Previous month:
June 2008
Next month:
August 2008

21 posts from July 2008

It's Time For Some Campaignin'

A coworker, Kerry, returned on Monday from her week-long vacation on an island off the coast of Maine. Kerry felt the need to share her experience with an Incinolet, which gave a whole new meaning to the phrase, "Fire in the hole!" I did not know that there are both electric- and gas-powered waterless toilets. (Another Incinolet product review with plenty of comments.) Thanks, Kerry!

Now, on to today's humor:

Send a JibJab Sendables® eCard Today!

Under Pressure From Congress, ISP Admits To Secret Snooping In Kansas

When I wrote earlier about behavioral targeting and the role Internet Service Providers (ISPs), this news report highlighted exactly the abuse I feared. ISPs sit in a power position with access to massive amounts of very personal and private consumer information. The vast amounts of money ISPs can make from targeted advertising represents a fundamental imbalance in power between ISPs and consmers. Part of Congress recognizes this, and most of the industry doesn't want to admit it.

Where there are shifting imbalances, consumers need to take notice. Consider the story of Embarq. Wired reported:

"Internet service provider Embarq eavesdropped on the web surfing habits of 26,000 customers in Kansas without notifying them personally, as part of its test of new, controversial advertising technology that profiles users, the company told federal lawmakers Wednesday. Embarq, an offshoot from Sprint, tested the service in Gardner, Kansas, saying it was their smallest facility. The secret test ended earlier this year, though no dates were given for when it started or stopped."

Embarq claims that the test was legal and above board. What? Are they serious?

The company's claim stretches believability. Listed below are siz reason why Embarq's claims are a bunch of bull. First, the Embarq was not upfront and honest:

"The letter (.pdf) comes just two days after the company attempted in a Monday letter to justify, rather than explain, the trial to powerful House Commerce members, who have already shown they are highly dubious of any ISP's plan to monitor its customers' web usage for profit. According to one congressional aide, the follow-up letter came after staff made it clear the first letter didn't suffice. The three have already forced Charter Communications to cancel its proposed trial of ISP eavesdropping technology from a NebuAd, the same company that powered Embarq's secret test."

Second, even under a Congressional spotlight, Embarq still hasn't announced the days of the test. Third, the "test" claim is dubious. I have participated in many product market tests; both as a marketing manager and as a consumer participant. If this was a real, sincere test, the company would have surveyed consumers both before and after to determine the effectiveness of the targeted ads. Embarq didn't do this, nor did the company even try to attempt this.

Fourth, Embarq claims that it notified its customers before the test by changing its web site Privacy Policy. What? Please don't insult consumers' intelligence. That is not notice. Notice is sending an e-mail message to your customers informing them of the change in the Privacy Policy. Embarq knows that consumers don't check the web site Privacy Policy. How often do you check the Privacy Policy in the web sites you visit? Rarely, I bet.

Fifth, Embarq (and behavioral advertising proponents) claim that only 15 subscribers opted out of the test. How many of the 26,000 consumers knew about the test? That is the valid comparison: the number of consumers who opted-out compared to the number who knew about the test.

Sixfth, the test should have been conducted on an opt-in basis. An honest and transparent company would have included only those customers in the test that were interested in the behavioral advertising test. An honest and transparent company would have provided opt-in links in both the e-mail notice and in the Privacy Policy before the start of the test. Rather, Embarq selfishly wanted as many consumers in the test as possible, and used a self-serving opt-out basis.

With honest and transparent notice, Embarq could have evaluated customer satisfaction both before and after the test, plus evaluate the copy explaining the benefits of behavioral advertising. A company with smart, honest, and transparent management would have done this, with a focus on customer satisfaction.

Instead, Embarq chose to operate in the shadows. The company showed its real concern... only itself and not its customers... and conducted the test on an opt-out basis without informing its customers and with a difficult-to-find notice. This is not how an honest and transparent company treats its customers.

Embarq tried to operate in the shadows and got caught. Good. Maybe its executives will learn something from this debacle. They made several poor decisions that lacked a customer focus. As a result, at least a couple of the company's executives should lose their jobs.

Congratulations to Congressional Representatives Edward J. Markey (D-Massachusetts), chairman of the House subcommittee on telecommunications and the Internet, John D. Dingell (D-Michigan), and Joe L. Barton (R-Texas). They are representing consumers' interests and I hope that the rest of Congress pays attention. I hope that you'll send them a thank-you note. I also hope that Congress views Embarq's actions as an indication of attitudes throughout the ISP industry, plus and modifications the FTC needs to make to its proposed regulations.

You can easily tell Embarq's deceit this way. The company claimed that 26,000 consumers were affected and only 15 objected. What independent verification is available? None. How many of the 26,000 customers knew about the test? Embarq doesn't say (or worse doesn't know). Beyond a hidden opt-out link, did Embarq provide its customers with a method to provide feedback about the company's plans? No.

In my view: clear notice by any company is an e-mail to each subscriber stating the change to the Privacy Policy. Both the Privacy Policy page and the e-mail message should have an "opt-in" link for consumers who wish to be a part of any behavioral advertising tests.

Citi Credit Monitoring Service and Citi Identity Monitor (Product Review)

Recently, I took a look at Citi Credit Monitoring Service from CitiBank. After reviewing offerings from WaMu and Bank of America, I wanted to see what CitiBank offers.

A Google search with “Citibank credit monitoring” keywords retrieved a results page with the Citi Credit Monitoring Service site listed near the top. I clicked on that link which took me to this page:

Citi Credit Monitoring Service landing page

The landing page copy was a little confusing, since it didn’t provide much information about the service. I clicked on a left-column “Click here if you are not a current member” link, which took me to the following page:

Citi Credit Monitoring Service page for non-members

Apparently, CitiBank no longer accepts new enrollments for its Citi Credit monitoring service. I wonder why. The page didn’t provide an explanation. Was something wrong the service? The page provided a link to the Citi Identity Monitor service. Why the replacement service? Is it any better? I followed that link to this page:

Citi Identity Monitor Service landing page

The landing page clearly summarized key features and benefits of the service, plus its monthly price. (Hear that WaMu?) Features include daily credit file monitoring, alerts, 24/7 access to credit reports and credit scores, access to telephone support and help reps, and online access to credit information and credit tools. This is pretty basic, standard stuff. Nothing unique.

The following copy caught my attention:

“Access to 3-in-1 credit reports, credit scores and monitoring from the 3 leading credit bureaus at no additional cost”

Does the site provide a consolidated summary of consumer credit reports? Or does it provide the full text credit report, a format close to what the credit bureaus provide? I hope that Identity Monitor provides the full text.

The service provides consumers with assistance from, “Fraud and Credit Education Specialists,” but the site did not explain the qualifications of this staff. What experience and training do they have with identity theft? With credit resolution? Or, are they just glorified telephone reps? Unfortunately, the Identity Monitor site is about as poorly designed as most sites I've reviewed so far, since none of the sites I've reviewed explain the qualifications and experience of their fraud and credit resolution staff.

The service offers, “Identity Theft Expense Reimbursement Coverage of up to $25,000” which is about the same as insurance amounts available in some of the credit bureaus. The page also presented some odd copy in bold type:

“No matter what credit cards you have or who you bank with, help protect your identity and manage your credit with Identity Monitor.”

What does that mean? Any quality credit monitoring service helps a consumer manage and protect their credit reports independent of where the consumer banks and independent of what credit cards they use. This seemed odd as it attempted to position Identity Monitor as different from other credit monitoring services. If Identity Monitor is different, the site didn't say. This was my first warning flag that maybe the folks at CitiBank aren’t exactly sure what they are doing.

The Benefits page provided somewhat more detail about the service features and benefits. Many of the images were small and hard to read, even after I clicked on the “larger image” links. The Benefits page didn’t explain the alerts in detail, so you can’t tell if the service offers alerts via e-mail, text messaging, or customized alerts. The Benefits page also didn’t provide a sample of the credit report text, so you can’t tell if the service provides the actual full text of a consumer credit report, or a summary version.

The page included this copy:

“In the event of identity theft, immediate transfer to Citi Identity Theft Solutions”

That sounded interesting. What is Identity Theft Solutions? Is it another service? Must Identity Monitor subscribers sign up for it, or is enrollment included? Is there an additional fee? Is it an online service and web site, or is it just access to customer support reps via the phone? How does it differ from the fraud specialists available in the Identity Monitor service? Is it available to consumers while traveling outside the USA? The page didn't say, nor did it provide any links for more information.

The Benefits page did a reasonable job of explaining in plain English the insurance coverages. Like other services I’ve reviewed, the Identity Monitor insurance covers expenses a consumer incurs to fix damage from identity thieves, but doesn’t cover actual monies stolen. The page contained a link to the full text of the insurance coverage statement. Insurance is provided by s Virginia Surety Company, Inc. and the identity support and resolution services are provided by TWG Innovative Solutions, Inc. of Colorado.

The Enroll page includes a link to more information about the Identity Monitor service in plain English. That’s good, but the page lacked the site navigation presented on other Identity Monitor site pages. Why the omission? Plus, the Enroll page trapped my browser (e.g., Firefox v2) and disabled the browser Back button. CitiBank must be really desperate for new customers. Not a good customer experience.

Would I subscribe to Identity Monitor? It’s not for me. And I wouldn’t recommend it to anyone else.

Why? Too many unanswered questions. I got the impression that CitBank did a quick deal with TWG, and threw up this Web site... perhaps in haste or haphazardly. The site didn’t convince me that this is the best credit monitoring service available. The site lacks key information and service details. I’ll keep looking for another and better credit monitoring service.

If you subscribe to Citi Identity Monitor, please share your experiences. I’ve Been Mugged readers want to know.

During the upcoming weeks, I will review more credit monitoring services. You can access prior reviews at the Product and Service Reviews page, or via "Product Reviews" in the right-column tag cloud. To receive alerts about future reviews, click on either of the e-mail or RSS links in the right column.

University Of Michigan Study Finds Widespread Flaws In Online Banking Sites

Thanks to my coworker, Bill Gonzalez, for alerting me about this item. A University of Michigan news release reported on July 23, 2008:

"More than 75 percent of the bank Web sites surveyed in a University of Michigan study had at least one design flaw that could make customers vulnerable to cyber thieves after their money or even their identity. Atul Prakash, a professor in the Department of Electrical Engineering and Computer Science and doctoral students Laura Falk and Kevin Borders examined the Web sites of 214 financial institutions in 2006."

They study authors presented their findings on July 25 at the Symposium on Usable Privacy and Security meeting at Carnegie Mellon University. How serious are the findings?

"These design flaws aren't bugs that can be fixed with a patch. They stem from the flow and the layout of these Web sites, according to the study. The flaws include placing log-in boxes and contact information on insecure web pages as well as failing to keep users on the site they initially visited."

The news release added:

"A recent FDIC Technology Incident Report, compiled from suspicious activity reports banks file quarterly, lists 536 cases of computer intrusion, with an average loss per incident of $30,000. That adds up to a nearly $16-million loss in the second quarter of 2007. Computer intrusions increased by 150 percent between the first quarter of 2007 and the second. In 80 percent of the cases, the source of the intrusion is unknown but it occurred during online banking..."

The news release and the study report itemized the specific flaws the researchers looked for. One of the really stupid flaws no bank or web site should include, but the researchers found:

"Allowing inadequate user IDs and passwords... sites that use social security numbers or e-mail addresses as user ids. While this information is easy for customers to remember, it's also easy to guess or find out. Researchers also looked for sites that didn't state a policy on passwords or that allowed weak passwords. Twenty-eight percent of sites surveyed had one of these flaws."

Those interested can download the "Analyzing Web Sites For User-Visible Security Design Flaws" study in PDF format. If you want to learn how to create stronger passwords to better protect your sensitive financial data, read this post.

Federal Reserve Board Seeks Input From Consumers About Unfair Credit Card And Overdraft Practices

The U.S. Federal Reserve Board (FRB) seeks input and feedback from consumers about its proposed new rules to limit unfair credit card practices. According to the press release:

"The proposed changes to the Board’s Regulation AA (Unfair or Deceptive Acts or Practices) would be complemented by separate proposals that the Board is issuing under the Truth in Lending Act (Regulation Z) and the Truth in Savings Act (Regulation DD)."

To make these changes, the FRB is working with the FTC (Federal Trade Commission. The FTC Act includes five protections for consumers who use credit cards:

  • "Banks would be prohibited from increasing the rate on a pre-existing credit card balance (except under limited circumstances) and must allow the consumer to pay off that balance over a reasonable period of time."
  • "Banks would be prohibited from applying payments in excess of the minimum in a manner that maximizes interest charges."
  • "Banks would be required to give consumers the full benefit of discounted promotional rates on credit cards by applying payments in excess of the minimum to any higher-rate balances first, and by providing a grace period for purchases where the consumer is otherwise eligible."
  • "Banks would be prohibited from imposing interest charges using the "two-cycle" method, which computes interest on balances on days in billing cycles preceding the most recent billing cycle."
  • "Banks would be required to provide consumers a reasonable amount of time to make payments."

The proposed new rules also require banks that make credit offers with multiple interest rates or credit limits to disclose in the offer the factors that determine whether a consumer qualifies for the lowest rate and highest credit limit.

I encourage all consumers to submit feedback online to the FRB. Scroll about two-thirds down the page and click on the "Submit Comments" link under all three regulations. The deadline for feedback is August 4, 2008. The FRB has already received a lot of feedback, but more is needed.

The proposed "new" regulations are a good first step in the right direction. Most of these rules were lifted during the 1980's during the Reagan Presidency. The thinking way back then was that there was too much regulation and that business was suffering.

Before 1980, the maximum interest rate was about 18% and consumers didn't have to endure the variety of fees and abuses. Both major political parties parties participated in the removal of key regulations governing banks and financial institutions. 27 years later, we consumers have direct experience with the results of that de-regulation... the myriad of credit card fees, abuses of consumers, and unfair lending practices.

Sure, some consumers need to expect personal responsibility for taking out loans they knew they couldn't pay, or didn't take the time to understand the fine print. Similarly, not all lenders engaged in predatory lending practices. My point: arguments about personal responsibility should not give predatory lenders a free pass. There's enough blame to go around. Both sides need to accept responsibility.

There's that familiar saying that, "total power corrupts totally." Too much de-regulation allows companies to exercise their newly granted power and ultimately abuse consumers, which we have seen. A better balance between regulation and total de-regulation needs to be found. It exists, but do we, as a nation, have the will?

If you are unfamiliar with that history, or want a refresher, watch this Bill Moyers interview with author and journalist William Greider. It's part of the Moyers Journal episode "The Mortgage Meltdown." I strongly encourage everyone to watch it. Check your local PBS affiliate for broadcast times, or get the DVD when it's available.

5 Sneaky Ways To Ruin Your Credit Score

Thanks to my friend Michael in Oakland for alerting me to this Yahoo Money & Finance article. I've Been Mugged readers want to protect and control their identity information, and maintain good financial health. Not only do consumers with low credit scores pay more via higher interest rates, but the FTC is studying how to tie auto insurance rates to consumers' credit scores. (You'd think that your driving record would be a better, more logical way.) Ways to ruin your credit score which you probably aren't aware of:

"2. Accepting credit line increases: Being the responsible, on-time bill-payer that you are, your credit card company rewards you by upping your credit line. This isn’t necessarily a bad thing, but remember how much you can afford to reasonably charge. Resist the urge to spend more or risk being unable to meet your new minimum payments."

"3. Consolidating your accounts: So you’re considering transferring all your credit card balances to one card so you’re only dealing with one bill every month. It sounds sensible, right? A big no-no, according to the keepers of the credit score. Think of it this way: One big balance looks a whole lot worse than multiple low balances."

To read the complete list, visit the Marie Claire site.

Consumers Should Know FDIC Insurance Rules To Protect Their Money

If this blog is about one subject, it is about how to protect yourself... your identity information and your money. Back in May, I wrote about FDIC insurance, but it seems necessary to write about it again. There is an excellent article by Suze Orman at the CNBC Web site about, "What You Need To Know About FDIC Insurance."

Understanding FDIC insurance is important because you do not want to get burned. You do not want to repeat the mistake of the consumers who lost money in the recent IndyMac bank failure. Their mistake: they kept more money in their bank accounts than was insured by the FDIC. So when the bank failed, those consumers will lose money because the FDIC will pay only the amount insured and only half of any amounts over the insurance limit. Orman's article explains how the FDIC insurance limits work:

"The rule is that the combined assets of all accounts that are in one person’s name can not exceed $100,000. It’s $100,000 per depositor per bank. Not $100,000 per account."

Orman's article provides examples, which make it easy to understand since we all have different types of bank accounts: savings, CDs, IRAs, and so forth. I highly recommend that everyone read Orman's article. If you have more than $100,000 in the bank, you should split it up among several banks, not in different branches of the same bank:

"If you have an account(s) in just one name at any one bank, make sure you keep less than $100,000 in total at that bank in just your name. That’s what I do. And please don’t make the mistake of investing $100,000 at Big Bank’s branch in downtown and then another $100,000 at its branch out at the mall, or even in a different state. It doesn’t work that way. The FDIC will say you have $200,000 at one bank."

This also means, when banks merge, you may have to shift around your money. If you and another person (e.g., spouse, child, parent, brother, sister, etc.) have a joint account:

"The FDIC will fully cover a joint account for up to $200,000, meaning you and your co-owner would be eligible for $100,000 each of full coverage. That $100,000 of coverage you each get for the joint account(s) is in addition to the $100,000 you each also get from the bank for accounts that are in your name only."

If you have an IRA at your bank:

"If you have an IRA account at the same bank as your other accounts, the IRA is fully insured by the FDIC up to $250,000. That $250,000 is in addition to the coverage discussed above."

Orman provides clear instructions for you to determine how safe your money at your bank:

"To be super safe I recommend everyone go to the FDIC website and take the time to use their Electronic Deposit Insurance Estimator (EDIE). This free tool will show you exactly what is and is not insured in your personal bank accounts. Click the WALK ME THROUGH button at the bottom of the page and you are on your way to knowing exactly how safe your money is."

FTC Official Testifies Before U.S. Senate Committee About Behavioral Advertising

A prior four-part series covered several issues about behavioral advertising (a/k/a behavioral targeting) and privacy, including the FTC request for input from consumers. I'd like to thank the I've Been Mugged readers that submitted input. The final rules governing how behavioral advertising is administered will directly affect consumers' abilities to maintain some privacy on the Internet, and requirements of advertisers to provide clear and adequate opt-in and opt-out mechanisms.

Only July 9th, Lydia Parnes, the Director of the Bureau of Consumer Protection at the Federal Trade Commission (FTC), issued a statement before the U.S. Senate Committee on Commerce, Science, and Transportation. Some highlights of the statement:

"I appreciate the opportunity to appear before you today to discuss the Commission’s activities regarding online behavioral advertising, the practice of collecting information about an individual’s online activities in order to serve advertisements that are tailored to that individual’s interests. Over the past year or so, the Commission has undertaken a comprehensive effort to educate itself and the public about this practice and its implications for consumer privacy. This testimony will describe the Commission’s efforts..."

Note this very industry-friendly conclusion:

"The Commission’s examination of behavioral advertising has shown that the issues surrounding this practice are complex, that the business models are diverse and constantly evolving, and that behavioral advertising may provide benefits to consumers even as it raises concerns about consumer privacy. At this time, the Commission is cautiously optimistic that the privacy concerns raised by behavioral advertising can be addressed effectively by industry selfregulation."

I added the bold italic highlighting for emphasis. Also, I found the following description of how behavioral advertising works in Parnes' statement particularly interesting:

"In many cases, the information collected is not personally identifiable in the traditional sense – that is, the information does not include the consumer’s name, physical address, or similar identifier that could be used to identify the consumer in the offline world. Many of the companies engaged in behavioral advertising are so-called “network advertisers,” companies that serve advertisements across the Internet at websites that participate in their networks. An example of how behavioral advertising might work is as follows: a consumer visits a travel website and searches for airline flights to New York City. The consumer does not purchase any tickets, but later visits the website of a local newspaper to read about the Washington Nationals baseball team. While on the newspaper’s website, the consumer receives an advertisement from an airline featuring flights to New York City. In this simple example, the travel website where the consumer conducted his research might have an arrangement with a network advertiser to provide advertising to its visitors."

This example included some relatively harmless information. Replace "travel" with "financial" or "medical" and it can be a very different discussion. Do you want companies collecting information about very personal medical conditions? Or an embarrassing financial situation? And, given the large number of continuing corporate data breaches, companies, ISPs, and advertisers haven't earned consumers' trust to adequately protect the information collected via behavioral advertising. A data thief or criminal could use stolen behavioral advertising information in very damaging ways.

Parnes did mention Facebook's privacy problems and the AOL data breach in 2006, which highlighted several privacy concerns:

"Recent high-profile incidents where tracking data has been released have magnified consumers’ concerns. In August 2006, for example, an employee of internet service provider and web services company AOL made public the search records of approximately 658,000 customers. The search records were not identified by name, and, in fact, the company had taken steps to anonymize the data. By combining the highly particularized and often personal searches, however, several newspapers, including the New York Times, and consumer groups were able to identify some individual AOL users and their queries, challenging traditional notions about what data is or is not personally identifiable."

The FTC's statement did go far enough. Parnes soft-pedaled some of the issues. She should have mentioned privacy concerns regarding the newer technologies like deep packet inspection, used by some ISPs which would render the traditional browser cookie method obsolete.

And much of Parnes' statement about the proactive role by the FTC covered either offline efforts from 2006 (e.g., the Do Not Call list, workshops held in 1999), or old issues from the 1990's. Technologies used on the Internet change every few months. What worked in the 1990's or even in 2002 is largely obsolete today.

Parnes said this about the FTC's proposed industry-friendly self-regulatory principles:

"The purpose of the proposed Principles is to encourage more meaningful and enforceable self-regulation... the staff proposal identifies four governing principles for behavioral advertising. The first is transparency and consumer control: companies that collect information for behavioral advertising should provide meaningful disclosures to consumers about the practices, as well as choice about whether their information is collected for this purpose. The second principle is reasonable security: companies should provide reasonable security for behavioral data so that it does not fall into the wrong hands, and should retain data only as long as necessary to fulfill a legitimate business or law enforcement need The third principle governs material changes to privacy policies: before a company uses behavioral data in a manner that is materially different from promises made when the data was collected, it should obtain affirmative express consent from the consumer... The fourth principle states that companies should obtain affirmative express consent before they use sensitive data – for example, data about children, health, or finances – for behavioral advertising."

When I read these principles I think of the privacy policy updates I often receive from banks and other companies I do business with. The policy is often inserted in the billing envelope, and it is a booklet printed in small type that is word dense and many pages long. An intimidating read. I wonder how many consumers read these.

Notice to consumers about behavioral advertising has to be far easier to read and more convenient. It also has to be presented where relevant, not buried in some larger booklet in small font type. It should be presented both in print and at the advertiser's Web site. And it should be presented online whenever the user is completing a transaction at that advertiser's web site (e.g., paying a bill, signing up for a service, enrolling in a loyalty program, etc.). The behavioral advertising program default for consumers should be opt-out and any opt-in or opt-out buttons should be large, conspicuous, and easy to read. The FTC is leaning towards an opt-in program default.

Otherwise, there are no self-regulatory rules for advertisers and it is effectively a free-for-all... free swim like in summer camp. I hope that you will download and read the complete FTC statement about behavioral advertising (Adobe PDF format).

During Their Lawsuit, Viacom & Google Agree To Protect Consumers

Lately, I have followed the Viacom vs. Youtube/Google lawsuit, since it has several implications for consumers' privacy and social media applications. Things seem to be changing fairly quickly. The MediaPost Daily Examiner reported:

"Google and Viacom have reached an agreement to mask the identities of YouTube users before their viewing records are disclosed as part of a copyright infringement lawsuit. The deal calls for Google to anonymize the screennames, IP addresses and visitor IDs of YouTube users before turning over their viewing history to Viacom. In a stipulation signed late Monday night, the parties also said they wouldn't attempt to circumvent the encryption."

This agreement is nice and is a step in the right direction. It still doesn't resolve the judge's poor decision to force Youtube/Google to turn over Youtube users' records and identity data. Let's remember that Viacom's primary concern is the material on Youtube which violates it copyrights. The offending materials should be removed and the users who uploaded the material should pay fees to Viacom.

My concern about the threat to social media applications is summarized by mediaPost:

"With the anonymized user data, the entertainment company is apparently trying to prove that pirated clips are big draws on YouTube. If YouTube benefited from piracy, it could lose the safe harbor protections of the Digital Millennium Copyright Act, which generally immunize sites from liability based on material submitted by users. But there’s a very big leap between showing that, say, a Jon Stewart clip is popular on YouTube and proving that the company built its brand on copyrighted content."

It seems that Viacom is not just pursuing people who infringe on their copyrighted materials, but following the money trail... which points to Google. Maybe as an acquisition of Youtube, maybe to shut it down, or maybe to just slow down Youtube. Turning over all consumer records will definitely help Viacom assess the damage... how many people viewed the copyright-infringing materials.

Viacom's focus should be on a) Youtube removing the offending material, and b) Viacom approaching the users who uploaded copyright-infringing material. I'd like to see Viacom stop the perpetual lawsuits, and instead produce content and develop more sensible online business models. If you want to read a copy of the lawsuit, see this TechCrunch post.

TechCrunch has another post worth reading about this lawsuit: "The Issue of Trust Is With Google, Not Viacom." I disagree. Regarding this lawsuit, both companies' actions have hurt consumers' trust in their brands.

Identity Theft Service From WaMu (Product Review)

Washington Mutual I started looking for a replacement credit monitoring service after Discover changed its credit monitoring vendor. Earlier posts have reviewed credit monitoring services from the national credit bureaus: Equifax, Experian, and TransUnion. Since several banks offer credit monitoring services, Today's post includes a review of ID Theft Inspect from WaMu.

The WaMu site requires users to first enter their home Zip Code, which indicates that the bank's offering may not be consistent nationwide. WaMu provides two options: a free service and a monthly fee service. Both are available only for WaMu deposit customers. (Bank of America customers should read this Privacy Assist review.)

The free service includes a paltry $5,000 of insurance, "toll-free access to Identity Theft Recovery Specialists." There's no credit monitoring, access to credit scores, or any related services with the free offering. The insurance amount is far less than what's available elsewhere. More importantly, the site didn't explain the background of the ID-theft recovery specialists. So, it's unclear what assistance these specialists really provide. I guess you get what you pay for.

For a monthly fee -- the site didn't say -- WaMu customers can upgrade to the bank's "ID Theft Inspect" service, which includes more of the traditional features and services you'd expect in a credit monitoring service:

  • Daily monitoring of your credit reports at the three national credit bureaus
  • Alerts of any activity or changes to your credit reports
  • Quarterly Credit Updates
  • A "three-in-one personal credit report with data from three major credit bureaus"
  • A Card Registry to register your plastic (e.g., debit cards, credit cards and charge cards) in case it is stolen
  • "Toll-free access to Credit Education Specialists, for answers on credit report..."
  • WaMu will help you apply for emergency cash (up to $2,000)
  • Access to the ID Theft Inspect™ web site with credit reports, credit scores, credit analysis tools, and theft prevention tips
  • $15,000 in ID-theft insurance, with no deductible to help cover certain out-of-pocket identity theft related expenses

The "3-in-one personal credit report indicates that consumers don't get the full text of all three of their credit reports, but instead a single, combined summary. I prefer the full text off all three reports. Detail is everything when it comes to monitoring my credit information.

The WaMu site also states the WaMu customers have "toll-free access to the Identity Theft Resource Center" with the ID Theft Inspect service. The site does not explain how, if at all, this is any different from the Identity Theft Resource Center Web site. And, this seems to kick in only after the WaMu customer becomes an ID-theft victim.

All of the above features for the ID Theft Inspect service are pretty standard stuff. Summary credit reports and not the full text. Not much in the way of insurance. Vague descriptions of credit specialists and recovery specialists. No demos or online tutorials. The site does a very poor job of explaining and proving the service benefits and features.

The site didn't offer any explanations of why ID Theft Inspect might be better than other credit monitoring services. The user is left to make their own comparisons and analysis. It seems that WaMu offers its ID-theft services purely as a convenience for its customers, whom it hopes aren't too educated or savvy about the available credit monitoring services.

More importantly, the site fails to state the monthly fee for ID Theft Inspect. How can consumers make a decision about a service when the site doesn't state the price?

Normally, I'd quit at this point since the site failed to provide key information. I decided to probe a little deeper to see if I'd missed anything about WaMu ID Theft Inspect. I downloaded and read the free ID Theft Services PDF document, since the WaMu site didn't provide a link to the agreement for the ID Theft Inspect service.

The PDF document stated that "Identity Theft Recovery Specialists" are provided by a firm called Worldwide Assistance Services. I tried to find this firm's web site. It proved more elusive than I felt comfortable with. It should be easy to find... the first result in a Google search. Instead, the first results page included this broken link:

So, I typed "" into my browser's address field and the link redirected my browser to, a Bethesda Maryland-based division of an international firm which assists consumers with emergencies while traveling abroad. So, this travel firm has diversified its traditional services by adding ID-theft resolution services.

I couldn't find in the Europ Assistance USA site any statements of the training or accreditation these reps have to perform credit recovery services. These travel-assistance phone reps are the credit recovery specialists? That doesn't sound very reassuring. And, if Europ Assistance USA is indeed the correct company name, the the agreement at the WaMu site should be updated to list the company's correct and current name, and not an old obsolete name. It seems that the WaMu site presents an old contract from 2006. Not good.

Let's continue to review WaMu's free ID Theft Services PDF document. It also included some services which consumers can do for themselves for free (with a 5-minute phone call), like placing Fraud Alerts on your credit files. Eligible expenses covered by insurance include:

"Eligible Expense(s) means reasonable and necessary attorney fees or court costs associated in removing any civil suit wrongfully brought against you as a result of identity theft or any suit brought against you by a creditor or a collection agency or other entity for non-payment of goods and/or services as a result of identity theft, actual U.S. wages lost due to time off relating to efforts in resolving your identity theft issues, loan applications fees, notarizing affidavits or other similar document cost, long distance telephone cost, and postage cost you may have incurred as a direct result of identity theft."

Note that this doesn't cover the actual monies an identity thief may have stolen. And, to file a claim WaMu requires ID Theft Inspect customers to also:

  1. Report the theft to WaMu
  2. Contact the 3 national credit bureaus and place a fraud alert
  3. File a police report in your local jurisdiction
  4. File a complaint with the Federal Trade Commission (FTC)
  5. Follow the instructions and requests by any other companies involved
  6. Keep copies of all receipts, bills or other records
  7. Take all reasonable steps to protect your identity from any further fraud

It's important to note that the WaMu site does not mention whether WaMu or Worldwide Assistance Services offshore outsource any of their services to additional companies, especially their credit monitoring services. Clearly, WaMu outsources its credit monitoring and recovery services to at least Worldwide Assistance Services. I read Privacy Policy at the WaMu site:

"We only grant access to nonpublic personal information about you (such as your name, address, Social Security number and credit history) to company employees and affiliated and nonaffiliated service providers so that they can provide or offer products and services to you, process and service your accounts, and administer our business. Our Code of Conduct requires that your information remain confidential. Even if you are no longer our customer, we will continue to treat your nonpublic personal information in the same way as if you were still a customer."

The policy explains what sensitive customer information the bank shares with both "Affiliated" and "Non-Affiliated" companies, the latter being marketing companies. The former includes banks and other financial institutions.

Is WaMu's ID Theft Inspect service for you? You'll have to decide for yourself. Remember, you have to already be a WaMu depost customer. It's definitely not for me, I will continue to look at other credit monitoring services. WaMu's offering is weak in several areas. The credit recovery specialists are suspect. Other credit monitoring services provide more features and benefits. For example, see the Suze Orman Identity Theft Kit. Many consumers may consider these additional features important.

During the upcoming weeks, I will review more credit monitoring services. You can access prior reviews at the Product and Service Reviews page, or via "Product Reviews" in the right-column tag cloud. To receive alerts about future reviews, click on either of the e-mail or RSS links in the right column.

Bank Data Breach via Coin Wrappers

Way back during the holidays, my wife and I visited our daughter, son-in-law, and grandson who live in Florida. (My son-in-law works at one of the state parks.) During our visit, my daughter shared a surprising data breach experience.

Like many people, they collect their spare change during the year, then sort and insert pennies, nickels, dimes, and quarters into the appropriate coin wrappers. As a young family with infant children, they are on a tight budget and exchange the coins for paper bills at their local bank branch. The nearby supermarkets and big box stores have vending machines which charge a fee.

While depositing their last collection of coins, thee bank teller asked them to write their name and account number on the coin wrappers. They did that and thought nothing about it.

The state park, where my son-in-law works, regularly gets its supply of coins from a local bank. My son-in-law noticed that coins the park received were delivered in coin wrappers that had bank customers ' account information written on the coin wrappers: name and checking account number. It was unclear who wrote the account information on the coin wrappers: the bank's customers or employees.

While I appreciate the bank's environment-friendly spirit to recycle, it should not be a the expense of data security. This is a data breach since cashiers at the state park had access to bank customers' account information via coin wrappers. Clearly, the bank should destroy and not recycle coin wrappers that have customers' bank account information written on them.

So, a word to the wise. when you deposit coins at your bank branch, ask the teller how they handle used coin wrappers. Does your bank branch write sensitive account information on its coin wrappers? And if so, do they destroy those wrappers afterwards? If you can't get a answer, ask to speak with the bank's branch manager. Tell the branch manager that you are concerned about maintaining the security of your account information.

TrueCredit From TransUnion (Product Review)

After Discover changed its credit monitoring vendor, I have looked for a replacement service. Since the three national credit bureaus all offer credit monitoring services, I have already reviewed the credit monitoring services by Equifax and Experian. Today's post covers TransUnion's service: TrueCredit.

Since I already knew the name of TransUnion's service, I performed a Google search with "TrueCredit" and easily found the site. The first search result included a link to the TrueCredit home page, and that's where I went:

TrueCredit home page

First impressions mean a lot. The site presented easy-to-read bulleted lists of the benefits and features of TrueCredit. Moreover, each bullet item included a link to examples of the:

  • Credit report formats from all 3 national credit bureaus
  • Credit scores from all 3 national credit bureaus
  • Security freeze tool (e.g., lock and unlock TransUnion credit report)
  • Alerts and notification about changes to a consumer's credit reports
  • Details about the ID-theft insurance in easy-to-read language
  • Details about credit management tools and advice

The site didn't offer any explanations of why the TrueCredit service is better than others. The user is left to make their own comparisons and analysis. For example, TrueCredit offers more insurance than Equifax and Experian. The TrueCredit site did not make confusing claims about getting a free credit report. Simply, the TrueCredit site explained the service.

I found the TrueCredit site far easier to use than both the Equifax and Experian sites. I didn't have to hunt for the information. The site delivered it easily and quickly. The main page didn't provide a confusing array of services. the main page provided information only about the TrueCredit service.

Consumers need access to the full text of all three credit reports, not just one. And the TrueCredit service delivers on this need, unlike the Equifax "3-in-1 Monitoring" service. (To learn more, read my review of the Equifax service.)

My first impression: the site main page did not detract from the brand. The site page gave the impression that TrueCredit and TransUnion might be a satisfactory brand to do business with.

If I've learned one thing when evaluating credit monitoring services it's this: closely read the page content. It would have been better if the TrueCredit site also presented the full text of the insurance agreement and coverages. It didn't, so the user is left to rely on the summary information. This is needed to fully understand exactly what type of performance a consumer can expect from TrueCredit insurance and credit resolution. As a wise person once said, "the devil is in the details."

It's important to note that the TrueCredit site does not mention outsourcing and whether TrueCredit or TransUnion offshore outsources any of its operations. I read both the Service Agreement and the Privacy Policy. The Privacy Policy does mention that TrueCredit may share consumers' information with "third parties," but the statement doesn't specify if those parties are within or outside the USA.

I know from prior research that all three national credit bureaus announced offshore outsourcing in 2003, and continue to do so today. (I haven't seen any evidence since to the contrary.) To stay competitive and to manage costs, credit bureaus currently offshore outsource portions of their credit reporting operations, and likely do the same for their credit monitoring services. I would expect TransUnion to mention its offshore outsourcing arrangements so consumers can make a truly informed purchase.

I find it very interesting that none of the sites (e.g., Experian, Equifax, and TrueCredit) provide quotes from satisfied users. I can only assume that either the services don't have any satisfied users, or the services consider this content irrelevant. To me, it's very relevant. I want to understand if other consumers like me found the TrueCredit service helpful. Nor do I want to wait or rely solely upon on the results of the proposed FTC survey.

The bottom line: while the TrueCredit service presented itself far better than both Equifax and Experian, I have the advantage of knowing somebody who has had poor experiences with TrueCredit's customer service center, which seems to be located outside the USA. So, consumers should assume that TrueCredit uses customer service call centers located outside the USA; and hence your personal information crosses country borders, too.

Is TrueCredit for you? You'll have to decide for yourself. For me, I will continue to look at the credit monitoring services from the independents before making a decision. I say this partly because of the offshore outsourcing activities by the three national credit bureaus, but also because I'm not convinced that TrueCredit is indeed the best service available. For example, the Suze Orman Identity Theft Kit contains several features which the TrueCredit service lacks. Many consumers may consider these additional features important.

During the upcoming weeks, I will review more credit monitoring services. You can easily follow the reviews by signing up for either e-mail alerts or the RSS feed. Links for both are in the column on the right.

Viacom - Google/Youtube Lawsuit Now Affects Consumers

I must admit that I haven't been following the Viacom - Google/Youtube lawsuit until I read this TechCrunch post by Michael Arrington:

"The ongoing Google/YouTube-Viacom litigation has now officially spilled over to users with a court order requiring Google to turn over massive amounts of user data to Viacom... Louis L. Stanton, the senior judge on the United States District Court for the Southern District of New York, issued the opinion and order, which is here (PDF). That data includes every YouTube username, the associated IP address and the videos that user has watched on YouTube. Google will also be required to hand over copies of every video removed from Youtube for any reason (DMCA notices or user-initiated deletions). Stanton dismissed Google’s argument that the order will violate user privacy, saying such privacy concerns are merely 'speculative.' ”

While reading the court order, it was important to me to understand what efforts Viacom made to identify copyright infringing videos and to request remvoal by Youtube of those videos. I found this buried in a footnote in the court order:

"Viacom is currently using fingerprinting technology provided by a company called Auditude in order to identify potentially infringing clips of Viacom’s copyrighted works on the YouTube website. The fingerprinting technology automatically creates digital “fingerprints” of the audio track of videos currently available on the YouTube website and compares those fingerprints against a reference library of digital fingerprints of Viacom’s copyrighted works. As this comparison is made, the fingerprinting technology reports fingerprint matches, which indicate that the YouTube clip potentially infringes one of Viacom’s copyrighted works."

It seems that the court order allows Viacom to take the shortcut or easy way to identify copyright infringers, rather than Viacom use the existing video search tools which Google/Youtube was willing to provide to Viacom. Between the video search tool and Viacom's own fingerprinting technology, Viacom has plenty of resources to identify copyright-infringing videos. The court order went too far, and it seems Viacom was intent on punishing Google/Youtube.

I agree with Arrington that the judge's decision protects Youtube while throwing "consumers to the wolves." Arrington wrote:

"... the judge denied Viacom’s request that Google turn over YouTube’s source code as it could 'cause catastrophic competitive harm to Google by sharing them with others who might create their own programs without making the same investment.' ”

Viacom's possesion and use of consumers' usernames and IP addresses won't cause any harm? In my opinion, the court order confused people who uploaded copyright-infringing videos with people who only watched the copyright-infringing videos. The court order confused people who embedded copyright-infringing videos in their site or blog with people who only watched the videos. The The judge's decision went too far.

I can understand and agree with Viacom's need to understand exactly how many people watched unauthorized videos at the Youtube site. Youtube's "Logging Database" would tell them that. Turning over IP addresses and usernames goes beyond that. It gives Viacom a means to solicit fines from consumers in general. Again, the people who uploaded the copyright-infringing videos should pay the fines, not everyone who watched them.

And, Youtube users had no representation in court. The court didn't hear the concerns of youtube users. That reason alone should be enough to overturn the court order during appeals.

Arrington correctly noted the concerns by the Electronic Frontier Foundation (EFF):

"The court’s order grants Viacom's request and erroneously ignores the protections of the federal Video Privacy Protection Act (VPPA), and threatens to expose deeply private information about what videos are watched by YouTube users. The VPPA passed after a newspaper disclosed Supreme Court nominee Robert Bork's video rental records. As Congress recognized, your selection of videos to watch is deeply personal and deserves the strongest protection..."

If Youtube ultimately turns over this data to Viacom, it could damper usage of social media applications, if consumers have the burden to first determine if a site has copyright-infringing materials before watching any content in a site. That seems difficult to do, since one usually doesn't know exactly what's in a video until after you watch it.

If Youtube turns over the data to Viacom, the company will have sufficient data to solicit fines from consumers, since it is possible to match IP addresses with e-mail addresses in an ISP's records. If Youtube finally does turn over the records to Viacom, we'll see exactly what Viacom's true motives and ethics are. Will it solicit fines from users who uploaded the copyright infringing material, or will it seek the easier way out to solicit fines from all consumers who watched those copyright infringing videos?

Carnegie Mellon Researchers: Breach Notification Laws Don't Reduce Data Breaches

Last month, three researchers from Carnegie Mellon University released the results of their study about data breach notification laws. This study received a fair amount of attention in the news media because of its sensation conclusion. According to the study:

"Many US states have responded by adopting data breach disclosure laws that require firms to notify consumers if their personal information has been lost or stolen. While the laws are expected to reduce losses, their full effects have yet to be empirically measured. We use panel from the US Federal Trade Commission with state and time fixed-effects regression to estimate the impact of data breach disclosure laws on identity theft over the years 2002 to 2006. We find no statistically significant effect that laws reduce identity theft..."

It seems to me that these researchers asked the wrong question. The data breach notification laws were designed to alert consumers when their personal data was stolen or exposed. Prior to these state laws, companies rarely, if every, notified consumers, customers, and/or employees. The notification laws were never intended nor designed to reduce data breaches by companies, higher education institutions, and government agencies.

Instead, the researchers could have investigated an important issue: how does the increase in offshore outsourcing by companies and financial institutions affect data breach notifications?

Or the research could have studied an even better topic: what is the optimal duration (e.g., years) companies should provide their data-breach victims with free credit monitoring services? Today's common practice is one or two years, a duration totally divorced from reality. Identity thieves will use or resell consumers' identity information as long as they find it useful. Hence, consumers bear the long-term risk and financial burden.

Perhaps, the researchers should have studied this issue: what would it take for companies, and higher education institutions, to reduce (or stop) data breaches? Based on my study of the problem: as long as the consequences are minimal, data breaches will continue. When the consequences (e.g., fines, jail time, new liability laws, a combination of these, etc.) become significant, then we'll see a change in behavior by companies, higher education institutions, and their executives.

Brooklyn Man Sentenced For Identity Theft

In April I wrote about a trial where the jury convicted an identity thief, Lamar Whitehead, of stealing the identities of several consumers and businesses. Last week, Robert Clifford, the Director of Communications for the Suffolk County New York District Attorney Thomas Spota, provided a copy of the following news release:

July 1, 2008

Brooklyn man sentenced for ID Theft

A Brooklyn man was sentenced Monday, June 30, to ten to 30 years in prison for running an ID theft scheme that victimized local and out-of-state residents and businesses. Lamar Whitehead of 6 Macon Street in Brooklyn was convicted in April of stealing credit information and applying for loans from online banks using his victims’ names. The investigation by the ID theft Unit of the Suffolk County police department unraveled a complex tangle of Whitehead’s cell phone and internet communications. The investigation found the defendant filed credit applications to purchase Land Rover SUV’s and secure equity lines of credit from online banks.

During a trial that lasted from February 4 until April 1 of this year, jurors reviewed bank, Internet and phone records. After four days of deliberations, Whitehead was convicted of fourteen counts of first degree identity theft, a class “D” felony punishable by two and one-half to seven years incarceration, three counts of identity theft in the third degree, a misdemeanor, and one count of scheme to defraud, a felony punishable by a prison term of one and one-third to four years.

For those who are interested, the Suffolk County New York DA web site contains a photo of the identity thief.

10 to 30 years is definitely a hefty prison term. It is good to read news items about law enforcement catching identity thieves. It's even better to read news items about significant sentencing results. Thanks to the Suffolk County New York DA's office.

FTC To Study ID-Theft Victims' Experiences With National Credit Bureaus

Right before the July 4th holiday, the U.S. Federal Trade Commission (FTC) announced plans to conduct a study of ID-theft victims' experiences with getting help from the three national credit bureaus: Equifax, Experian, and TransUnion. According to the FTC press release:

"The proposed survey will examine the remedies available to victims under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Among other things, the FACT Act gave consumers the right to place fraud alerts on their credit files if they are, or suspect they may become, victims of identity theft; block information on their credit reports that resulted from identity theft; and obtain copies of their credit reports free of charge. The survey will seek information from identity theft victims who contacted the FTC between January 1 and May 30, 2008, and will inquire about their experiences when they contacted one or more credit reporting agencies and when they sought to use their FACT Act rights".

The FTC site provides a copy of the proposed survey. I read it and it asks several direct questions about how well the three credit bureaus assisted ID-theft victims with fraud alerts, credit freezes, obtaining free credit reports, and blocking items on their credit reports caused by identity thieves. Survey participants will be able to indicate their (dis)satifaction with the ease of contact and quality of customer service they received from the credit bureaus.

The proposed study will include only those ID-theft victims who have filed complaints with the FTC between the dates above. So, if you filed a complain with the FTC before January 1st, or didn't file a complaint at all, you won't be approached by the FTC. This is one reason (among several) why it is important for ID-theft victims to report incidents to local police, the FBI, and the FTC. If you have been the victim of identity theft and haven't filed a complaint with the FTC, I encourage you to file a complaint today with the FTC. The FTC site has forms in English and Spanish.

To learn more about the three national credit bureaus, you can browse the Credit Bureaus section of this blog.

Data Breach At Colt Express Outsourcing Services. Vendor Leaves Data Breach Victims Hanging

According to PC World, a data breach occurred Colt Express Outsourcing Services when thieves broke into the company's Walnut Creek, California offices and stole several computers. Colt Express administers the benefit plans for C/NET and other companies. About 6,500 C/NET employees have been notified.

The computers contained very sensitive personal information including names, birth dates, Social Security numbers and employment information. This story highlights the fact that outsourcing vendors can be identity theft targets, since these vendors are a rich source of sensitive data about employees and contractors.

Four days after the break-in, Colt Express installed a security system with an alarm. It is unclear whether the information was encrypted or not. According to the PC World news story:

"Customers looking for free credit-monitoring services from Colt Express should not get their hopes up, however. Colt's letter included some marketing materials for Kroll, a company that helps companies respond to data breaches, but the information was provided "only out of courtesy and to give you an idea of the types of services available... By this letter and enclosures we are providing you with all the information we believe you need and that we are able to give you. We do not have the resources financial and otherwise to assist you further."

Apparently, Colt Express is going out of business. Regardless, I encourage the affected companies to look for a benefits plan administrator with strong data security processes in place. Or, the affected data breach victims should pressure their employers to select a benefits plan administrator with strong data security. Colt Express is not very responsive to the needs of its data breach victims. I've Been Mugged readers are well aware of the damage identity thieves can do with stolen Social Security numbers.

Breach Notification: The State Of Maryland Does It Right

The Maryland Attorney General's Office serves consumers well by publishing online the data breach notifications it receives from companies and higher education institutions. Notices date from 2008 only. The site also includes resources to assist consumers.

In my opinion, more states should do this. There is no downside. The State of New Hampshire also publishes breach notifications at its web site. Massachusetts currently does not. If your state does, let us know by including the web site address in a comment below.

Most Popular Posts At I've Been Mugged

Which posts do I've Been Mugged readers read the most? Here they are:

  1. Suze Orman Identity Theft Kit Debuts
  2. Bank Of New York Mellon's Offer To Its Data Breach and ID-Theft Victims
  3. Kroll's Offering From IBM Deserves Scrutiny
  4. Experian Triple Alert Credit Monitoring Service (product review)
  5. Debix, LifeLock, and TrustedID
  6. 2008 Consumer Fraud and Identity Theft Complaint Data (FTC)
  7. Bank of New York Mellon Data Breach Affects At Least 4.5 Million Consumers
  8. Security Freeze: Peace Of Mind And Protection For Your Credit Reports
  9. Sidejacking: What It is and How to Protect Yourself
  10. Consumer Reports On LifeLock