Recently, Choicepoint sent warning letters to hundreds of thousands of consumers all across the nation, warning them that their personal information may have fallen into the hands of criminals who can now use this information to commit the crime of identity theft, a crime that this year will strike at least 1.5 million Americans. The question that needs to be raised is why, and how, do companies like Choicepoint amass this information, and who or what gives them the right to sell our most personal of data to anyone they choose to?
Information brokerages obtain much of their information from the myriad of public records that most people must generate to simply live in our society. Open public records, in fact, are a fundamental part of American democracy. A good example of open public records are property tax records. The property tax record of almost any piece of property in the United States can be readily obtained by a visit to the county recorder/assessor. The property tax records will contain the name of the property owner, the assessed value, the amount of the annual property taxes, the address where the property tax bill is sent, the purchase price of the property, and if there is a mortgage on the property. Public record property tax records allow the citizenry to make sure that a neighbor or powerful individual is not able to get a special deal on their taxes because they know someone on the county commission, or have other influence most people do not.
The same reasoning is why criminal and civil court actions are as a general rule open to the public, and the court decisions rendered in these trials must be made public. Public records force government actions to be performed under scrutiny. But public records extend far beyond property tax and court records. Public records are also such things as drivers license records, motor vehicle registrations, military service records, business licenses, employment licenses, university and college degrees or registrations status. The list can go on and on.
But there are other types of records that these companies are able to compile. These records are not public records per se, but loopholes in the law do not give them any privacy protections. These are records that are generated when dealing with private businesses – such as banks, credit card companies, retail stores and credit bureaus. In most states these records have no privacy protection, and with few exceptions, there is a complete lack of federal regulation. In the case of credit bureaus, the federal government actually made it easier for personal information to be accessed without your authorization.
The most disturbing users of firms such as Choicepoint are government agencies, particularly law enforcement agencies.
The best way to illustrate how a company like Choicepoint works is to play the role of one of their clients. Choicepoint has many thousands of clients who want personal data for different reasons. These range from corporations who perform pre-employment screening of new hires, to marketing firms who want to obtain more information about potential sales prospects. The most disturbing users of firms such as Choicepoint are government agencies, particularly law enforcement agencies. The use of information brokers by government agencies allows them to do what they explicitly cannot do by law – compile dossiers of information about citizens which have nothing to do with their law enforcing or regulatory function.
The use of information brokers by government agencies allows them to do what they explicitly cannot do by law – compile dossiers of information about citizens which have nothing to do with their law enforcing or regulatory function.
Choicepoint clients can access Social Security numbers, birthdates, current and previous addresses, telephone numbers, names of others residing in a household, and employer information, just to start. Where does this information come from? All of the data just mentioned comes from your credit report. Choicepoint is able to access the files of all three major credit bureaus, and their clients are able to then access those bureau files as customers of Choicepoint. The information just mentioned can be accessed even if you never applied for credit and never signed anything.
How can this be, you ask? Back in 1990, the first president Bush decided that the only part of your credit report that actually had any privacy protection was the part that listed the actual creditors and your payment history. All the other information on the credit report was now considered to be public record information and could be resold to anyone. The data mentioned above is known as credit header data, because it is usually listed at the top of the credit report.
The founding fathers never intended open public records to be used by profit making entities to compile vast dossiers on anyone they chose.
The use of government collected public record information becomes more insidious when it is put into the context of what is truly going on. Companies like Choicepoint market their services by saying that they allow their clients to better know their current or potential customers. The founding fathers never intended open public records to be used by profit making entities to compile vast dossiers on anyone they chose.
Let's assume we are a grocery store chain with a loyalty card program. You know, you give the store your name and address, and they give you a card that gives you some discounts. But name and address is not very much data. So the grocery store goes to an information broker and says that they want the whole story – your birthdate, SSN, marital status, name of others in the household, where you work, value of your house, how many cars you own, where you lived before, etc. But it does not stop there. Maybe they are going to start a new credit card, and they only want to spend money sending pre-approved offers to those customers whose credit will allow them to qualify. Choicepoint can then arrange to do a mass credit prescreening – and make sure your credit meets the requirement. Once again, your consent is not required for such a prescreening.
The net result of this "getting to know their customer better" is that your most sensitive of personal information has been compiled and transferred any number of places, and any number of people have access to it. This now allows for the crime of identity theft, and the most dangerous variant of identity theft. Most identity thieves are content to simply destroy the victim's credit. Identity theft that results when the thief has a complete dossier of personal and financial information, can be much more dangerous. In this situation the identity thief can actually live as the victim – renting apartments, opening bank accounts, obtain a drivers license, work or even get married. In the worst nightmare, an identity thief can get arrested as the victim, not show up for the trial, and then an arrest warrant will be issued in the name of the victim. This has already happened on many occasions.
Information brokerages disclaim any liability for damages to you because of their resale of wrong information. At the Choicepoint website, this is stated very clearly.
Another danger posed by information brokerages is when they report false or erroneous data. Information brokerages disclaim any liability for damages to you because of their resale of incorrect information. At the Choicepoint website, this is stated very clearly. Thousands of people are denied employment, professional licenses, credit, and other services in society because of wrong information resold by these firms. The problem is that even if the false information is corrected at the source, say a government agency, there is usually no way you find all of the places that have purchased the information from the broker. Frequently clients of the broker themselves are then resellers a second time to their customers.
So the question must be – what can be done to prevent future Choicepoints, and what can individuals do to make themselves much less likely to be a victim of identity theft?
One central thread whenever a large compromise of personal data occurs is the role of the Social Security number. This number has become the Achilles' heel of the protection of personal information in America. The Social Security number has become the file-indexing tool for banks, credit bureaus, motor vehicle departments, health insurance companies, universities and colleges, utility companies, and a myriad of other businesses. In many states the Social Security number appears as an identifier after the name on public records such as divorces, marriage licenses, civil lawsuits, etc.
What comes as a shock to most people is that all of the uses just mentioned have nothing to do with the actual purpose of the Social Security number. The Social Security number itself doesn't identify a particular person – the number identifies the retirement account number of that person. In fact, for nearly 50 years, Social Security cards had the statement "not for identification purposes" written across the bottom. Using a Social Security number to identify a person would be akin to using an individual's checking account number to identify the person. So what are the legally necessary uses of the Social Security number? They are amazingly few. Your employer needs the number only for reporting your Social Security contributions and your taxes to the IRS. Banks are required to have the number for reporting your interest income on interest bearing bank accounts. The number is used by the IRS to positively identify your tax return. This is it – these are the only uses where the Social Security number is actually required and necessary. If this is the case, then why has the SSN become such a universal identifier whose use has grown far beyond this limited scope?
The nine digit SSN was developed to allow each individual to be identified uniquely. A system had to be created that would allow many different people who shared identical first, middle and last names, and birthdates, to be uniquely identified. The numbering system also needed to be expandable, so that numbers would never need to be reused. Private industry seized upon using the SSN as a file indexing and retrieval tool because of this very quality. This "bracket creep" in uses of the number can most easily be seen with private employers. Larger employers then started assigning the SSN as the employee identification number. This number, with the advent of computerization, became the way that employee files could be retrieved.
Banks and credit bureaus began to use the SSN as a file identification and retrieval tool, particularly with the advent of computerization. The importance of this is that when the SSN is used as file retrieval tool – just that number must be provided to retrieve information about a particular person. This now begins the process where just knowing the SSN will yield all sorts of data about an individual.
The SSN has now become the universal identifier in American life. When a consumer calls an insurance company, bank, credit card company, utility provider, college, etc., the first question will usually be "What is your SSN?" This is what allows companies like Choicepoint to build dossiers on Americans with amazing speed. With only a Social Security number, Choicepoint can access numerous databases and retrieve any record stored in those databases that use the SSN as a file retrieval tool. Companies like Choicepoint can also retrieve an individual's SSN from simply a name and address, and then rifle through numerous other databases to compile the personal dossier. How can Choicepoint and their other corporate ilk do this? Much of their information comes from the nation's credit bureaus.
Once the federal government had removed the privacy protection from all data on the credit report except for actual account numbers and payment history, an entire new market was created where outside companies and firms could purchase access to this now public information. Credit bureaus make arrangements with information brokers such as Choicepoint. The information broker gets direct access to the credit bureau database. The broker then resells access to any number of its clients. In some cases, these are other corporations, but these clients can also be private investigators, attorneys, or even nosy individuals.
The credit bureaus were happy with this new market for expanded access to non-payment data because it created a new, lucrative market. But this new market also eliminated an important safeguard. Prior to the change in the law, any time any data was retrieved from a credit bureau, a notation had to be made on the "inquiry" section of the report. This notation would have to give the name of the requestor and a phone number or address where they could be contacted. This now does not happen when the unrestricted information is requested. So, there is no way for the individual to know who has requested their credit bureau header information. The most obvious evidence of this is all of the information brokers who advertise on the Internet. Most of them offer background searches and they promise the requestor that the target of the investigation will not be informed of their search.
The only significant limitation placed on these searches of credit bureau header information has to do with the Social Security number lookup search. Previously, anyone could purchase the Social Security number of anyone. As long as they had an address where the person had lived in the past seven years, and the person had applied for credit, or had a credit check done with this address, the Social Security number could be found. Federal legislation now restricts who can request a credit bureau based Social Security number lookup search. This search can now only be performed by someone with certain reasons – enforcement of a child support order, a civil judgment, finding a witness in a civil case, etc. But this prohibition has a lot of loopholes. The law only restricts the actual disclosure of the Social Security number. So the public can still access this search to locate the subject's new address and telephone number, it is just that the SSN will not be disclosed to a nonqualifying requestor. This law also places no limit on information brokers who can obtain Social Security numbers from non credit bureau sources. In many states Social Security numbers can be obtained from motor vehicle registration, voter registration, civil court cases, and other sources. Obtaining SSNs from these sources may take a bit longer, but it is unregulated.
The real problem is that all of these information brokers have direct access to this data on their computer systems, with no say of the people. It is also proof of the real problem of the Social Security number becoming the defacto national identifier. If you give an information broker just a Social Security number, in a matter of a few hours he can obtain the following information:
There are many other records not even listed, but it is very clear that these information brokerages give the ability for nosy individuals and corporations to essentially know everything about almost anyone. It is also why it is so dangerous when these databases are hacked into, or are legally accessed by corrupt enterprises – as was the situation with Choicepoint. So much information is available that it is quite easy for someone to steal an individual's complete identity. With this amount of information available, the identity thief can easily "become" you, and because he knows nearly everything about you, he can pass most simple tests of identity verification used by businesses and government agencies – your address, phone number, SSN, birthplace, etc.
So, what can be done to make Choicepoint-like incidents a thing of the past? Legislation needs to be passed at the federal level to restrict and regulate data collection and dissemination by information brokers. One needed reform is to restore the privacy protections to all the data on the credit report. This would immediately curtail much of the worst abuses of personal data. Information brokers, private detectives, etc., would lose unfettered access to credit report information. A recent regulation, the Graham-Leach-Bliley Act, restricts Social Security number lookup searches. This search now can only be done with a permissible purpose – collection of overdue child support, a court judgment, etc. But this law's protections are filled with holes, and it still allows access to credit report information without attribution by information brokers and those who are involved directly in the extension of credit. This third party access by outside firms via information brokers is the source of most of the abuse of personal data. State laws need to be changed prohibiting the use of Social Security numbers as identifiers on civil court records. Divorce case filings, civil court filings and judgments, etc., should now be stripped of this identifier. States where the driver's license number is the Social Security number or derived from the number, would end this practice. Federal legislation would need to require that banks, credit bureaus, and other businesses that use the Social Security number as a file identifier would be prohibited from doing so. There would be a time period – say five years, over which systems would have to be changed. A fund would be established by the federal government to defray some of the costs involved.
Each year all holders of personal information need to obtain consent from their customers before they can share their data with other firms or government agencies. Finally, information brokerages should be financially liable for the damages that occur when they disseminate inaccurate or erroneous data. This would force information brokers to use due diligence to verify the accuracy of information they sell to third parties, even when this data originated from public records, such as criminal conviction histories. The damage that occurs when inaccurate public records are widely disseminated can be uncorrectable. A person falsely identified with a criminal record to potential private employers can face effective blacklisting. Many times a criminal record belonging to another individual with a very similar name and birthdate is attributed to an innocent person. The victim never knows why his employment application or apartment lease application has been rejected. Even if the victim is able to identify the wrong record, because it has been sold and resold numerous times, there is no way to undo the damage.
Until these legislative changes happen, is there anything that the individual can do to protect himself from the misuse of their personal information? The good news is that the answer to this question is yes. The bad news is protection of your personal data requires an entirely different approach to personal information. The first step is to regard your actual name, address and telephone number as privileged information. With just your name and address or name and telephone number, an information broker can purchase all your other data.
Only a small number of people and organizations need to have this information. Obtain a mailing service address – notice that I did not say a Post Office box.
Although the post office may balk at giving an individual someone's new address, they have no such compunction when it comes to selling off forwarding address information in bulk. Most information brokers offer a national change of address search. They compile it from post office files along with those from fifty or so different mail order catalogs, national magazines, and other mail businesses. They usually can find anyone. A mailing service address will give you a street address that can be provided on all sorts of paperwork and forms. At the same time, obtain a voicemail telephone number that either links to a pager or is forwarded to your cell phone or home phone. This number should be obtained in a dummy name. Many services allow you to do this with no credit check – you simply pay monthly and start service with a small deposit.
This voicemail number can now be provided to banks, credit card companies, doctors, schools, supermarket loyalty card programs, etc. Your actual home phone number is restricted to close friends those who really need it. Your home telephone number needs to be a nonlisted, nonpublished number. This is now easier to do. There are telephone companies that specialize in providing low cost service to those who have poor records or unpaid bills with the larger phone companies. Many of these services will start service, and include a certain amount of long distance, for under 50 dollars per month. Many of them do not require any identification or a credit check. Many people have gone even further, and do not have a wired telephone at home. A prepaid cell phone, or a regular cell phone that uses direct billing to a bank account or credit card, allows for cellular service without a credit check.
A dummy name should also be chosen. For years I used the name of my dog. It is amazing how many magazine subscriptions, preapproved credit offers and other junk mail my four-legged friend received. When you get your automobile serviced, this name, address and telephone number is provided. When you sign up for a grocery loyalty card, etc., same procedure. Gradually, your actual address will drop out of circulation. If you currently receive magazine subscriptions and catalogues from mail order merchants at your real home address, do not call and have these transferred to your mail service. This would now give them your new address. Call and have new catalogs, subscriptions, etc., started in the dummy name at the new address. Cancel any current subscriptions, etc.
Restricting the dissemination of sensitive financial and credit information is more difficult. Although there is nothing you can do about the disclosure of your credit header information, you can stop the privacy invading practice of prescreening. Prescreening is what results in the receipt of mailings of preapproved offers for credit cards and other loans. The theft of these from the mail by criminals is a major source of identity theft. You can have your credit report restricted from prescreening. This can be done by calling 1-888-5-opt-out. This stops this practice with your credit report at all three bureaus. You can also require that your bank or credit union not share your financial information with outside firms. This requires you to affirmatively request non-disclosure of your personal information. Financial services companies send a mailer out each year to their customers about their privacy policies. This mailer will explain how to prevent the selling of your personal data to other firms. You can also call your financial institution and get information on how to do this.
There is not much you can do to remove your current address out of credit bureau files, if it is already listed in them. But if you move, you can avoid getting your new address in their files. If you know you are going to move in the near future, obtain a PO box, and have all of your credit card statements, bank statements, etc., sent to this address. When you move to the new address, do not file a change of address card with the post office – yes, the post office sells off change of address information to third parties. If the landlord needs to do a credit report, he will use the address you are living at now to retrieve the report. When you arrange for utilities at the new address, use the dummy name, and just pay a deposit, to avoid a credit check. This way there will be no record of utility services in your name at the new address, because yes, utility companies also sell out your data.
The address on your driver's license and vehicle registration should be a dummy address. You could go the extra step of arranging the sale of your car to the dummy name.
The address on your driver's license and vehicle registration should be a dummy address. You could go the extra step of arranging the sale of your car to the dummy name. This way a search for automobile registrations in your name will yield no information. If you attend a university or community college, you can have school directory information – your name, birthdate, major, graduation date, home address, etc, restricted from access. This is important because many universities across the country have made their enrollment and graduation records available to a third party database vendor so that they no longer bear the expense of verifying attendance and graduation requests by outside employers.
Other common sense actions are to never carry your Social Security card on your person, and to not have the number appear on any identification document – drivers licenses, health insurance cards, etc. Never provide this number to anyone who calls you on the telephone. If your bank uses this number as a way to access your account online or via telephone, call them and have this number changed. Your current bank account can easily be raided by an identity thief with knowledge of your account number and SSN. This is also why you should not write checks at local merchants. Nearly all merchants use a third party check approval service, such as Telecheck or Chexsystems. Every time you write a check these companies do more than just approve it. They download into their database your bank account number, drivers license number and amount of check, check number and the name and type of merchant. This information is then resold to marketing companies who can then sell a "personal shopping" profile. The only way to avoid this is to not write checks at stores. Checks can still be used to pay bills by mail. It is also a good idea to not have your actual address on your checks.
The actions you can take as an individual are limited, but the good news is that as more people have their identities stolen and lose access to credit, employment, or even face false arrest, Congress will be forced to address this issue. Until then you can only be careful and hope for the best.
Loompanics Unlimited l
2005 Summer Supplement
LOOMPANICS UNLIMITED Online Catalog
Order Toll-Free 1-800-380-2230
YOUR ORDER IS SHIPPED WITHIN 24 HOURS OF RECEIPT!
(Monday Through Friday, 8am to 4 pm)
So, what can be done to make Choicepoint-like incidents a thing of the past? Legislation needs to be passed at the federal level to restrict and regulate data collection and dissemination by information brokers. One needed reform is to restore the privacy protections to all the data on the credit report. This would immediately curtail much of the worst abuses of personal data. Information brokers, private detectives, etc., would lose unfettered access to credit report information. A recent regulation, the Graham-Leach-Bliley Act, restricts Social Security number lookup searches. This search now can only be done with a permissible purpose – collection of overdue child support, a court judgment, etc. But this law's protections are filled with holes, and it still allows access to credit report information without attribution by information brokers and those who are involved directly in the extension of credit. This third party access by outside firms via information brokers is the source of most of the abuse of personal data. State laws need to be changed prohibiting the use of Social Security numbers as identifiers on civil court records. Divorce case filings, civil court filings and judgments, etc., should now be stripped of this identifier. States where the driver's license number is the Social Security number or derived from the number, would end this practice. Federal legislation would need to require that banks, credit bureaus, and other businesses that use the Social Security number as a file identifier would be prohibited from doing so. There would be a time period – say five years, over which systems would have to be changed. A fund would be established by the federal government to defray some of the costs involved.
Each year all holders of personal information need to obtain consent from their customers before they can share their data with other firms or government agencies. Finally, information brokerages should be financially liable for the damages that occur when they disseminate inaccurate or erroneous data. This would force information brokers to use due diligence to verify the accuracy of information they sell to third parties, even when this data originated from public records, such as criminal conviction histories. The damage that occurs when inaccurate public records are widely disseminated can be uncorrectable. A person falsely identified with a criminal record to potential private employers can face effective blacklisting. Many times a criminal record belonging to another individual with a very similar name and birthdate is attributed to an innocent person. The victim never knows why his employment application or apartment lease application has been rejected. Even if the victim is able to identify the wrong record, because it has been sold and resold numerous times, there is no way to undo the damage.
Until these legislative changes happen, is there anything that the individual can do to protect himself from the misuse of their personal information? The good news is that the answer to this question is yes. The bad news is protection of your personal data requires an entirely different approach to personal information. The first step is to regard your actual name, address and telephone number as privileged information. With just your name and address or name and telephone number, an information broker can purchase all your other data.
Only a small number of people and organizations need to have this information. Obtain a mailing service address – notice that I did not say a Post Office box.
Although the post office may balk at giving an individual someone's new address, they have no such compunction when it comes to selling off forwarding address information in bulk. Most information brokers offer a national change of address search. They compile it from post office files along with those from fifty or so different mail order catalogs, national magazines, and other mail businesses. They usually can find anyone. A mailing service address will give you a street address that can be provided on all sorts of paperwork and forms. At the same time, obtain a voicemail telephone number that either links to a pager or is forwarded to your cell phone or home phone. This number should be obtained in a dummy name. Many services allow you to do this with no credit check – you simply pay monthly and start service with a small deposit.
This voicemail number can now be provided to banks, credit card companies, doctors, schools, supermarket loyalty card programs, etc. Your actual home phone number is restricted to close friends those who really need it. Your home telephone number needs to be a nonlisted, nonpublished number. This is now easier to do. There are telephone companies that specialize in providing low cost service to those who have poor records or unpaid bills with the larger phone companies. Many of these services will start service, and include a certain amount of long distance, for under 50 dollars per month. Many of them do not require any identification or a credit check. Many people have gone even further, and do not have a wired telephone at home. A prepaid cell phone, or a regular cell phone that uses direct billing to a bank account or credit card, allows for cellular service without a credit check.
A dummy name should also be chosen. For years I used the name of my dog. It is amazing how many magazine subscriptions, preapproved credit offers and other junk mail my four-legged friend received. When you get your automobile serviced, this name, address and telephone number is provided. When you sign up for a grocery loyalty card, etc., same procedure. Gradually, your actual address will drop out of circulation. If you currently receive magazine subscriptions and catalogues from mail order merchants at your real home address, do not call and have these transferred to your mail service. This would now give them your new address. Call and have new catalogs, subscriptions, etc., started in the dummy name at the new address. Cancel any current subscriptions, etc.
Restricting the dissemination of sensitive financial and credit information is more difficult. Although there is nothing you can do about the disclosure of your credit header information, you can stop the privacy invading practice of prescreening. Prescreening is what results in the receipt of mailings of preapproved offers for credit cards and other loans. The theft of these from the mail by criminals is a major source of identity theft. You can have your credit report restricted from prescreening. This can be done by calling 1-888-5-opt-out. This stops this practice with your credit report at all three bureaus. You can also require that your bank or credit union not share your financial information with outside firms. This requires you to affirmatively request non-disclosure of your personal information. Financial services companies send a mailer out each year to their customers about their privacy policies. This mailer will explain how to prevent the selling of your personal data to other firms. You can also call your financial institution and get information on how to do this.
There is not much you can do to remove your current address out of credit bureau files, if it is already listed in them. But if you move, you can avoid getting your new address in their files. If you know you are going to move in the near future, obtain a PO box, and have all of your credit card statements, bank statements, etc., sent to this address. When you move to the new address, do not file a change of address card with the post office – yes, the post office sells off change of address information to third parties. If the landlord needs to do a credit report, he will use the address you are living at now to retrieve the report. When you arrange for utilities at the new address, use the dummy name, and just pay a deposit, to avoid a credit check. This way there will be no record of utility services in your name at the new address, because yes, utility companies also sell out your data.
The address on your driver's license and vehicle registration should be a dummy address. You could go the extra step of arranging the sale of your car to the dummy name.
The address on your driver's license and vehicle registration should be a dummy address. You could go the extra step of arranging the sale of your car to the dummy name. This way a search for automobile registrations in your name will yield no information. If you attend a university or community college, you can have school directory information – your name, birthdate, major, graduation date, home address, etc, restricted from access. This is important because many universities across the country have made their enrollment and graduation records available to a third party database vendor so that they no longer bear the expense of verifying attendance and graduation requests by outside employers.
Other common sense actions are to never carry your Social Security card on your person, and to not have the number appear on any identification document – drivers licenses, health insurance cards, etc. Never provide this number to anyone who calls you on the telephone. If your bank uses this number as a way to access your account online or via telephone, call them and have this number changed. Your current bank account can easily be raided by an identity thief with knowledge of your account number and SSN. This is also why you should not write checks at local merchants. Nearly all merchants use a third party check approval service, such as Telecheck or Chexsystems. Every time you write a check these companies do more than just approve it. They download into their database your bank account number, drivers license number and amount of check, check number and the name and type of merchant. This information is then resold to marketing companies who can then sell a "personal shopping" profile. The only way to avoid this is to not write checks at stores. Checks can still be used to pay bills by mail. It is also a good idea to not have your actual address on your checks.
The actions you can take as an individual are limited, but the good news is that as more people have their identities stolen and lose access to credit, employment, or even face false arrest, Congress will be forced to address this issue. Until then you can only be careful and hope for the best.
(Monday Through Friday, 8am to 4 pm)