Previous month:
July 2008
Next month:
September 2008

17 posts from August 2008

Cat Humor

My wife and I have a female cat named Cleo-Pet-Me. As far as I know, Celo is not an identity thief. Cleo's name is appropriate. Cleo considers herself a queen and all visitors to our condo must pet her. This video highlights some of my adventures with Cleo:

If you enjoyed this episode of Simon's Cat, then you can view another episode here. Then, there's this news oddity:

When Traveling Abroad, Check Your Bags And Your Privacy

As my wife and I prepare for a vacation abroad (Italy, Greece, Croatia, and Turkey), I began to think about the effect identity theft has on family vacations.

In 1965, my family took our first car vacation. That year, my dad bought our family's first car -- a new, dark blue, big, powerful, 4-door 1965 Chrysler New Yorker. I was 10. We didn't have credit cards cards. My mother withdrew from her savings account enough cash for the trip, and away we went. I remember a spectacular car vacation to Portland (Maine), Mt. Washington (New Hampshire), and Halifax, Nova Scotia (Canada).

Fast forward 40+ years. Are things better?

Yes, we have the convenience credit cards provide. Last week, I found myself planning how, when and what payment type I'd use during our vacation. That's a complication my parents didn't worry about. I'd use credit cards to pay for expenses on board the cruise ship. For safe shopping in the port cities we'd visit, I'd use local currency (Euros) or travelers checks at retail stores; not credit cards.

Plus, I wrote to my credit card issuers informing them of my travel dates and the countries to expect charges from. The last thing I wanted to have happen is for my credit card issuers to block my credit card because of charges outside my normal charge area.

But, there's more. If I need more local currency, I'd use my debit card (or a credit card) only at a bank to get the best exchange rate. Then, I went online to see if the foreign exchange fee (e.g., usually one to three percent of the amount withdrawn) applied to my credit cards and debit card. In my opinion, this fee is robbery. It should be a flat fee, not a percentage. My bank doesn't do any more "work" for 1% of US $50 vs. 1% of US $500. It's still an electronic funds transfer... bits and bytes. (Yet, another example of the tilt in the playing field.)

Then, I read several blog posts about a new screening policy by U.S. Homeland Security. I was highly disturbed to learn recently that U.S. citizens traveling outside the United States can basically kiss their right to privacy goodbye, along with their laptop computer, digital camera, and cell phone.

It seems that border security can seize your laptop, cell phone or camera without reasonable suspicion or probable cause for an indefinite period. I am not making this stuff up. You can read the Secretary Chertoff interview and download the new Homeland Security policy (PDF, 5 pages, 161 KB). The new border policy says (bold added for emphasis):

"In the course of a border search, and absent individualized suspicion, officers can review and analyze the information transported by any individual attempting to enter, reenter, depart, pass through, or reside in the United States, subject to the requirements and limitations provided herein...Officers may detain documents and electronic devices, or copies thereof, for a reasonable period of time to perform a thorough border search. the search may take place on-site or at an off-site location."

How long is reasonable? Is it four hours, four days, five weeks, or six months? A year? The policy doesn't say. Nor does the new policy state how Homeland Security will track or notify the affected citizen about where your laptop is and when it will be returned.

Regardless of what the 9th Circuit Court said, this seems to fly directly against the Fourth Amendment of the U.S. Constitution:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

Notice the part in the new Homeland Security policy about, "absent individualized suspicion." If border agents have general suspicion, they can stop you or me even though we have nothing to do with that general suspicion. "Reasonable suspicion" is not the same as "probable cause."

I know that some people believe that these are extraordinary times that deserve extraordinary actions against our country's enemies. I'm all for strong action, but there has to be a balance. Strong action doesn't mean abandoning the U.S. Constitution and the Bill of Rights by seizing innocent citizens' personal belongings without suspicion or an explanation probable cause. If we abandon the Constitution and our principles, then the terrorists will have won.

Some people will surely say, "If you've done nothing wrong, you have nothing worry about. They won't take your laptop." These people miss the point and don't understand (or haven't read) the U.S. Constitution. Either you live by the Constitution or you don't. It's not an optional thing to skip when times get difficult. The Fourth Amendment was inserted for a reason. The Founders had experienced life without certain rights, which they made sure to include in our country's Founding documents.

Others will say that this is a fuss about nothing since the court deemed this policy Constitutional. What? First, read the Fourth Amendment yourself. Second, I remember our government criticizing "activist judges" when those judges made rulings that conflicted with federal policy or ideology. Prior courts held this policy unconstitutional. This ruling seems like an "activist judge" ruling to me.

In a few days, my wife and I leave for vacation to celebrate her 50th birthday and our 9th wedding anniversary. I am hoping that some over-zealous border security agent doesn't arbitrarily seize my laptop with our vacation photos when we return. We'll see what happens.

If you have a problem with this new border policy (and I sincerely hope that it does bother you), I encourage you to write to your Congressional representatives. Tell them that Congress needs to rein this travel and privacy abuse by the Department of Homeland Security. If you have been harassed by a border security representative or government watch list, you can share your story at this web site.

FTC Warns Consumers About Voter Registration Scams

Identity thieves are very clever about inventing ways to trick consumers to revealing their sensitive identity data. With the upcoming election in November, the FTC warns consumers to be alert for voter registration scams:

"Have you received an unsolicited e-mail or phone call from someone who claims to represent your local election board or civic group and asks for your Social Security or credit card number to confirm your eligibility or registration to vote?"

According to federal officials, organizations can conduct legitimate voter registration drives which  either contact you in person or provide a voter registration form. While you complete the form, they will never ask you to provide your financial information.

If you receive an unsolicited phone call or e-mail scam, report it to the FTC online at, or by phone at 1-877-FTC-HELP. According to the FTC:

"To register to vote – and to find out whether your state requires your Social Security number for registration – contact your local election office, or check the U.S. Election Assistance Commission’s National Voter Registration Form at Most states accept this form. Many states and localities have their own rules about how far before an election you must register to be able to vote, and whether a Social Security number is required."

Google Abuses A Customer Due To Identity Theft

In an August 5 post titled "When Google Owns You," Chris Brogan wrote:

"Nick Saber isn’t happy now. Monday afternoon, after lunch, Nick came back from lunch to find out that he couldn’t get into his Gmail account. Further, he couldn’t get into anything that Google made (beside search) where his account credentials once worked. When attempting to log in, Nick got a single line message:

Sorry, your account has been disabled. [?]

That’s it."

Chris Brogan posted a follow-up on August 6 with a more complete reply from Google:

"Our specialists performed a thorough investigation of your account ID: [email protected]. It appeared that your account was compromised on 08/01, and an unauthorized charge of $490.30 was attempted in your Google Checkout Account. For security purposes, we suspended this account to prevent additional activity and charges. We’d also like to assure you that the security and confidentiality of your personal information, including your credit card number, is our highest priority."

Why didn't Google send Nick this explanatory response in the beginning? It explained an effective response to an important situation. Why did Nick have to write Google repeatedly to get this explanation? That's no way to treat a customer. And, Nick is a paying customer, since he paid for additional storage space.

I'm sure that Google executives see their treatment of Nick as consistent with the Google Terms of Service:

"4.3 As part of this continuing innovation, you acknowledge and agree that Google may stop (permanently or temporarily) providing the Services (or any features within the Services) to you or to users generally at Google’s sole discretion, without prior notice to you."

"4.4 You acknowledge and agree that if Google disables access to your account, you may be prevented from accessing the Services, your account details or any files or other content which is contained in your account."

So, Google has hidden behind some nifty legal language. It may help them avoid liability, but is it good customer service? Why take a position that is poor customer service, when it can be easily avoided?

A better first response by Google would have been, "We have noticed some unauthorized activity and charges on your account, probably due to identity fraud. While we are continuing to investigate, we have temporarily suspended your account to prevent further fraud and charges. The data you have with Google has been backed up and will not be deleted. If you believe this account suspension to be in error, please contact us at [email protected] or toll-free at (XXX) xxx-xxxx. Thank you for your patience while we investigate this situation."

Google would have received extra points if its response also explained whether or not Nick's account suspension was related to the data breach at Colt Express Outsourcing Services, which also affected Google employees.

Now, that would have been a more timely, comprehensive, professional, and customer-friendly response. According to InformationWeek:

"It turns out that Nick was able to restore access to his account after several hours of dealing with Google customer support. Until his account was restored, his business was at a loss. Without access to his Google account, he couldn't get anything done."

What lessons can a consumer, or a SOHO business owner, learn from Nick's experience?

  • The old saying, "Don't place all of your eggs in one basket" still applies. Bad stuff will happen, even with state-of-the-art Internet applications. Don't be bamboozled by the new technology
  • Have a backup e-mail address with your ISP, Yahoo, or Hotmail (if you use Gmail), and a second web site measurement tool (if you use Google Analytics)
  • If you must use Gmail and other Google applications, back up important data
  • Supposedly state-of-the-art Internet companies aren't any better than brick-and-mortar retail companies at notifying consumers about a data breach or identity fraud
  • If the application is free, the quality of support you are likely to receive will match what you paid

ISPs Begin To Spy And Abuse Consumer Privacy

Do you see the emerging trend in consumer privacy abuses?

Last month, I reported about how the Internet Service Provider (ISP) Embarq secretly spied upon and never notified its Kansas customers during a test of its behavioral advertising program. Consumers never had a chance to opt out of the behavioral advertising program.

Now, it appears that another ISP in the USA has made the same consumer privacy mistake, and probably broke several laws. According to the Silicon Valley Insider, the Washington Post's Cable One service secretly spied on its customers:

"In a response to a House query, [Washington Post] unit Cable One admitted it collected data on 14,000 subscribers in Anniston, Ala. for 180 days in order to serve targeted advertising. And no, they didn't ask for consent, but argued that customers "opted in to our monitoring of their Internet usage ... when they agreed to our Acceptable Use Policy." In other words, when they signed up for service."

How slimy and dishonest! Cable One didn't bother to offer consumers either opt-in or opt-out mechanisms. Instead, Cable One tries to hide behind the lame excuse that signing up for their service is consent enough. According to Media Post:

"Cable One justified the failure to let users opt out by saying that subscribers knew the company might spy on their Web activity when they signed up for broadband because the acceptable use policy mentions that the company may occasionally monitor "bandwidth, usage, and content." Of course, even if it's true that subscribers read the fine print in the acceptable use agreement and knew that Cable One might be watching them online, they still didn't know that Cable One would sell their clickstream data to NebuAd. And, even more important, they had no way to opt out of it."

Company executives need to go to jail when they do this. Fines are not enough. Sadly, the Silicon Valley Insider reported that this may be the tip of the iceberg:

"Congressmen John Dingell (D-Mich), Joe Barton (R-Tex) and Cliff Stearns (R-Fla.) and Ed Markey (D-Mass.) sent letters to 33 broadband providers last month asking about their ad-targeting techniques. So far, Charter Communications (CHTR) and former Sprint (S) unit Embarq (EQ) have copped to using NebuAd."

You can read here the replies the Congressional committee has received.

What is it that allows companies to arrogantly treat consumers' personal data like they own it... without giving consumers any notices? Is a general attitude among executives within telecommunications companies? Is it an assessment that they can likely get away with it? Or, is this a result of the spying immunity Congress gave phone companies earlier this year?

Notification of the test and an "opt-in" system default would have been appropriate for these behavioral advertising tests. If behavioral advertising delivers the promised benefits to consumers (e.g., relelvant advertising), then tell consumers! Otherwise, it is just a rush by ISPs to make money and ignore consumer privacy.

An opt-in approach is convenient, since consumers are already trained to remember which web sites they have registered (or opted in) at. This is not difficult. Consumers have been registering at web sites since the mid-1990's.

Why the fuss about behavioral advertising? First, there is the abuse of consumer privacy. Companies have to tell consumers when they perform behavioral advertising and provide an opt-in mechanism, regardless of the indefensible position the FTC has taken to facilitate this rush.

Second, the steady monthly volume of corporate data breaches, which are driven by corporate carelessness and incompetence, mean that companies will lose or have stolen behavioral advertising data. Data that is lost, stolen, or hacked can be abused. Behavioral advertising data includes the sites you visit, the keyword searches you submit at search engine web sites, and the specific site pages you visit at sites that are members of the advertising network -- all highly personal data. Companies must state to consumers how they will protect data collected by behavioral advertising programs.

These behavioral advertising program tests without notifying consumers and without providing consumers with opt-in mechanism, are examples of the current imbalance or "tilt in the playing field" in U.S. commerce, which I wish more consumers recognized. A better balance can and must be achieved between the needs of corporations and the needs of consumers.

In the soon-to-be-released book, Age of Conversation 2008, I wrote a chapter about behavioral advertising as one of the key emerging issues and challenges this year. It appears that ISPs are proving me correct.

Thanks to Congressional representatives for investigating this so far. I encourage you to write to your Congressional representatives today. Demand investigations by Congress and enforcement of consumer privacy laws. Demand that any data collected already from behavioral advertising tests be destroyed.

Class Action Lawsuit Filed Against Facebook And Its Beacon Affiliates

On Tuesday of this week, a class-action lawsuit was filed in U.S. District Court in Northern California against Facebook and several of its Beacon Program Affiliate companies for violating several computer and consumer privacy laws during 2007 -- before Facebook updated its Beacon Program opt-out policy.

The complaint alleges that Facebook and its affiliates (e.g.,,,,,, and others) violated one or several laws:

  • Violation of Electronic Communications Privacy Act, 18 U.S.C. § 2510
  • Violation of Computer Fraud and Abuse Act, 18 U.S.C. § 1030
  • Violation of Video Privacy Protection Act, 18 U.S.C. § 2710
  • Violation of California’s Consumer Legal Remedies Act, California Civil Code § 1750
  • Violation of California’s Computer Crime Law, Penal Code § 502

I've Been Mugged reviewed the complaint, which described the Beacon Program's processes:

"Every time someone visited a Facebook Beacon Activated Affiliate’s website and performed a pre-defined action, that action triggered a script that set the Beacon program into action. The Beacon script contacted Facebook notifying Facebook of the event or action taking place at the Facebook Beacon Activated Affiliate’s website."

The complaint outlined the alleged problems with the Facebook Beacon Program:

"... the Beacon program was not designed to obtain any consent, and indeed, did not obtain any consent prior to the communication of identifying transactional information to Facebook. By the time any user was notified that Facebook was (at a minimum), an observing party to the transaction, and that Facebook was asking for an approval to publicly broadcast identifying information regarding the event, personally identifying information had already been communicated to Facebook."

What I found particularly surprising and troublesome (bold added for emphasis):

"The Beacon program sent information regarding specific user transactions on Facebook Beacon Activated Affiliates’ websites to Facebook regardless of whether the user was a Facebook member or not. Thus, no consent was sought, nor was any consent obtained from persons who utilize the Facebook Beacon Activated Affiliate’s website who were not Facebook members. Thus, non-Facebook persons who utilized the Facebook Beacon Activated Affiliate websites were not told that their transaction, and indeed, every transaction they engaged in upon the website was being communicated to a third party (Facebook) with whom they had norelationship whatsoever."

Yes, you read that correctly. Beacon Program Affiliate company sites allegedly sent consumers' personally identifiable data to Facebook for both Facebook subscribers and users who were not Facebook subscribers. The complaint also outlined how Facebook allegedly used the cookies file on consumers' web browsers:

"What made the Beacon program distinguishable from other forms of website interaction, was the way in which a website that was not open in a user’s browser (in this case, had become actively involved in the exchange between a user and a third-party website. Beacon utilized cookies to obtain information from the user’s computer..."

The complaint also outlined how the Beacon Program processes allegedly used iFrame technology to perform actions unaware to users:

"If the user was not a Facebook member, Facebook still obtained the notification from the Facebook Beacon Activated Affiliate. Facebook then undertook the same action of (theoretically) generating a pop-up on the Facebook Beacon Activated Affiliate website, however, the iFrame was slightly modified – it was a ghost iFrame, so-called because the information was rendered transparent and the viewer did not see anything. But the same data was still sent to Facebook, and Facebook still responded and interacted with the Facebook Beacon Activated Affiliate’s website with respect to the user’s transaction."

This lawsuit is very appropriate. First, it outlined how not to design a behavioral advertising program with an opt-out mechanism:

"... the proffer to obtain that consent made to the user was wholly inadequate, uninformed, misleading, untimely, and deceptive. It was inadequate because, on most Facebook Beacon Activated Affiliate websites, where it was operational at all, it was only available as a quick pop-up for approximately 10 seconds or even less, and if a user missed it, misunderstood it, had another window browser open, or even looked in the wrong direction when it was momentarily available, such actions and a host of other similar non-consensual occurrences were all interpreted as and defaulted to “consent. It was uninformed because the pop up did not explain or specify how, which, or through what means the information concerning the transaction at the Facebook Beacon Activated Affiliate website would be broadcast both to Facebook and to the Facebook user’s friends list. It was misleading because it implied that the user was given some control over information to be communicated when, in fact, no such control was offered or available to the user. It was untimely because by the time the pop up asked for consent to communicate transactional information, the transactional information had already been communicated. It was deceptive because, in almost every instance, the information sharing was contrary to the stated privacy policies of the Facebook website and every other Facebook Beacon Activated Affiliate that had signed up for the program."

Second, the lawsuit highlights the problems when companies rush to develop behavioral advertising with an opt-out system default: all users are included, whether or not they want to be. This system default  places the burden on consumers to opt-out; when opting out can be tricky and complicated. The opt-out mechanism can be difficult to find, and can be complicated -- requiring repeated visits since the opt-out may not apply to all advertisers in the program.

As I've written in prior behavioral advertising posts, the system default should be opt-in: consumers are only included in the program after they explicitly opt-in and give consent. And, as advertisers leave or join the network, the opt-in should be re-presented.

A system default with opt-in is not difficult. Company web sites have employed registration pages since the mid 1990's. And, if the behavioral advertising program actually delivers the benefits promised, that would make the opt-in easy and beneficial for all.

To learn more, select the "Behavioral Advertising" keyword in the tag cloud in the right column, or download a copy of the complaint.

With A Security Freeze In Place, Do Consumers Need A Credit Monitoring Service?

An I've Been Mugged reader, Kalyan, sent to me an e-mail message last week with the following question:

"If one gets his credit reports frozen at all three agencies (for $30), will credit monitoring work ? Will the monitoring service be able to get the changes in the reports? Is it some sort of an oxymoron to say "frozen credit report change monitoring", since there should be no changes to monitor!?"

This is a god question. Before answering it, I want to emphasize for readers that the cost of a Security Freeze varies by state. In Massachusetts, the cost is $5.00 for a consumer to lock down or "freeze" each credit report at the three national credit agencies. Consumers in only a handful of states can lock down their C.L.U.E. insurance reports at ChoicePoint's ChoiceTrust Web site. Choicepoint has ignored several inquiries about why it does not offer a Security Freeze for its reports nationwide.

Now, to answer Kalyan's question.

I have Security Freezes in place on my 3 credit reports, plus credit monitoring from Discover and from Kroll. My logic for having both Security Freezes and credit monitoring:

  1. The Security Freezes are needed since IBM exposed my personal data through its data breach. My personal data could be nowhere or anywhere in the world. The Security Freeze gives me the most protection possible.
  2. A Freeze is also needed because many credit monitoring services (like Discover's offering) don't monitor credit files from all three national credit bureaus. You would think that they would, but many don't
  3. The risk of identity fraud doesn't just magically end after 1 or 2 years, just because most companies provide free credit monitoring services to data-breach victims for that period after a data breach. For me, I feel comfortable assuming the worst... since my data is out there, it could be abused at any time. ID-theft criminals are smart and persistent. While some of IBM's "lost" data tapes were encrypted, it may take time for the thieves to break the encryption.
  4. The free credit monitoring IBM arranged through Kroll gives me very strong credit resolution protection, and fairly strong credit monitoring but doesn't provide access to the full text of my credit reports at the three credit bureaus. I'm inclined to keep Kroll since they seem to be the best at resolution services (something Discover's offering seems weak at)
  5. Similarly, my Discover credit monitoring service provides features which Kroll's service doesn't, like access to the complete text of my credit reports. I will cancel my credit monitoring service with Discover when I find a suitable replacement.
  6. Even with a Security Freeze in place, changes can occur with a consumer's credit reports. By law, many government agencies retain the right to access consumers' credit reports (e.g., law enforcement, courts, child support orders, etc.). I know this having read the text of the Massachusetts ID-theft law. (ID-theft laws vary by state.) Since identity thieves are smart and may manage to trick a valid government agency (e.g., dept of motor vehicles) to make a fraudulent change to my credit reports, I want to know about it. This seems wise also because the Security Freeze tool has key limitations or gaps, like when identity criminals use stolen identity data during a crime, or when criminals attempt medical identity fraud.

If my approach seems like a patchwork quilt of a solution, it is. I'd rather get everything from one service, but I haven't found one service (yet) that provides everything I'm looking for. Getting a credit monitoring services directly from one of the credit bureaus (e.g., Equifax, Experian, and TransUnion) may seem like a good idea, their services and Web sites are poorly designed, difficult to use, and the bureaus offshore outsource their customer support operations, which some consumers have had difficulty with.

What is your logic regarding Security Freezes and credit monitoring? Whether you use both, one, or neither I'd love to hear you decision logic.

They Will Do Anything To Win

I have tried to keep posts about the presidential election to a minimum, but this needed to be said.

Apparently, James Dobson's organization is asking people to pray for rain during Senator Obama's upcoming speech on August 28 at the Democratic National Convention:

Even though the FOF removed this video from their web site after some complaints, one wonders how it was published there to begin with. I now see clearly the conservative Republican mantra... just win. Whatever it takes... just win the election.

It doesn't matter how many lies you tell... just win.

It doesn't matter if you damage education by replacing science with religious ideology... just win.

It doesn't matter how many people you insult... just win.

And if people challenge you about that insult, just claim it was humor.

Shepherd's video is just awful. It reminded me a lot of Senator McCain's recent Paris/Britney video. When both videos didn't go as planned, their creators were quick to explain them away as supposedly humorous.

Can't we just discuss the issues instead?

There used to be a time in this country when people wouldn't accept this disgraceful behavior. If you disagree on the issues, fine. But this video went way past all lines of decency and respect.

Shepherd owes Senator Obama and his campaign an apology. Is he respectful enough to issue one directly? Is Dobson fair enough to hold Shepherd accountable for one?

Or will they pretend like the video never happened?

They can try to pawn this off as humor. Insults disguised as religious humor are still... insults.

Google Revises Its Behavioral Advertising Opt-out For Consumers

Google Advertising Network Opt-out Earlier this year, I wrote a three-part series about behavioral advertising, the role of ISPs, and the threat to consumers' privacy. It's important to monitor and evaluate the actions of key corporations that run behavioral advertising programs.

Like many companies and advertising networks, Google uses the HTTP cookies file on your computer's web browser to monitor which sites you have visited, and to (in theory) serve to you more relevant ads than you'd see otherwise when visiting sites that are part of the Google ad network. While this sounds nice in theory, it's next to impossible for consumers to test this supposed benefit (e.g., more relevant ads).

According to an August 7th post in the Google blog:

"... with one click, users can opt out of a single cookie for both DoubleClick ad serving and the Google content network. (If a user has already opted out of the DoubleClick cookie, that opt-out will also automatically apply to the Google content network.) To learn more, you can check out our updated main privacy policy and a new advertising-specific privacy policy that reflects our integration with the DoubleClick ad serving cookie, and you can visit a section in our Privacy Center devoted to advertising and privacy."

First, kudos to Google for clearly mentioning these policy changes in their blog. Most companies are not this clear and upfront in their web site about changes to their policies; and many don't even have a blog to announce policy changes. However, this approach relies upon consumers to actually visit and read the Google blog. I'll bet that most consumers don't. Who has the time? A better approach would have been to have posted a notice about this policy change on the home page at all relevant Google sites, and link to the blog post for users wanting more information.

Second, the approach still uses the system default that all users are automatically included in Google's behavioral advertising program. Hence, the burden is on consumers -- users must "opt-out" if they don't want to participate. A better approach would have been an "opt-in" system default, where users are included only after they choose to. This would place the burden where it should be: on Google and its advertisers to clearly demonstrate the benefits of behavioral advertising to consumers... and not just make vague, difficult-to-prove promises.

Third, an "opt-in" system default would have made it easier for consumers, since it is easier to remember the web sites where you opted-in (or registered). Instead, the opt-out system default requires consumers to remember each site where they opted-out, to opt-out of each of the advertising networks, and to opt-out for each browser you use.

The "opt-in" system default would have been a more consumer-friendly approach. Google, and most companies, has taken the "opt-out" system default, which is not consumer friendly, but has the company benefit of maximizing immediately the number of consumers participating in their behavioral advertising program (regardless of whether the program actually delivers the benefits promised to consumers).

Some readers are probably wondering: why the fuss about behavioral advertising?

Fourth, in his Between the Lines blog, Larry Dignan summarized the threat to consumers' privacy:

"The good news is that Google makes it easy to opt out with one click. And then the pause comes as a user. Do you buy Google’s pitch that more relevant advertising is more useful? Do you buy Google’s argument that advertising can be good for you? Do you trust Google and its claim that it won’t combine personal information with its cookie data without consent?"

Fifth, the steady monthly volume of corporate data breaches, which are driven by corporate carelessness and incompetence, mean that companies will lose or have stolen behavioral advertising data. Data that is lost, stolen, or hacked can be abused. Behavioral advertising data includes the sites you visit, the keyword searches you submit at search engine web sites, and the specific site pages you visit at sites that are members of the advertising network -- all highly personal data. Consider the last time you were sick and researched a medical condition after visiting your doctor. Would you want that information shared with the public? During a data breach, both you and the advertising company have lost control of that information, and it an be abused by thieves.

So, the system default of "opt-out" is a rush by advertisers to take the easy way to make money without considering all of the issues, factors, and risks. Plus, the FTC seems all too happy and short-sighted by facilitating this rush.

The combination of these events is one example of the current imbalance or "tilt in the playing field" in U.S. commerce, which I wish more consumers recognized. A better balance can and must be achieved between the needs of corporations and the needs of consumers.

By The Numbers: Not A Good Year For Data Breaches

Are there more or less data breaches this year?

To answer this, I downloaded and analyzed the data breach records published by the Privacy Rights Clearinghouse, Since 2005 data breaches have exposed about 234 million records with sensitive consumer personal information (e.g., Social Security Numbers, etc.). For perspective, the U.S. Census Bureau reported the U.S. resident population at 299 million in 2006.

Data breaches occur in all industries: corporations, colleges and universities, hospitals, federal agencies, and state or local governments. This breach activity includes sensitive personal data accidentally released to the public, lost, hacked, or stolen. Some records cover the same individual multiple times.

But what are the latest trends?

In 2007, there were about 329 data breach events, which exposed about 116 million records. In my opinion, both of those numbers are low, since the companies in about 26% of the breach events do not disclose the number of consumers affected or records lost/stolen. So, 329 breaches with 116 million records exposed is the best case or most optimistic scenario.

Through July of 2008, there have been 209 data breach events with about 21.7 million records exposed. If that trend continues, the year-end 2008 totals would be about 358 data breach events... about 9% higher than 2007. If that trend continues, the estimated year-end number of records exposed, lost or stolen would be about 37.2 million, far lower than 2007.

If that seems like good news, it isn't. First, the number of data breach events is still going up; at just under a 9% percent annual increase. You'd think that companies and federal agencies would have learned by now to implement better data security measures. Sadly, this doesn't seem so, especially since the FTC is conducting data security workshops for small business.

Also, the number of records exposed during a breach event varies widely. Remember, the 2007 total of records exposed included about 94 million records from one breach event: the TJX Cos. /T.J. Maxx breach. So, all it would take is another large breach to easily match or exceed last year's total. Remember, that all of the details haven't come out yet about the ID-theft ring arrested recently. This ID-theft ring alone may be responsible for more than 41 million stolen credit cards... not included in the above July month-to-date total.

What troubles me, the percent of breach events where the company refuses to disclose the number of consumers affected or records exposed, has remained constant at about 26%. Here's a list of some of the companies that refused to disclose the number of records lost or stolen in 2008:

  • January 5: New Mexico State University (Las Cruces, NM)
  • January 7: Sears (Cook County, IL)
  • January 16: University of Wisconsin at Madison (Madison, WI)
  • January 23: Baylor University (Waco, TX)
  • January 24: OmniAmerican Bank (Ft. Worth, TX)
  • February 10: Administrative Systems, Inc (Seattle, WA)
  • February 15: Lexmark International (Lexington, KY)
  • February 18: First Magnus Financial (Ft. Lauderdale, FL)
  • March 10: Texas Department of Health and Human Services (Austin)
  • March 15: Sterling Insurance and Associates (Aspen, CO)
  • March 29: Georgia Department of Human Resources (Atlanta)
  • April 14: Utah Department of Workforce Services (Salt lake City)
  • April 15: First Federal Bank of California (Los Angeles, CA)
  • April 15: Fiserv, Inc. (Brookfield, WI)
  • April 20: Helping Homeless Veterans and Families Hoosier Veterans Foundation (Indianapolis, IN)
  • April 22: University of Massachusetts (Boston, MA)
  • April 24: Harmony Information Systems (Madison, WI)
  • June 4: AT&T (San Antonio, TX)
  • June 10: First Source bank (South Bend, IN)
  • June 15: Conn. Department of Administrative Services (Hartford)
  • June 18: Domino's Pizza (Tucson, AZ)
  • June 19: Petroleum Wholesale (Houston, TX)
  • June 19: CitiBank (NY, NY)
  • June 23: bank Atlantic (Tampa Bay, FL)
  • July 9: Wichita Radiological Group (Wichita, KS)
  • July 29: Anheuser-Busch (St. Louis, MO)

What don't these companies understand about honest and transparent communications?

Predict This

The folks over at Predictify, an online polling service, have developed a pretty interesting web site. Users can predict future news, or at least try to. For example: one of the more popular entries allows users to predict the future price of a gallon of gas in the USA on December 31, 2008.

Predictify has obvious appeal. I wish that I'd created it. Questions are arranged by topics such as Politics, Sports, Popular Culture, and Current Events. The site has already partnered with the Washington Post.

Of course, I didn't pass up the obvious opportunity and submitted an entry about identity theft and consumer complaints to the FTC. You can follow the link to submit your FTC complaints prediction.

If you have submitted an entry to Predictify, tell us below. We'd like to know!

FTC and California Office Of Privacy Protection To Co-Host Workshops on Data Security

On August 13, 2008, the U.S. Federal Trade Commission (FTC) and the California Office of Privacy Protection will co-host a half-day public workshop in Los Angeles about how businesses can secure personal information and protect the privacy of consumers and employees:

"The workshop, "Protecting Personal Information: Best Practices for Business," is presented in partnership with the International Association of Privacy Professionals and the Los Angeles Area Chamber of Commerce. It features business people, attorneys, government officials, privacy officers, and other experts who will provide practical guidance for businesses of all sizes on data security, privacy, best practices for developing an appropriate data security program, and responding to data breaches and other privacy and security problems."

Effective data security is critical to consumers' trust in corporate brands. Notable panelists and speakers scheduled for the workshop:

  • Barbara Lawler, Chief Privacy Officer, Intuit
  • Jill Phillips, Chief Privacy Officer, Chevron
  • Shai Samet, President and Founder, Samet Privacy LLC
  • Andrew Serwin, Partner, Foley & Lardner
  • Jonathan Avila, Vice President, Counsel, Chief Privacy Officer, The Walt Disney Company
  • Lt. Robert (Rocky) Costa, Los Angeles County Sheriff's Department and Southern California High Tech Crimes Task Force
  • Richard Purcell, Chief Executive Officer, Corporate Privacy Group

This workshop is timely and especially relevant, since a recent study found that corporate data breaches occur largely due to incompetence. If the FTC continues to do its job, it should co-host workshops in more states. Read about the wide range of sensitive consumer data companies archive.

I am unable to attend this workshop. If any I've Been Mugged readers attend the workshop, please post comments below.

Just How Stupid Are Us Americans?

Information you should know about your fellow citizens of the USA, from the book "Just How Stupid Are We? Facing The Truth About The American Voter" by Rick Shenkman (Basic Books, 2008). Some excerpts from the book:

"About 1 in 4 Americans can name more than one of the five freedoms guaranteed by the First Amendment (freedom of speech, religion, press, assembly and petition for redress of grievances.) But more than half of Americans can name at least two members of the fictional [Simpsons] cartoon family, according to a survey."

Shenkman proposes five characteristics of stupidity:

"First, is sheer ignorance: Ignorance of critical facts about important events in the news, and ignorance of how our government functions and who's in charge. Second, is negligence: The disinclination to seek reliable sources of information about important news events. Third, is wooden-headedness... The inclination to believe what we want to believe regardless of the facts. Fourth, is shortsightedness: The support of public policies that are mutually contradictory, or contrary to the country's long-term interests. Fifth, and finally, is a broad category I call bone-headedness... The susceptibility to meaningless phrases, stereotypes, irrational biases, and simplistic diagnoses and solutions that play on our hopes and fears."

Several examples prove Shenkman's points:

"... only a small percentage of people take advantage of the great new resources at hand. In 2005, the Pew Research Center surveyed the news habits of some 3,000 Americans age 18 and older. The researchers found that 59% on a regular basis get at least some news from local TV, 47% from national TV news shows, and just 23% from the Internet."

"In 1986, only 30% knew that Roe v. Wade was the Supreme Court decision that ruled abortion legal more than a decade earlier. In 1991, Americans were asked how long the term of a United States senator is. Just 25% correctly answered six years. How many senators are there? A poll a few years ago found that only 20% know that there are 100 senators..."

"Which country dropped the nuclear bomb? Only 49% know it was their own country"

And, we only seem to know the basic, easy historical facts:

"What happened at Pearl Harbor? A great majority know: 84%. What was the Holocaust? Nearly 70% know. (Thirty percent don't?) But it comes as something of a shock that, in 1983, just 81% knew who Lee Harvey Oswald was and that, in 1985, only 81% could identify Martin Luther King, Jr."

It's easy to question whether we can elect effective leaders when we don't seem to know who or how our government works:

"Sandra Day O'Connor was the first woman appointed to the United States Supreme Court. Fewer than half of Americans could tell you her name during the length of her entire tenure. William Rehnquist was chief justice of the Supreme Court. Just 40% of Americans ever knew his name (and only 30% could tell you that he was a conservative). Going into the First Gulf War, just 15% could identify Colin Powell, then chairman of the Joint Chiefs of Staff, or Dick Cheney, then secretary of defense. In 2007, in the fifth year of the Iraq War, only 21% could name the secretary of defense, Robert Gates. Most Americans cannot name their own member of Congress or their senators."

For the record: mine are Kerry, Kennedy, and Lynch. I write to them frequently.

"Only 34% know that it is the Congress that declares war (which may explain why they are not alarmed when presidents take us into wars without explicit declarations of war from the legislature). Only 35% know that Congress can override a presidential veto. Some 49% think the president can suspend the Constitution. Some 60% believe that he can appoint judges to the federal courts without the approval of the Senate. Some 45% believe that revolutionary speech is punishable under the Constitution."

Poverty is no excuse:

"... Americans in the middle class who attend college exhibit profound ignorance. A report in 2007 published by the Intercollegiate Studies Institute found that on average 14,000 randomly selected college students at 50 schools around the country scored under 55 (out of 100) on a test that measured their knowledge of basic American civics."

A democracy works when citizens participate. The younger generation isn't doing any better than the older generations:

"In 1972, when 18 year olds got the vote, 52% cast a ballot. In subsequent years, far fewer voted: in 1988, 40%; in 1992, 50%; in 1996, 35%; in 2000, 36%. In 2004, despite the most intense get-out-the-vote effort ever focused on young people, just 47% took the time to cast a ballot."

Should civics be taught in schools? You bet! And it should be required. But don't title the class "Civics" or "American History." Instead, give it a more relevant title like, "How to Participate in a Democracy" or "How to Use A Democracy For Your Benefit" or "Your Rights And Responsibilities In A Democracy."

Unfortunately, this stupidity problem also affects consumers' actions about identity theft and company data breaches. It is difficult for consumers to take effective action to protect their identity information, if consumers don't:

Addendum: you can buy Shenkman's book online at It'll make a wonderful holiday present.

Credit Monitoring E-Mail Alerts (Product Review)

If you are looking for a credit monitoring service, then you have probably encountered the e-mail alert feature promoted at many sites. The alert is a key part of the notice you'll receive; whether everything is fine or their are problems with your credit reports.

So, it seems important to recognize a good e-mail alert feature. Of course, your individual identity protection needs will vary, but there are some key signs to look for at any credit monitoring site:

  1. A clear description of the alert: including sample alert copy. Ideally, the site should display legible alert copy so you can determine if the contains enough information for your identity protection needs
  2. A clear description of the alert feature: including statements about whether the alert is delivered via a secure web site, e-mail, text message, surface mail, or a combination. The site should also describe whether or not the consumer can customize the alert. The more customization control you have, the more relevant and better protection
  3. A clear description of the coverage: includes the credit bureau(s) monitored and the corresponding time period
  4. Alert triggers: includes the types of events that produce an alert. Events include new accounts opened in your name, inquiries into your credit reports, address changes reported in your credit files, account changes reported in your credit files, and new or changed public records reported
  5. Instructions about what to do next if there is a problem or unauthorized activity on your credit report.

Discover Financial Services Below is the actual e-mail alert I received as part of the Discover credit monitoring service. Some limitations are easy to spot:

From: "Identity Theft Protection"
Sent: Saturday, July 26, 2008 12:13 PM
Subject: Identity Theft Protection : No News is Good News

Dear George Jenkins:

As a member of Discover Identity Theft Protection, we monitor your credit file at Equifax every business day for suspicious activity that could indicate identity fraud.

During the past 30 days, we have detected no significant changes or activity in your credit file.

Though you haven’t heard from us recently, we’re still working hard every day to help you protect your identity. We will continue to monitor your credit file and alert you if we detect activity that could indicate fraud.

The threat to your credit is real. Identity thieves not only rob you of your credit, money, and time – they steal your good name. With Identity Theft Protection, we help you stay informed by giving you the tools and information you need to act quickly if potentially negative changes appear in your credit file.

Your identity is important and Discover’s Identity Theft Protection service is your frontline defense against identity theft.


Identity Theft Protection Member Services

As you can see, the alert message is short. There isn't much information in it. And, it is a confirmation that nobody has accessed my Equifax credit report. You can immediately see the limitation of this alert, and one reason why I am looking for a replacement credit monitoring service.

Every consumer has a credit report with each of the three (3) national credit bureaus. An effective credit monitoring service monitors your reports at all three national credit bureaus, not one of three as Discover's service does.

In fairness to Discover, I cannot evaluate its alerts on criteria #4 above because I haven't had a problem (thank goodness!) with my Equifax credit report. I don't know if Discover issues a different alert message when there's a problem... the site doesn't say. Discover's service does allow subscribers to direct alerts to their cell phone or pager.

If your credit monitoring service produces better alerts, please share them below. I've Been Mugged readers what to know.

A Mother's Anger

I just love American politics. Candidates sometimes do some really stupid things.

Senator McCain tried to go on the offensive against Senator Obama and instead insulted one of his rich donors. What did the McCain campaign expect?

You gotta expect a mother to say something when you insult her daughter. I wonder how the McCain campaign couldn't see this response coming. The Huffington Post reported the following statement by Kathy Hilton:

"I've been asked again and again for my response to the now infamous McCain celebrity ad. I actually have three responses. It is a complete waste of the money John McCain's contributors have donated to his campaign. It is a complete waste of the country's time and attention at the very moment when millions of people are losing their homes and their jobs. And it is a completely frivolous way to choose the next President of the United States."

Well said! You can read more about it in this Associated Press story.

Bush McSame would be better off sticking to the issues,... if he can.