11 posts from February 2013

Fraudsters Target Police Chief With Check Scam

Wicked Local warned consumers about a check scam that targeted the Police Chief at Hingham, Massachusetts. As in many other check scams, a package arrived via snail mail -- in this case, UPS. The package included a letter and a bogus $3,000.00 check which appeared to be from a legitimate business. The letter included instructions to wire money, about $250, to cover supposed taxes and fees.

Police Chief Michael Peraino was suspicious and called the business first to verify the check. The receptionist at the business verified that the check was a fake, as the business had already received many phone calls from consumers.

Fraudsters attempt check scams like this because they receive real money wired to them from each victim long before the victim realizes that the bogus check they deposited in their bank account has bounced. Each victim is out the $250 they wired, the amount of the bogus check, and any bounced-check fees from their bank.

Check scams like this are a reminder for consumers to verify first any check they receive from an unknown organization or person. The Identity Theft Resource Center (ITRC) advises consumers to follow these steps to verify a suspected scam:

  1. Contact the company involved directly, using a customer service number you find in the phone book or that you have used in the past.
  2. If you were solicited online, contact the Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center. Or, contact your local State Attorney General's office.
  3. Contact the Federal Trade Commission via phone (877-FTC-HELP) or e-mail.
  4. Avoid scams that appear to use expensive out-of-country telephone numbers. If you are unsure about a telephone number's location, look up the number or area code using this free decoder.

If you are unsure who the attorney general is in the state where you live, then browse this list. Readers of this blog are familiar with a similar check scam that targeted Craigslist website users.


21 Fung Wah Buses Removed From Service After Failed Inspections

WBZ-TV, the CBS network affiliate in Boston, reported yesterday evening about the results of an investigation by both the station and the State of Massachusetts. After several bus inspections by state officials, 21 of 28 Fung Wah buses have been removed from service.

Reportedly, bus inspectors found:

"... multiple oil leaks from different parts of the engine, and nuts and bolts that weren’t secure. There were also faulty lights, a door with a broken latch and the lack of proper registration on the charter bus hired by Fung Wah... Three of those buses had cracked frames. Inspectors found they had been re-welded and the work wasn’t done properly..."

The bus company had hired charter buses to replace its buses that had been removed from service. The Boston Globe reported:

"The frame cracks, located in the drive axle, rear axle, engine cradle, and other locations, posed serious safety issues, said Ann Berwick, chairwoman of the utilities department."

State inspectors are so concerned, they have asked the Federal government to suspend Fung Wah's operating license until repairs have been made. The Massachusetts Department of Public Utilities (DPU) oversees transportation and public safety.

Fung Wah operates low-cost passenger bus service between Boston and New York City. Some ticket prices are as low as $15 each way. A check of the company's website did not find any mentions of the failed bus inspections.

[Update, 3:15 pm EST: the U.S. Department of Transportation has ordered Fung Wah to cease passenger operations until safety concerns are addressed.]


FTC Studies The Accuracy Of Consumer Credit Reports. Plenty Of Errors To Be Fixed By Credit Reporting Agencies

The blog post on Monday discussed the 60 Minutes report about the failures in the dispute process at credit reporting agencies to fix mistakes in consumers' credit reports. Today's post discusses the recent U.S. Federal Trade Commission (FTC) survey, which prompted that news report.

The FTC survey analyzed the accuracy and completeness of consumer credit reports. This was the agency's fifth such report. Section 319 of the 2003 FACT Act requires the FTC to conduct a study of the accuracy and completeness of consumer credit reports.

Major findings from this FTC study:

  1. 26% of consumers (262 of 1,001 participants) identified errors on their credit reports that might affect their credit scores. 19% of credit reports (572 of 2,968 reports) had an alleged error reported by participants
  2. 20% of consumers had an error that was corrected by a credit reporting agency (CRA) after it was disputed, on at least one of their three credit reports
  3. Of the 572 credit reports where an error was submitted, 399 reports (70%) were modified by a credit reporting agency, and 211 (36%) had a credit score changed. Those same 211 credit reports are 7.1% of all credit reports in the study
  4. Of the 262 consumers who identified alleged inaccuracies in their credit reports and filed disputes, 206 consumers (80%) had a modification made by a credit reporting agency to their credit report in response to the dispute. Of these, 129 consumers (12.9% of all 1,001 participants) experienced a change in credit score following the dispute process
  5. Slightly more than 10% of consumers saw a change in their credit score after the credit reporting agencies fixed errors on their credit reports
  6. Approximately 5% of consumers had a maximum credit score change of more than 25 points, while 0.4% of consumers had a maximum score change of more than 100 points

If you skimmed or quickly read the high-level findings or the FTC press release, then you might assume that there is no problem -- and you would be wrong for several reasons. First, that 20% of consumers found an error in at least one of their credit reports means that as many as 40 million people (20% of the 200 million Americans with credit reports) could have at least one error in one of their three credit reports with Experian, Equifax, or TransUnion. That seems to be a huge error rate.

Second, this error rate is based on a percentage of consumers. Some credit reports had multiple errors in them. So, a more accurate error rate would be based on the number of credit reports with errors compared to the total number of credit reports. Or, an even better error rate would be the average number of errors in a credit report. Third, the report doesn't seem to measure the percentage of error items that credit reporting agencies don't fix but should have fixed (that's another type of error).

Fourth, that 20% error rate is the number of consumers who reported errors and the credit reporting agencies fixed them. (Explanation below.) A much higher rate of consumers reported errors: 26%. It seems that the real error rate is far higher.

I waded through the 370-page FTC report because credit reports are critical documents. Consumers need them to be accurate to do business with lenders, and lenders use these documents constantly. Plus, credit reports contain a lot of important, sensitive, personal information about you, your lifestyle, and the purchases you've made:

"... (1) Identifying information including name, address, birth date, SSN, and previous/alternate names and addresses; (2) Credit account information including information about current and past credit accounts such as mortgages, car loans, credit cards, and installment payments; (3) Public records such as bankruptcies, foreclosures, civil judgments, and tax liens; (4) Collection accounts, which include unpaid debts (such as medical bills) that have been turned over to collection agencies; and (5) Inquiries (subscriber requests to access a consumer credit report)."

When you apply for credit or when a potential lender requests to view your credit report to make a lending decision, a "hard inquiry" results. Too many "hard" inquiries and your credit score can go down. The study identified different types of errors (bold emphasis added):

"... we define a ‘potential error’ as an alleged inaccuracy identified by the participants with the help of the study associate... Lenders often use the credit score associated with a credit report to assess the credit risk of a particular consumer. Therefore, we define a ‘potentially material error’ as an alleged inaccuracy in information that is commonly used to generate credit scores. Information used to generate credit scores include the number of collections accounts, the number of inquiries (hard pulls on a credit file), the number of negative items such as late or missed payments, and other factors. An alleged error is considered potentially material prior to the dispute process simply by its nature as an item used to generate credit scores... We define a ‘confirmed material error’ in several ways, though all rely on a confirmed error being determined as a result of the FCRA dispute process..."

If you are reading this closely, then you realize that credit reports contain errors both in the information used to calculate consumers' credit scores, and in the information not used to calculate credit scores:

"Errors in header information (current/previous address, age, or employment) are not considered in determining a FICO credit score and thus are not defined as material in the context of this study."

In my opinion, this distinction does a disservice to consumers. It tolerates a certain level of sloppiness; that it is okay for credit reporting agencies to get their credit reports mostly correct. Header information elements are no less important than other credit report elements. These header elements could be used to match credit reports for a person with input submitted by lenders and/or within dispute investigations. Second, a credit report is such an important document that it needs to be correct. Period. Credit reports are important because:

Errors are errors. Period. They all are important. Fix them all. Decades ago and early in my business career, I learned an important lesson about producing a quality product or service:

"Why spend all this time finding and fixing and fighting when you could prevent the incident in the first place?... It is much less expensive to prevent errors than to rework, scrap, or service them... It is always cheaper to do the job right the first time."

Either the credit reporting agencies haven't learned these lessons about quality, or they intentionally choose not to pursue a goal of zero defects.

To the good, the FTC study looked at error rates among header information from credit reports:

"In cases where a participant identified only an error in header information, the participant was instructed to dispute the error directly with FICO and the participant’s credit report was not redrawn. For the individuals with material errors and header information errors, the outcome for the header information disputes is known. The third most common alleged inaccuracies occur in the data on header information (154 alleged errors on 127 reports, comprising 4.3% of the sample). Note this represents a lower bound of the frequency of header information errors, as reports with errors only in header information are not included. The modification rate for header information is higher than that of other alleged material error types (99 modifications, comprising 64.3% of the disputed header information items)."

In other words, in this study 127 credit reports had 154 alleged errors in the header information, or 1.2 errors on average per credit report. The credit reporting agencies fixed 99 of these 154 alleged errors -- what I would calculate as a 64.3% correction rate for header items. Still, this is a best-case correction rate, because the above excluded instances where the only error reported by the consumer was in the header information.

The study found that the main types of confirmed material errors (that could affect a consumer's credit score) that were fixed by credit reporting agencies were:

"... errors in the tradeline (consumer accounts) or collections information. The most common alleged inaccuracies occur in the data on tradelines (708 alleged errors on 409 reports, comprising 13.8% of the sample) or collections accounts (502 alleged errors on 223 reports, comprising 7.5% of the sample). The most commonly modified errors are tradeline information errors (395 modifications) and collections information errors (267 modifications)."

The supporting details:

| Error Type | # of Alleged Errors | Items Modified #(%) | # Reports with Alleged Errors | Avg. # Alleged Errors / Report | Reports with Errors Modified #(%) |
|---|---|---|---|---|---|
| Collections | 502 | 267 (53.2%) | 223 | 2.3 | 146 (4.9%) |
| Duplicate Entries | 65 | 30 (46.2%) | 39 | 1.7 | 27 (0.9%) |
| Header Information | 154 | 99 (64.3%) | 127 | 1.2 | 90 (3.0%) |
| Inquiries | 88 | 48 (54.5%) | 48 | 1.8 | 34 (1.1%) |
| Derogatory Public Records | 44 | 25 (56.8%) | 35 | 1.3 | 20 (0.7%) |
| Tradeline Information | 708 | 395 (55.8%) | 409 | 1.7 | 267 (9.0%) |
| Total | 1,561 | 864 (55.3%) | -- | -- | -- |

Note: the report did not provide totals. I calculated that row. Overall, slightly more than half (55.3%) of error items reported by consumers are fixed -- and this chart includes only the material errors that could affect a consumer's credit score. What I found interesting: regardless of the error type, there is consistently more than one error per credit report.

The following chart highlights how often credit reporting agencies co-mingle your information with other persons' information:

| Error Type | # of Alleged Errors | # Items "Not Mine" Alleged | Items "Not Mine" Corrected #(%) | # Reports With This Alleged Error | # Reports With "Not Mine" Alleged | Reports With "Not Mine" Corrected #(%) |
|---|---|---|---|---|---|---|
| Collections | 502 | 413 | 209 (50.6%) | 224 | 190 | 116 (61.1%) |
| Inquiries | 88 | 88 | 48 (53.9%) | 48 | 48 | 33 (68.8%) |
| Tradeline Information | 708 | 246 | 133 (54.1%) | 409 | 144 | 81 (56.3%) |
| Total | 1,561 | 747 | 390 (52.2%) | -- | -- | -- |

Again, the report did not calculate the total row. I did. As you can see, credit reporting agencies fixed slightly more than half of errors consumers reported as not theirs. How the researchers calculated the effects on consumers' credit scores from credit report errors:

"After the disputes were filed and completed, the study associate drew new credit reports for the consumer and analyzed whether there were changes to the report in response to the dispute. If there were no changes to the report, the original FICO score is relevant for our calculations and if all the alleged inaccurate items were modified by the CRA, the provisional FICO rescore is the relevant credit score. If only some of the disputed items were changed, the modified report was sent to a FICO analyst for a second rescoring to assess the impact of the modifications. The relevant FICO score at the conclusion of the dispute and rescoring process is then compared to the original FICO score to determine how the credit report inaccuracies affected the consumer credit score."

The report shared a brief explanation of why credit reporting agencies don't fix errors in the way that consumers who reported them expect:

"... There are a number of reasons, however, why a CRA may make changes to a credit report that differ from the consumer’s instructions. For example, a consumer may dispute an account balance and instruct the CRA to change the balance to a specific amount (i.e., the consumer alleges what is incorrect and what action by the CRA would set it right). If the CRA cannot confirm the existence of the account with the data furnisher, the account is removed from the consumer’s credit report; in this case the outcome is not what the consumer requested. In addition, a consumer may dispute multiple items on a credit report as inaccurate and the CRA may only modify a subset of the disputed items, thus suggesting that the consumer was correct regarding some of the inaccuracies on the report but not all."

The report shared a brief explanation of why credit reporting agencies may not fix any of the errors reported by consumers:

"... there are some consumers who file disputes and yet the CRA makes no modification to their report. For the purpose of the analysis within this report, these consumers are not defined as having a confirmed material error. It is important to note that these consumers with alleged potentially material errors that are not confirmed through the FCRA dispute process may still have inaccurate items on their credit reports; however, we are unable to verify the inaccuracy within the design of this study..."

So, the 20% error rate (percentage of consumers who reported errors and credit reporting agencies fixed them) in the study is probably the best-case scenario; and the real-world error rate is higher. How? If an error discovered and reported by a consumer cannot be verified via the FCRA dispute process, then the credit reporting agencies do nothing and that error remains in the consumer's credit reports. The 60 Minutes show documented real-world examples where consumers fully documented errors in their credit reports, which the credit reporting agencies proceeded to ignore (sometimes settling a lawsuit later out of court).

This best-case error rate problem is also backed by the research methodology. The research team included members from the University of Missouri, St. Louis (UMSL), the University of Arizona, and the Fair Isaac Corporation (FICO). The research methodology included consumers selected at random:

"... from the population of interest (consumers with credit histories at the three national CRAs). Ultimately, 1,001 study participants reviewed 2,968 credit reports (roughly three per participant) with a study associate who helped them identify potential errors. Study participants were encouraged to use the Fair Credit Reporting Act (“FCRA”) dispute process to challenge potential errors that might have a material effect on the participant’s credit standing (i.e., potentially change the credit score associated with that credit report). When a consumer identified and disputed an error on a credit report, the study associate informed FICO of the disputed items, and FICO generated a provisional FICO score for the report under the assumption that all consumer allegations were correct. After the completion of the FCRA dispute process, study participants were provided with new credit reports and credit scores. Using the provisional FICO score, the new credit reports and credit scores, and the original credit reports and credit scores, we are able to determine the impact on the consumer’s credit score..."

Descriptive information of the study participants:

| FICO Credit Score | Age | Education | Race |
|---|---|---|---|
| 589 and below: 18.2% | 18 - 30: 21% | HS diploma or less: 12% | White: 78% |
| 590 - 679: 20.2% | 31 - 40: 20% | Some college: 31% | Black: 12% |
| 680 - 749: 21.0% | 41 - 50: 15% | College degree: 30% | Other: 9% |
| 750 - 789: 19.5% | 51 - 60: 21% | Graduate study: 26% | |
| 790 and above: 21.2% | 61 and older: 22% | | |

The study never looked at credit report accuracy in the regional and smaller credit reporting agencies. So, there are more than three credit reports per person on average, when you include those smaller and regional agencies. More credit reports and probably more errors.

What do I think of this study by the FTC? It highlights several important concepts:

  • How you define an "error" matters. In the study, a conservative definition yielded a 9.7% error rate (defined as the percentage of consumers) while a more expansive definition yielded a 21% error rate.
  • How you define an "error" matters. The study calculated the much-publicized error rate based on the percentage of consumers who reported errors. To me, a better method is to calculate the error rate based on the percentage of credit reports with errors. This lets you proceed to the next level to calculate which credit reporting agency has the higher (or lower) error rate.
  • How you label an "error" matters. While calculating the percentage of credit reports with errors fixed and/or the percentage of error items fixed by credit reporting agencies, what you label these is important. The study used what I consider to be clumsy labels: "Percent of All Reports Examined With This Error Modified" and "Percent of Items With Any Allegation of this Type Modified," respectively. Let's call them what they really are: "Report Correction Rate" and "Report Item Correction Rate," respectively. Then, we can examine which credit reporting agency does a better job of fixing credit reports. Sadly, the study did not provide this level of detail.
  • How you define "investigation" matters: this includes both the FCRA dispute process and what credit reporting agencies actually do (or don't do) to investigate error disputes reported by consumers. The 60 Minutes report mentioned low-wage staff in other countries simply assign code numbers to error reports without performing a substantial, comprehensive investigation -- which most consumers probably expect.
  • Which brand of credit score matters: this study used FICO credit scores, while many credit reporting agencies and other retailers sell different brands of credit scores to consumers.
  • Where you place the "responsibility" matters. The study is consistent with general practice -- for better or worse -- that places the responsibility for finding and reporting errors with consumers. Why aren't the credit reporting agencies held responsible for finding, reporting and fixing errors on their own? Would they find the same errors that consumers found? Or more? Or fewer?

This FTC study is half a loaf at best. Why?

First, it didn't analyze the real problem of actual errors already reported by consumers that were never fixed -- what I call the correction rate. A better study would investigate both error rates and correction rates, by perhaps using an independent third-party to analyze the dispute process and the supporting documents submitted by consumers to credit reporting agencies. This would get at the true heart of the matter: how accurate credit reporting agencies are (or are not) with using the documentation consumers provide. In other words, let's better understand the errors that weren't fixed which should have been fixed by credit reporting agencies.

Second, it is better to define error rates not as a percentage of consumers, but instead based on either the number of credit reports with errors, or the average number of error items in a credit report. Each consumer has at least three credit reports -- one with each of the three major credit reporting agencies: Experian, Equifax, and TransUnion. Some consumers have more credit reports with the smaller, regional credit reporting agencies.

Third, the study perpetuates a current bias that distinguishes between errors used to make credit score decisions and errors not used in this calculation. Errors are errors. Period. Credit reports are so important that they need to be correct. Fourth, the study ignored the smaller and regional credit reporting agencies.

Fourth, the study methodology had 100% of participants review their credit reports. In the real-world, far fewer consumers check their credit reports for accuracy. In its report, the FTC said:

"... In 1992, the Associated Credit Bureaus (later Consumer Data Industry Association, or “CDIA”) commissioned Arthur Andersen & Company to perform a study about credit report accuracy. Using credit applicants who had been denied credit, the Andersen Study found that only 8% requested a copy of their report and 2% of those denied credit disputed information contained in their report. Following the dispute, 3% of the people who received copies of their report had the original decision to deny credit reversed...."

While the report cites other studies, the important point is this: if only 8% of consumers request copies of their credit reports, then it makes sense to pursue ways to engage more consumers with checking their credit reports for accuracy. Business as usual means a lot of errors go unreported and undiscovered. In a truly open market with credit reports, each credit reporting agency would tout its accuracy levels; unlike the current mess. The FTC needs to make it real for consumers by explaining the real-world costs of inaccurate credit reports with real examples of denied credit and loans with higher interest rates.

Fifth, I found the language in the report and study methodology needlessly confusing. It could have been simplified with clearer labels, such as:

  • Consumer Dispute Rate: the percentage of consumers that submitted error reports
  • Credit Report Dispute Rate: the percentage of credit reports with at least one error reported by consumers
  • Credit Report Average Item Dispute Rate: the average number of error items per credit report submitted by consumers
  • Gross Credit Report Correction Rate: the percentage of credit reports with (all or some) error items fixed by credit reporting agencies
  • Net Credit Report Correction Rate: the percentage of error items in credit reports where all items are fixed by credit reporting agencies
  • Gross Item Correction Rate: the average number of error items fixed (all or partial) per credit report
  • Net Item Correction Rate: the average number of error items where all items are fixed per credit report

What is your opinion of credit reporting agencies? Of their dispute process? Of the FTC study? Share your thoughts below.

Download the 2013 FTC FACTA report (Adobe PDF, 20.8 Mbytes).


Google Shares Personal Data Of App Purchasers With App Developers

Over at his Internet Hughbox blog, Dan Nolan raised a startling and huge privacy issue for Google Play users. After developing an Android app, Nolan found that Google had shared with him the sensitive personal information of purchasers of his app:

"I jumped over to the ‘merchant account’ section to see the orders and realised one absolutely insane thing. If you bought the app on Google Play (even if you cancelled the order) I have your email address, your suburb, and in many instances your full name. Each Google Play order is treated as a Google wallet transaction and as such software developers get all of the information (sans exact address) for an order of an app that they would get from the order of something physical."

While the personal data shared includes a flag indicating whether or not the consumer wants to receive marketing offers via email, Nolan wonders how many app developers will comply with that. The implications of this detailed data sharing:

"... I could track down and harass users who left negative reviews or refunded the app purchase... This is a massive oversight by Google. Under no circumstances should I be able to get the information of the people who are buying my apps unless they opt into it..."

Google Play is a cloud-based service offering. According to the MediaPost blog:

"... the data-sharing was intentional. Google designed its platform so that people who purchase apps do so from the developer. That model differs from the iTunes platform, where people purchase apps from Apple."

And, the Chicago Tribune reported:

"... Joel Reidenberg, Director of the Center on Law and Information Policy at Fordham University School of Law, said Google and other online and mobile services needed to be more transparent about what personal information was being shared with third-party firms."

Well said, Mr. Nolan. Users should always be in control, with programs asking users to opt-in. Too many websites do the opposite: automatically include users and force users to opt-out.

Some app developers may use this personal information responsibly to provide product support and service, while others may not. Already, there are problems with consumers getting harassed about negative reviews posted online. Some physicians already try to stifle online discussion by forcing their patients to sign a "Mutual Agreement To Maintain Privacy" contract, which prohibits patients from posting negative comments on social networking websites.

Positive and negative reviews are part of a healthy, functioning marketplace that helps users make informed choices. A 2011 survey found that 89% of consumers said they found online reviews trustworthy.


Facebook Hacked. Site Says User Data Not Compromised

In case you were away for the long weekend and missed it, on Friday Facebook.com announced via its website that it had been hacked:

"Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues... We have found no evidence that Facebook user data was compromised."

This means that the old saying still applies: a chain is only as strong as its weakest link. In this case, your sensitive personal information on a social networking site is only as secure as the weakest (mobile or website) app developer.


60 Minutes: Dispute Processes At Credit Reporting Agencies Fail To Fix Errors in Consumers' Credit Reports

Recently, the 60 Minutes television news magazine reported about the credit reporting industry. The report focused on problems with the dispute process: failures by the largest three credit reporting agencies to correct errors reported by consumers on their credit reports.

Basically, one out of every five Americans has an error on their credit report. That is a massive amount of credit reports with errors, since the companies archive credit reports for about 200 million Americans and since each person has at least three credit reports (e.g., one report each at Equifax, Experian, and TransUnion, plus regional credit reporting agencies). That is an unacceptably high error rate.

Few other businesses would remain operating with such a high error rate. Think of it this way: if one out of every five airplane passengers were killed or injured during a crash, then that airline would be out of business. At a minimum, the public would demand changes and accountability. If one out of every five credit card purchases were incorrect or lost, that bank would be out of business. And, consumers would demand changes and accountability. But somehow, credit reporting agencies remain in business despite high error rates. If you made an error in one out of five projects at your job, your employer would likely suspend or fire you.

If you are unfamiliar with what credit reporting agencies do, here's what you need to know. The banks and lenders you already have loans or credit accounts with, provide your history to the credit reporting agencies about your loans, payments you've made (or failed to make), outstanding loan balances, and the associated dates. When a loan is paid off, your credit report should indicate that. Like social networking websites, you are the product since credit reporting agencies make money by selling your credit reports to potential lenders (e.g., banks, retail stores, phone companies, educational loan companies), both when you apply for credit and when potential lenders request credit reports in order to send out offers via e-mail or snail mail.

Credit reporting agencies also make money by selling to consumers both credit scores and credit monitoring services, whose monthly fees can be as high as $18. 60 Minutes reported that these credit monitoring services don't provide consumers with the exact same credit reports that the credit reporting agencies sell to potential lenders. I'd like to hear more about that.

Your credit report is the basis of future lending decisions made by potential lenders. A bad or inaccurate report will affect and lower your credit score, the overall number used to indicate your credit worthiness. A low credit score can cost you money: denied credit applications, or approved loans but with a far higher interest rate. Bad reports can include valid late or non-payments on your loans. The errors in credit reports can include another person's data co-mingled with yours (obviously, that should never happen), a dead person's data co-mingled with yours, or a credit report that doesn't accurately reflect a loan you truly paid off on time and/or in full.

The $4 billion credit reporting industry is dominated by three huge companies: Equifax, Experian, and TransUnion. What 60 Minutes didn't mention is that credit reporting agencies regularly do business with data brokers, such as Acxiom, to buy and sell your personal information. Credit reporting agencies experience data breaches, just like other companies.

The reality is that information in your credit report is transmitted around the globe, since much of the credit report maintenance and customer service operations are outsourced to firms in other countries (e.g., Argentina, Brazil, Canada, Chile, Costa Rica, El Salvador, Honduras, India, Ireland, Jamaica, Peru, Portugal, Spain, United Kingdom, Uruguay). The work is often performed by low-wage workers. Readers of this blog already know this, since this blog reported a 4-part series in 2008 about offshore outsourcing within the industry. The 60 Minutes reporter interviewed several former credit reporting agency workers in Chile, who admitted that they really didn't have any way to investigate errors, and were directed to simply assign number codes to error disputes submitted by consumers, and then rubber-stamp inputs from lenders, regardless of whether that input was correct or incorrect.

If this makes you mad, it should. The 60 Minutes report included concerns by the Attorney General for the state of Ohio, Mike DeWine. He is concerned that the credit reporting agencies don't fix mistakes in consumers' credit reports, that the high error rates are the industry's fault (and not the banks'), and that the industry violates the Fair Credit Reporting Act (FCRA). While the industry claims that it adequately protects the credit reports of children, DeWine's office has taken action to check the accuracy of the credit reports of youth in the state's foster care system.

60 Minutes reported that some consumers have sued credit reporting agencies to get a resolution and errors fixed. Consumers shouldn't have to go to that extreme to resolve errors in their credit reports. Perhaps, some enterprising class-action attorney will take up the challenge.

You can watch the report below. After watching it, report any credit problems you have had to the CFPB. You should also contact your elected officials and demand action:



For Consumers Who Believe Their Apple Products Are Immune From Malware

Finally, somebody has said it loud and clear. As part of its 2013 predictions about identity theft and fraud, the ProtectMyID blog stated:

"As Apple products have become a growing part of the electronic market, cybercriminals have taken aim at the brand. They have developed malware specific to Apple Products and have taken advantage of the fact that everyone believes their Apple product is immune. In 2013, we suspect these attacks will continue to grow and soon the Apple App Store will be as seedy as that of its competitors."



Most Trusted Companies For Privacy Study

Recently, the Ponemon Institute released the results of its annual study of the companies consumers trust the most to maintain their privacy. The study asked consumers to name and rate the companies they trust the most to protect their personal information. Key findings from the study:

"New entrants to this year’s top 20 most trusted list includes: Microsoft (ranked 17), United Healthcare (ranked 18) and Mozilla (ranked 20). Healthcare, consumer products, and banking are the industry segments considered by consumers to be the most trusted for privacy (among 25 industry categories). In contrast, Internet and social media, non-profits (charities) and toys are viewed as the least trusted for privacy."

The only government organization in the top 20 is the U.S. Postal Service (#5). Some noteworthy findings about consumers' habits:

"78% of respondents continue to perceive privacy and the protection of their personal information as very important or important to the overall trust equation... 63% of respondents admit to sharing their sensitive personal information with an organization they did not know or trust... 59% percent of respondents believe their privacy rights are diminished or undermined by disruptive technologies such as social media, smart mobile devices and geo-tracking tools. 55% say their privacy has been diminished by virtue of perceived government intrusions."

These findings should be a wake-up call to companies operating within the Internet industries, namely app developers and social networking website operators. About data breaches:

"49% of respondents recall receiving one or more data breach notifications in the past 24 months. 70% of these individuals said this notification caused a loss of trust in the privacy practices of the organization reporting the incident."

About consumers' expectations of data security (bold emphasis added):

"73% of respondents believe the substantial security protections over their personal information is the most important privacy feature to advancing a trusted relationship with business or government organizations. Other important privacy features include: no data sharing without consent (59%), the ability to be forgotten (56%) and the option to revoke consent (55%)."

Companies and their lobbyists would be wise to comply with these findings about important privacy features. Some troubling findings from the Ponemon study:

"Only 35% of respondents believe they have control over their personal information and this result has steadily trended downward over seven years. Less than one-third (32%) of respondents admit they do not rely on privacy policies or trust seal programs when judging the privacy practices of organizations they deal with. When asked why, 60 percent believe these policies are too long or contain too much legalese."

Study respondents said that the most significant threats to their privacy were:

  • 61% - Identity theft
  • 56% - government surveillance
  • 42% - notice of data breaches
  • 40% - violations of civil liberties
  • 36% - annoying background chatter
  • 32% - spam
  • 30% - employer intrusions
  • 28% - stalking
  • 23% - annoying advertising
  • 19% - children abuses

Ponemon has conducted this study for the past seven years, and noted that the importance respondents place on privacy has increased during this time. The study, conducted during October through December 2012, included responses from 6,704 adults in the United States. About 217 companies were named by respondents from 25 industries. 47% of respondents were male. The average age of all respondents was 34.6 years, with an average income of $55,900. The study defined "personal information" as:

"Information about yourself and your family. This information includes name, address, telephone numbers, e-mail address, Social Security number, other personal identification numbers, access codes, age, gender, income and tax information, purchases, website preferences, health information, account activity and many other pieces of data about you and your household."

Maybe the next study will include photographs, video, and other items posted on social networking websites.

The top 20 most trusted companies from the 2012 study:

  1. American Express
  2. Hewlett Packard
  3. Amazon
  4. IBM
  5. US Postal Service
  6. Procter & Gamble
  7. USAA
  8. Nationwide
  9. eBay
  10. Intuit
  11. Verizon
  12. (Tie) Johnson & Johnson and FedEx
  13. WebMD
  14. Weight Watchers
  15. U.S. Bank
  16. Disney
  17. Microsoft
  18. (Tie) United Healthcare and VISA
  19. AT&T
  20. Mozilla

I was surprised that respondents ranked the banking industry so favorably. Companies I noticed that did not make the top 20 list: Apple and Google. I suspect that the perception of "children abuses" as a privacy threat will increase in the future.

Download the Ponemon report, "2012 Most Trusted Companies For Privacy" (Adobe PDF).


17 Privacy Groups Tell US To Stop Lobbying The European Union As It Considers Stronger Privacy Protections For Consumers

Yesterday, about 18 privacy advocacy groups sent a letter to U.S. Government officials which asked for a meeting and requested assurances that the U.S. not hinder new consumer privacy protections being considered by the European Union. The group believes that both the U.S. and Europe need to update and modernize their privacy protections for consumers.

The letter, addressed to the U.S. Attorney General, the Secretary of State, the Acting Secretary of Commerce, and two ambassadors who oversee trade with Europe, was signed by the ACLU, the Center For Digital Democracy, the Electronic Privacy Information Center (EPIC), the Patient Privacy Rights Foundation (PPR), the Privacy Rights Clearinghouse, and a dozen other advocacy organizations. The letter (Adobe PDF, 67k bytes) stated:

"Users around the world are experiencing increases in identity theft, security breaches, government surveillance, and secretive, discriminatory profiling. Users find that personal information given for one purpose is often used for another purpose, often without their knowledge or consent. Our personal data -- our privacy -- is being abused by both the commercial sector and governments... Europeans are working together to update and modernize their framework for privacy protection... There are many important, innovative proposals, as well as the recognition that the process of data protection can be simplified to the benefit of all. Europe is considering both an overarching Data Protection Regulation and a Directive on Law Enforcement..."

After a meeting in Brussels with several of the privacy groups, European Parliament members expressed concerns:

"... that both the US Government and US industry are mounting an unprecedented lobbying campaign to limit the protections that European law would provide... They were concerned about the absence of safeguards for personal data stored in the Cloud..."

The Telegraph reported in February 2012 about the intensive lobbying by U.S. companies. Reportedly, U.S. lobbyists represent several tech companies including Google, Facebook, and Apple. Earlier this month, a leading privacy expert warned citizens in Europe not to use U.S.-based cloud services due to privacy and spying concerns with the FISA Amendments Act of 2008.

As I see it, the privacy letter accurately described the threats to consumers' information and privacy. This blog has reported about numerous instances of corporate data breaches, mobile apps that collected consumers' sensitive data without notice or consent, developers that fail to provide privacy policies with their mobile apps, app developers that failed to provide privacy notices for parents about apps for their children, secret tracking of online users, software foisted on users without notice during maintenance updates, and a variety of technologies (e.g., Zombie HTTP cookies, Flash cookies, Zombie E-tags, behavioral exchanges, deep packet inspection, e-readers) used by a variety of companies to snoop and track users' online habits often without notice and consent.

More recently, a company has allegedly collected, stored, shared, and manipulated the metadata associated with photos and videos shared at social networking websites. Data privacy laws clearly have not kept pace with Internet and digital technologies.

The group's letter stated several principles in the proposed EU laws that should guide privacy efforts in both the U.S. and Europe:

"... (1) individual control over the collection and use of personal data; (2) transparency; (3) respect for the context in which data is collected; (4) security; (5) access and correction rights for consumers; (6) data limitation; and (7) accountability... These principles reflect many of the same goals contained in the European privacy initiative. But the key is that these principles must be given legal force..."

A copy of the letter is also available here (Adobe PDF, 67k bytes). Visit the CPDP website to learn more about the meeting held in Brussels last month.


What You Post Online Could Be Used To Determine Your Mental State

Elizabeth Martin, a researcher in the Psychological Science department at the University of Missouri, recently completed a study of social networking usage. Martin concluded:

"Therapists could possibly use social media activity to create a more complete clinical picture of a patient... The beauty of social media activity as a tool in psychological diagnosis is that it removes some of the problems associated with patients’ self-reporting. For example, questionnaires often depend on a person’s memory, which may or may not be accurate. By asking patients to share their Facebook activity, we were able to see how they expressed themselves naturally. Even the parts of their Facebook activities that they chose to conceal exposed information about their psychological state."

Martin had study participants -- about 200 college students -- print out their Facebook activity, and then:

"... correlated aspects of that activity with the degree to which those individuals exhibited schizotypy, a range of symptoms including social withdrawal to odd beliefs. Some study participants showed signs of the schizotypy condition known as social anhedonia, or the inability to experience pleasure from usually enjoyable activities, such as communicating and interacting with others. In the study, people with social anhedonia tended to have fewer friends on Facebook, communicated with friends less frequently and shared fewer photos."

According to Mashable:

"The idea for the study came through a conversation between Martin and the second author, Drew Bailey, who doesn't have a Facebook profile. A discussion arose about profile content and its correlation to psychology."

If therapists and psychologists believe that they can tell a person's mental state from their posts on social networking websites, then it is appropriate to assume that other professionals (e.g., insurance, human resource professionals) will also want access to social networking profiles. In other words, some social networking websites may view this as a potential, new revenue stream. Credit reporting agencies already want access to consumers' social networking profiles to enhance credit decisions. And in some instances, courts have ruled that your social networking activity can be accessible during a lawsuit.

 


Path Inc. Settles With FTC For COPPA And Privacy Violations With Its Mobile Apps

This morning, the U.S. Federal Trade Commission (FTC) announced that it had reached a settlement with mobile app developer Path for COPPA and privacy violations where users' entire address books were uploaded and stored without notice or consent. The terms of the settlement require Path Inc. to:

"... establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years. The company also will pay $800,000 to settle charges that it illegally collected personal information from children without their parents’ consent."

The Path mobile app enables consumers to create and share journals with up to 150 friends. The app also enables users to upload, store, and share photos, notes, songs they are listening to, and their geolocation. At registration, users share their gender, phone number, and date of birth. The lawsuit filed by the FTC (Adobe PDF, 918 kbytes) alleged:

"Congress enacted COPPA in 1998 to protect the safety and privacy of children online by prohibiting the unauthorized or unnecessary collection of children's personal information online by operators of Internet websites or online services... In version 2.0 of the Path App for iOS, regardless of whether the user elected to "Add Friends," Defendant automatically collected personal information from users' mobile device contacts (also known as the user's "address book") and stored the personal information on Defendant's servers. For each contact in the user's mobile device address book, Defendant automatically collected and stored the following personal information, if available: first name; last name; address; phone numbers; email addresses; Facebook username; Twitter username; and date of birth. The automatic collection and storage of personal information from the user's mobile device contacts occurred the first time the user launched version 2.0 of the Path App and, if the user signed out of the service, each time the user signed in again. This practice continued until February 8, 2012."

The complaint also alleged:

"From November 14, 2010, through May 4, 2012, Defendant accepted registrations from users who entered a date of birth indicating that the user was under the age of 13. As a result, Defendant knowingly collected email address, first name, last name, date of birth, and if provided, gender and phone number, from approximately 3,000 children under age 13... From November 29, 2011, through February 8, 2012, Defendant also knowingly collected from these children the following personal information for each contact in the child's mobile device address book, if available: first name, last name, address, phone numbers, email addresses, and date of birth... Defendant did not provide parents with a direct notice of its information practices prior to collecting, using, or disclosing children's personal information. Defendant did not obtain verifiable consent from parents prior to collecting, using, or disclosing children's personal information."

The FTC also alleged that Path’s privacy policy deceived consumers by claiming that it automatically collected only certain user information such as IP address, operating system, browser type, address of referring site, and site activity information. Kudos to the FTC for this settlement, although I wish the fine was far more.

However, Path Inc. faces other legal challenges including a class-action lawsuit about similar privacy violations. The class-action suit included more allegations that Path collected and shared more data with other companies, and tracked users with geo-tags.

To learn more, read about the COPPA Rule in the 2013 U.S. Federal Register (Adobe PDF, 590 kbytes).