Many of the popular news media have got the most recent ChoicePoint scandal all wrong.
The following are a few headlines (culled from Google News) of stories regarding this issue, including the other similar past incidents now surfacing:
Hackers crack ChoicePoint (The Glove and Mail/AP, Feb. 16, 2005, reg. req'd)
Californians warned that hackers may have stolen their data (USA Today/AP, Feb. 16, 2005)
Report: SoCal thieves stole ChoicePoint records years ago (SignOnSanDiego.com/AP, Mar. 2, 2005)
The persons, admittedly criminals, who gained access to "critical personal data" on hundreds of thousands of U.S. citizens did not steal the data--ChoicePoint sold it to them.
The inaccuracies and inconsistencies in these stories go far beyond the headlines. For instance, the above cited AP article states that "hackers penetrated the company's computer network" and that "several hackers broke into its computer database and purloined data." However, the article continues to describe that the so-called hackers used stolen identites to establish businesses and create about 50 "accounts" with ChoicePoint. This line of explanation stops there, leaving out the next event in the chain, in which ChoicePoint granted these accountholders access to intimate and valuable personal information on hundreds, thousands, millions of U.S. citizens. Some articles, however, get the details mostly right. MSNBC, for example, broke the story as "Database giant gives access to fake firms."
Now, I do not mean to say that what these persons did was right, or legal. First, the use of the personal data to defraud or steal from individuals is certainly illegal, and second, their actions in gaining the data might be criminal under theories of theft by fraud or false pretenses (see, e.g., Cal. Penal Code § 487 (" Every person who shall... fraudulently appropriate property which has been entrusted to him or her... is guilty of theft."). But there was certainly no case of of "hacking" as we normally understand this activity--no skilled computer users breaking through technological security measures to gain access to information they have no "right" to see. In this case, ChoicePoint voluntarily granted access to these accountholders. The real "wrongdoing" here is very complex--it is entwined with ChoicePoint's business practices, practices about which the public remains primarily unaware.
To be fair, ChoicePoint itself is technically honest about the nature of the incident--in an online statement (that I only found through Googling, not through any intuitive or easily discovered link on ChoicePoint's website), ChoicePoint points out that "[t]his incident was not a breach of ChoicePoint's network or a 'hacking' incident, and did not involve any of ChoicePoint's customer information." By customer information, it means information about ChoicePoint accountholders, businesses who purchase consumer information from ChoicePoint. Despite this technical honesty, ChoicePoint has done nothing to widely publicize this popular misconception, and is overall pretty "squishy" about addressing this incident, and more broadly, about discussing how they do business.
So what went wrong here, putting aside the use the criminals made of the information gained from ChoicePoint? The criminals did not hack into ChoicePoint databases, nor did they, by common definition, "steal" any information. The main problem was arguably on ChoicePoint's end--the criminals successfully circumvented ChoicePoint's "tests" for legitimacy of purpose.
To understand what really happened here, you have to know a little bit about ChoicePoint's normal course of business. According to the Electronic Privacy Information Center's ChoicePoint page, the following is a partial list of the information that ChoicePoint sells to businesses (among other entities):
claims history data, motor vehicle records, police records, credit information and modeling services...employment background screenings and drug testing administration services, public record searches, vital record services, credential verification, due diligence information, Uniform Commercial Code searches and filings, DNA identification services, authentication services and people and shareholder locator information searches...print fulfillment, teleservices, database and campaign management services...
Some of this information contains such sensitive information as Social Security Numbers and Drivers License Numbers. According to an interview with ChoicePoint CEO Derek Smith from a Georgia NBC television news affiliate, when a business comes to ChoicePoint requesting to purchase such data, ChoicePoint subjects this business, as a requirement for opening an account, to a "credentialing" process, one he claims is among the most rigorous in the market. Smith characterizes this process as one that is aimed at determining whether the company is a "legitimate business" with a "permissible purpose" in accessing U.S. consumer information. This credentialing process can involve such activites as making sure the business is properly licensed in the state in which it is located, checking to see if the business receives and pays utility bills for business facilities, and sometimes a site inspection, activities which let ChoicePoint know if the entity has a "real likelihood of being a business capable of accessing the information."
This interview with Smith, linked from ChoicePoint's website and clearly intended to inform consumers about the issues and alleviate concerns, leaves many questions unanswered, and Smith is less than thorough in his responses to many of the interviewer's questions. For example, when asked how a company like ChoicePoint could let something like this happen, Smith defends their rigorous credentialing standards, and chalks the fiasco up to the "sophistication of organized crime to infiltrate all American businesses." Although little information has been released about the perpetrators in this case, a similar scam has been revealed to have taken place in 2002--are the "Nigerian-born brother and sister" convicted as a result of that incident the sophisticated members of organized crime Smith refers to?
In fact, Smith has boldly claimed that "ChoicePoint's core competency is verifying and authenticating individuals and their credentials." Yet it appears, from statements he makes later in the interview, that these individuals were able to pass muster by presenting California business licenses alone. Smith gives no indication that of any of the additional safeguards he described earlier were employed.
Smith also stresses the fact that "we were the ones that identified the fact that there appeared to be fraudulent activity taking place, and we notified the California authorities to the fact that we thought something in fact was awry." He does not mention that ChoicePoint was required by law to notify California residents if certain pieces of their personal information are "leaked" or disclosed improperly. It was only after this required disclosure that ChoicePoint voluntarily notified the hundreds of thousands of consumers in other states that their information had been compromised as well.
More importantly, it is VERY unclear what qualifies as a "permissible purpose." When asked, Smith states that permissible uses of information are outlined in regulatory guidelines, without identifying these regulations or what uses they deem permissible. Later in the interview, when asked what he believed to be legitimate uses of the personal data they sell, he gives only one primary concrete example--doing background checks on applicants for employment or volunteer positions, to determine that they are "who they say they are," and that they don't have any criminal record. He also refers vaguely to several cases of ChoicePoint assisting in the tracking of missing or kidnapped children, without giving details about how personal information was used to accomplish this task. Smith makes no mention whatsoever of the activites that make up the great majority of ChoicePoint's business: selling data to direct marketers and law enforcement agencies. Unlike the examples given by Smith, these activities have little to do with the lofty and emotionally resonant purposes of protecting consumers' personal safety.
While the compromising of so many thousands of persons' personal data is truly a tragedy, many hope that this incident will raise awareness of the serious privacy problems presented by the actions of modern commercial data brokers. But the spin put on these issues by ChoicePoint, and picked up by the popular media, is standing in the way of a deep public awareness of the problem. Unspinning these reports is the first step to a solution! As a next step, consider the following--ChoicePoint considers direct marketing and law enforcement investigations to be legitimate uses of your aggregated personal data. Do you agree?
For more information on the various dangers presented by ChoicePoint and similar commercial data brokers, see EPIC's ChoicePoint Page.Posted by Tara Wheatland at March 03, 2005 07:35 PM | TrackBack