Category: Privacy (ID Theft)


People Want Strong Punishments for Privacy Violations

People believe that privacy violations should be punished — and quite stringently.  There are interesting survey results in a new report by Chris Hoofnagle, Jennifer King, Su Li, and Joseph Turow, How Different are Young Adults from Older Adults When it Comes to Information Privacy Attitudes and Policies?

The report focuses primarily on comparing the attitudes of the young with older people and concluding that there isn’t much of a divergence.  I blogged about it here.

There is other data in the report worth talking about that I fear will be lost in the headlines about how the young are similar to the old.  And this data is quite interesting:

“If a company purchases or uses someone’s personal information illegally, about how much—if anything—do you think that company should be fined?”

The vast majority of people of all ages (69%) said the fine should be greater than $2500.  They were given choices of $100, $500, $1000, $2500, and more than $2500.

“Beyond a fine, companies that use a person’s information illegally might be punished in other ways. Which ONE of the following ways to punish companies do you think is most important?”

“The company should be put out of business.”  — 18%

“The company should fund efforts to help people protect privacy.”  — 38%

“Executives who are responsible should face jail time.” — 35%

“The company should not be punished in any of those ways.” — 3%

“It depends.”  — 2%

“Don’t know/refused.” — 4%


How Identity Theft Is Like the Ford Pinto

A hapless victim of identity theft

Professor James Grimmelmann likes to shop at Kohl’s.  So much so that he applied for credit at Kohl’s.  And he got it.

The problem is that James Grimmelmann didn’t really apply for anything.  It was an identity thief.

Grimmelmann was a participant in Chris Hoofnagle‘s study about identity theft.  In a really eye-opening paper, Internalizing Identity Theft, 2010 UCLA J. of L. & Tech (forthcoming), Hoofnagle has concluded that one of the main reasons identity theft happens is because companies let it happen.  It is an economic decision.

Back in 1981, in the famous case involving an accident due to a defect in a Ford Pinto, it came to light that Ford knew about the design defect in the car but ignored it because it calculated that paying damages in lawsuits would be less than fixing the design flaw.

Hoofnagle illustrates that the same phenomenon is happening with identity theft.  Companies grant credit carelessly because it is cheap to do so.  Much of the losses are sloughed off on victims because the companies aren’t forced to internalize them.

To illustrate how sloppy the granting of credit is, Hoofnagle supplies a copy of the Kohl’s credit application Grimmelmann’s identity thief used.

Notice how many errors are on the application.  There’s a ton of missing information.  And Grimmelmann’s name is even spelled incorrectly — though, in all fairness, it’s got way to many m’s and n’s to keep track of.

In his paper, Hoofnagle examines several case studies in addition to Grimmelmann’s to show how many obvious red flags in credit applications are ignored.

Hoofnagle demonstrates that identity theft is a product not of carelessness on the part of the credit industry, but the product of planned carelessness — more akin to intentional decisions than to foolish blunders.

Read More


Data Security: When Will the Thick Skulls Learn?

The Wall Street Journal reports the theft of 3.3 million student loan records, including Social Security numbers:

Company and federal officials said they believed last week’s theft of identity data on 3.3 million people with student loans was the largest-ever breach of such information and could affect as many as 5% of all federal student-loan borrowers.

Names, addresses, Social Security numbers and other personal data on borrowers were stolen from the St. Paul, Minn., headquarters of Educational Credit Management Corp., a nonprofit guarantor of federal student loans, during the weekend of March 20-21, according to the company.

ECMC said the stolen information was on a portable media device. “It was simple, old-fashioned theft,” said ECMC spokesman Paul Kelash. “It was not a hacker incident.”

What is particularly frustrating was that the records were stored on a portable media device.  Given all the incidents where data was stolen from flash drives and laptops, one would think that companies would learn that storing millions of records on such devices isn’t a wise thing to do.

Since 2005, we’ve been hearing about a barrage of data security breaches.  As the WSJ states:

All told, more than 347 million records containing sensitive information have been compromised in the U.S. since 2005, according to the Privacy Rights Clearinghouse, a nonprofit consumer group.

The problem is that despite all the attention data security has been receiving, it’s not getting any better.  Skulls remain thick, and we keep learning of data security breaches that really shouldn’t be happening anymore.  At some point, the excuse “Oops!  We made a blunder” shouldn’t cut it.

It is unfortunate data security isn’t getting much better and the number and extent of data breaches isn’t diminishing.  It is really problematic that we see the same types of bad security practices again and again and again.  These trends suggest that we need stronger laws against bad data security practices.

3 Gets Its Due

It’s about time!  Finally, after a protected battle, the FTC is making the credit bureau Experian stop misleading people with its website. I blogged about this site several years ago:

This strikes me as “deceptive” advertising. True, the fine print discloses that the report isn’t free and provides the URL to But Experian seems to be exploiting the FACT Act, which required the credit reporting agencies to provide free credit reports. A statutory responsibility to protect consumers is turned into a money-making opportunity for Experian. This practice strikes me as deeply problematic.

As Bob Sullivan at MSNBC reports:

The singer of those jingles might sound a bit less peppy now that the Federal Trade Commission is making the company behind the ads — credit bureau Experian — face the music. Heavy-handed disclosures aimed at ending years-long confusion over free credit reports will begin to appear in the ads next month. The changes are among new consumer protections enacted by Congress in the 2009 Credit Card Accountability Responsibility and Disclosure Act.

In one disclosure viewed by, the top of the Web site was covered with a large grey block with type that read:  “You have the right to a free credit report from … the only authorized source under federal law,”  with an obvious link to the site.  Consumers who still want to sign up with would have to scroll down and enroll in the paid service offered by Experian. . . .

Many Web sites, including, claim to offer free credit reports, but do so only as a come-on for costly credit monitoring subscriptions services.

Market leader Experian, which owns the coveted Web address, began advertising heavily in 2003 after Congress mandated that U.S. consumers were entitled to a free copy of their credit reports every year. The FTC has been in a legal battle with the site ever since. Experian has been forced to issue refunds and pay more than $1 million in fines, but that didn’t quiet the crooning of Eric Violette, the star of the ads.


How To Lose Yourself (Or Not) in 30 Days: Wired’s Identity Loss Experiment

Wired magazine ran an interesting competition starting on August 13. Writer Evan Ratliff who had written about how people disappear tried to disappear from the world and everyone he knew while Wired encouraged and helped people try and find him. The winner would receive $5,000. Ratliff explained his motivation:

It’s one thing to report on the phenomenon of people disappearing. But to really understand it, I figured that I had to try it myself. So I decided to vanish. I would leave behind my loved ones, my home, and my name. I wasn’t going off the grid, dropping out to live in a cabin. Rather, I would actually try to drop my life and pick up another.

The article is here. Anyone interested in privacy, manhunts, and technology should enjoy the read which I recommend. For one thing, the tale reminded me of Hitchcock thrillers where everyone is looking for an innocent man. Like Roger O. Thornhill in North by Northwest, Ratliff uses buses and trains to evade his pursuers (of course Ratliff asked for this one but the feel is quite similar). And like the movies there were sides. In this case, teams formed to hunt Ratliff down and much smaller ones tried to help him (the details about how folks used technology to track and coordinate the hunt (down to finding out who is cat sitter was and contacting the sitter) while Ratliff used it to fool the hunters is another fun part of the story). An interesting point comes from the romantic quarter. I started with a emotional response that the author and others expressed. It would be nice to drop out of one’s life; escape for a bit. I like the idea that one might be able to reinvent one’s life. I also think that our society does a poor job of letting people claim a new beginning and instead embraces a Inspector Javert approach to identity. I rooted for Ratliff. I wanted to believe that if you really said let me alone, it could work. But, as I read on, something else became clear. Ratliff missed his social life. That sense of absence was heightened because of Facebook and Twitter. Insofar as we like some of our lives, we probably like the people in them. Furthermore, when Ratliff has a triumph, he laments that he cannot share it.

In short, the article shows how easy it is to track someone. It also shows that once the spotlight is off, a type of obscurity returns. The problem may be that the spotlight can be turned on all too easily.


Understanding Privacy in Paperback

Cover 5 medium.jpgI’m pleased to announce that my book, Understanding Privacy, has just come out in paperback from Harvard University Press, with a price that’s much more reasonable and affordable than the hardcover.

Understanding Privacy offers a comprehensive overview of the many difficulties involved in discussions of privacy. Drawing from a broad array of interdisciplinary sources, I set forth a framework for understanding privacy that provides clear practical guidance for engaging with privacy issues.


Predicting Social Security Numbers from Public Data

ssnAlessandro Acquisti and Ralph Gross have recently published their provocative article, Predicting Social Security Numbers from Public Data in the Proceedings of the National Academy of Sciences.  According to the abstract:

Information about an individual’s place and date of birth can be exploited to predict his or her Social Security number (SSN). Using only publicly available information, we observed a correlation between individuals’ SSNs and their birth data and found that for younger cohorts the correlation allows statistical inference of private SSNs. The inferences are made possible by the public availability of the Social Security Administration’s Death Master File and the widespread accessibility of personal information from multiple sources, such as data brokers or profiles on social networking sites. Our results highlight the unexpected privacy consequences of the complex interactions among multiple data sources in modern information economies and quantify privacy risks associated with information revelation in public forums.

Acquisti and Gross’s study has generated significant media attention.  Here’s an article by Bob Sullivan for MSNBC and by Hadley Leggett for Wired.  As Sullivan writes:

The two say they can guess the first 5 digits of the Social Security number of anyone born after 1988 within two guesses, knowing only birth date and location. The last four digits, while harder to guess, can be had within a few hundred guesses in many situations — a trivial hurdle for criminals using automated tools.

SSNs are currently used by numerous businesses and organizations to allow access to accounts – they function as a kind of password. They are also used to verify identity when people sign up for a new credit card or other account. They are thus a very useful tool for identity thieves and fraudsters who want to impersonate people to improperly access their accounts or obtain credit cards in their name.

The current focus of policymakers has been to provide better protections against the disclosure of SSNs.

Acquisti and Gross’s paper provides a powerful demonstration that protecting against the disclosure of SSNs is not providing enough protection to consumers.  The article shows that no matter how much protection against the disclosure of SSNs, SSNs can be determined with other public information.

Congress or the FTC should prohibit companies from using SSNs as a means to verify identity. Companies, organizations, and government entities should be prohibited from using SSNs as a means of verifying identity to provide access to accounts or to create new accounts. Merely protecting against the disclosure of SSNs is insufficient since Acquisti and Gross demonstrate they can readily be predicted.

The government and businesses are at fault here.  Too many business and organizations use the SSN improperly as a means to verify identity.  And the government is at fault for creating the SSN and allowing it to be used improperly in ways that harm people.


Lessons from the Identity Trail

lessons-from-the-identity-trail.jpgThere’s a terrific new book of essays about privacy out from Oxford University Press — LESSONS FROM THE IDENTITY TRAIL: ANONYMITY, PRIVACY AND IDENTITY IN A NETWORKED SOCIETY (Oxford University Press 2009). It’s edited by Ian Kerr, Valerie Steeves, and Carole Lucock. The essays are fascinating and are written by a number of very prominent privacy scholars. Highly recommended!

The book is available free for download under a Creative Commons license. One third of the essays are now posted online. The rest will become available in two more stages — on April 22th and May 6th. This is the first book to be published by Oxford University Press under a Creative Commons license.

The book is available on or on our special Concurring Opinions Oxford University Press promo page for 20% off.

Here’s the table of contents:

Read More


Big Breaks in the Palin E-mail Breach Investigation

The odds that the Feds will find the person who broke into Sarah Palin’s e-mail account are considerably better than I had thought they would have been, because someone who claims to have committed the crime has bragged about it to the infamous 4chan image hosting site. (Quick CoOp aside, every day I better appreciate how the paper by new permablogger Danielle Citron–who first introduced me to 4chan–on Cyber Civil Rights will be a must-read in this day of 4chan and Jason Fortuny.) Although the posts have been deleted, Kim Zetter has reproduced them for Wired’s Threat Level blog. First, the user known as “Rubico” bragged about how he had breached the Yahoo account by providing Governor Palin’s supposedly private answers to the questions posed by Yahoo’s password recovery scheme:

it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

Oh, and about Rubico’s screenshots? They apparently reveal the URL bar of Rubico’s browser, which in turn reveals that Rubico had not been browsing Yahoo directly but had instead been using an anonymizing proxy service called Ctunnel. Good idea, right?, because Yahoo no doubt captures and preserves the IP addresses used to recover passwords. But although using Ctunnel may have been a good idea, advertising that fact on a screenshot, it turns out, was not:

Gabriel Ramuglia who operates Ctunnel, the internet anonymizing service the hacker used to post the information from Palin’s account to the 4chan forum, told Threat Level this morning that the FBI had contacted him yesterday to obtain his traffic logs. Ramuglia said he had about 80 gigabytes of logs to process and hadn’t yet looked for the information the FBI was seeking but planned to be in touch with the agents today.

Apparently, providing the screenshot in this case was a particularly dumb move. In another interview Ramuglia notes:

Usually, this sort of thing would be hard to track down because it’s Yahoo email, and a lot of people use my service for that . . . . Since they were dumb enough to post a full screenshot that showed most of the [] URL, I should be able to find that in my log.

There are more lessons here than are worth listing. A few, after the jump:

Read More


Justice Breyer’s Information Available on Limewire

It does not take much to have a security breach. Just one person can facilitate it. In this case, someone at a high-end investment firm installed LimeWire at the office. According to AP the breach began at the end of last year and continued to June of this year. Breyer’s birthday and Social Security number were part of the breach. Apparently around 2,000 other clients have also had their data shared on LimeWire.

Again the fact of data leaks or breaches is not so new. But given the high profile of the people involved in this one, there may be a movement to have laws passed about the problem. Remember video rentals matter because of Robert Bork’s encounter with data privacy issues during his nomination for the Supreme Court. This data problem is different from Bork’s. So a legislative response may come but it will likely address the issue of identity theft. On the other hand, if senators, representatives, and White House staffers found that even their legal but perhaps interesting surfing habits were part of public knowledge and gossip, maybe the data collection and Internet monitoring that some think is necessary will be seen a threat. One paper that may be of interest on this idea is Neil Richards’s Intellectual Privacy.