of the Atlantic Ocean consumers are starting to understand the nature and implications of data collection by behavioral targeting programs. I think that it's important to remember that NebuAd was promoting a service that included Deep Packet Inspection (DPI) technology, which enables an Internet Service Provider (ISP) to collect everything its subscribers send (e.g., e-mail, web activity, search keywords, instant messages, tweets, etc.) through their ISP connection.
DPI goes far beyond the older tracking technologies, like Web browser cookies, which advertisers have traditionally used. Congress and consumers are right to take a long, hard look at firms using DPI. And, however favorable the FTC's proposed behavioral advertising guidelines are for corporations, those guidelines are not finalized.
My interest in this is not just the consumer privacy concerns, but the data security concerns due to the fact that company data breaches soared in 2008 compared to prior years. Too many companies don't take data security seriously enough.
Plus, ISPs play a key role in providing consumers with trustworthy access to the Internet. In the NebuAd and other instances, the ISPs never addressed to my satisfaction the data security concerns of using DPI to collect so much more consumer data. Last summer's Congressional hearings brought to light several secret behavioral advertising programs run by ISPs; the ISPs didn't inform their customers and didn't provide consumers with opt-in choices.
The NebuAd closure is part of a larger situation where ISPs rushing for advertising revenues have trampled over and abused consumer privacy. So, thanks are due to the U.S. Congress and to the Privacy Crusaders -- Alan Himmelfarb, Scott Kamber, and Joseph Malley -- for the pressure applied.
Companies beware! If you abuse consumers' privacy, fail to inform consumers or provide adequate opt-in mechanisms, the Privacy Crusaders will get you.
Meanwhile, there's more work to be done. Some of the former executives at NebuAd have started up another behavioral advertising company. In the U.K., The Register reported:
"Insight Ready Limited was incorporated on March 25 by Paul Goad, the man who had been NebuAd's UK boss... Goad started Insight Ready with the blessing of what remained of NebuAd US, but the two firms have no business or technical relationship beyond having some of the same personnel. Unlike NebuAd, Insight Ready will not seek to collect data from inside ISP networks. Instead, when it launches "in several weeks", it will aim to collect behavioural data in partnership with website owners..."
Want to learn more? Try these sources:
And, as the U.S. FTC releases updates about behavioral advertising guidelines, you can expect the I've Been Mugged blog to cover it.
You've just received a replacement credit card. Perhaps your new credit card was the result of identity theft, fraud, or a preventative action by your bank after the Heartland Payment Systems or RBS WorldPay data breaches. The question is: will your replacement credit card affect your credit score? Bankrate.com reported:
"This is one of those instances where an account closure likely won't affect your score at all. With lost or stolen cards or data breach situations, an issuer will usually close the old account and specify a reason, such as reported lost or stolen, and open a new account for you. As long as the new account keeps the original open date and doesn't trigger a hard inquiry, the conversion shouldn't harm your score."
Experts suggest that your new credit card account should have the same open date as your original account, so you retain your payment history. The credit limit and balance for your new card account should remain the same, too.
When a consumer normally applies for a new credit card, the credit card issuer checks the consumer's credit report to see if the consumer is a good credit risk or not. This inquiry can ding (i.e., lower slightly) the consumer's credit score when a lender interprets the closed old card account as:
"... the credit limit loss can increase your credit card use."
If your replacement credit card is an account upgrade, this could affect your credit score.
Experts advise that if the credit report inquiry is issuer-initiated, then your credit score probably won't be affected. If the credit report inquiry is customer-initiated, then it will likely affect your credit score. After you receive your replacement credit card, it's wise to check your credit report to verify that the information in your credit report is accurate.
To me, a consumer should not have to worry about this; especially if the replacement credit card was the result of a data breach at either the credit card issuer, the bank, or a transaction processing firm like Heartland. It seems to me that once again, a company's carelessness causes consumers inconvenience and more work.
There has to be a better way. The current system seems unfairly tilted towards the needs of companies over the needs of consumers.
Over the past 18 months, readership of the I've Been Mugged blog has grown dramatically. Today, the blog gets about 350 hits during weekdays. For this I am grateful and sincerely thank my readers.
Along with this growth has been an increase in reader-submitted comments. Lately, an increasing number of comments have clearly been advertising spam, bigotry, and/or harassment.
If you have any questions or comments about these new policies, please use the e-mail link on the right or the comments section below.
Thanks again for your readership and understanding. Have a good day!
This post deviates from our standard identity-theft topics because this is important. You rarely hear this amount of honesty and straight talk from a politician who has military experience:
Also, the McClatchy newspapers did some excellent fact-checking on Cheney's recent speeches, which are filled with falsehoods. For me, our foreign policy should never be the equivalent of, "the ends justify the means."
When banks and credit card issuers provide replacement debit/credit cards after a data breach, this negatively impacts the restoration of online payment arrangements by consumers. From the Washington Post:
"The data breach last year at Heartland -- a company that processes roughly 100 million card transactions a month for more than 175,000 businesses, has forced at least 600 banks to re-issue untold thousands of new cards in a bid to stave off fraud. For consumers, receiving a new credit or debit card number means contacting companies that have those credentials on file to charge for monthly or periodic bill payments. Less well understood, however, is the economic impact that large scale processor breaches and the inevitable waves of re-issues by banks may have on companies when customers simply fail to reset that automatic billing when they receive a new card number."
The WaPost story focuses on a company that is seeing a $1 million impact from the consumer card turnover. Multiply that by thousands of small and medium-sized businesses and you are describing a huge, ongoing financial impact. The article explores some of the reasons why consumers don't restore their online payment arrangements with their new debit/credit cards:
"The trouble is that convincing customers who had once set up auto-billing to reestablish that relationship after such a disruption is tricky, as many people simply don't respond well to companies phoning or e-mailing them asking for credit card information..."
Like you, I am a consumer. My list of reasons why consumers don't restore their online payments with replacement debit/credit cards after a breach:
As I reread this list, it occurred to me that this is also a pretty good list for consumers to use when deciding whether or not to switch their bank.
What do you think? If you have received a replacement debit/credit card after a breach, did you restore all of your online payments? And why, or why not?
This TechNewsWorld article should make consumers pause before their next visit to the mall to shop with their debit/credit cards:
"It's evident that PCI compliance is not enough to fully protect credit card transaction data. Major fiascos such as the infamous Heartland, RBS WorldPay and TJX data breaches will continue to occur unless the system is fixed. One possible solution? Protection that starts at the database level... Although the exact details of the Heartland breach and compliance issues have not been made public, it is widely believed that credit card data was exposed and non-compliant during its time on the Heartland server. It is staggering that retailers and others processing credit cards are required to protect all transactions in order to be in compliance with the points of PCI, yet once the transactions get to the "super-processors" such as Heartland, these requirements are apparently not systematically enforced -- or even required, at some points. The more data you handle, the lower the security bar, or so it seems."
To address this mess, Heartland is proposing end-to-end data encryption. I am a consumer and not a data security expert, so I have no idea if that will work, or if Heartland is blowing more BS. Regardless, this trend seems very important:
"The more sinister threat environment, which has emerged over the past two years, involves well-organized criminal gangs that grab data with the sole purpose of using it fraudulently. The "2009 Verizon Data Breach Investigations Report" outlined the change, finding that 93 percent of all electronic records breaches occurred in the financial services industry, with 90 percent of the breaches tied to organized crime."
Now that consumers have been thoroughly warned and trained about phishing attacks (e-mail and Web sites), identity thieves have focused their attacks on sites where the money is: banks and retailers.
Prior posts in this blog have discussed why banks and credit card issuers are raising the interest rates, lowering the limits, and changing the billing periods on your credit cards. This Sunday's New York Times newspaper has a fascinating article that explains how banks and credit card issuers make money, and why they do the infuriating stuff that they do to consumers.
Historically, banks and credit card issuers made money by:
"... collecting annual dues and interest payments from cardholders as well as fees from merchants each time a customer used a card."
This money-making approach changed when:
"... the math whizzes arrived. They emphasized that the biggest profits didn’t come from people who always paid off their bills but rather from less-responsible clients who never paid their entire balance, and thus could be milked through silently skyrocketing interest rates, late fees and other penalties."
To make more money, the banks and credit card issuers changed their habits about who they marketed their credit cards to. The result:
"Since 1995, the percentage of the industry’s income from cardholder fees has more than doubled to 40 percent. In 2005, as the push to sign up cardholders peaked, the industry sent out more than 10.2 billion credit-card solicitations, which would cover more than the entire world’s population. Two years later, card companies collected $40.7 billion in profits before taxes... Americans carry an average of 5.3 all-purpose cards in their wallets, and the average household has $10,679 in credit-card debt..."
So, the banks and credit card issuers want as customers people who will steadily pay part of their monthly credit card bills. To find these "right" customers, the banks and credit card issuers needed to distinguish the less-responsible customers they could make money from (i.e., people who steadily pay part of their monthly credit card bills) from the less-responsible customers who would be deadbeats (i.e., people who never pay their credit card bills). To accomplish this:
"The exploration into cardholders’ minds hit a breakthrough in 2002, when J. P. Martin, a math-loving executive at Canadian Tire, decided to analyze almost every piece of information his company had collected from credit-card transactions the previous year... Martin could often see precisely what cardholders were purchasing, and he discovered that the brands we buy are the windows into our souls — or at least into our willingness to make good on our debts. His data indicated, for instance, that people who bought cheap, generic automotive oil were much more likely to miss a credit-card payment than someone who got the expensive, name-brand stuff. People who bought carbon-monoxide monitors for their homes or those little felt pads that stop chair legs from scratching the floor almost never missed payments. Anyone who purchased a chrome-skull car accessory... was pretty likely to miss paying his bill eventually."
How accurate was this analysis?
"Martin’s measurements were so precise that he could tell you the “riskiest” drinking establishment in Canada — Sharx Pool Bar in Montreal, where 47 percent of the patrons who used their Canadian Tire card missed four payments over 12 months. He could also tell you the “safest” products — premium birdseed and a device called a “snow roof rake”... Martin’s predictions, when paired with other commonly used data like cardholders’ credit histories and incomes, were often much more precise than what the industry traditionally used to forecast cardholder riskiness."
Now we know why banks and credit card issuers analyze your credit card purchases. (Bye bye privacy.) Your purchases indicate whether you will be a profitable or unprofitable customer for them; whether you will pay your monthly credit card bills on time and in full, partially, are a slow payer, or a true deadbeat.
Last year, I wrote about how Wall Street considers many consumers as chumps. That still seems to be Wall Street's attitude today, since banks and credit card issuers don't really want as customers people who pay their monthly bills in full and on time. Rather, they want customers who pay part of their credit card bills, often pay late, never consider that everything costs more when using their credit cards this way, and don't change their financial habits.
From the Chicago Tribune newspaper:
"Wisconsin police can attach GPS to cars to secretly track anybody's movements without obtaining search warrants, an appeals court ruled Thursday... As the law currently stands, the court said police can mount GPS on cars to track people without violating their constitutional rights -- even if the drivers aren't suspects. Officers do not need to get warrants beforehand because GPS tracking does not involve a search or a seizure, Judge Paul Lundsten wrote for the unanimous three-judge panel based in Madison."
The appeals ruling was based on a 2003 case where police installed a GPS tracking device on a stalking suspect's car. Police later retrieved the device and obtained a second warrant to search the suspect's home. That search found evidence and the suspect was arrested.
The state already has a law requiring the Department of Corrections to track the state's most dangerous sex offenders using GPS.
"... Robert O. Carr, chairman and CEO of Heartland, has come out swinging... Carr has been pointing the finger at the payment industry itself for not going far enough with best practices. Heartland has taken advantage of several merchant associations to promote new initiatives that could revolutionize the payment card industry beyond PCI DSS compliance... Heartland is in the process of developing a true end-to-end (E2E) encryption solution for its merchants. What's different is that Heartland wants to be the first payment processor to ensure that data remains encrypted all the way from the point of sale through the processing by the card company."
That all sounds very nice. My question is this: why didn't Heartland pursue stronger data security methods sooner? Why did the company wait until after the largest data breach ever to decide to pursue stronger data security measures?
The tough stance by Heartland sounds like that old saying: the best defense is a good offense. It's an attempt to keep people focused on the new PCI-DSS guidelines, rather than on the hundreds of millions of consumer records stolen during the Heartland breach.
Remember, after the breach Visa and MasterCard had removed Heartland from their list of PCI-DSS approved vendors. And the notification to consumers has been less than optimal. About May 6, Heartland was added back to the list of PCI-DSS approved vendors. And:
"... at least MasterCard also imposed a hefty fine on banks using Heartland. The company also faces a class action lawsuit. Separately, Carr himself is under investigation from the SEC regarding a stock sale he made late in 2008."
Don't feel bad for Heartland. The company is getting the appropriate consequences. The breach has cost Heartland $12.6 million so far in legal costs and fines from Visa and MasterCard.
A friend alerted me about this news story in the U.K. Telegraph newspaper:
"Somewhere in Little Rock, Arkansas, there is a database holding 750 billion pieces of information on you, me and everyone we know. John Meyer is the man in charge of these sensitive details in one of the world's largest consumer information databases: approximately 1,500 facts about half a billion people worldwide."
I'll bet you hadn't heard of Acxiom before. Neither had I. The author doubted the accuracy and scope of Acxiom's consumer data. Meyer's reply:
"Oh we do have you on our database. I guarantee you... Your name address, phone number. You have a cat. You're right handed. That sort of thing."
Meyer was correct about the author's personal data. How Acxiom collects information worldwide about consumers' personal habits and product purchases:
"All information on the database has been given away freely by the consumer through anything from registering for services online, to questionnaires or buying magazine subscriptions, Mr Meyer claims."
I wonder how precise that statement is. Meyer's explanation sounds intentionally vague, since a company builds its brand and revenues on processes that are more solid, definable, and defensible against competitors. After all, the corporation's sales were about $1.0 billion during the last 12 months.
This news story in The Cabin starts to shed some light on things. After a Conway, Arkansas Rotary Club member asked Meyer how Acxiom gets its data, Meyer replied:
" 'Sorry, that's a trade secret.' But then Meyer relented and said that bit of information is one of 750 billion discrete bits of information collected by Acxiom... The vehicle identification number on [a consumer's] car is one of those bits, Meyer explained, and it shows the color of his car is blue, and that gives Acxiom a clue that Roger probably has an affinity for blue cars... Acxiom collects information from 375 million consumers for 12,000 marketing campaigns and 150,000 background checks a month and the handling of 17 percent of the mail in the U.S... Acxiom's original method of marketing was direct mail, Meyer said, but has now expanded to Global Interactive Marketing Services in 60 countries, including, among other forward-reaching methods, e-mail, product placement in TV and movies and text messaging."
Meyer's statement about the company's approach to consumers' preferences is interesting. I wonder how much of the company's "data" is built on probabilities and not actual preferences. Consider this: our family car is blue. My wife and I both drive it. Does that mean I prefer blue, my wife prefers blue, or both? Or maybe we are just too lazy to change the color of the used car we bought.
More importantly, this tells me that Acxiom has some definite processes it uses that it doesn't want to disclose. It suggests that companies engage with Acxiom to target and reach specific consumer audiences. And along the way, Acxiom probably adds to its database collection. But I shouldn't have to guess. Consumers deserve a clearer explanation since Acxiom is making money from our personal data.
This also tells me that more companies besides Acxiom may have the VIN data about my car and yours. I wonder how many. I surely didn't give my vehicle's VIN to any companies. I wonder if Acxiom got it from the states' vehicle registries or from the manufacturers.
After a little online research, I found this class-action lawsuit against Acxiom which sheds more light on things:
"Taylor et al v. Acxiom Corporation et al : Plaintiffs bring a class action against defendants for unlawfully purchasing Texas' entire database of names, addresses and other personal information from the Texas Department of Public Safety."
Some familiar companies are part of the list of defendants: Choicepoint and Lexis-Nexis. Geez. It feels like whenever I turn over a rock, there isn't a snake underneath but a geyser. This lawsuit started in 2007, included references to the Drivers Privacy Protection Act (DPPA), and worked its way through various dismissal motions by the defendants. I use this to emphasize two points. First, the lawsuit uncovered relationships between companies and states regarding the sharing of consumers' personal data. Second, your vehicle VIN is not considered personal data.
Do you consider your vehicle VIN personal data? I do. And I'll bet you do, too. The DPPA doesn't. That doesn't seem right to me. I hope that it annoys you, too.
"... the company is entirely old fashioned when it comes to letting consumers opt out of its huge database of personal information. To do so, they must visit the firm's Web site and fill out a Web form. Acxiom will then mail a paper “opt-out form,” which consumers must then fill out and mail back."
What?! Experts view this convoluted opt-out process as simply an attempt by the company to discourage consumers from opting out. This is one reason why I prefer opt-in. If the company's service is so great, consumers will opt-in. If companies have to force users to use their service with an opt-out mechanism, then maybe the service isn't as great as the companies claim:
"It's ridiculous to think that in this era these companies require a letter for this," says Pam Dixon, director of the World Privacy Forum, which sent a formal letter of complaint (PDF) to the Federal Trade Commission..."
To me, this is the insidious side of data collection when companies use an opt-out approach. If consumers don't even know that the company is collecting data about them, how can they possibly opt out? And it forces consumers to become an expert on the company's products and services, so they can effectively opt out of the correct services. In my opinion, this is the slimy side of business.
Regardless, the company describes itself this way in its Web site:
"Acxiom works with many of the world’s leading companies, including: 12 of the top 15 credit card issuers, 12 of the top 15 retail banking companies, 9 of the top 10 telecom/media companies, 7 of the top 10 retailers, 9 of the top 10 automotive manufacturers, 6 of the top 8 brokerage firms, 3 of the top 5 pharmaceutical manufacturers, 2 of the top 5 life/health insurance providers, 8 of the top 10 property and casualty insurers..."
You get the idea. When a company collects this much personal data about consumers and makes money from it, it deserves scrutiny. And consumers deserve transparent communication about who has their data and why.
My concerns center around data collection and data security, especially with telecommunications. I checked a couple of databases and so far, Acxiom hasn't had (or reported) a data breach. I hope to explore more in future blog posts.
What are your thoughts and opinions about Acxiom? About the extent companies collect consumers' personal data?