Category: Privacy (Consumer Privacy)


Ranking Banks Based on Incidents of Identity Theft

Chris Hoofnagle just released a new report entitled Measuring Identity Theft at Top Banks. In the report, he ranks the top 25 US banks according to their relative incidence of identity theft. The report is based on consumer-submitted complaints to the FTC where the victim identified an institution.

In a previous paper called Identity Theft: Making the Unknown Knowns Known, Chris argued that there should be mandatory public disclosure of identity theft statistics by banks. Since the financial institutions don’t currently release such data, we have no idea which institutions are being more effective at reducing identity theft than others.

For his new paper, Chris made a FOIA request last year to the FTC for two years of consumer complaint data. The FTC found it too burdensome to release two years’ worth of data, so “the request was limited to three randomly-chosen months in 2006, January, March, and September. These months included data from 88,560 complaints, with 46,262 names of institutions were identified by victims.” Chris’s paper is based on an analysis of this data.

From the abstract:

There is no reliable way for consumers, regulators, and businesses to assess the relative incidence of identity fraud at major financial institutions. This lack of information prevents more vigorous competition among institutions to protect accountholders from identity theft. As part of a multiple strategy approach to obtaining more actionable data on identity theft, the Freedom of Information Act was used to obtain complaint data submitted by victims in 2006 to the Federal Trade Commission. This complaint data identifies the institution where impostors established fraudulent accounts or affected existing accounts in the name of the victim. The data show that some institutions have a far greater incidence of identity theft than others. The data further show that the major telecommunications companies had numerous identity theft events, but a metric is lacking to compare this industry with the financial institutions.

This is a first attempt to meaningfully compare institutions on their performance in avoiding identity theft. This analysis faces several challenges that are described in the methods section. The author welcomes constructive criticism, suggestions, and comments in an effort to shine light on the identity theft problem.

This is a fantastic endeavor, as more information on how institutions are protecting against identity theft is sorely needed. Chris admits that his study has some limitations and could be improved if financial institutions would supply more information to the public. But based on the information Chris could find out, this report is quite revealing. Hopefully, it will spark more transparency from financial institutions in the future.

Here is one of many charts in the paper. The chart below is of incidents of identity theft relative to the size of each institution.

[Chart: hoofnagle-rate-banks.png]


Coming Back from the Dead

Lazarus had it easy. Not so for Laura Todd, who has been trying to come back from the dead for nearly a decade. According to WSMV News in Nashville:

According to government paperwork, Laura Todd has been dead off and on for eight years, and Todd said there’s no end to the complications the situation creates.

“One time when I (was) ruled dead, they canceled my health insurance because it got that far,” she said.

Todd’s struggle started with a typo at the Social Security administration. She said the government has assured her since the problem that they have deleted her death record, but she said the problems keep cropping up.

On Wednesday, the IRS once again rejected her electronic tax return. She said she’s gone through it before.

“I will not be eligible for my refund. I’m not eligible for my rebate. I mean, I can’t do anything with it,” she said.

Channel 4’s Nancy Amons first reported about Todd’s ordeal last week, but Amons has since found out more about how common the problem is.

According to a government audit, Social Security had to resurrect more than 23,000 people in a period of less than two years. The number is the approximate equivalent to the population of Brentwood.

The audit said the lack of documentation in the Social Security computer makes it impossible for the government’s auditors to determine if the people are dead or alive.

But some of those who are alive have found more complications after their resurrection.

Illinois resident Jay Liebenow was also declared dead. He said Todd is now more vulnerable to identity theft because after someone dies, Social Security releases that person’s personal information on computer discs. He said the information is sold to anyone who wants it, like the Web site Ancestry.com.

One of the problems with modern recordkeeping is that although computers make things more efficient, they compound the effects that errors have on people’s lives. The difficulty is that the law currently does not afford people sufficient power to clean up mistakes in their records. Since information is so readily transferred between entities, an error that is corrected in one database has often migrated to another database before the correction. The error doesn’t die. Instead, you do.

Responsibility should be placed on every entity that maintains records to ensure that information is correct and that errors are promptly fixed. Moreover, when information is shared with others, the one sharing the information should have duties to inform the others of the error; and those receiving the data should have a duty to check for corrections in the data from the source.

Right now, we’re living in a bureaucratic data hell, and that’s because there aren’t sufficient incentives for entities to be careful with the records they keep about people.

Image: The Resurrection of Lazarus by Vincent van Gogh, 1889-90, from Wikicommons.


Facebook Applications: Another Privacy Concern

Recently, I’ve been complaining about Facebook’s mishaps regarding privacy. Back in 2006, Facebook sparked the ire of over 700,000 members when it launched News Feeds. In 2007, Facebook launched Beacon and Social Ads, sparking new privacy outcries. An uprising of Facebook users prompted Facebook to change its policies regarding Beacon. For more about Facebook’s recent privacy issues, see my post here.

But that’s not all. Over at CNET, Chris Soghoian reports about some severe privacy concerns with Facebook applications. An application (or “app” for short) is a program that is created by a third party that adds interesting features to one’s profile. These apps have become quite popular with Facebook users. But they come with some very serious potential dangers. Soghoian writes:

[A] new study suggests there may be a bigger problem with the applications. Many are given access to far more personal data than they need to in order to run, including data on users who never even signed up for the application. Not only does Facebook enable this, but it does little to warn users that it is even happening, and of the risk that a rogue application developer can pose. . . .

In order to install an application, a Facebook user must first agree to “allow this application to…know who I am and access my information.” Users not willing to permit the application access to all kinds of data from their profile cannot install it onto their Facebook page.

What kind of information does Facebook give the application developer access to? Practically everything. . . .

The applications don’t actually run on Facebook’s servers, but on servers owned and operated by the application developers. Whenever a Facebook user’s profile is displayed, the application servers contact Facebook, request the user’s private data, process it, and send back whatever content will be displayed to the user. As part of its terms of service, Facebook makes the developers promise to throw away any data they received from Facebook after the application content has been sent back for display to the user.

So when you use a third party application, you basically must put your trust in that third party to follow Facebook’s rules in good faith. In other words, Facebook users use applications at their own risk.

But what if an application is created by some hacker in Russia? Or is designed by a creepy child molester to harvest people’s personal information? Should Facebook be doing more to protect users against the bad-apple application developers?

Soghoian notes that in many cases, applications are being given access to much more personal data than they actually need to function:


Facebook’s Beacon, Blockbuster, and the Video Privacy Protection Act


The news has been buzzing lately about Facebook’s Beacon, where participating websites share personal information with Facebook. Beacon originally had a poor notice and opt-out policy, but after significant public criticism, Facebook changed to an opt-in policy. Even under the new opt-in policy, however, the participating companies are still turning data over to Facebook, and that spells potential trouble for at least one of the 40 companies in the Beacon program — Blockbuster Video.

Over at Laboratorium, Professor James Grimmelmann (NY Law School) has an excellent post arguing that Blockbuster’s participation in Facebook’s Beacon violates the Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710. James writes:

The VPPA states:

A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable….

18 U.S.C. § 2710(b)(1). The important first question is who’s a “video tape service provider.” That’s defined in paragraph (a)(4):

[T]he term “video tape service provider” means any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials. . . .

Blockbuster clearly qualifies as a video tape service provider. To the extent it transmits information to Facebook about a customer’s video purchases — no matter what Facebook ultimately does with that data (i.e. regardless of whether it appears in a person’s profile, is stored by Facebook in a database, or is deleted), Blockbuster could be liable under VPPA. The statute is an opt-in statute, requiring that the customer provide “informed written consent . . . at the time the disclosure is sought” in order for the disclosure to be permissible.

James also analyzes whether Facebook could be liable as well:

There’s the joint enterprise theory; since Facebook and Blockbuster acted together, and Blockbuster is liable, so too is Facebook. There’s a split in the VPPA caselaw as to whether liability runs only against the video tape service provider, or can run also against the person who induced the disclosure.

James concludes:

Put this all together, and the legal situation looks a bit bleak for Facebook and Blockbuster. The VPPA provides damages of $2,500 per violation, plus punitive damages and attorneys’ fees. I have no idea how many movies wound up in people’s news feeds, but it doesn’t have to be too many for the total to hurt. Class action lawyers, start your engines.


Facebook — the New DoubleClick?

I previously complained about Facebook’s Beacon and Social Ads, and last week Facebook appeared to back down (at least from Beacon) by changing its policy and having users opt in before their activities on other websites are broadcast on their profiles. I applauded Facebook’s change of heart.

But there are more disturbing aspects of Beacon that have not been changed. According to Macworld:

If you think that just because you have never signed up for Facebook you’re immune to the tracking and collecting of user activities outside of this popular social networking site, think again.

Facebook’s controversial Beacon ad system tracks activities from all users in its third-party partner sites, including from people who have never signed up with Facebook or who have deactivated their accounts, CA has found.

Beacon captures detailed data on what users do on these external partner sites and sends it back to Facebook along with users’ IP addresses, Stefan Berteau, senior research engineer at CA’s Threat Research Group, said Monday in an interview.

This happens even if users delete the Facebook cookie. “The Facebook Javascript [code] is still called by the affiliate site and the information is passed in,” he said. In the case of users without accounts or with deactivated accounts, the data isn’t tied to a Facebook ID, he said.

However, it is well-known that IP addresses provide a variety of information about users, and have in some cases been used to identify individuals.

The information captured by Beacon in these cases includes the addresses of Web pages visited by the user and a string with the action taken in the partner site, Berteau said. . . .

Over the weekend, Facebook confirmed that Berteau’s report on Friday was accurate, but said that it deletes the data it gets under these circumstances.

Still, Friday’s findings deepened the privacy concerns surrounding Beacon since its introduction several weeks ago. And the admission Monday added to the concerns, since it contradicted what had, until then, been the official company line about this issue.

For more, see Michael Zimmer’s post.

A while back, DoubleClick generated many privacy complaints. DoubleClick used information about people’s websurfing habits to target ads on various websites. Facebook’s Beacon appears to be a related incarnation of the DoubleClick advertising model.

Facebook is not the only one to blame with Beacon. About 40 websites participate in the Beacon program, including:


Facebook Listens and Responds

I’m quite pleased to learn that Facebook has come to a privacy epiphany. I’ve been blogging a lot lately about the privacy problems with Facebook’s new features — Beacon and Social Ads:

* Facebook’s Beacon: News Feeds All Over Again?

* The Facebook-Fandango Connection: Invasion of Privacy?

* Facebook and the Appropriation of Name or Likeness Tort

* The New Facebook Ads — Starring You: Another Privacy Debacle?

Facebook recently announced that it is changing the way it obtains people’s consent before it uses or discloses their personal information. In particular, its change in policy involves Beacon. According to the AP:

More than 40 different Web sites, including Fandango.com, Overstock.com and Blockbuster.com, had embedded Beacon in their pages to track transactions made by Facebook users.

Unless instructed otherwise, the participating sites alerted Facebook, which then notified a user’s friends within the social network about items that had been bought or products that had been reviewed.

Facebook thought the marketing feeds would help its users keep their friends better informed about their interests while also serving as “trusted referrals” that would help drive more sales to the sites using the Beacon system.

But thousands of Facebook users viewed the Beacon referrals as a betrayal of trust. Critics blasted the advertising tool as an unwelcome nuisance with flimsy privacy protections that had already exasperated and embarrassed some users.

Some users have already complained about inadvertently finding out about gifts bought for them for Christmas and Hanukkah after Beacon shared information from Overstock.com. Other users say they were unnerved when they discovered their friends had found out what movies they were watching through purchases made on Fandango.

Peter Lattman of the WSJ Blog was among those caught off guard by Beacon, when he discovered to his dismay that Facebook had announced to his friends that he bought tickets to Bee Movie on Fandango.

According to the New York Times:

Under Beacon, when Facebook members purchase movie tickets on Fandango.com, for example, Facebook sends a notice about what movie they are seeing in the News Feed on all of their friends’ pages. If a user saves a recipe on Epicurious.com or rates travel venues on NYTimes.com, friends are also notified. There is an opt-out box that appears for a few seconds, but users complain that it is hard to find.

The New York Times story explains Facebook’s change in policy:


Facebook’s Beacon: News Feeds All Over Again?

I recently blogged about Facebook’s Beacon, which adds information about users’ purchases at participating external websites, such as Fandango, to their profiles. Beacon is starting to spark a privacy outcry among Facebook users. From the AP:

Some users of the online hangout Facebook are complaining that its two-week-old marketing program is publicizing their purchases for friends to see.

Those users say they never noticed a small box that appears on a corner of their Web browsers following transactions at Fandango, Overstock and other online retailers. The box alerts users that information is about to be shared with Facebook unless they click on “No Thanks.” It disappears after about 20 seconds, after which consent is assumed.

Users are given a second notice the next time they log on to Facebook, but they can easily miss it if they quickly click away to visit a friend’s page or check e-mail.

Back in 2006, Facebook rolled out a new feature called News Feeds that sparked a privacy outcry among its users and prompted Facebook to issue a letter of apology. Perhaps it is deja vu all over again with Beacon. According to the AP story:

Users are able to decline sharing on a site-by-site basis, but can’t withdraw from the program entirely. . . .

Liberal advocacy group MoveOn.org formed a protest group Tuesday and had more than 6,000 members by Wednesday. The group is calling on Facebook to stop revealing online purchases and letting companies use names for endorsements without “explicit permission.”

“We want Facebook to realize that their users are rightly concerned that private information is being made public,” MoveOn spokesman Adam Green said, adding that Facebook could quell concerns by seeking “opt in” consent rather than leaving it to users to “opt out” by taking steps to decline sharing.

Maybe Facebook should realize something that strikes many as common sense — if people want something to appear in their profiles, they’ll put it there themselves.


The Facebook-Fandango Connection: Invasion of Privacy?


Facebook recently rolled out a new advertising program called Social Ads, where Facebook users’ images, names, and words are used to help advertise products and services. I blogged about Facebook’s Social Ads here and here, contending that they are likely a violation of the tort of appropriation of name or likeness as well as the right to publicity tort.

Peter Lattman at the WSJ Blog has a great new post about Facebook that throws in another even more troubling wrinkle:

Last Sunday the Law Blog purchased three tickets to “Bee Movie” on Fandango, the movie site. After we did this, Facebook automatically updated our profile to say, “Peter bought ‘Bee Movie’ on Fandango.”

Huh? Did we want everyone on Facebook to know our movie-buying habits? Not really. But it seems we agreed to this. According to Fandango’s privacy policy, which we agreed to by using the site, “If you are a member of a social network service (such as Facebook, MySpace, etc.) or you use other Internet sites where you have authorized them to gather information about your online behavior on Fandango . . . Fandango may share information regarding your activities . . . with those third parties pursuant to your authorization.”

Then we checked out our privacy settings on Facebook. Under “Privacy Settings for External Websites,” there’s a Fandango icon, indicating that we’ve agreed to have our actions on Fandango sent to our Facebook profile. We changed our profile, mandating that they never — never! — do this again.

This case illustrates why the current legal regime regulating personal information at most websites is so deeply flawed. The default settings are set to allow information sharing and disclosure, with users often completely unaware of how their information is going to be used. Businesses frequently tout how they are protecting privacy by providing users with “notice and choice” about how their information will be collected, used, and disseminated. Yet the system rarely results in informed consumers or meaningful choices.

So imagine: You go to Fandango and buy tickets to see a movie — and then all of a sudden your purchase is being revealed publicly to everybody you know on Facebook. You probably didn’t even know that Facebook had this deal with Fandango. What if more websites like Fandango start to collude with Facebook? Does this mean that every time we visit a website, every time we make a purchase, the information starts showing up in our Facebook profiles and on our friends’ Facebook profiles?

At least Social Ads, as I understood it, involved people publicly stating they liked or used a product. This is still problematic, for the reasons I discussed in my posts — being used in an ad unwittingly is a harm even if one has publicly praised the things being advertised in the past. But now Facebook is taking things one step beyond by exposing people’s personal information to the public. Perhaps Peter Lattman doesn’t want the world to know that he saw Bee Movie. Perhaps he does. But this is something he should decide, not the corporate officials at Facebook or Fandango.

“Poor Peter,” Fandango and Facebook will say, “But you should have read our privacy policies! It’s all your fault Peter.” Fandango’s privacy policy states:


Facebook and the Appropriation of Name or Likeness Tort

A few days ago, I posted about Facebook’s new Social Ads and I argued that they might give rise to an action under the appropriation of name or likeness tort. The most common formulation of the appropriation tort is defined in the Restatement (Second) of Torts § 652C: “One who appropriates to his own use or benefit the name or likeness of another is subject to liability to the other for invasion of his privacy.”

A related tort, a spin-off of appropriation, is the “right of publicity,” which is defined by the Restatement (Third) of the Law of Unfair Competition § 46: “One who appropriates the commercial value of a person’s identity by using without consent the person’s name, likeness, or other indicia of identity for purpose of trade is subject to liability for [monetary and injunctive] relief.”

These two torts have sometimes been confused with each other, but the basic difference is that appropriation protects one’s dignitary interests in not desiring to have one’s identity exploited and used for another’s benefit whereas the right of publicity protects a person’s property interest in the commercial value of her identity.

Both torts are potentially applicable to Facebook’s Social Ads.

Over at Digital Daily, John Paczkowski discusses my post and adds:

Now Facebook claims no personally identifiable information is shared with an advertiser in creating a Social Ad. “Facebook has always empowered users to make choices about sharing their data, and with Facebook Ads we are extending that to marketing messages that appear on the site,” the company explains. “Facebook users will only see Social Ads to the extent their friends are sharing information with them.” That’s certainly a thoughtful assurance. But it doesn’t exactly address the issue of Facebook appropriating user identities for its own benefit.

At the NYT’s Bits, Saul Hansell discusses the response of Chris Kelly, the chief privacy officer of Facebook:

Mr. Kelly said the advertisements are simply a “representation” of the action users have taken: choosing to link themselves to a product. He added that in many states, consenting to something online is now seen as the equivalent of written consent.

And he argued that it would be difficult for someone used in one of these ads to object because that person had already chosen to publicly identify themselves with the brand doing the advertising.

“We are fairly confident that our operation is well presented to users and that they can make their own choices about whether they want to affiliate with brands that put up Facebook pages,” Mr. Kelly said.

I don’t agree with Kelly’s take on the law. Suppose Michael Jordan says on national TV that he likes Wheaties. Does this allow Wheaties to use his image on its cereal box or in a commercial? The answer is no. The fact that Jordan says he likes Wheaties can be used in a news story; it can be used in a biography of Jordan. But it cannot be used in a commercial advertisement. Comment (c) to the Restatement’s section on appropriation states that “the defendant must have appropriated for his own use or benefit the reputation, prestige, social or commercial standing, public interest or other values of the plaintiff’s name or likeness.” That’s exactly what’s being done with Social Ads. They are not merely reporting facts (which is ok under appropriation and publicity); instead, they are using the reputation and standing of people to promote commercial products and services.

The fact that a person publicly states that she likes a product is not equivalent to that person’s consent to be used in an advertisement. Otherwise, Coca Cola could snap a photo of a celebrity drinking a can of Coke and then use the photo in its ad campaign without paying the celebrity. That celebrity’s lawyers would be licking their chops if that were to happen.


The New Facebook Ads — Starring You: Another Privacy Debacle?

Facebook recently announced a new advertising scheme. Instead of using celebrities to hawk products, it will use . . . you! That’s right, pictures of you and your friends will appear on Facebook ads to make products more enticing to Facebook customers.

As Facebook’s website describes its new “Social Ads” program:

Facebook Social Ads allow your businesses to become part of people’s daily conversations. Ads can be displayed in the left hand Ad Space — visible to users as they browse Facebook to connect with their friends — as well as in the context of News Feed — attached to relevant social stories. The social stories, such as a friend’s becoming a fan of your Facebook Page or a friend’s taking an action on your website, make your ad more interesting and more relevant. Social Ads are placed in highly visible parts of the site without interrupting the user experience on Facebook.

Here’s the sample ad that Facebook includes on its social ad description page:

[Image: facebook-social-ad.jpg]

According to the NY Times:

Facebook wants to put your face on advertisements for products that you like.

Facebook.com is a social networking site that lets people accumulate “friends” and share preferences and play games with them. Each member creates a home page where he or she can post photographs, likes and dislikes and updates about their activities.

Yesterday, in a twist on word-of-mouth marketing, Facebook began selling ads that display people’s profile photos next to commercial messages that are shown to their friends about items they purchased or registered an opinion about.

For example, going forward, a Facebook user who rents a movie on Blockbuster.com will be asked if he would like to have his movie choice broadcast out to all his friends on Facebook. And those friends would have no choice but to receive that movie message, along with an ad from Blockbuster.

At this point in reading the article, it seems as though participation in the ads (by the person being used in the ad) is fully consensual. But the article goes on to say:
