Category: Privacy (ID Theft)


How Does the US Rank Among Countries in Privacy Protection?


How does the United States rank among countries in privacy protection? Practically at the bottom according to a ranking by Privacy International, a UK-based privacy advocacy group. The ranking is based on Privacy and Human Rights, an annual report about privacy laws around the world published by Privacy International and the Electronic Privacy Information Center. Here’s the ratings table and here’s the briefing paper for the table. Unfortunately, every time I try to access the PDF file of the briefing paper that explains the rankings, it not only fails to load, but it also crashes my browser, whether Firefox or Explorer.

The press release for the rankings states:



The Digital Person: Now in Paperback

I’m pleased to announce that my book, The Digital Person: Technology and Privacy in the Information Age, is now out in paperback and has a much more affordable price. From the cover blurb:

Seven days a week, twenty-four hours a day, electronic databases are compiling information about you. As you surf the Internet, an unprecedented amount of your personal information is being recorded and preserved forever in the digital minds of computers. For each individual, these databases create a profile of activities, interests, and preferences used to investigate backgrounds, check credit, market products, and make a wide variety of decisions affecting our lives. The creation and use of these databases—which Daniel J. Solove calls “digital dossiers”—has thus far gone largely unchecked. In this startling account of new technologies for gathering and using personal data, Solove explains why digital dossiers pose a grave threat to our privacy.

The Digital Person sets forth a new understanding of what privacy is, one that is appropriate for the new challenges of the Information Age. Solove recommends how the law can be reformed to simultaneously protect our privacy and allow us to enjoy the benefits of our increasingly digital world.

Links to reviews of the book are at The Digital Person website.


Privacy on the Road

From the New York Times, a nice little piece about privacy (or lack thereof) on the road:

Using a public computer can also mean courting trouble, because data viewed while surfing the Web, printing a document or opening an e-mail attachment is generally stored on the computer — meaning it could be accessible to the next person who sits down. (To remove traces of your work, delete any documents you have viewed, clear the browser cache and the history file and empty the trash before you walk away.)

“You also run the risk that somebody has loaded a program on there that can capture your log-ins and passwords,” Mr. Louderback said, recalling an incident a few years ago when a Queens resident was caught installing this type of “key logger” software on computers at several Kinko’s locations in New York.

As the article points out, it’s a scary, scary world out there. Public computers can be searched for passwords or equipped with malicious keyloggers. Wireless hot spots can be raided with packet sniffers. There are software solutions for getting around these, but the easiest solution is also the safest:

Absolutely never check your bank account on a public computer. And be careful about checking it on a wireless hotspot.

One thing the article lacked was a real discussion of how prevalent this kind of identity theft is. What are the statistics on this kind of thing, Dan? How much identity theft (or for that matter, data theft) comes out of these kinds of interactions – do we have any ideas?


The Ten Greatest Privacy Disasters

Wired News lists what it considers to be the 10 greatest privacy disasters:

10. ChoicePoint data spill

9. VA laptop theft

8. CardSystems hacked

7. Discovery of data on used hard drives for sale

6. Philip Agee’s revenge

5. Amy Boyer’s murder

4. Testing CAPPS II


2. AT&T lets the NSA listen to all phone calls

1. The creation of the Social Security Number

See the Wired article for its explanations. It’s a good list, but there are a few problems. Although we still don’t know all the details of the NSA surveillance program, it’s not worse than COINTELPRO, which involved massive surveillance of a wide range of groups, the wiretapping of Martin Luther King, Jr., attempts to blackmail King, and more. The Social Security Number has indeed led to a ton of problems, but the fault doesn’t lie with its creation. Rather, the problem is mostly the expanding use of the number and the failure of the government to rein in government agencies and business from using it. CAPPS II, while flawed in its conception, should not be so high on the list.

Some notable omissions: Where’s Total Information Awareness? What about Olmstead v. United States, 277 U.S. 438 (1928), where the Supreme Court held that the Fourth Amendment didn’t regulate wiretapping? Olmstead led to nearly 40 years of extensive abuses of wiretapping before it was overruled. There are countless other Supreme Court 4th Amendment cases that could arguably be listed, but I’d definitely include Miller v. United States, 425 U.S. 435 (1976), which created the third party doctrine which holds that the Fourth Amendment does not apply to personal records possessed by third parties. Another possible inclusion: The birth of J. Edgar Hoover.

Hat Tip: Bruce Schneier


Privacy, Information, and Technology

My new casebook, PRIVACY, INFORMATION, AND TECHNOLOGY (ISBN: 0735562548) (with Marc Rotenberg & Paul M. Schwartz) is now hot off the presses from Aspen Publishers. It is an abridged version (300 pages) of our regular casebook, INFORMATION PRIVACY LAW (2d ed.), which is about 1000 pages in length.

Privacy, Information, and Technology is designed as a supplement to courses and seminars in technology law, information law, and cyberlaw. It will provide between 2-4 weeks of coverage of information privacy issues pertaining to technology, government surveillance, databases, consumer privacy, and government records.

More information about the book is here. If you’re interested in getting a review copy of the book, please send an email to Daniel Eckroad.

The book will sell for $35 and can be purchased on Aspen’s website.

The book consists of four chapters. Chapter 1 contains an overview of information privacy law, its origins, and philosophical readings about privacy. Chapter 2 covers issues involving law enforcement, technology, and surveillance. Chapter 3 focuses on government records, databases, and identification. Chapter 4 covers business records, financial information, identity theft, privacy policies, anonymity, data mining, and government access to private sector data.

The full table of contents is available here.


Data Security Laws, the States, and Federalism

Remember well over a year ago, when last February ChoicePoint announced it had a major data security breach? Since then hundreds of breaches have been announced — over 200 instances involving data on 88 million people. Several bills were proposed in Congress; many Senators and Representatives quickly emphasized the importance of privacy and data security. And after all this time, what has Congress produced? Nothing.

Meanwhile, the states have been very busy. 31 states have passed data breach notification laws. 24 states have now passed credit freeze laws, which allow people to lock their credit files to prevent unauthorized activity.

The website has a terrific chart of the states that have enacted data security laws, which is below in smaller form. Visit the stateline website for a larger view.


I never used to be a fan of federalism, but in following information privacy law, I’ve found that the states are by far more responsive to problems, more flexible and experimental in solutions, and more able to get things accomplished. Substantively, the states have also established a better balance between privacy and business interests than Congress.

The bills kicking around in Congress would preempt many of the state laws discussed above. Ironically, that is what might make Congress finally do something in response to the data security breaches. Companies afraid of an orgy of state laws are pushing Congress to act — not to protect privacy, but to wipe the board clean of state regulation and replace it with a weaker less-protective federal standard all in the guise of helping to “protect” our privacy.



Panic! More Private Data Lost

The Birmingham News reported, yesterday, that a computer with private employee data from supermarket chain Bruno’s was lost. An employee with Deloitte put his notebook in checked baggage at the airport. Naturally, it did not reappear on the baggage belt. (The story does not clarify whether the bag didn’t appear, or whether the bag arrived sans laptop.) Apparently the folks at Royal Ahold (the owner of Bruno’s) have ongoing problems in this regard. Last May, another Ahold supplier lost a computer containing private employee data. Nobody thinks this is a good thing, but is it really newsworthy?

We have seen several stories, recently, about lost or stolen laptops containing troves of private data. These incidents do introduce a risk that the data will be converted to improper uses – most obviously identity fraud – but I suspect that, in most cases, the ultimate recipient of the computer was seeking, well, a computer. In any case, one thing is clear: the media like to find stories that fit into existing news frames. In particular, they like to find stories that fit with growing social anxieties. Thus, a few years back, a couple of drivers went nuts on the road, taking shots at drivers in other cars. Some savvy writer coined the term “road rage”. Suddenly, aggressive acts by drivers – even those that would have been too mundane to report – became newsworthy as proof of surging “road rage.”

So it is, I fear, with misplaced computers containing private data. The good news for Bruno’s employees is that, given baggage handling norms, the computer is likely inoperable. And even if it does work, it’s probable that the thief – if there be one – simply wanted some additional computing power. On the other hand, maybe that notebook is for sale this very day at the nation’s lost baggage depot – The Unclaimed Baggage Center – in Scottsboro, Alabama. If so, identity thieves would be advised to hustle on down before a local farmer buys the unit and accidentally erases pages of highly valuable private information.


Some Interesting Facts About Identity Theft

Today’s Washington Post contains an interesting article about identity theft. Some identity thieves enlist unwitting employees of financial institutions into supplying them with personal information:

An identity-theft ringleader, also known as the “concierge,” recruits an “insider” to steal personal information from work, data that can be used to make bogus credit cards with real names and account numbers.

Often the “insider” is a lonely woman who falls in love with the concierge after he sidles up to her in a bar, orders her a drink, and discovers that she works for a bank or insurance company — at which point he escalates his wooing. After a while, he persuades her to leak him some customer data because he’s “short on cash.” . . .

The concierge then turns that information into cash using various schemes. One involves giving the customer names and numbers to someone who uses machinery in his basement to churn out phony credit cards and IDs — documents that might not fool a cop but do get past many store clerks. Or the ringleader may use the information to open new credit accounts in the names of unsuspecting victims.

Next, he rents a van in someone else’s name, rounds up a bunch of drug addicts, and gives each a bogus credit card and a shopping list, Goldberg said. Dumped at a suburban mall, they make their purchases and return with hot merchandise.

Then they are driven to another mall in a nearby county, where they are sent shopping again. Purchases are kept under $200 and repeated in different counties to keep the dollar value of individual merchant losses below the radar of police agencies. . . .

Another interesting part of the article discusses how drug dealers are increasingly turning to identity theft:

“What I am finding is these people are in fact retired drug dealers who are sick of getting shot at and arrested,” [Richard] Goldberg [a prosecutor in the U.S. Attorney’s office in the Eastern District of Pennsylvania] said at the summit, which drew thousands of security professionals to Washington for four days.

These days, identity theft is almost as lucrative as drug dealing — but safer.

A stolen credit card number can sell for $100 to $1,000 on the black market, Goldberg said, depending on whether it includes the expiration date and other security codes, plus background on its owner.

Perhaps we should be pleased that the federal government is inept at addressing the identity theft problem . . . finally, a way to get drug dealers off the streets. . . .


More Data Lost: 1.3 Million Student Loan Recipients

From CNET:

About 1.3 million customers of a Texas provider of student loans are at risk of ID fraud, after a contractor lost computer equipment with sensitive information on them.

The equipment, which was not identified, contains the names and Social Security numbers of the borrowers, the Texas Guaranteed Student Loan company said in a statement Tuesday. The hardware was lost by an employee of Hummingbird, an enterprise software company hired to prepare a document management system, it said.

This follows a similar pattern to the way that the Veterans Administration lost 26 million records — some employee takes home the data and it promptly gets lost or stolen. Security tip: Don’t let your employees go home with the data! The government seems to be able to figure this out when it comes to top secret information; companies have figured it out when it comes to trade secrets. But when it comes to personal data belonging to others, it seems as though employees can just waltz out the door with it.

Hat tip: Deven Desai


Private vs. Public Sector Responses to Data Security Breaches

I just blogged about the massive data security breach by the Veterans Administration, affecting 26.5 million veterans. Bob Sullivan has a terrific post comparing the government’s response to its data security breach to that of the businesses that have had such breaches in the past:

It’s become standard practice for data leakers to offer free credit monitoring to victims, so they are able to watch their credit reports daily for signs of misuse. The services are available from the credit bureaus, and cost about $10 a month. Corporations that leak data and foot the bill usually get big discounts.

So far, the vets haven’t been offered credit monitoring. Instead, the VA is reminding victims that they are entitled to a free copy of their credit report every year, and then basically wishing them good luck.

That’s insufficient. . . .

Meanwhile, a single peek at their credit report today would probably reveal very little. Fraudulent accounts can take weeks or months to appear, meaning it would be better to take that one peek in a month or two. But even that’s a tepid step at best to spy signs of identity theft after a data leak like this.

The only way to know something bad is happening to your credit is to look at it repeatedly, at about the same frequency that you look at your checking account statement. It’s hardly a perfect solution and doesn’t catch every instance of ID theft, but it’s a solid start. Credit monitoring services give consumers that kind of access. ChoicePoint, LexisNexis, and nearly all other commercial entities that have lost data have offered credit monitoring to victims for 3, 6, even 12 months.

The VA should do the same. Anything less is neglectful.

Bob Sullivan is exactly right. More at Sullivan’s excellent post.