Category: Privacy (ID Theft)


The Year in Privacy Books 2010

Here’s a list of notable privacy books published in 2010.

Previous lists:

Privacy Books 2009

Privacy Books 2008

This list contains a few books published late in 2009 that I missed on the 2009 list.

Adam D. Moore, Privacy Rights: Moral and Legal Foundations (Penn. St. U. Press 2010)

My blurb: “Privacy Rights is a lucid and compelling examination of the right to privacy.  Adam Moore provides a theoretically rich and trenchant account of how to reconcile privacy with competing interests such as free speech, workplace productivity, and security.”

Cass Sunstein, On Rumors (Farrar , Strauss and Giroux 2009)

A very short essay on the damage wrought by false online rumors and a discussion of how and why such rumors spiral out of control, such as the phenomena of social cascades and group polarization.  The book is worth reading, but quite short for a book (only 88 pages of primary text, in a very tiny book the size of a paperback).

Stewart Baker, Skating on Stilts: Why We Aren’t Stopping Tomorrow’s Terrorism (Hoover Institution Press 2010)

A provocative argument for stronger security protections and a vigorous attack on privacy.  The arguments against privacy are often glib and dismissive, but the book is worth reading for Baker’s extensive personal experience dealing with the issues.

Christena Nippert-Eng, Islands of Privacy (U. Chicago 2010)

A fascinating sociological account of people’s attitudes toward privacy and their behaviors with regards to preserving their privacy.  It contains numerous interviews, quoted copiously, of people in their own voices discussing how they conceal their secrets.  Engaging and compelling reading.

Hal Niedzviecki, The Peep Diaries: How We’re Learning to Love Watching Ourselves and Our Neighbors (City Lights Press 2009)

This book is an extended essay on self-exposure online.  It is filled with many interesting anecdotes.  The book has a journalistic style and raises observations and questions more than it proposes solutions or policies.  The “notes” at the end consist only of a brief bibliography for each chapter, and there are no indications of which facts in the book came from which particular sources — a pet peeve of mine.

Bill Bryson, At Home: A Short History of Private Life (Doubleday 2010)

An extensive history of the home, which as I’ve explored in some of my own writings, plays an important role in the history of privacy.  Bryson’s narrative reads well, but he only supplies a bibliography at the end — no endnotes or indications of the sources of particular facts and details.  I find this practice to be quite problematic for a work of history.

Shane Harris, The Watchers: The Rise of America’s Surveillance State (Penguin 2010)

An engaging narrative that chronicles the surveillance and security measures the United States undertook after 9/11.  Filled with interesting facts, the book reads like a story.

Robin D. Barnes, Outrageous Invasions: Celebrites’ Private Lives, Media, and the Law (Oxford 2010)

There are some very interesting parts of this book, but it at times seems like a grab bag of topics relating to celebrities and its central argument could use more development.  Nevertheless, it is worth reading because it discusses some interesting cases and explores comparative legal perspectives on the issues.

David Kirkpatrick, The Facebook Effect (Simon& Schuster 2010)

A fascinating account of the rise of Facebook.  There are times when Kirkpatrick seems too sympathetic to Mark Zuckerberg and Facebook, but overall, this book is illuminating and engaging.

Viktor Mayer-Schonberger, Delete: The Virtue of Forgetting in the Digital Age (Princeton 2009)

An interesting discussion of the “right to be forgotten.”  Some of the ground in this book appears to be already well-trodden, but Mayer-Schonberger’s keen insights on data retention and destruction make it a worthy addition to the literature.


People Want Strong Punishments for Privacy Violations

People believe that privacy violations should be punished — and quite stringently.  There are interesting survey results in a new report by Chris Hoofnagle, Jennifer King, Su Li, and Joseph Turow, How Different are Young Adults from Older Adults When it Comes to Information Privacy Attitudes and Policies?

The report focuses primarily on comparing the attitudes of the young with older people and concluding that there isn’t much of a divergence.  I blogged about it here.

There is other data in the report worth talking about that I fear will be lost in the headlines about how the young are similar to the old.  And this data is quite interesting:

“If a company purchases or uses someone’s personal information illegally, about how much—if anything—do you think that company should be fined?”

The vast majority of people of all ages (69%) said the fine should be greater than $2500.  They were given choices of $100, $500, $1000, $2500, and more than $2500.

“Beyond a fine, companies that use a person’s information illegally might be punished in other ways. Which ONE of the following ways to punish companies do you think is most important?”

“The company should be put out of business.”  — 18%

“The company should fund efforts to help people protect privacy.”  — 38%

“Executives who are responsible should face jail time.” — 35%

“The company should not be punished in any of those ways.” — 3%

“It depends.”  — 2%

“Don’t know/refused.” — 4%


How Identity Theft Is Like the Ford Pinto

A hapless victim of identity theft

Professor James Grimmelmann likes to shop at Kohl’s.  So much so that he applied for credit at Kohl’s.  And he got it.

The problem is that James Grimmelmann didn’t really apply for anything.  It was an identity thief.

Grimmelmann was a participant in Chris Hoofnagle‘s study about identity theft.  In a really eye-opening paper, Internalizing Identity Theft, 2010 UCLA J. of L. & Tech (forthcoming), Hoofnagle has concluded that one of the main reasons identity theft happens is because companies let it happen.  It is an economic decision.

Back in 1981, in the famous case involving an accident due to a defect in a Ford Pinto, it came to light that Ford knew about the design defect in the car but ignored it because it calculated that paying damages in lawsuits would be less than fixing the design flaw.

Hoofnagle illustrates that the same phenomenon is happening with identity theft.  Companies grant credit carelessly because it is cheap to do so.  Much of the losses are sloughed off on victims because the companies aren’t forced to internalize them.

To illustrate how sloppy the granting of credit is, Hoofnagle supplies a copy of the Kohl’s credit application Grimmelmann’s identity thief used.

Notice how many errors are on the application.  There’s a ton of missing information.  And Grimmelmann’s name is even spelled incorrectly — though, in all fairness, it’s got way to many m’s and n’s to keep track of.

In his paper, Hoofnagle examines several case studies in addition to Grimmelmann’s to show how many obvious red flags in credit applications are ignored.

Hoofnagle demonstrates that identity theft is a product not of carelessness on the part of the credit industry, but the product of planned carelessness — more akin to intentional decisions than to foolish blunders.

Read More


Data Security: When Will the Thick Skulls Learn?

The Wall Street Journal reports the theft of 3.3 million student loan records, including Social Security numbers:

Company and federal officials said they believed last week’s theft of identity data on 3.3 million people with student loans was the largest-ever breach of such information and could affect as many as 5% of all federal student-loan borrowers.

Names, addresses, Social Security numbers and other personal data on borrowers were stolen from the St. Paul, Minn., headquarters of Educational Credit Management Corp., a nonprofit guarantor of federal student loans, during the weekend of March 20-21, according to the company.

ECMC said the stolen information was on a portable media device. “It was simple, old-fashioned theft,” said ECMC spokesman Paul Kelash. “It was not a hacker incident.”

What is particularly frustrating was that the records were stored on a portable media device.  Given all the incidents where data was stolen from flash drives and laptops, one would think that companies would learn that storing millions of records on such devices isn’t a wise thing to do.

Since 2005, we’ve been hearing about a barrage of data security breaches.  As the WSJ states:

All told, more than 347 million records containing sensitive information have been compromised in the U.S. since 2005, according to the Privacy Rights Clearinghouse, a nonprofit consumer group.

The problem is that despite all the attention data security has been receiving, it’s not getting any better.  Skulls remain thick, and we keep learning of data security breaches that really shouldn’t be happening anymore.  At some point, the excuse “Oops!  We made a blunder” shouldn’t cut it.

It is unfortunate data security isn’t getting much better and the number and extent of data breaches isn’t diminishing.  It is really problematic that we see the same types of bad security practices again and again and again.  These trends suggest that we need stronger laws against bad data security practices.

3 Gets Its Due

It’s about time!  Finally, after a protected battle, the FTC is making the credit bureau Experian stop misleading people with its website. I blogged about this site several years ago:

This strikes me as “deceptive” advertising. True, the fine print discloses that the report isn’t free and provides the URL to But Experian seems to be exploiting the FACT Act, which required the credit reporting agencies to provide free credit reports. A statutory responsibility to protect consumers is turned into a money-making opportunity for Experian. This practice strikes me as deeply problematic.

As Bob Sullivan at MSNBC reports:

The singer of those jingles might sound a bit less peppy now that the Federal Trade Commission is making the company behind the ads — credit bureau Experian — face the music. Heavy-handed disclosures aimed at ending years-long confusion over free credit reports will begin to appear in the ads next month. The changes are among new consumer protections enacted by Congress in the 2009 Credit Card Accountability Responsibility and Disclosure Act.

In one disclosure viewed by, the top of the Web site was covered with a large grey block with type that read:  “You have the right to a free credit report from … the only authorized source under federal law,”  with an obvious link to the site.  Consumers who still want to sign up with would have to scroll down and enroll in the paid service offered by Experian. . . .

Many Web sites, including, claim to offer free credit reports, but do so only as a come-on for costly credit monitoring subscriptions services.

Market leader Experian, which owns the coveted Web address, began advertising heavily in 2003 after Congress mandated that U.S. consumers were entitled to a free copy of their credit reports every year. The FTC has been in a legal battle with the site ever since. Experian has been forced to issue refunds and pay more than $1 million in fines, but that didn’t quiet the crooning of Eric Violette, the star of the ads.


How To Lose Yourself (Or Not) in 30 Days: Wired’s Identity Loss Experiment

Wired magazine ran an interesting competition starting on August 13. Writer Evan Ratliff who had written about how people disappear tried to disappear from the world and everyone he knew while Wired encouraged and helped people try and find him. The winner would receive $5,000. Ratliff explained his motivation:

It’s one thing to report on the phenomenon of people disappearing. But to really understand it, I figured that I had to try it myself. So I decided to vanish. I would leave behind my loved ones, my home, and my name. I wasn’t going off the grid, dropping out to live in a cabin. Rather, I would actually try to drop my life and pick up another.

The article is here. Anyone interested in privacy, manhunts, and technology should enjoy the read which I recommend. For one thing, the tale reminded me of Hitchcock thrillers where everyone is looking for an innocent man. Like Roger O. Thornhill in North by Northwest, Ratliff uses buses and trains to evade his pursuers (of course Ratliff asked for this one but the feel is quite similar). And like the movies there were sides. In this case, teams formed to hunt Ratliff down and much smaller ones tried to help him (the details about how folks used technology to track and coordinate the hunt (down to finding out who is cat sitter was and contacting the sitter) while Ratliff used it to fool the hunters is another fun part of the story). An interesting point comes from the romantic quarter. I started with a emotional response that the author and others expressed. It would be nice to drop out of one’s life; escape for a bit. I like the idea that one might be able to reinvent one’s life. I also think that our society does a poor job of letting people claim a new beginning and instead embraces a Inspector Javert approach to identity. I rooted for Ratliff. I wanted to believe that if you really said let me alone, it could work. But, as I read on, something else became clear. Ratliff missed his social life. That sense of absence was heightened because of Facebook and Twitter. Insofar as we like some of our lives, we probably like the people in them. Furthermore, when Ratliff has a triumph, he laments that he cannot share it.

In short, the article shows how easy it is to track someone. It also shows that once the spotlight is off, a type of obscurity returns. The problem may be that the spotlight can be turned on all too easily.


Understanding Privacy in Paperback

Cover 5 medium.jpgI’m pleased to announce that my book, Understanding Privacy, has just come out in paperback from Harvard University Press, with a price that’s much more reasonable and affordable than the hardcover.

Understanding Privacy offers a comprehensive overview of the many difficulties involved in discussions of privacy. Drawing from a broad array of interdisciplinary sources, I set forth a framework for understanding privacy that provides clear practical guidance for engaging with privacy issues.


Predicting Social Security Numbers from Public Data

ssnAlessandro Acquisti and Ralph Gross have recently published their provocative article, Predicting Social Security Numbers from Public Data in the Proceedings of the National Academy of Sciences.  According to the abstract:

Information about an individual’s place and date of birth can be exploited to predict his or her Social Security number (SSN). Using only publicly available information, we observed a correlation between individuals’ SSNs and their birth data and found that for younger cohorts the correlation allows statistical inference of private SSNs. The inferences are made possible by the public availability of the Social Security Administration’s Death Master File and the widespread accessibility of personal information from multiple sources, such as data brokers or profiles on social networking sites. Our results highlight the unexpected privacy consequences of the complex interactions among multiple data sources in modern information economies and quantify privacy risks associated with information revelation in public forums.

Acquisti and Gross’s study has generated significant media attention.  Here’s an article by Bob Sullivan for MSNBC and by Hadley Leggett for Wired.  As Sullivan writes:

The two say they can guess the first 5 digits of the Social Security number of anyone born after 1988 within two guesses, knowing only birth date and location. The last four digits, while harder to guess, can be had within a few hundred guesses in many situations — a trivial hurdle for criminals using automated tools.

SSNs are currently used by numerous businesses and organizations to allow access to accounts – they function as a kind of password. They are also used to verify identity when people sign up for a new credit card or other account. They are thus a very useful tool for identity thieves and fraudsters who want to impersonate people to improperly access their accounts or obtain credit cards in their name.

The current focus of policymakers has been to provide better protections against the disclosure of SSNs.

Acquisti and Gross’s paper provides a powerful demonstration that protecting against the disclosure of SSNs is not providing enough protection to consumers.  The article shows that no matter how much protection against the disclosure of SSNs, SSNs can be determined with other public information.

Congress or the FTC should prohibit companies from using SSNs as a means to verify identity. Companies, organizations, and government entities should be prohibited from using SSNs as a means of verifying identity to provide access to accounts or to create new accounts. Merely protecting against the disclosure of SSNs is insufficient since Acquisti and Gross demonstrate they can readily be predicted.

The government and businesses are at fault here.  Too many business and organizations use the SSN improperly as a means to verify identity.  And the government is at fault for creating the SSN and allowing it to be used improperly in ways that harm people.


Lessons from the Identity Trail

lessons-from-the-identity-trail.jpgThere’s a terrific new book of essays about privacy out from Oxford University Press — LESSONS FROM THE IDENTITY TRAIL: ANONYMITY, PRIVACY AND IDENTITY IN A NETWORKED SOCIETY (Oxford University Press 2009). It’s edited by Ian Kerr, Valerie Steeves, and Carole Lucock. The essays are fascinating and are written by a number of very prominent privacy scholars. Highly recommended!

The book is available free for download under a Creative Commons license. One third of the essays are now posted online. The rest will become available in two more stages — on April 22th and May 6th. This is the first book to be published by Oxford University Press under a Creative Commons license.

The book is available on or on our special Concurring Opinions Oxford University Press promo page for 20% off.

Here’s the table of contents:

Read More


Big Breaks in the Palin E-mail Breach Investigation

The odds that the Feds will find the person who broke into Sarah Palin’s e-mail account are considerably better than I had thought they would have been, because someone who claims to have committed the crime has bragged about it to the infamous 4chan image hosting site. (Quick CoOp aside, every day I better appreciate how the paper by new permablogger Danielle Citron–who first introduced me to 4chan–on Cyber Civil Rights will be a must-read in this day of 4chan and Jason Fortuny.) Although the posts have been deleted, Kim Zetter has reproduced them for Wired’s Threat Level blog. First, the user known as “Rubico” bragged about how he had breached the Yahoo account by providing Governor Palin’s supposedly private answers to the questions posed by Yahoo’s password recovery scheme:

it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

Oh, and about Rubico’s screenshots? They apparently reveal the URL bar of Rubico’s browser, which in turn reveals that Rubico had not been browsing Yahoo directly but had instead been using an anonymizing proxy service called Ctunnel. Good idea, right?, because Yahoo no doubt captures and preserves the IP addresses used to recover passwords. But although using Ctunnel may have been a good idea, advertising that fact on a screenshot, it turns out, was not:

Gabriel Ramuglia who operates Ctunnel, the internet anonymizing service the hacker used to post the information from Palin’s account to the 4chan forum, told Threat Level this morning that the FBI had contacted him yesterday to obtain his traffic logs. Ramuglia said he had about 80 gigabytes of logs to process and hadn’t yet looked for the information the FBI was seeking but planned to be in touch with the agents today.

Apparently, providing the screenshot in this case was a particularly dumb move. In another interview Ramuglia notes:

Usually, this sort of thing would be hard to track down because it’s Yahoo email, and a lot of people use my service for that . . . . Since they were dumb enough to post a full screenshot that showed most of the [] URL, I should be able to find that in my log.

There are more lessons here than are worth listing. A few, after the jump:

Read More