Friday, February 10, 2006

Secure Flight Dies Again


Yesterday, the Transportation Security Administration suspended work on Secure Flight; the agencies long awaited and very expensive airline passenger screening system. Development work on the system has been plagued with trouble for the past four years. And the system has faced stiff opposition from consumers concerned about privacy. But if Secure Flight has proven anything, it’s been that it has more lives than most cats. So is this the end of the program? Unfortunately the answer is, “Probably not.”

Secure Flight is supposed to replace the current airline passenger screening system known as CAPPS. The CAPPS system is simply a watch list provided to the airlines by the government to screen for terrorists. Airlines check passenger names against the watch-list. If your name matches one on the list, then you are pulled aside and searched. You may even be barred from flying.

But CAPPS is not known for being accurate. In fact, Senator Ted Kennedy has been stopped and searched on numerous occasions because his name is similar to someone else who is on the list. The same has been true for several other members of Congress. Airlines have even prevented some babies from flying with their parents because their names are similar or identical to the names of known terrorists.

In the days after 9/11, Congress authorized the development of a new and supposedly better system that was to be known as CAPPS II. The new system was supposed to be more accurate and faster. The CAPPS II quickly ran into grass roots opposition when it was discovered that the TSA was populating the system with data from credit reports and commercial databases, and then testing it against actual passenger records provided by jetBlue.

A firestorm of controversy ensued. Congress put in place a ten point privacy test that CAPPS II had to be able to pass for any further testing to be done. But even though CAPPS II failed the test on two separate occasions, the TSA continued to test and then lied to Congress about it. This eventually led to the demise of the program.

But within a couple of months of CAPPS II’s death, Secure Flight was born. Secure Flight actually got its name because a lot of people in Washington thought that CAPPS II’s name had a lot to do with opposition to the program. So the marketing geniuses at the TSA came up with “Secure Flight” in the hopes that the public would support it.

Secure Flight was built on exactly the same technology that CAPPS II had tried to use. The only real difference between the programs was that the TSA announced that Secure Flight would not use credit report or commercial database data in the initial roll out of the program. But they reserved the right to use that data at a later time.

Grass roots opposition was almost immediate. Once again, Congress implemented its ten point privacy test. And again the program failed multiple times. And again, the TSA tested it in violation of the law and then lied to Congress about it.

Just last week, the TSA announced that it would begin commercial testing of Secure Flight with two airlines this coming summer. The only thing holding that plan up was certification by the Government Accountability Office (GAO) that the program now met the congressional litmus test standards for privacy. But there were apparently some problems there.

Apparently it was discovered that hackers had gained access to the Secure Flight database, even prior to the programs roll out. We say apparently because the TSA will not confirm that this actually occurred, but in their announcement that placed the program on hold, they said it was a possibility. When pressed further, a spokesperson for the TSA, Amy von Valter, told reporters, “We don’t believe any passenger information has been compromised.” One can only speculate that this means the system has already been hacked.

Cathleen Berrick, the investigator for the Government Accountability Office, said in written testimony that “TSA may not have proper controls in place to protect sensitive information.”

And the lack of privacy controls surrounding Secure Flight has been the programs biggest problem. The TSA has refused come up with a privacy policy for the program. They have refused to say that the program will not be expanded and used for other purposes. And they have refused the idea of excluding commercial database data and credit reports as data to scan. This type of data is notoriously inaccurate.

Beyond these things, the TSA hasn’t even been able to come up with policies to define how Secure Flight would be used in a commercial airline environment.

So far, the TSA has wasted $150 million tax payer dollars on Secure Flight. They also wasted more than $100 million on CAPPS II. It’s time for Congress to kill Secure Flight for good. Whether or not they will remains to be seen.

Technorati Tags : , , , , , , , , , , ,

Thursday, February 09, 2006

Illinois Becomes First State to Launch Identity Theft Hotline

February 9, 2006 – Illinois Attorney General Lisa Madigan has announced that her office has launched an identity theft hotline. The hotline will be staffed with consumer advocates, with the specific task of assisting victims with repairing their credit. It is the first service of its kind offered by any state in the country.

 

Use of the hotline will not cost consumers anything and they can use it as often as needed. The advocates answering calls have been specifically trained to assist consumers in disputing fraudulent charges and in dealing with creditors. They are also trained to help consumers avoid any further victimization by helping them place fraud alerts on their credit files, or providing information about how to enact a credit freeze. Advocates will also assist consumers with filing police reports with the appropriate law enforcement agencies.

 

"Identity theft victims are faced with an overwhelming recovery process…” Madigan said. "The new Identity Theft Hotline is intended to provide immediate counseling to help victims navigate a safe path to restored credit. The goal of this hotline is to provide direction, help and peace of mind."

 

In 2005, the FTC received 11,157 identity theft complains from citizens of Illinois. This accounted for 43% of the total consumer complaints that the FTC received from citizens of the state.

 

The hotline is part of a more comprehensive plan by Madigan’s office to combat identity theft. Her office is distributing brochures to consumers to inform them of all of the identity theft services available through the Attorney General, and they have prepared an Identity Theft Resources Guide. The guide provides consumers specific instructions to help them through the credit repair process.

 

Illinois citizens can reach the hotline by calling 1-866-999-5630.

 

Technorati Tags : , , , , , ,

Wednesday, February 08, 2006

Canadian Data Protection Laws Significantly Stronger than U.S.

In the United States we have the Social Security Number. Unfortunately, access to Social Security Numbers is all too common, and the results can be devastating. Identity theft and ruined credit. The inability to get or keep a meaning full job. In the worst cases, severe stress that leads to breakup of families.

 

Because the banking lobby has its hand so deep in Congressional pockets that it may never see the light of day again, federal lawmakers have been unwilling to implement laws to protect consumers. In fact, late in 2003 both Congress and the White House significantly weakened the ability of the states to protect the personal privacy of their citizens. That’s when a President Bush signed the Fair and Accurate Credit Transactions Act. This law specifically forbids the states from passing any privacy laws that prevent credit grantors from sharing consumer data with their affiliates.

 

But our neighbor to the north is setting a different example. Like the United States, Canada has its version of the Social Security Number. In Canada it is called a Social Insurance Number (SIN) and there are strict limitations on those who can demand to see it.

 

Banks, brokerage houses, trust companies and credit unions are required to ask customers for their SIN. The government uses is for tax reporting purposes. In fact, according to the Canadian Privacy Commission, an official branch of the Canadian Government, “No private-sector organization is legally authorized to request customers' SINs for purposes other than income reporting.”

 

Even credit reporting companies can’t demand a SIN to generate a credit report. Trans Union Canada and Equifax Canada both have the ability to generate such reports without a SIN. If you ask these same companies to generate a credit report in the United States, they both require a Social Security Number.

 

Companies without a need for access to a Canadian consumer’s SIN can still ask for it. They are however supposed to tell consumers that the information is optional. And they are not allowed to deny consumers services or to refuse sale simply because a SIN is not supplied.

 

All of this begs the question of whether or not these data protections actually help Canadians control cases of identity theft. The answer is largely dependent upon who you ask. Like Americans, Canadians will tell you that identity theft is out of control. And, just as in the United States, identity theft is the fastest growing form of financial crime. This however appears to be where the similarities end.

 

Canada is a country with roughly 10% of the population of the United States. Based on that figure, roughly 80,000 Canadians would have had to become identity theft victims last year for them to keep pace with the United States. As it turns out, Canada has not consolidated its statistics for identity theft. Even so, estimates are that Canada only experienced around 20,000 cases of identity theft last year. Moreover, the costs to the Canadian economy are still measured in millions of dollars, rather than the $54 Billion price tag associated with US cases.

 

The reason for the discrepancy is most likely due to the difficulty that would-be thieves have in getting their hands on Canadian SINs. The black market rate in Canada right now for a SIN along with a copy of a birth certificate is $50,000 CAN (approximately $30,000 US dollars). This means that to be an ID thief in Canada, you have to invest some money to get started. In the United States however, anyone can get their hands on a Social Security Number for less than $100. Experienced thieves can gain access to this information for nothing.

 

If the United States is serious about wanting to control cases of identity theft, perhaps our legislators should look north of the boarder for assistance. Canada may not have been able to stop all cases of ID theft, but they are far ahead of the United States in enacting policies that favor their citizens rather than caving to business interests.

 

Technorati Tags : , , , , , , ,

Tuesday, February 07, 2006

Property Casualty Insurers of New York Take Chicken Little Approach to Fight Credit Freeze Law

If you remember the story of Chicken Little, when walking through the woods she was hit on the head with an acorn. She immediately jumped to the conclusion that the sky was falling and ran to inform the king. She obviously overreacted and was dead wrong. But Chicken Little’s approach of jumping to the wrong conclusion still holds merit according to the Property Casualty Insurers (PCI) of New York. PCI has chosen the Chicken Little argument as a means to fight proposed credit freeze legislation in the state. And just like Chicken Little, PCI is dead wrong too!

 

Insurance Journal reported that Kristina Baldwin (a.k.a. Chicken Little) said, “enacting credit freeze provisions in New York would most likely result in increased costs, burden and inconvenience both for the consumer and for businesses operating in New York State with only minimal resulting consumer benefits." Baldwin, who is the regional manager for PCI made her comments to a joint meeting of the New York Senate Consumer Protection Committee and the Assembly Consumer Affairs and Protection Committee.

 

Baldwin argued that federal law offers enough in the way of consumer protection; allowing consumers to have their accounts flagged for 90 days using a fraud alert and to have errors removed from their credit reports. Her comments are erroneous, misleading and ignore a number of facts recently published in an FTC study.

 

Credit freeze laws are currently in place in 11 states. None of these states have experienced an economic collapse (also known as a “falling sky”) as a result. These laws are widely viewed as the only reliable way to prevent identity theft.

 

Baldwin is correct in asserting that federal law allows consumers to flag their accounts for fraud. But as if speaking in half-truths, she failed to mention that merchants are not bound to stop credit applications simply because a flag exists. Many merchants simply ignore these flags. They are not provided with that luxury when a credit freeze is in place because they can’t gain access to the consumer’s credit file unless the consumer lifts the freeze.

 

Her contention that consumers can have falsely or fraudulently reported items removed from their credit report is also true. But she failed to be completely honest and tell the entire story. When fraudulent items wind up on a person’s credit report, it is up to the consumer to prove that he or she is a victim of fraud. In cases of identity theft, victims can be hit with dozens of fraudulent purchases and forced to prove that each purchase was due to fraud. It is a process that can take more than a year to complete, and in the mean time the consumer has to deal with the consequences of bad credit.

 

Within the past month, the FTC has published 2005 identity theft statistics that indicate that the tide may be turning on identity theft. Nationwide, the increase in the number of identity thefts dropped to just 3.5%. In California, one of the few states that had a credit freeze law in place for the entire 2005 calendar year, the growth rate was held to just 3%.

 

The fact is that strong consumer legislation at the state level, allowing credit freezes and forcing companies to notify consumers when their personal data is inadvertently exposed, is having a significant impact on the growth rate of identity theft. According to the FTC, the growth rate in 2004 for this form of fraud was 15% and in 2003, it was 33%.  Unfortunately, companies and industry groups have fought virtually every one of the laws that are responsible for this reduction in the identity theft growth rate. PCI appears to be making the same mistake.

 

PCI’s position is based on the idea that consumer’s are stupid. That they will not make necessary purchases if they have to lift a credit freeze. The evidence in states that currently have such laws does not support their position. PCI’s argues that credit data is required by so many companies in order to conduct business that it should be freely available to them, doesn’t hold water either. It ignores the fact that consumer’s should be able to protect their privacy, even if companies don’t like it.

 

As New York legislators consider their positions on credit freezes, ACCESS would like them to make note of the words of Utah State Senator Sheldon Killpack as they make up their minds. He said, "My wife had her purse stolen out of her vehicle. What a treat that was. It was like a month-long root canal." Utah is also moving forward with credit freeze legislation.

 

Technorati Tags : , , , , , , ,