Friday, January 27, 2006

ChoicePoint Hit with Fine for Data Breach

January 27, 2006 – Yesterday, the Federal Trade Commission announced that it had reached a settlement agreement to fine ChoicePoint $10 million. The fine is a result of two data breaches last year that exposed personally identifiable financial data of 160,000 consumers to identity thieves. The exposure led to more than 800 cases of identity theft.

ChoicePoint also agreed to pay $5 million into a fund to compensate those who actually became victims of identity theft due their security breaches.

The FTC said that the fine is the largest single civil penalty it has ever imposed on a company. The agency said that ChoicePoint had violated federal laws by mishandling consumer data and misleading consumers on matters of the company’s privacy policy.

ChoicePoint is one the country’s largest data brokers. Companies engaged in this business buy and sell consumer data including names, addresses and Social Security Numbers. ChoicePoint’s database contains this information on most Americans. The data is highly sensitive and can easily be used for identity theft if it falls into the wrong hands.

Last February, ChoicePoint was forced by a California law to begin notifying consumers that their data had been exposed to potential identity thieves. The company was less than honest in its initial announcement, saying that only the data of 30,000 Californians had been exposed. But due to public pressure and media attention, the company was forced to change its story, revising the announcement to say that the data of 145,000 consumers spread across the entire country had actually been exposed. Later in the year, the company experienced a small breach, exposing another 17,000 people.

This first incident has been the impetus behind an effort to more heavily regulate data brokers. It has lead to the passage of laws similar to California’s in twenty states.

Because of the efforts of the states to regulate the industry, ChoicePoint and their competitors have started lobbying Congress. They want Congress to impose much less stringent federal regulations on the industry, and to take the right to regulate the industry away from the states. Unfortunately, the FTC is backing these efforts.

While a variety of privacy rights organizations have come out in support of the action against ChoicePoint, ACCESS is forced to take a much more cynical view. We believe that the fine may simply be an effort by both ChoicePoint and the FTC to show the public that federal regulators can be tough and that state regulation is really not required.

ACCESS disagrees. If not for California’s law, the ChoicePoint incident never would have come to the public’s attention. And if the standard that Congress is currently discussing becomes law, future data breaches are unlikely to become public. Under the most likely federal proposal to become law, all regulatory authority for data brokers would become the responsibility of the FTC. This is the same organization that is currently responsible for stopping identity theft; something which they already proven that they are incapable of doing.

It should also be pointed out that while ChoicePoint’s fine may be the largest in FTC history, it may be inadequate to deal with this incident. It is quite likely that there will be additional cases of identity theft as a result of these two breaches and that exposed consumers will be at risk for years to come.

ACCESS believes that consumers have the right to know when their personal data is mishandled, and that the states should have the right to continue to regulate industry practices within their borders.

Technorati Tags : , , , , , , , , , ,

Wednesday, January 25, 2006

Patriot Act Hits another Roadblock Due to Privacy Issues

January 25, 2006 – Last month, just prior to the Congressional holiday recess, renewal efforts for the Patriot Act ground to a halt. The law, which gives the federal government sweeping search and seizure powers that many believe to be unconstitutional, had sixteen very controversial clauses that were due to expire at the beginning of this year. The Bush Administration had been pushing Congress to renew the law in its entirety, and to make it permanent. But when four Republican senators (a so-called "gang of four") joined with democrats to demand greater protections for individual privacy, they were able to launch a filibuster to prevent a long term renewal of the law. Instead, the Senate and House of Representatives were forced into a compromise that renewed the law until February 3, 2006.

The short term renewal was controversial by itself. Certain members of the Senate had suggested a three month extension of the existing law, but the White House said that they would not accept such a short term renewal that the President Bush would veto it. Then, a conference committee between both houses reached a compromise. They would renew the law for six months. But Congressman James Sensenbrenner (R-WI) shot that idea down saying that the renewal discussions had "ruined" the Christmas recess and that he was not about to have the renewal discussions ruin the Fourth of July recess too. (As an aside, isn’t it nice to know that our elected officials are driven by the important issues of the day?!)

The idea behind the extension was that once the Christmas recess was over, Congress would return and quickly negotiate a compromise bill that would be acceptable to all parties. But the Senate’s gang of four is back, and they are not happy with the House’s version of the law. In the House of Representative, Sensenbrenner is back and he doesn’t like the Senate version, which provides considerably more protection for personal liberty. This combination means that the most likely outcome will be a second extension of the current law.

The White House would like to see a permanent resolution to the dispute. Originally, the Bush Administration was unbending; saying that they would not agree to any changes in the current law. But it is looking more and more likely that they are not going to get everything that they want, so the Administration is now discussing possible compromise legislation.

The primary disagreement is over secret search powers granted to the government. These powers allow the FBI and other law enforcement agencies to conduct "sneak and peak" searches. In this type of search, the subject of the search is never notified that they are being investigated. They are never told that their property, personal possessions and financial records have been searched. And they have limited powers to appeal such a search if they do become aware of it.

Sneak and peak searches can be used to enter your home, seize financial records, seize library records, and to look at the purchases that people are making. They can also be used for wire-taps of regular phone lines and cell phones. If a warrant for a "sneak and peak" search is served on a third party, like your landlord, that person can be sent to prison if he tells you that your home was searched.

The original law also made it illegal for anyone served with this type of warrant to speak with an attorney or to file suit to quash the warrant. But in a defiant move, at least one person who was served such a warrant when to the ACLU and sued the government over their inability to seek a court review. The federal court case resulted in a ruling that declared this provision of the law unconstitutional. In a great irony, most of the records of that case still remain under seal.

At this point it is unclear what will happen with the Patriot Act but it is likely that the House of Representatives will be forced to reach a compromise with greater civil liberties guarantees or face another filibuster in the Senate.

Technorati Tags : , , , , , , , , , , , ,

Tuesday, January 24, 2006

Ameriquest Mortgage to Pay $325 Million Settlement in Predatory Lending Case

January 24, 2006 – Yesterday, Ameriquest Mortgage agree to pay $325 million in restitution to those who had borrowed money from the company. The agreement settles legal disputes with 49 states and the District of Columbia, and is the second largest in US history.

Ameriquest had been accused of using predatory lending practices when making consumer home loans. The company, which is known for making loans to consumers with low credit scores, had provided incentives to its agents to steer consumers into high priced loans that they could not afford to pay back. In some cases, consumers who qualified for lower interest rates were actually placed in high interest rate loans.

The accusations also included encouraging consumers to lie about their income levels so that they could get more money. According to ABC News, some Ameriquest agents were accused of filling out all loan paperwork and falsifying tax documentation in order to help consumers qualify.

As a result of Ameriquest’s actions, consumers have been forced into bankruptcy, lost their homes, and been saddled with debts that they will never be able to repay.

The settlement will provide affected consumers with an average of $600 in repayment. But some consumers who were badly hurt by the company’s actions with not participate in the settlement pool because they are moving forward with their own law suits.

Under the terms of the agreement, Ameriquest had to agree to abide by certain ethical standards of doing business, as well as to monitoring. If the company does not abide by the agreement, the states can file suit against Ameriquest again.

Ameriquest’s loan officers will also be required to make certain disclosures to consumers when they borrow through the company. These include telling consumers the loan interest rate. If the rate is adjustable, they also need to disclose the cap on the interest rate. Additionally, they will have to inform consumers about any prepayment penalties. And Ameriquest will be forbidden from giving loan officers any form of incentive based on the interest rate of the loans they sell.

The settlement agreement comes just as Ameriquest’s founder and largest shareholder, Roland C. Arnall, is due to be confirmed by the full Senate. Arnall was a major campaign contributor to President Bush, and has been nominated by the President to become US Ambassador to the Netherlands.

Arnall had been urged by several members of the Senate Foreign Relations Committee to settle the suit prior to his confirmation vote. He played a principle role in the negotiation process and issued an apology for his "misdeeds". It should be noted that under the terms of the agreement, Ameriquest itself denied any wrongdoing.

Technorati Tags : , , , , ,

Monday, January 23, 2006

Google Defies Government on Privacy Issues

Google, the 800 pound gorilla of search engines, is defying a subpoena by the justice department. The government is demanding that the company turn over one full week of user search data. But Google has said that it will fight the subpoena "vigorously" because the company fears the ramifications to privacy for the twelve million people who use the company’s website every single day.

The Justice Department’s request for search data is actually several month old, and involves companies other than Google. Yahoo has already admitted to having turned the requested records over the government. MSN and AOL also received similar requests. Only Google has refused to comply.

The original request to each company was for a full two months of data. After extensive negotiations, the government request was narrowed down to a single week of search data which was to be scrubbed of personally identifiable information. But Google believes that even this data could be used to identify certain individuals.

The subpoenas were issued in an attempt to by the Bush administration to overturn a Supreme Court ruling on the Child Online Protection Act (COPA). COPA required that all website that feature adult oriented material require a credit card from those wanting to view the material. The theory behind the law was that anyone with a credit card would be at least 18 years of age.

When the law finally came before the Supreme Court, the court ruled that the credit card provision of the law was a restriction on free speech. But rather than ruling that the provision was unconstitutional, the court left the door open. If the Government could show that internet filtering software was less effective at protecting children from pornography than the credit card requirement in COPA, the government might be able to implement the law as it was originally written.

So the Justice Department decided to subpoena the records of search engines to show that search results routinely contained pornographic materials. They may also be attempting to show that internet users routinely search for online pornography.

"The reason they're asking for the data is that they want to be able to say, 'Look, this is how much porn is potentially reached online,'" says Danny Sullivan, editor of Search Engine Watch, an industry newsletter. "But next time, they might come in and ask for data that does contain personal information. That serves as a wake-up call for people." And this is Google’s fear, along with fears of virtually every privacy advocate in the country.

Kurt Opsahl, a staff attorney for the Electronic Frontier Foundation (

EFF

) told a reporter for NPR that, "All the search engines have created a honey pot of information about people and what they search for. It's a window into their personalities -- what they want, what they dream about. This information gets stored, and that becomes very tempting."

The government’s subpoena can not be taken lightly by anyone who values privacy. Search engines store vast amounts of data on users, including the sites that they visit, how often they search, what they search for and what they click on. Much of this information can be traced back to the computer from which the search was conducted, even if the user has not provided personal data to the search engine.

While it is not unusual for search engines to provide information requested by a subpoena, the scope of the current government request is significantly larger than most. Subpoenas normally order search engines to provide documentation on the user habits of a particular individual. This subpoena could impact virtually all Google users.

For those who want to insure their privacy, there are several services available that can completely mask their user information. The EFF has been pushing the development of

TOR, which provides complete anonymity to internet users for free but which is agonizingly slow even on a broadband connection. There are also a variety of paid services including FindNot, ipEliminator and Anonomizer. The paid services pricing begins at around $10 per month.

Technorati Tags : , , , , , , , , , ,