29 posts categorized "Data Brokers"

Robotic Vacuum Cleaner Maker To Resell Data Collected Of Customers' Home Interiors

[Image: iRobot Roomba autonomous vacuum] Do you use a robovac -- an autonomous WiFi-connected robotic vacuum cleaner -- in your home? Do you use the mobile app to control your robovac?

Gizmodo reports that iRobot, the maker of the Roomba robotic vacuum cleaner, plans to resell maps generated by robovacs to other smart-home device manufacturers:

"While it may seem like the information that a Roomba could gather is minimal, there’s a lot to be gleaned from the maps it’s constantly updating. It knows the floor plan of your home, the basic shape of everything on your floor, what areas require the most maintenance, and how often you require cleaning cycles, along with many other data points... If a company like Amazon, for example, wanted to improve its Echo smart speaker, the Roomba’s mapping info could certainly help out. Spatial mapping could improve audio performance by taking advantage of the room’s acoustics. Do you have a large room that’s practically empty? Targeted furniture ads might be quite effective. The laser and camera sensors would paint a nice portrait for lighting needs..."

Think about it. The maps identify whether you have one, none, or several sofas -- or other large furniture items. The maps also identify the size (square footage) of your home and the number of rooms. Got a hairy pet? If your robovac needs more frequent cleaning, that data is collected, too.

One can easily confirm this by reading the iRobot Privacy Policy:

"... Some of our Robots are equipped with smart technology which allows the Robots to transmit data wirelessly to the Service. For example, the Robot could collect and transmit information about the Robot’s function and use statistics, such as battery life and health, number of missions, the device identifier, and location mapping. When you register your Robot with the online App, the App will collect and maintain information about the Robot and/or App usage, feature usage, in-App transactions, technical specifications, crashes, and other information about how you use your Robot and the product App. We also collect information provided during set-up.

We use this information to collect and analyze statistics and usage data, diagnose and fix technology problems, enhance device performance, and improve user experience. We may use this information to provide you personalized communications, including marketing and promotional messages... Our Robots do not transmit this information unless you register your device online and connect to WiFi, Bluetooth, or connect to the internet via another method."

Everything seems focused upon making your robovac perform optimally. Seems. Read on:

"When you access the Service by or through a mobile device, we may receive or collect and store a unique identification numbers associated with your device or our mobile application (including, for example, a UDID, Unique ID for Advertisers (“IDFA”), Google Ad ID, or Windows Advertising ID), mobile carrier, device type, model and manufacturer, mobile device operating system brand and model, phone number, and, depending on your mobile device settings, your geographical location data, including GPS coordinates (e.g. latitude and/or longitude) or similar information regarding the location of your mobile device..."

Use the mobile app and your robovac's unique ID number can easily be associated with other data describing you, where you live, and your lifestyle. Valuable stuff.

Another important section of the privacy policy:

"We may share your personal information in the instances described... i) Other companies owned by or under common ownership as iRobot, which also includes our subsidiaries or our ultimate holding company and any subsidiaries it owns. These companies will use your personal information in the same way as we can under this Policy; ii) Third party vendors, affiliates, and other service providers that perform services on our behalf, solely in order to carry out their work for us, which may include identifying and serving targeted advertisements, providing e-commerce services, content or service fulfillment, billing, web site operation, payment processing and authorization, customer service, or providing analytics services."

Well, there seems to be plenty of wiggle room for iRobot to resell your data. And, that assumes it doesn't change its privacy policy to make resales easier. Note: this is not legal advice. If you want legal advice, hire an attorney. I am not an attorney.

The policy goes on to describe customers' choices for stopping or opting out of data collection programs for some data elements. If you've read that, then you know how to opt out of as much of the data collection as possible.

The whole affair highlights the fact that the data collected from different brands of smart devices in consumers' homes can be combined, massaged, and analyzed in new ways -- ways that probably are not apparent to consumers, and which reveal more about you than often desired. And, the whole affair is a reminder to read privacy policies before purchases. Know what valuable personal data you will give away for convenience.

Eyes wide open.

Got an autonomous robotic lawn mower? You might re-read the privacy policy for that, too.

LeapLab And Other Defendants Settled With FTC

Recently, a reader wrote via e-mail with feedback about this December 2014 blog post which discussed a lawsuit filed by the U.S. Federal Trade Commission (FTC) against a data broker, LeapLab, and other defendants. The suit alleged that the defendants sold consumers' sensitive personal information to fraudsters.

The reader was unhappy because he was unable to submit a comment on that blog post. The policy of this blog is to close comments on all blog posts after a year. The reader seemed to interpret that policy as a slight against one of the defendants. No. The closing of comments after a year is equal, consistent treatment.

The reader was also unhappy with comments posted by other readers to that 2014 blog post. Like other blogs, readers freely share their opinions and feedback in the comments section. Like other blogs, I am not responsible for readers' comments. Nor do I censor comments for content. I remind everyone to read the Terms of Service.

The reader's e-mail feedback claimed the blog post was incomplete and one sided. Today's blog post reports the rest of the story.

LeapLab and the other defendants settled the lawsuit with the FTC in February 2016. The February 18, 2016 FTC announcement stated:

"A group of defendants have settled Federal Trade Commission charges that they knowingly provided scammers with hundreds of thousands of consumers’ sensitive personal information – including Social Security and bank account numbers. The proposed federal court orders prohibit John Ayers, LeapLab and Leads Company from selling or transferring sensitive personal information about consumers to third parties. The defendants will also be prohibited from misleading consumers about the terms of a loan offer or the likelihood of getting a loan. In addition, the settlements require the defendants to destroy any consumer data in their possession within 30 days.

The orders include a $5.7 million monetary judgment, which is suspended based on the defendants sworn inability to pay. In addition to the settlement orders, the court entered an unsuspended $4.1 million default judgment with similar prohibitions against SiteSearch, the remaining defendant in the case."

You can follow the above links to the settlement agreements between each defendant and the FTC, which were approved by the court. Links are also available on the FTC-LeapLab proceedings page.

As a solo blogger with limited resources, I do my best to get it right. There's plenty of privacy news to cover, and I should have reported the above settlement agreements sooner. Hopefully, today's blog post corrects that oversight. I sincerely thank all readers for their feedback and comments.

Facebook Doesn't Tell Users Everything it Really Knows About Them

[Editor's note: today's guest post is by reporters at ProPublica. I've posted it because, a) many consumers don't know how their personal information is bought, sold, and used by companies and social networking sites; b) the USA is a capitalist society and the sensitive personal data that describes consumers is consumers' personal property; c) a better appreciation of "a" and "b" will hopefully encourage more consumers to be less willing to trade their personal property for convenience, and demand better privacy protections from products, services, software, apps, and devices; and d) when lobbyists and politicians act to erode consumers' property and privacy rights, hopefully more consumers will respond and act. Facebook is not the only social networking site that trades consumers' information. This news story is reprinted with permission.]

by Julia Angwin, Terry Parris Jr. and Surya Mattu, ProPublica

Facebook has long let users see all sorts of things the site knows about them, like whether they enjoy soccer, have recently moved, or like Melania Trump.

But the tech giant gives users little indication that it buys far more sensitive data about them, including their income, the types of restaurants they frequent and even how many credit cards are in their wallets.

Since September, ProPublica has been encouraging Facebook users to share the categories of interest that the site has assigned to them. Users showed us everything from "Pretending to Text in Awkward Situations" to "Breastfeeding in Public." In total, we collected more than 52,000 unique attributes that Facebook has used to classify users.

Facebook's site says it gets information about its users "from a few different sources."

What the page doesn't say is that those sources include detailed dossiers obtained from commercial data brokers about users' offline lives. Nor does Facebook show users any of the often remarkably detailed information it gets from those brokers.

"They are not being honest," said Jeffrey Chester, executive director of the Center for Digital Democracy. "Facebook is bundling a dozen different data companies to target an individual customer, and an individual should have access to that bundle as well."

When asked this week about the lack of disclosure, Facebook responded that it doesn't tell users about the third-party data because it's widely available and was not collected by Facebook.

"Our approach to controls for third-party categories is somewhat different than our approach for Facebook-specific categories," said Steve Satterfield, a Facebook manager of privacy and public policy. "This is because the data providers we work with generally make their categories available across many different ad platforms, not just on Facebook."

Satterfield said users who don't want that information to be available to Facebook should contact the data brokers directly. He said users can visit a page in Facebook's help center, which provides links to the opt-outs for six data brokers that sell personal data to Facebook.

Limiting commercial data brokers' distribution of your personal information is no simple matter. For instance, opting out of Oracle's Datalogix, which provides about 350 types of data to Facebook according to our analysis, requires "sending a written request, along with a copy of government-issued identification" in postal mail to Oracle's chief privacy officer.

Users can ask data brokers to show them the information stored about them. But that can also be complicated. One Facebook broker, Acxiom, requires people to send the last four digits of their Social Security number to obtain their data. Facebook changes its providers from time to time, so members would have to regularly visit the help center page to protect their privacy.

One of us actually tried to do what Facebook suggests. While writing a book about privacy in 2013, reporter Julia Angwin tried to opt out from as many data brokers as she could. Of the 92 brokers she identified that accepted opt-outs, 65 of them required her to submit a form of identification such as a driver's license. In the end, she could not remove her data from the majority of providers.

ProPublica's experiment to gather Facebook's ad categories from readers was part of our Black Box series, which explores the power of algorithms in our lives. Facebook uses algorithms not only to determine the news and advertisements that it displays to users, but also to categorize its users in tens of thousands of micro-targetable groups.

Our crowd-sourced data showed us that Facebook's categories range from innocuous groupings of people who like southern food to sensitive categories such as "Ethnic Affinity," which categorizes people based on their affinity for African-Americans, Hispanics and other ethnic groups. Advertisers can target ads toward a group, or exclude ads from being shown to a particular group.

Last month, after ProPublica bought a Facebook ad in its housing categories that excluded African-Americans, Hispanics and Asian-Americans, the company said it would build an automated system to help it spot ads that illegally discriminate.

Facebook has been working with data brokers since 2012, when it signed a deal with Datalogix. This prompted Chester, the privacy advocate at the Center for Digital Democracy, to file a complaint with the Federal Trade Commission alleging that Facebook had violated a consent decree with the agency on privacy issues. The FTC has never publicly responded to that complaint, and Facebook subsequently signed deals with five other data brokers.

To find out exactly what type of data Facebook buys from brokers, we downloaded a list of 29,000 categories that the site provides to ad buyers. Nearly 600 of the categories were described as being provided by third-party data brokers. (Most categories were described as being generated by clicking pages or ads on Facebook.)

The categories from commercial data brokers were largely financial, such as "total liquid investible assets $1-$24,999," "People in households that have an estimated household income of between $100K and $125K," or even "Individuals that are frequent transactor at lower cost department or dollar stores."

We compared the data broker categories with the crowd-sourced list of what Facebook tells users about themselves. We found none of the data broker information among any of the tens of thousands of "interests" that Facebook showed users.

Our tool also allowed users to react to the categories they were placed in as being "wrong," "creepy" or "spot on." The category that received the most votes for "wrong" was "Farmville slots." The category that got the most votes for "creepy" was "Away from family." And the category that was rated most "spot on" was "NPR."

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.

Big Data Brokers: Failing With Privacy

You may not know that hedge funds, in both the United Kingdom and in the United States, buy and sell a variety of information from data brokers: mobile app purchases, credit card purchases, posts at social networking sites, and lots more. You can bet that a lot of that mobile information includes geo-location data. The problem: consumers' privacy isn't protected consistently.

The industry claims the information sold is anonymous (i.e., doesn't identify specific persons), but researchers have found it easy to de-anonymize the information. The Financial Times reported:

"The “alternative data” industry, which sells information such as app downloads and credit card purchases to investment groups, is failing to adequately erase personal details before sharing the material... big data is seen as an increasingly attractive source of information for asset managers seeking a vital investment edge, with data providers selling everything from social media chatter and emailed receipts to federal lobbying data and even satellite images from space..."

One part of the privacy problem:

“The vendors claim to strip out all the personal information, but we occasionally find phone numbers, zip codes and so on,” said Matthew Granade, chief market intelligence officer at Steven Cohen’s Point72. “It’s a big enough deal that we have a couple of full-time tech people wash the data ourselves.” The head of another major hedge fund said that even when personal information had been scrubbed from a data set, it was far too easy to restore..."

A second part of the privacy problem:

“... there is no overarching US privacy law to protect consumers, with standards set individually by different states, industries and even companies, according to Albert Gidari, director of privacy at the Stanford Center for Internet and Society..."

The third part of the privacy problem: consumers are too willing to trade personal information for convenience.

Data Breach Of Online Database Affects 154 Million U.S. Voters

An online database of voter profiles covering about 154 million Americans suffered a data breach. A security researcher discovered the unprotected online database. HelpNetSecurity reported:

"It was a CouchDB database that required no authentication to be accessed, hosted on Google’s Cloud services. Luckily, an ID associated with each record pointed [the security researcher] in the right direction regarding the owner of the data... the data was originally collected by a data brokerage company named L2... The client told us that they were hacked, the firewall was taken down and then the probing began..."

The voter profiles include full names, addresses, phone numbers, age, gender, marital status, estimated income, political party, congressional district affiliation, state senate district affiliation, and more:

"Some of the records also contained information about the voters’ marital status, whether they had children or owned a gun, their stance on gay marriage, the language(s) they speak, and their email address."

This is the type of information a political party would collect. The report did not state which political organization. The security researcher also discovered that the unprotected online database was accessed by others, including a user in Europe. The database is no longer online.

The report did not state who would notify affected persons, or when this might happen.

Emotional Technology: The Coming Products, Services, And Apps

A reader shared the video below with this comment:

"I don't know George, this sort of creeps me out."

My thoughts and reactions to the video:

  1. It should creep you out. Do you want technology between you and your spouse? During very private, intimate, face-to-face conversations? I think not.
  2. We consumers are already experiencing the beginnings of emotional technology. To make that tech work, companies must collect data about our moods and emotions. Some examples of this data capture: a) Facebook's expanded list of emojis; b) Facebook saves your unpublished and unedited comments and posts before final posting.
  3. Consumers decide when and where they want technology in their relationships. That line is already blurred. (Examples: devices with voice-recognition interfaces, such as Amazon Echo and Hello Barbie, that listen 24/7/365.)
  4. If I were a data broker, of course I'd want to capture your moods and emotions and link them to certain geo-locations and times of day. Why? It's an opportunity to make more $$$ by selling that emotional data to advertisers so they can serve up supposedly relevant ads responding to your moods in those locations and/or at those times.
  5. Wearables, fitness trackers and smart homes outfitted with certain Internet-of-Things devices will perform this mood data capture.
  6. Whenever somebody uses technology to offer convenience, watch out. There are usually accompanying data capture, tracking, and privacy issues (e.g., notice, consent) embedded. Will companies adequately protect emotional information from data breaches? How will your government and law enforcement acquire, archive, and use mood information?

What are your opinions?

Voter Tracking, Data Collection, Analysis, And Privacy

While the New Hampshire primary and Iowa caucuses have passed, there are many more upcoming primaries this year before the general election in November. These primaries represent data collection opportunities for companies to learn more about voters. Marketplace reported:

"One company is tracking voter characteristics through some likely sources — their phones. Dstillery is a big data intelligence company that sells targeted advertising information about consumers to big companies like Microsoft and Comcast. But in the Iowa primary, the company tried its hand at compiling voter traits... people who loved to grill or work on their lawns overwhelmingly voted for Trump in Iowa... people who watched and supported NASCAR also happened to support Donald Trump and Hillary Clinton..."

Dstillery has an impressive list of clients: AT&T, Cablevision, Comcast, DirecTV, Hulu, Sprint, T-Mobile, Verizon, Vonage, and many more. If you remember your college statistics classes, then you know that correlation does not mean causation. Things may happen together, but it doesn't mean one causes the other. Being a NASCAR fan doesn't mean a voter will vote for certain candidates. Voting for certain candidates does not mean you will be a NASCAR fan.

This "big data" collection is also a reminder of how much we consumers share on social networking sites. All a consumer has to do is "Like" a brand (e.g., NASCAR, one of these top-10 barbeque grills, a particular politician, etc.) on Facebook.com, or "Follow" that brand (or politician) on Twitter, and it is pretty easy for a big data intelligence company to collect, analyze, and compare voters' preferences. (Facebook knows far more about you than you realize.) Even if you didn't "Like" or "Follow" a brand, the data collection is still pretty easy. All a big data intelligence firm has to do is trawl through the metadata attached to photos you took with your phone and posted online: racetracks on Instagram, NASCAR cakes on Pinterest, or whatever else. You get the idea. The metadata attached to your photos recorded where and when you were (e.g., geo-location of the racetrack), the background scene (e.g., stands, pits, etc.), and the people (e.g., emblems on their clothes). This blog post explains what happens when you stop "Liking" posts and comments on Facebook.

The data analysis is also pretty easy because most of you gave your mobile phone numbers to social networking sites so you could use their mobile apps. Both social networking sites and data brokers have two crucial data elements (e.g., your birth date, your phone number) to match, merge, and purge data about you. So, political campaigns (via the data brokers and big data intelligence firms they hire) can understand pretty easily who actually voted, and for whom, at a particular voting location.

Is this a good thing? I guess your answer to that depends upon how much privacy you want associated with your voting activity. What you do within the voting booth may be private, but there are many players performing surveillance outside the booth to reveal what you did in the booth. And, if you aren't careful what you say in front of Internet-of-Things devices installed in your home (e.g., toys, smart televisions, smart speakers or search robots, etc.), then the data collection is probably even more extensive.

Is this a good thing?

Political Campaigns In The USA: Privacy And Security Issues

The Los Angeles Times provided a good primer about the privacy issues in the political system in the United States:

"... data for politics is not a new phenomenon. Presidential candidates began pioneering the approach more than a decade ago, and it was a key part of Barack Obama’s winning strategy in 2008 and 2012. But technological advancements, plunging storage costs and a proliferation of data firms have substantially increased the ability of campaigns to inhale troves of strikingly personal information about voters... as presidential campaigns push into a new frontier of voter targeting, scouring social media accounts, online browsing habits and retail purchasing records of millions of Americans, they have brought a privacy imposition unprecedented in politics. By some estimates, political candidates are collecting more personal information on Americans than even the most aggressive retailers... The campaigns and the data companies are cagey about what particular personal voter details they are trafficking in..."

Reportedly, one firm collected 500 data elements about each voter. That means they know a lot about you.

What might those data elements be? Let's use Facebook.com as an example, since many consumers use that social networking service. If you are a member, you can see for yourself. Sign into your account with a web browser, select SETTINGS and then ADS. You'll see a page that looks similar to this:

[Image: Facebook Ad Settings page]

Chances are, your account settings were preset to automatically display targeted advertisements based upon your interests (e.g., what you "Liked," posted about, friends' posts you commented upon, even when you don't click "Like" buttons, music and fitness apps linked to your account, edited and unpublished posts, etc.). I'd already modified my account settings to suppress targeted ads, but that doesn't stop the data collection. Now, select the EDIT link next to "Ads based upon my preferences." When prompted, select the "View Ad Preferences" button. You will see a page that looks similar to this:

[Image: Facebook Ad Preferences Categories page]

Facebook has neatly arranged your preferences into several categories: Education, People, News and Entertainment, Travel, and more. Click on any category to view the items for that category. After selecting the "Lifestyle and Culture" category, I saw this:

[Image: Facebook Lifestyle and Culture Ad Preferences view]

You can click on each item to see details about that item. You can also mouseover an item to display a button to toggle on or off each item. That tells Facebook to either display or suppress targeted advertisements to you about that item. (I turned 95 percent of mine off.) If you "Like" the Facebook page for a specific brand, product, service, newspaper, organization, event, or person then the site is happy to catalog that and serve targeted ads from that entity, or other companies in that category.

This provides a huge clue as to the data elements Facebook has collected and shared with data brokers and its partners. Chances are, some of this information has already made its way via data brokers into the databases of political campaigns. You can read in this blog about data brokers and tech companies that have assisted social networking sites.

I've used Facebook.com as an example to highlight for consumers the data elements involved. The above images make it real. Data collected by social networking sites is so valuable that at least one credit reporting agency wanted it. As the Los Angeles Times reported:

"The data companies are required by law to keep the names of individuals separate from the pile of data accumulated about them. Instead, each voter is assigned an online identification number, and when a campaign wants to target a particular group – say, drivers of hybrid vehicles or gun owners – the computers coordinate a robocall, or a volunteer’s canvassing list, or a digital advertisement with relevant accounts. Since campaigns are ultimately in the business of finding particular people and getting them to show up to vote, some scholars are dubious their digital targeting efforts offer the same level of anonymity as those of corporations."

So, campaigns will re-assign names to information the data brokers have supposedly anonymized. Are you happy with that? Are you happy with political campaigns knowing this much about you? Are you confident that political campaigns adequately protect your personal information? Do you believe that you should have some say in what political campaigns collect and archive about you? Do you want control over your personal information?

Again, from the Los Angeles Times article:

"There is a tremendous amount of data out there and the question is what types of controls are in place and how secure is it,” said Craig Spiezle, executive director of the nonprofit Online Trust Alliance. The group’s recent audit of campaign websites for privacy, security and consumer protection gave three-quarters of the candidates failing grades... An exhaustive paper [New York University School of Law researcher] Rubenstein recently published on voter privacy found that “political dossiers may be the largest unregulated assemblage of personal data in contemporary American life.” Basic privacy guidelines that apply to other industries don’t appear to apply to candidates. Some do not even have clear privacy policies posted on their websites..."

Now you have an idea of what data is out there about you. If you want to turn off targeted ads displayed by Facebook, you can. You can't stop the data collection though. The data collection, archiving, and resale is part of most social networking sites' business models.

Are political campaigns reselling data to make money? Are you interested in what political campaigns have collected about you? Do you think it's accurate?

Leaked Documents From The Ashley Madison Data Breach Highlight The Company's Technology Vendors

The fallout continues from the data breach at infidelity website Ashley Madison. Besides several class-action lawsuits filed against Ashley Madison, Forbes magazine reported that stolen documents highlight the company's information technology (I.T.) vendor relationships:

"In response to challenges of the data’s authenticity, Impact Team began a second series of dumps, including what appears to be essentially all corporate records, including source code, internal business documents and corporate emails of Avid Life Media/Ashley Madison... Within those hundreds of thousands of documents is one entitled Areas of Concern – Customer Data (abbreviated in this article, AoC)... The needle in the treasure trove haystack of corporate data... In the AoC, the IT business practices of Avid/Ashley Madison began to emerge, including its relationships with third party vendors. New Relic is mentioned as one of three third party IT vendors to Avid. Also mentioned in that document as vendors are OnX (publicly reported as being an Ashley Madison vendor) and Redis/Memcached (alternative open source caching tools)... The AoC identifies New Relic as being a customer data “concern” (worry), by mentioning that it could employ “a hacker/bad actor” who could gain access to customer data. There was nothing in the AoC to indicate any reason to call out New Relic as a third party vendor presenting particular customer data security risks."

Assuming the leaked documents are accurate, one reason why this is important:

"The existence of third party IT vendors may be of interest to the increasing numbers of plaintiffs suing Avid and Ashley Madison. These plaintiffs have, to date, apparently not named these vendors as defendants."

Noel Biderman, the chief executive at Avid Life Media, Ashley Madison's parent company, resigned last week. A Wired article highlighted another reason:

"... the Missouri suit states that its anonymous plaintiff paid a $19 fee to have Ashley Madison delete her personal information from its servers but failed to deliver on that service."

Class-Action Lawsuits Filed Against Medical Informatics Engineering And Experian

One result of the Medical Informatics Engineering (MIE) data breach has been a class-action lawsuit filed against MIE. The Journal Gazette reported on July 31:

"James Young, a patient whose medical information was compromised, filed the paperwork Wednesday in U.S. District Court in Fort Wayne. The Indianapolis man is seeking to create a class action, which would allow others who had personal information stolen in the data breach to join the lawsuit... Young alleges that MIE failed "to take adequate and reasonable measures to ensure its data systems were protected," failed to stop the breach and failed to notify customers in a timely manner."

In a Sunday, August 2 article, the Fort Wayne, Indiana-based Journal Gazette described the wide range of companies that access consumers' medical records:

"A lot more people than you realize, including your employer, your bank, state and federal agencies, insurance companies, drug companies, marketers, medical transcribers and the public, if your health records are subpoenaed as part of a court case. All those entities can access your records without getting special permission from you, according to Patient Privacy Rights."

Austin, Texas-based Patient Privacy Rights is an education, privacy, and advocacy organization dedicated to helping consumers regain control over their personal health information.

The Journal Gazette news article was the first report I've read disclosing the total number of breach victims. Reportedly, MIE sent 3.1 million breach notices to affected consumers nationwide. Help Net Security reported a total of nearly 5.5 million consumers in the U.S. affected. That includes 1.5 million consumers affected in Indiana, and 3.9 million consumers in other states. Compromised or stolen data goes as far back as 1997. Reportedly, the Indiana Attorney General's office has begun an investigation.

The Journal Gazette news article also discussed some of the ways stolen medical information can be misused:

"An unethical provider could bill an insurance company or the federal government for health care that it never gave you. Any amount not covered would then be billed directly to you, which could affect your credit score... Then there’s the issue of using sensitive medical information for marketing – or even for blackmail. Let’s say someone was treated for AIDS, hepatitis C or a sexually transmitted disease. A company selling prescription drugs or other products might like to target that patient for advertising. But sending brochures or coupons in the mail could tip off others about the condition. Someone with those or similar medical conditions could face discrimination in hiring..."

In a separate case, a class-action was filed against the credit reporting service Experian. The Krebs On Security blog reported on July 21:

"The suit alleges that Experian negligently violated consumer protection laws when it failed to detect for nearly 10 months that a customer of its data broker subsidiary was a scammer who ran a criminal service that resold consumer data to identity thieves... The lawsuit comes just days after a judge in New Hampshire handed down a 13-year jail sentence against Hieu Minh Ngo, a 25-year-old Vietnamese man who ran an ID theft service variously named Superget.info and findget.me. Ngo admitted hacking into or otherwise illegally gaining access to databases belonging to some of the world’s largest data brokers, including a Court Ventures— a company that Experian acquired in 2012. He got access to some 200 million consumer records by posing as a private investigator based in the United States... The class action lawsuit, filed July 17, 2015 in the U.S. District Court for the Central District of California, seeks statutory damages for Experian’s alleged violations of, among other statutes, the Fair Credit Reporting Act (FCRA)..."

I included information about both class-actions in a single blog post since both companies are of interest to consumers affected by MIE's data breach. MIE has offered breach victims two years of free credit monitoring services from Experian.

FTC Sues Data Broker For Selling Consumers' Sensitive Information To Fraudsters

Do you know how much your bank account information is worth to fraudsters? Read on.

Just before the Christmas holiday, the U.S. Federal Trade Commission (FTC) announced that it had charged a data broker with selling consumers' sensitive personal information to fraudsters to commit theft and fraud:

"... LeapLab bought payday loan applications of financially strapped consumers, and then sold that information to marketers whom it knew had no legitimate need for it. At least one of those marketers, Ideal Financial Solutions – a defendant in another FTC case – allegedly used the information to withdraw millions of dollars from consumers’ accounts without their authorization."

Defendants named in the lawsuit include Sitesearch Corporation (doing business as LeapLab), LeapLab, LLC (based in Arizona), Leads Company (based in Nevada), and John Ayers. LeapLab's Twitter account seems dormant, and its website is not operating. BusinessWeek lists John Ayers as Chairman of the Board of LeapLab.

In its complaint, the FTC alleged that LeapLab:

"... collected hundreds of thousands of payday loan applications from payday loan websites known as publishers. Publishers typically offer to help consumers obtain payday loans. To do so, they ask for consumers’ sensitive financial information to evaluate their loan applications and transfer funds to their bank accounts if the loan is approved... The defendants sold approximately five percent of these loan applications to online lenders, who paid them between $10 and $150 per lead... the defendants sold the remaining 95 percent for approximately $0.50 each to third parties who were not online lenders and had no legitimate need for this financial information."

So, your bank account information is worth 50 cents to fraudsters. The sensitive consumer information LeapLab allegedly sold to non-lender third parties included consumers' names, addresses, phone numbers, employers, Social Security numbers, bank account numbers, and bank routing numbers. Who were these non-lender third parties? They included:

"... marketers that made unsolicited sales offers to consumers via email, text message, or telephone call; data brokers that aggregated and then resold consumer information; and phony internet merchants like Ideal Financial Solutions. According to the FTC’s complaint, the defendants had reason to believe these marketers had no legitimate need for the sensitive information they were selling..."

In a separate complaint, the FTC sued Ideal Financial Solutions (based in Las Vegas, Nevada), for allegedly buying information about 2.4 million consumers between 2009 and 2013 from data brokers and using that information:

"... to make millions of dollars in unauthorized debits and charges for purported financial products that the consumers never purchased. LeapLab provided account information for at least 16 percent of these victims."

The New York Times reported:

"The complaints are part of a multiyear government crackdown on fraudulent debt collection and other scams that target people in financial distress. But the case against LeapLab indicates that federal regulators are now widening their investigation to include the middlemen who traffic in the kind of closely held consumer details that can make consumers vulnerable to financial scams... Frederick G. Gamble, a lawyer in Tempe, Ariz., who was listed as a statutory agent of LeapLab, did not respond to a voice mail message seeking comment..."

Thanks to the FTC staff for enforcing credit laws. I look forward to the FTC pursuing more data brokers and non-lender third parties who engage in similar behaviors.

There have to be strong consequences for this type of wrongdoing. I hope that the defendants pay fines, pay the credit monitoring and resolution costs for affected consumers, and serve time in prison. That sounds about right for the amount of damage inflicted upon consumers.

What are your opinions?

Massachusetts And Several Other States' Attorneys General Investigate Breach At Experian

I apologize to readers. I am almost caught up with blog posts after the DDoS attack last week against Typepad, the blogging service I use.

Last week, the Office of the Attorney General of Massachusetts announced an investigation, along with several other states' attorneys general, of the Experian credit reporting agency after criminals were able to obtain consumers' sensitive financial data. The statement said:

"On March 3, Hieu Ngo, a Vietnamese national, pleaded guilty to federal charges in New Hampshire federal court involving his operation of a website that offered his clients access to sensitive personal information for more than 200 million U.S. citizens, including social security numbers, which could be used to commit identity theft or financial fraud... Ngo gained access to the personal information when he obtained an account with a U.S. company known as Court Ventures by posing as a private investigator from Singapore. Due to a reciprocal data sharing agreement between Court Ventures and U.S. Info Search, LLC of Columbus, Ohio, Ngo’s account allowed him access to a database that allegedly contained names, addresses, dates of birth, and social security numbers of more than 200 million U.S. citizens."

Ngo may have already resold stolen credit reports, since about 1,300 persons accessed his online account:

"For at least an 18-month period, more than 3.1 million queries were made to the database using Ngo’s account. According to Experian, it purchased Court Ventures’ assets in March 2012, and continued to honor Ngo as a customer until December 2012."

Experian and Court Ventures have sued each other about indemnification: who will pay the costs for this breach. Regardless of who pays in the end, it is bad. Very bad. With 200 million consumers affected, the breach will victimize consumers in most, if not all, states. Massachusetts AG Martha Coakley said:

"We are especially concerned about allegations that the companies may have known of this incident for over a year, while not reporting it so consumers could protect themselves. We will actively investigate this matter and in the meantime, we remind consumers to take proactive steps to protect their personal information."

The Massachusetts Attorney General advised consumers:

  1. Order copies of your credit reports from the three major credit-reporting agencies (Experian, Equifax, and TransUnion) and review them for fraudulent entries.
  2. If you notice fraudulent entries on your credit reports, place a Fraud Alert on them.
  3. Review your credit card and debit card statements for fraudulent entries.
  4. Contact the fraud departments at your bank or card issuer to report fraudulent charges.
  5. File a police report with local police if you are a victim of fraud.
  6. Consider placing a Security Freeze on your credit reports for stronger protection.

Consumers who don't have a credit monitoring service can visit AnnualCreditReport.com to order their free credit report once each year from each of the three major credit reporting agencies (Equifax, Experian, and TransUnion). Consumers who experience fraud can also submit complaints to the Federal Trade Commission, which tracks fraud affecting consumers.

Consumers who experience problems (e.g., poor customer service, failure to fix fraudulent charges you reported, etc.) with a credit reporting agency can submit complaints to the Consumer Financial Protection Bureau (CFPB). At the CFPB site, click on the "Submit A Complaint" link. The CFPB began overseeing credit reporting agencies in 2012.

Expect to hear more news about this breach investigation.

Senators Propose A New Bill To Help Consumers And Hold Data Brokers Accountable

Senators John D. "Jay" Rockefeller IV (D-W.Va.) and Ed Markey (D-Mass.) recently proposed the Data Broker Accountability and Transparency Act of 2014 (DATA Act, S2025) to provide accountability for companies that make money by collecting and selling information about consumers who are not their customers. The Electronic Privacy Information Center (EPIC) explained the proposed legislation:

"Under the DATA Act, consumers would be able to access their personal information, make corrections, and opt out of marketing schemes. The DATA Act would empower the FTC to impose civil penalties on violators, and would prohibit data brokers from collecting consumer data in deceptive ways."

A variety of companies collect, and sell, information about consumers. During the past 6+ years, this blog has reported about some data brokers, including ChoicePoint, Acxiom, Intelius, US Search, Spokeo, and Lexis-Nexis. Several data brokers have experienced data breaches, and some have sold consumers' sensitive personal data to organized crime. Data brokers collect a wide variety of information about consumers, including but not limited to: current and past residential addresses, landline and mobile phone numbers, financial records, products and services purchased, autos purchased, retailers you shop at, and a lot more. With the growth of smart phones, mobile devices, and wearable devices, this data collection is growing quickly to also include consumers' geo-location information and movement in the real world, health information, and exercise/workout information.

With the rise of data mining (a/k/a "big data"), companies seek to collect as much information as possible about their customers. By analyzing this data, companies can deduce your favorite colors, tastes, and related preferences, including whether you are right- or left-handed. Your personal information is bought, sold, and traded between banks, data brokers, retail stores where you shop, telemarketing firms, collections agencies, and your local government.

Senator Markey said:

"Consumers have the right to access to their personal data, the ability to correct it, and opt-out from marketing purposes, and Chairman Rockefeller’s legislation ensures these critical consumer controls... The data broker industry has for too long operated in the shadows, compiling dossiers on millions of Americans. It is time to shine a light on this industry, and Chairman Rockefeller’s legislation helps put in place a system of rules that puts consumers in control of their information. I am proud to co-sponsor this bill..."


"The Data Broker Accountability and Transparency Act of 2014 (DATA Act) comes on the heels of an investigation and majority staff report by the Commerce Committee into the multibillion-dollar industry. Released in December 2013, the report revealed the breadth and scope of the sensitive data – including financial, health, and other personal information – that is routinely amassed by data brokers on consumers without their knowledge or consent. The Committee also held a hearing on Dec. 18, 2013, to examine the privacy and accountability concerns with the industry."

Kudos to Senators Markey and Rockefeller for looking after the needs of consumers. The Direct Marketing Association (DMA) opposed the proposed legislation:

"Though similar bills have died on the Senate floor previously, the Direct Marketing Association says it intends to fight the DATA Act's progress “tooth and nail” due to the high profile it receives from Rockefeller... The section of the DATA Act that most offends marketing stakeholders would compel data brokers to grant consumers access to their data with the ability to correct it at least once a year at no cost. The cost would fall on the so-called data brokers."

You would think that an industry that wants to sell accurate information would welcome corrections by consumers, who know their personal information best. It seems that accuracy takes a back seat to profitability. And, the companies making profits with the information they sell are in the best position to absorb the costs of corrections. If they can't do so profitably, then get out of the business.

Read the full text of the proposed DATA Act (Adobe PDF). Contact your elected officials and tell them to support the DATA Act.

In the interest of full disclosure, I worked for Lexis-Nexis in its Dayton, Ohio headquarters from 1984 to 1986.

LexisNexis And Other Major Data Brokers Hacked By Identity Theft Service

Late last week, the Krebs On Security blog reported that several major data brokers were hacked by an identity theft service, with malware planted on their Internet-connected computers to steal consumers' sensitive personal information. These major data brokers sell information such as consumers' addresses, Social Security Numbers, dates of birth, credit information, and background reports -- information often used by potential employers for verification tasks.

The whole sordid affair revolves around this identity theft service's website:

"... ssndob[dot]ms... has for the past two years marketed itself on underground cybercrime forums as a reliable and affordable service that customers can use to look up SSNs, birthdays and other personal data on any U.S. resident. Prices range from 50 cents to $2.50 per record, and from $5 to $15 for credit and background checks..."

Ssndob[dot]ms (a/k/a SSNDOB) never revealed the sources of the information in its database, but after a series of hacks during 2013:

"... the source of the data sold by SSNDOB has remained a mystery. That mystery began to unravel in March 2013, when teenage hackers allegedly associated with the hacktivist group UGNazi showed just how deeply the service’s access went. The young hackers used SSNDOB to collect data for exposed.su, a Web site that listed the SSNs, birthdays, phone numbers, current and previous addresses for dozens of top celebrities... But late last month, an analysis of the networks, network activity and credentials used by SSNDOB administrators indicate that these individuals also were responsible for operating a small but very potent botnet... This botnet appears to have been in direct communications with internal systems at several large data brokers..."

A botnet is a group of hacked computers controlled remotely by identity thieves. Each hacked computer in the botnet has malware installed on it, which allows the thieves to direct the computer to perform certain tasks. Often, the victims are unaware of the malware and activity performed by their hacked computers.

In this instance, the tasks appear to have been to copy and transmit consumers' sensitive personal and financial information, and the hacked computers, or servers, are owned by three major data brokers: Lexis-Nexis, Dun & Bradstreet (D&B), and Kroll Background America.

Krebs On Security described the sophisticated botnet malware on the hacked servers:

"... it was carefully engineered to avoid detection by antivirus tools. A review of the bot malware in early September using Virustotal.com... gave it a clean bill of health: none of the 46 top anti-malware tools on the market today detected it as malicious (as of publication, the malware is currently detected by 6 out of 46 anti-malware tools at Virustotal)."

Consumers should know that all three companies collect consumers' sensitive personal and financial information. Reportedly, the data brokers are working with both law enforcement and technology vendors to investigate the extent of the data breaches. So, this story is far from finished.

These data breaches at data brokers -- where plenty of consumers' sensitive personal and financial information is stolen -- are huge problems because a lot of today's business, including online activity, rests upon the assumption that only the real you knows your Social Security Number and related identifying information. The background verification systems sold by data brokers have been built upon this assumption. The Washington Post's Andrea Peterson summarized the problem:

"... anyone who has access to a comprehensive database that contains this kind of information can impersonate you."

This makes data security by data brokers even more important. So, the data security failures in these breaches are huge and not to be underestimated. Unfortunately, this is not the first data breach at LexisNexis. A 2005 data breach at LexisNexis included the theft of 310,000 records about consumers. A 2009 breach at LexisNexis affected 40,000 persons. Another, separate data breach in 2009 allegedly had ties to organized crime.

Readers of this blog may remember that after my sensitive personal information was exposed during a 2007 data breach at IBM, IBM hired Kroll for its post-breach response. During the mid-1980's I worked for three years at Lexis-Nexis headquarters in Dayton, Ohio as a marketing manager. Attorneys, in both law firms and corporate legal departments, use Lexis-Nexis frequently for both legal and business research.

In 2007, this blog reviewed ChoicePoint. LexisNexis acquired ChoicePoint in 2008. In 2006, ChoicePoint settled with the FTC and paid about $15 million, the largest civil fine at that time for a data breach. At least 800 cases of identity theft and fraud resulted from the breach. The fine resulted from an investigation which found that the company sold the credit histories of 163,000 consumers to business clients that didn't have a legitimate purpose to use that information, and that the company failed to provide adequate data security -- both as required by federal law.

I was surprised that Kroll's servers were hacked. Kroll's reputation is based upon it being a knowledgeable and technically savvy vendor skilled at data security.

[October 2, 2013 update: the Russian hackers also accessed and stole data from the National White Collar Crime Center.]

The State Of Texas Made $2.1 Million In 2012 Selling Drivers' Personal Information

The CBS television network affiliate in the Dallas/Ft. Worth area reported that the State of Texas made $2.1 million in 2012 by selling the personal information of Texas drivers. Who buys this information collected by the Texas Department of Motor Vehicles?

"CBS 11’s I-Team Investigator Mireya Villarreal discovered nearly 2,500 agencies or businesses purchased the DMV’s data in some form last year. On this list there are towing companies, collection agencies, insurance companies, hospitals, banks, schools, city governments, and even private investigators."

The Driver Privacy Protection Act (DPPA) limits who can buy this information and what they can do with it. The report also highlighted the situation that Texas drivers cannot opt out of these sales.

CBS 11 provided a spreadsheet file which listed the companies that purchased information about Texas drivers. I spent some time reviewing the spreadsheet file and found:

  • What happens in Texas doesn't stay in Texas. Companies from 30 different states purchased the information about Texas drivers
  • Information about Texas drivers is popular. About 2,450 companies purchased information from at least 12 different business types
  • Expect the unexpected. Businesses that purchased driver data included some you'd expect (e.g., auto dealers, banks, finance companies, title services), but also some you might not expect. The list of business types included auto auctions, auto dealers, banks/credit unions, city agencies, collection agencies, finance companies, private investigators, salvage yards, title services, universities and colleges, and wrecker services
  • Other who? The "Other" business type seemed to include some interesting organization names from the legal, oil, healthcare, software, and telecommunications industries; plus federal government agencies and some high schools.

The report did not mention the number of records each company purchased, the total number of records purchased, or who the largest purchasers were. Knowing this would have enabled a deeper analysis. Then, you could compute an implied value of an average Texas driver's record.

The best comparison I can make is that the State of Florida made about $63 million in 2010 by selling drivers' information, with an average value per record of about $0.01. This makes one wonder if Texas government officials did a poor job of selling driver information, or Florida government officials did an exceptional job.

While I didn't see in the Texas list of purchasers the high-profile names of data brokers from the Florida sales, I assume that intermediaries were used.

After reading the Texas DMV webpage about the DPPA, I felt that this page could do a far better job of informing consumers what is really happening. Other states say little on their websites about the money they make from DPPA sales.

What do you think of your state making money by selling your personal information?

Unclear About Data Brokers But Wanting Control And More Disclosure

While the U.S. Senate probes data brokers and consumer privacy issues, a recent study by Trusted ID provides some insights into how consumers view data brokers:

  • 80% of respondents do not have a good understanding of what a data broker is, what they collect and how they use information
  • About 80% of respondents state that it is important to control their data collected and archived by data brokers
  • 76% of consumers feel that it is important to be notified about information that data brokers collect
  • 80% of respondents want a centralized website to manage their information that is collected and archived by data brokers

The survey was conducted online between August 23 and September 5, 2012, with a national sample of 2,960 Americans.

Earlier this year, the data broker Spokeo paid $800,000 to settle charges by the U.S. Federal Trade Commission (FTC) that it allegedly violated the Fair Credit Reporting Act by operating as a credit reporting agency and by marketing consumers' profiles to companies in several industries without implementing methods to protect consumers as required by the FCRA. The complaint (Adobe PDF) filed by the FTC, in June 2012 in the Central District Court in California, read in part:

"Spokeo assembles consumer information from 'hundreds of online and offline sources,' such as social networking sites, data brokers, and other sources to create consumer... In its marketing and advertising, [Spokeo] has promoted the use of its profiles as a factor in deciding whether to interview a job candidate or whether to hire a candidate after a job interview. Spokeo purchased thousands of online advertising keywords including terms targeting employment background checks, applicant screening, and recruiting. Spokeo ran online advertisements with taglines to attract recruiters and encourage HR professionals to use Spokeo to obtain information about job candidates' online activities. Spokeo has affirmatively targeted companies operating in the human resources, background screening, and recruiting industries... Spokeo profiles are consumer reports because they bear on a consumer's character, general reputation, personal characteristics, or mode of living and/or other attributes listed in section 603(d), and are "used or expected to be used... in whole or in part" as a factor in determining the consumer's eligibility for employment or other purposes specified in section 604."

Consumers can conclude a couple of things from this. First, sloppy data practices by data brokers can abuse consumers' information. Second, what you share online in social networking sites can affect whether or not you get a job, or even get an interview. In the rush to make money and create new revenue streams, social networking sites now use your information in ways you didn't originally intend. The I've Been Mugged blog first reviewed Spokeo in 2010.

Download the Trusted ID survey results in the, "Consumer Perspectives - Data Brokers In Review" report (Adobe PDF).

How Companies Analyze Your Spending And Habits

Two really good news articles explain how companies analyze consumers' spending and social networking activity. I highly recommend that you read both articles.

The Forbes magazine article, "How Target Figured Out a Teen Girl Was Pregnant Before Her Father Did," summarized very well the problematic behavior of many corporations and retailers. To get a jump on its competitors, Target extensively analyzed -- perhaps better than most retailers -- its customers' purchases and attached undisclosed demographic data to each customer's identification number to mathematically predict what customers might buy.

The prediction formulas were so good, Target was able to mathematically deduce from past purchases that this teen girl was pregnant and send coupons to her home -- all before the teen told her parent of the pregnancy:

"What Target discovered fairly quickly is that it creeped people out that the company knew about their pregnancies in advance... So Target got sneakier about sending the coupons. The company can create personalized booklets..."

These personalized coupon books were an attempt to hide the fact that Target knew so much, and to disguise that knowledge by presenting coupons unrelated to pregnancy alongside coupons that were related:

"... we learned that some women react badly... Then we started mixing in all these ads for things we knew pregnant women would never buy, so the baby ads looked random... we found out that as long as a pregnant woman thinks she hasn’t been spied on, she’ll use the coupons. She just assumes that everyone else on her block got the same mailer..."

One of my friends called Target's behavior "untethered stupidity" for marketing pregnancy products to a teenager. Yes, that was incredibly stupid, and was likely enabled by its rush to make money. Some of my friends were surprised at the content of the above Forbes article. I wasn't surprised, because of the amount of personal information shared:

  • Consumers share on social networking websites the items (e.g., products, services, television/cable shows, music) they like or prefer,
  • Banks regularly collect and resell both debit-card and credit-card purchases,
  • Consumers share on social networking websites a wide variety of sensitive personal data (e.g., birth date, children's names and ages, list of relatives). The full birth date makes it easy for data brokers and advertisers to distinguish several people with the same name,
  • Consumers share product preferences and travel vacation habits through loyalty program memberships,
  • State motor vehicle registries regularly sell drivers' data to companies and data brokers. That includes the car, from which marketers can deduce your wealth, favorite color, and when to pitch extended auto warranty service plans,
  • Data brokers like Spokeo and Acxiom compile consumers' demographic data from public records and social networking websites, which retailers can purchase,
  • Leaky entertainment, quiz, and gaming apps on social networking websites regularly collect consumers sensitive personal data,
  • Leaky smartphone apps regularly collect consumers' sensitive personal data that they often shouldn't. The lack of privacy policies with these apps means the app developers are free to sell the personal data collected.

What might that undisclosed demographic data be? It's pretty easy to deduce or infer:

  • Name, address, age from the store loyalty program registration
  • Income from any store credit cards, loyalty program registrations, surveys, or average purchase history over time (e.g., wealthy people spend more, less wealthy purchase more with coupons)
  • Favorite colors from the colors of clothes purchased
  • Left-handed preference from types of products purchased
  • Personal preferences from any product comments at the retailer's web site or products "liked" at social networking websites (purchased from data brokers)
  • Type of vision from purchases (e.g., non-prescription sunglasses indicate good vision)
  • Health issues (e.g., eczema, dry skin, dandruff) from the types of lotions and shampoos purchased
  • Health issues (e.g., overweight) by the size of clothes purchased or from retailers offering pharmacies and in-store clinics
  • Durable goods (e.g., dishwasher, washing machine, gas or electric oven) used at home from purchases
  • Auto and electronics owned from purchases, either the item or related accessories purchased
  • Approximate ages of children by types of toys purchased or from photographs at social networking websites
  • Where else you shop, based on GPS coordinates collected from any apps installed on your smartphone, or data purchased from mobile service providers
  • Retail stores that use facial recognition cameras can track your shopping patterns (e.g., when, where, duration), even when you pay with cash and have left your GPS-enabled cell phone at home, and supplement this with demographic data from photos you are tagged in at social networking websites
  • Any gaps in the above demographic data can easily be filled by data purchased from data brokers like Acxiom and/or ads run on social networking websites

The New York Times article, "How Companies Learn Your Secrets," includes a more detailed analysis of how marketers look for "chunks" in consumers' behaviors to predict future purchases:

"This process, in which the brain converts a sequence of actions into an automatic routine, is called “chunking.” There are dozens, if not hundreds, of behavioral chunks we rely on every day. Some are simple: you automatically put toothpaste on your toothbrush before sticking it in your mouth..."

Some chunks are more complex; consider the series of behaviors women will perform to prepare for a pregnancy: purchasing different clothes, lotions, and/or personal hygiene items. Now, think more broadly, because everyone's behaviors can be chunked, not just women's. The researchers found:

"... when some customers were going through a major life event, like graduating from college or getting a new job or moving to a new town, their shopping habits became flexible in ways that were both predictable and potential gold mines for retailers. The study found that when someone marries, he or she is more likely to start buying a new type of coffee. When a couple move into a new house, they’re more apt to purchase a different kind of cereal. When they divorce, there’s an increased chance they’ll start buying different brands of beer. Consumers going through major life events often don’t notice, or care, that their shopping habits have shifted, but retailers notice..."

And a baby definitely qualifies as a major life event.

Now, consider your past purchases. Advertisers value that history so they can serve up different products at these major life events. Combine this with your GPS location in the physical world, and it is a marketer's dream: to know you shop every Saturday morning and then serve up ads on your smartphone before you arrive at the supermarket; or to serve up children's toy and food ads before you shop for their birthday parties.

Maybe all of this doesn't bother you, or maybe it does. The bottom line: where you go in the world, what you purchase, and how much you consume are all pretty personal facts. Consumers should have control over when and with whom this personal data gets shared. If you choose to share everything, fine. Some of us feel and act differently.

The Frenzied World Of Companies Collecting Consumers' Financial Histories

Many consumers believe that if you pay your bills on time, keep your (Experian, Equifax, and TransUnion) credit reports accurate, and keep your credit scores high, then all is well. Not necessarily. There are many more companies that track and collect data about consumers' financial histories.

Chances are, you haven't heard of their names. The Washington Post reported:

"But little attention has been paid to the firms that target consumers outside the mainstream financial system. Often they are students, immigrants or low-income consumers who do not qualify for traditional loans or choose not to use them... they carry particular weight for the estimated 30 million people who live on the margins of the banking system."

Who are some of the smaller firms? Some of them this blog has covered: ChoicePoint, Innovis, RapLeaf, Quantcast, First Data, Acxiom, Intelius, US Search, and Spokeo. Some are data brokers. Some collect website visitation statistics. Others focus on finance or insurance. Some are technology vendors working with ISPs. A prior blog post discussed the variety of brands of credit scores. Some other firms' names you may not have heard about:

"LexisNexis, whose parent company bought ChoicePoint three years ago, handles background checks, tax assessments and criminal histories. Bounced checks can be tracked through Chex Systems, TeleCheck or SCAN. Payday lenders report to a company called Teletrack. Alliant Data compiles information on so-called “installment payments,” industry jargon for recurring monthly fees such as gym memberships. The National Communications, Telecom and Utilities Exchange collects account information for 63 of that industry’s largest firms..."

The accuracy of the information collected by these firms is suspect:

"Arkansas resident Catherine Taylor didn’t learn about the fourth bureau until she was denied a job at her local Red Cross several years ago. Her rejection letter came with a copy of her file at a firm called ChoicePoint that detailed criminal charges for the intent to sell and manufacture methamphetamines. The information was incorrect... Taylor said she has identified at least 10 companies selling reports with the inaccurate personal and financial information, wrecking her credit history so badly that she says she cannot qualify to purchase a dishwasher at Lowe’s. Taylor must apply for loans under her husband’s name and has retained an attorney to force the firms to correct the record..."

And this list of firms doesn't even include social networking websites, advertising networks, and mobile device marketers, all of which collect information and profiles about consumers.

Given the long list of companies across several industries collecting consumers' personal information, you could call this a feeding frenzy.

The State of Florida Made $63 Million in 2010 Selling Drivers' Personal Data. What About Your State?

Business Insider reported that the state of Florida sells the personal information of drivers:

"... to private investigators and research services for years with last year's sale bringing in almost $63 million. Reported by News Channel 5 in Tampa, the state sells nearly all the information on every license including birth dates and drivers license numbers."

The news report listed the price at $.01 per driver's record. That sounds awfully low -- too low -- given the data elements purchased and the reliable data source (e.g., the State of Florida). Do you think your personal information is worth more than a penny? I do, and I guess that you do, too.

The companies that purchase Florida drivers' information include some familiar names: Acxiom Information Securities Service, Inc., Choice Point, E-Funds, Explore Information Services, LexisNexis, Line Barge, Goggan, Blair, & Simpson, Inc., SC Services, ShadowSoft, TLO LLC, and West Services Inc.

The Driver Privacy Protection Act (DPPA) is a Federal law enacted in 1994, long before corporate data breaches, digitized profiles, and privacy became the problems we have today. The DPPA regulates what personal information must be protected and what can (and cannot) be sold by states. According to the Electronic Privacy Information Center (EPIC):

"The DPPA was passed in reaction to a series of abuses of drivers' personal information held by government. The 1989 death of actress Rebecca Schaeffer was a prominent example of such abuse. In that case, a private investigator, hired by an obsessed fan, was able to obtain Rebecca Schaeffer's address through her California motor vehicle record. The fan used her address information to stalk and to kill her. Other incidents cited by Congress included a ring of Iowa home robbers who targeted victims by writing down the license plates of expensive cars..."

Some states have laws providing greater protections for drivers' personal information. There have been at least two class-action lawsuits for alleged DPPA violations.

Does your state sell drivers' personal information? Probably. It can be difficult to determine. Often, there is a disclosure on your state government motor vehicle registry website about the DPPA and what your state does (and does not) sell. For example, from the Massachusetts RMV website:

"The DPPA restricts the disclosure of personal information, as defined in 18 U.S.C §2725. Personal information is information that identifies an individual, including name, address, driver's license number, social security number*, photograph* and medical information... The DPPA only restricts personal information. Information on vehicular accidents, driving violations and driver's status is not personal information. Also, information that does not pertain to an individual would not be considered personal information."

As in other states, only "Permitted Users" can buy this drivers' personal information, and the state supposedly verifies both the purchasers' identities and whether the purchasers' usage post-sale complies with the law. So, drivers' personal information is being sold. I wasn't able to find a disclosure about the annual total amount of revenues from DPPA sales.

Another example from the New York State DMV:

"You must have a DPPA permissible use to request DMV records that contain personal information. Personal information includes name, address, or Client ID Number (Driver License Number). You must certify that you have a permissible use when you request records that contain personal information... The DMV records that are frequently requested are driver abstracts, registration abstracts, title abstracts, and accident reports... The DMV normally does not provide a history of the ownership or the mileage of a vehicle... To request a vehicle ownership history, you must certify that you have a DPPA permissible use for the information... The National Driver Register (NDR) is a database maintained by the Federal government. The NDR lists: the drivers from each US state who have a driver license that is suspended or revoked, and the drivers who were convicted of a serious traffic violation like DWI or a drug-related violation. Motor vehicle bureaus in the US provide the NDR with the names of persons who lose the privilege to drive or who were convicted of serious traffic violations... You can use form NDR-1 to search the NDR. Information from the NDR must comply with the DPPA."

Another example from Texas:

"... the Driver’s Privacy Protection Act (DPPA), makes it illegal for the general public, including the media, to obtain, publish or confirm personal information about you from the state motor vehicle database. The law does provide exceptions for certain entities, such as courts and police. Texas law provides additional protection under the Motor Vehicle Records Disclosure Act, and the Public Information Act (Section 552.130)."

Personally, I don't believe that Florida (and other states) should sell drivers' personal information to information brokers, regardless of the uses claimed by the data brokers. It effectively makes the data publicly available to everyone, "permitted uses" or not.

The states' DPPA disclosures which I have read are often long, difficult to read, and at times confusing. The information could be presented far better with pages containing separate summaries, instructions, and forms for each target audience (e.g., individuals/residents, companies, state/local agencies, law enforcement/courts, etc.). When there are additional state laws providing broader protections, you almost have to be an attorney in order to reconcile the multiple laws to understand exactly what is protected and sold.

Kudos to News Channel 5 in Tampa for the good investigative journalism.

What is your opinion? Should states sell drivers' personal information? Is the price Florida charged too low?

How Telemarketers Get Your Mobile Phone Number

In May, I wrote about how easy it is to find consumers' mobile phone numbers online at websites like Intelius. A natural question from that blog post: how do these data-mining websites and telemarketers obtain consumers' mobile phone numbers? That's a relevant question, since consumers have reportedly registered about 200 million phone numbers with the Do Not Call registry since 2004.

There is a good article at TMC.net that answers this question. First, some surprising statistics:

"... despite the registry, an estimated 150 million telemarketing calls are made each day in the United States, an estimated 20 percent, or 30 million, of which are potential violations..."

So, a lot of the calls you receive at home are potential violations if you have registered with the Do Not Call registry. Many are not violations, since there are a multitude of ways your mobile phone number can leak out to telemarketers and data brokerage companies:

  1. Debt Collection Agencies: will contact you whether or not your phone is listed in the Do Not Call registry. Debt collectors will contact you directly or will contact a family member to find your address and phone number.
  2. The United States Post Office: will sell for a small fee a box holder's residential address, if available.
  3. Social media sites: will display your phone number and e-mail, especially where many consumers haven't made their profile page private and accessible only by friends.
  4. Product warranty cards: when you register online or via snail mail that new product you've purchased, you have helped the manufacturer assemble a database of names, addresses, e-mails, and phone numbers that can be sold to marketers and data brokers.
  5. Data brokers: regularly sell consumer information, including residential addresses, e-mail addresses, and phone numbers, to telemarketers.

What you can do to minimize this leakage of your mobile phone number:

  • Don't be so quick to disclose your mobile phone number. Ask yourself if you really want this company to know your mobile phone number. Maybe your e-mail address or landline phone number is enough
  • Register your mobile phone number at the Do Not Call registry, if you haven't already
  • Be careful about the sweepstakes and contests you enter. Read the fine print or contest terms closely, as that document will indicate whether the contest operators will sell your information to other companies
  • Read the privacy policy at websites you visit and have registered at. This document will indicate whether the website operator will sell your personal information to other companies
  • Read the privacy policy for mobile phone apps before you install the app. If the app developer does not have a privacy policy, then that should be a strong clue
  • If you owe money, know your rights regarding debt collection
  • You can file a complaint at the Do Not Call website

To read the full list of ways your mobile phone number can leak out to telemarketers and data brokers, see the TMC.net article.

The author of the TMC.net article suggested that consumers with the Droid and Blackberry brand smart phones use the PrivacyStar app to block and report unwanted telemarketing calls. I have not used this app and cannot verify its accuracy. If you use PrivacyStar app, let us know what you think of it.