Category: Privacy (ID Theft)


Justice Breyer’s Information Available on Limewire

It does not take much to have a security breach. Just one person can facilitate it. In this case, someone at a high-end investment firm installed LimeWire at the office. According to AP the breach began at the end of last year and continued to June of this year. Breyer’s birthday and Social Security number were part of the breach. Apparently around 2,000 other clients have also had their data shared on LimeWire.

Again the fact of data leaks or breaches is not so new. But given the high profile of the people involved in this one, there may be a movement to have laws passed about the problem. Remember video rentals matter because of Robert Bork’s encounter with data privacy issues during his nomination for the Supreme Court. This data problem is different from Bork’s. So a legislative response may come but it will likely address the issue of identity theft. On the other hand, if senators, representatives, and White House staffers found that even their legal but perhaps interesting surfing habits were part of public knowledge and gossip, maybe the data collection and Internet monitoring that some think is necessary will be seen a threat. One paper that may be of interest on this idea is Neil Richards’s Intellectual Privacy.


My New Book, Understanding Privacy

Cover 5 medium.jpgI am very happy to announce the publication of my new book, UNDERSTANDING PRIVACY (Harvard University Press, May 2008). There has been a longstanding struggle to understand what “privacy” means and why it is valuable. Professor Arthur Miller once wrote that privacy is “exasperatingly vague and evanescent.” In this book, I aim to develop a clear and accessible theory of privacy, one that will provide useful guidance for law and policy. From the book jacket:

Privacy is one of the most important concepts of our time, yet it is also one of the most elusive. As rapidly changing technology makes information more and more available, scholars, activists, and policymakers have struggled to define privacy, with many conceding that the task is virtually impossible.

In this concise and lucid book, Daniel J. Solove offers a comprehensive overview of the difficulties involved in discussions of privacy and ultimately provides a provocative resolution. He argues that no single definition can be workable, but rather that there are multiple forms of privacy, related to one another by family resemblances. His theory bridges cultural differences and addresses historical changes in views on privacy. Drawing on a broad array of interdisciplinary sources, Solove sets forth a framework for understanding privacy that provides clear, practical guidance for engaging with relevant issues.

Understanding Privacy will be an essential introduction to long-standing debates and an invaluable resource for crafting laws and policies about surveillance, data mining, identity theft, state involvement in reproductive and marital decisions, and other pressing contemporary matters concerning privacy.

Here’s a brief summary of Understanding Privacy. Chapter 1 (available on SSRN) introduces the basic ideas of the book. Chapter 2 builds upon my article Conceptualizing Privacy, 90 Cal. L. Rev. 1087 (2002), surveying and critiquing existing theories of privacy. Chapter 3 contains an extensive discussion (mostly new material) explaining why I chose the approach toward theorizing privacy that I did, and why I rejected many other potential alternatives. It examines how a theory of privacy should account for cultural and historical variation yet avoid being too local in perspective. This chapter also explores why a theory of privacy should avoid being too general or too contextual. I draw significantly from historical examples to illustrate my points. I also discuss why a theory of privacy shouldn’t focus on the nature of the information, the individual’s preferences, or reasonable expectations of privacy. Chapter 4 consists of new material discussing the value of privacy. Chapter 5 builds on my article, A Taxonomy of Privacy, 154 U. Pa. L.. Rev. 477 (2006). I’ve updated the taxonomy in the book, and I’ve added a lot of new material about how my theory of privacy interfaces not only with US law, but with the privacy law of many other countries. Finally, Chapter 6 consists of new material exploring the consequences and applications of my theory and examining the nature of privacy harms.

Understanding Privacy is much broader than The Digital Person and The Future of Reputation. Whereas these other two books examined specific privacy problems, Understanding Privacy is a general theory of privacy, and I hope it will be relevant and useful in a wide range of issues and debates.

For more information about the book, please visit its website.


The Digital Person Free Online!

Digital-Person-free.jpgLast month, Yale University Press allowed me to put my book, The Future of Reputation: Gossip, Rumor, and Privacy on the Internet online for free. The experiment has gone quite well. The book’s website received a big bump in traffic, with many people downloading one or more chapters. The book’s sales picked up for several weeks after it was placed online for free. Sales have now returned to about the same level as before the book went online.

I’m delighted to announce that NYU Press has allowed me to put my book, The Digital Person: Technology and Privacy in the Information Age (NYU Press, 2004) online for free.

Here’s a brief synopsis of The Digital Person from the book jacket:

Seven days a week, twenty-four hours a day, electronic databases are compiling information about you. As you surf the Internet, an unprecedented amount of your personal information is being recorded and preserved forever in the digital minds of computers. These databases create a profile of activities, interests, and preferences used to investigate backgrounds, check credit, market products, and make a wide variety of decisions affecting our lives. The creation and use of these databases–which Daniel J. Solove calls “digital dossiers”–has thus far gone largely unchecked. In this startling account of new technologies for gathering and using personal data, Solove explains why digital dossiers pose a grave threat to our privacy.

Digital dossiers impact many aspects of our lives. For example, they increase our vulnerability to identity theft, a serious crime that has been escalating at an alarming rate. Moreover, since September 11th, the government has been tapping into vast stores of information collected by businesses and using it to profile people for criminal or terrorist activity. In THE DIGITAL PERSON, Solove engages in a fascinating discussion of timely privacy issues such as spyware, web bugs, data mining, the USA-Patriot Act, and airline passenger profiling.

THE DIGITAL PERSON not only explores these problems, but provides a compelling account of how we can respond to them. Using a wide variety of sources, including history, philosophy, and literature, Solove sets forth a new understanding of what privacy is, one that is appropriate for the new challenges of the Information Age. Solove recommends how the law can be reformed to simultaneously protect our privacy and allow us to enjoy the benefits of our increasingly digital world.

Book reviews are collected here.


Ranking Banks Based on Incidents of Identity Theft

Chris Hoofnagle just released a new report entitled Measuring Identity Theft at Top Banks. In the report, he ranks the top 25 US banks according to their relative incidence of identity theft. The report is based on consumer-submitted complaints to the FTC where the victim identified an institution.

In a previous paper called Identity Theft: Making the Unknown Knowns Known, Chris argued that there should be mandatory public disclosure of identity theft statistics by banks. Since the financial institutions don’t currently release such data, we have no idea which institutions are being more effective at reducing identity theft than others.

For his new paper, Chris made a FOIA request last year to the FTC for two years of consumer complaint data. The FTC found it too burdensome to release two years’ worth of data, so “the request was limited to three randomly-chosen months in 2006, January, March, and September. These months included data from 88,560 complaints, with 46,262 names of institutions were identified by victims.” Chris’s paper is based on an analysis of this data.

From the abstract:

There is no reliable way for consumers, regulators, and businesses to assess the relative incidence of identity fraud at major financial institutions. This lack of information prevents more vigorous competition among institutions to protect accountholders from identity theft. As part of a multiple strategy approach to obtaining more actionable data on identity theft, the Freedom of Information Act was used to obtain complaint data submitted by victims in 2006 to the Federal Trade Commission. This complaint data identifies the institution where impostors established fraudulent accounts or affected existing accounts in the name of the victim. The data show that some institutions have a far greater incidence of identity theft than others. The data further show that the major telecommunications companies had numerous identity theft events, but a metric is lacking to compare this industry with the financial institutions.

This is a first attempt to meaningfully compare institutions on their performance in avoiding identity theft. This analysis faces several challenges that are described in the methods section. The author welcomes constructive criticism, suggestions, and comments in an effort to shine light on the identity theft problem.

This is a fantastic endeavor, as more information on how institutions are protecting against identity theft is sorely needed. Chris admits that his study has some limitations and could be improved if financial institutions would supply more information to the public. But based on the information Chris could find out, this report is quite revealing. Hopefully, it will spark more transparency from financial institutions in the future.

Here is one of many charts in the paper. The chart below is of incidents of identity theft relative to the size of each institution.



Coming Back from the Dead

lazarus2.JPGLazarus had it easy. Not so for Laura Todd, who has been trying to come back from the dead for nearly a decade. According to WSMV News in Nashville:

According to government paperwork, Laura Todd has been dead off and on for eight years, and Todd said there’s no end to the complications the situation creates.

“One time when I (was) ruled dead, they canceled my health insurance because it got that far,” she said.

Todd’s struggle started with a typo at the Social Security administration. She said the government has assured her since the problem that they have deleted her death record, but she said the problems keep cropping up.

On Wednesday, the IRS once again rejected her electronic tax return. She said she’s gone through it before.

“I will not be eligible for my refund. I’m not eligible for my rebate. I mean, I can’t do anything with it,” she said.

Channel 4’s Nancy Amons first reported about Todd’s ordeal last week, but Amons has since found out more about how common the problem is.

According to a government audit, Social Security had to resurrect more than 23,000 people in a period of less than two years. The number is the approximate equivalent to the population of Brentwood.

The audit said the lack of documentation in the Social Security computer makes it impossible for the government’s auditors to determine if the people are dead or alive.

But some of those who are alive have found more complications after their resurrection.

Illinois resident Jay Liebenow was also declared dead. He said Todd is now more vulnerable to identity theft because after someone dies, Social Security releases that person’s personal information on computer discs. He said the information is sold to anyone who wants it, like the Web site

One of the problems with modern recordkeeping is that although computers make things more efficient, they compound the effects that errors have on people’s lives. The difficulty is that the law currently does not afford people with sufficient power to clean up mistakes in their records. Since information is so readily transferred between entities, an error that is corrected in one database has often migrated to another database before the correction. The error doesn’t die. Instead, you do.

Responsibility should be placed on every entity that maintains records to ensure that information is correct and that errors are promptly fixed. Moreover, when information is shared with others, the one sharing the information should have duties to inform the others of the error; and those receiving the data should have a duty to check for corrections in the data from the source.

Right now, we’re living in a bureaucratic data hell, and that’s because that there aren’t sufficient incentives for entities to be careful with the records they keep about people.

Image: The Resurrection of Lazarus by Vincent van Gogh, 1889-90, from Wikicommons.


Information Privacy Law Casebook Update

casebook2.jpgI’m pleased to announce that Paul Schwartz and I have just completed an update to our casebook, Information Privacy Law (Aspen 2006). The update is 111 pages, and is available for download (free of charge) at the casebook’s website. Among other things, it includes excerpts of many new cases: Bonome v. Kaysen, Barrett v. Rosenthal, MacWade v. Kelly, US v. Andrus, Warshak v. US, Doe v. Cahill, US v. Ellison, Gonzales v. Google, Georgia v. Randolph, Copland v. UK, and more. It also includes discussions of the NSA surveillance program, the litigation regarding the NSA surveillance, the Protect America Act of 2007 (amending FISA), national security letter litigation, the Virginia Tech shooting and privacy laws, data security breaches, US-EU sharing of airline passenger data, and more. Additionally, it includes excerpts from many new scholarly books and articles.

A new edition is in the works, and it will be ready for use in the spring 2009 semester. The book will be available in late 2008 so instructors can plan their courses. If you’re a professor currently using the book or are considering using the book in a class, please email me with any comments and suggestions for the next edition.


Requiring Banks to Disclose Identity Theft Statistics

creditcard-6a.jpgKudos to my friend Chris Hoofnagle (Samuelson Clinic at Berkeley Law School) who had his paper on SSRN written about by the New York Times:

The Senate Judiciary Committee’s subcommittee on terrorism, technology and homeland security will take up the issue in a scheduled hearing today titled “Identity Theft: Innovative Solutions for an Evolving Problem.” . . . .

The subcommittee will also hear a radical new idea on a way to obtain reliable numbers on the extent of identity theft.

The proposal, submitted by Chris Jay Hoofnagle, a lawyer and senior fellow at the Berkeley Center for Law and Technology at the University of California, recommends that lending institutions like banks and credit card companies, and payment firms like PayPal, be required to report their internal figures on fraud and identity theft publicly.

Unfortunately, as is typical with the mainstream media, no information is provided about how to locate Chris’s paper let alone a hyperlink. In his paper, Identity Theft: Making the Known Unknowns Known, Chris proposes that banks be compelled to disclose identity theft data. From the abstract:

Read More


How Should Data Security Breach Notification Work?

In 2005, a series of data security breaches affected tens of millions of records of personal information. I blogged about them here, here, here, here, and here.

One of the major issues with data security breaches involves what kind of notification companies should provide. The spate of data security breach announcements began in February 2005, when ChoicePoint announced its breach pursuant to California’s data breach notification law. At the time, California was the only state that mandated individual notice following a breach. Subsequently, numerous states passed laws requiring that companies notify individuals of breaches. Federal legislation is currently being considered to create a national security breach provision. But key questions remain in hot contention. First, what kind of breach should trigger a notification? If the risk of harm is low, some companies contend, then providing notice can be quite costly with little benefit in return. Second, what kind of notice should be given? Notice to each individual affected? Notice to the media or FTC only?

Professors Paul Schwartz (law, Berkeley) and Ted Janger (law, Brooklyn) have posted on SSRN their article, Notification of Data Security Breaches, 105 Mich. L. Rev. 913 (2007), which seeks to answer these questions. From the abstract:

The law increasingly mandates that private companies disclose information for the benefit of consumers. The latest example of such regulation through disclosure is a requirement that companies notify individuals of data security incidents involving their personal information. In the wake of highly publicized data spills, numerous states have now enacted such legislation, and federal legislation in this area has also been proposed.

These statutes seek to punish the breached entity and protect consumers by requiring that a breached entity disclose information about the data spill. There are competing possible approaches, however, to how the law is to mandate release of information about data leaks. This Article finds that a reputational sanction from breach notification can be important, but not for the reasons conventionally discussed. Moreover, a further function of breach notification is mitigation of harm after a data leak. This function requires a multi-institutional coordinated response of the kind that is absent from current policy proposals. To fill this gap, this Article advocates creation of a coordinated response architecture and develops the elements of such an approach.

For anybody interested in data security, this article is definitely worth checking out.


Is Identity Theft Really Declining?

creditcard-2b.jpgA study by Javelin Strategy & Research finds that identity theft declined by 11.5% in 2006:

According to the study, 8.4 million adult Americans, or one in 27, learned last year that criminals committed fraud with personal data such as credit card or Social Security numbers. That’s down from 8.9 million in 2005 and 10.1 million in 2003.

Adults under 25, African-Americans, and people who make more than $150,000 were among the groups most likely to suffer fraud, the study said. The youngest adults were also among the least likely to take steps to stop it, the study said.

Consumers on average spent $535 to clear up a fraud, though more than half spent nothing, the study said. Many businesses excuse customers from liability for certain frauds.

Results were based on a phone survey last fall of 5,006 people, including 469 who said they were fraud victims.

The survey was sponsored by Wells Fargo & Co., the fifth-largest U.S. bank; Visa, the credit card association; and CheckFree Corp., which makes bill paying software.

What is probably intended by the study is to stave off legislatures from calling for greater regulation of the identity theft problem. After all, the problem is declining. Self-regulation must be working. Or is it?

Chris Hoofnagle (senior staff attorney, Samuelson Clinic at Berkeley Law School) disputes the study:

2007 brings another identity theft survey from Javelin Strategy. As usual, it strives to conclude that identity theft is on the decline and that most identity theft is the result of information being stolen from the victim. Both conclusions are dead wrong. Why?

Read More


Verifying Identity: From One Foolish Way to Another

money-2a.jpgFor quite some time, banks and financial institutions have been using people’s Social Security Numbers (SSNs) to verify their identities. Suppose you want to access your bank account to check your balance, change addresses, or close out the account. You call the bank, but how does the bank know it’s really you? For a while, banks were asking you for your SSN. Your SSN was used akin to a password. If you knew this “secret” number, then it must be you. Of course, as I have written about at length, a SSN is one of the dumbest choices for a password. Not only is it a password that can readily be found out, but it is a password that’s very hard to change. Not a wise combination. People’s SSNs are widely available, and the data security breaches in the past two years exacerbated the exposure. A lot of legislative attention has focused on the leakers of the data, and rightly so, but not enough attention has been focused on the businesses that use people’s SSNs as passwords. If SSNs weren’t used in this way, leaking them wouldn’t cause the harm it does.

But now, it seems, banks are starting to rethink the use of SSNs. According to a USA Today story:

A growing number of banks and retailers are moving beyond Social Security numbers to verify your identity. They’re relying on such personal details as your car color, your father-in-law’s name and the city you lived in five years ago.

No, you never gave them this information; rather, they pulled it from public and private databases. These private details are increasingly being used to approve you for credit at a store, give you access to your account online or to verify that you — rather than an impostor — are making a purchase.

It’s the latest effort by financial institutions to fight a growing threat of identity theft from online “phishing” and other scams. Chase, HSBC, Vanguard, American Express and Barclaycard US use this customer-verification technique. Mellon Financial is testing it. In the past two years, the technology has been adopted by six of the top 10 U.S. banks and thrifts, says Verid, a provider of the technology.

The problem with using this method is that the information in public databases is often riddled with errors. Why do banks need to go behind your back to snoop out information about you? Banks and financial institutions already have a relationship with you — after all, you established an account with them. They can use some of the information they gathered at that time to establish your identity and then ask you to supply additional information to help identify you. But going behind people’s backs and trolling public records for data does not strike me as a particularly effective method given the possibility for errors in those records.

The story continues:

Read More