Shostack + Friends Blog Archive


What to do, What to do?

Over at Open Society Paradox, Dennis Bailey challenges me:

Emergent Chaos documents some problems but ends with a personal slam against ChoicePoint’s CEO. [Ed Note: Technically, we call that the “middle,” not the end.] What would Emergent Chaos have us do? Should we follow the Fair Information Practices and allow 300 million citizens to be able to verify their data? This may be manageable when you are talking about a single company. But what about the thousands upon thousands of companies that are holding personal data? What would be the cost for companies to start complying with new privacy regulations that would allow individuals to verify their data in company databases?

It’s a fair question, and I suppose the first question is “Who is us?” I’ve been deeply ambivalent about new laws. However, given what Choicepoint is now facing, I think that pursuing a Fair Information Practices driven approach, and pushing for their industry to do the same, may be one of the few ways that they can stave off legislation. But if us is the American people, it seems to me that 145,000 angry citizens have called their legislators and said “What are you going to do about this?” Unless the industry acts, and acts credibly, then there will be new laws. Not because of the blogosphere, but because of the democratic process in action.

What would the cost be? Its another good question. But what are the costs of not allowing access? It’s jobs denied, homes not bought, cars not financed, because of inaccuracies in the database.

I actually really don’t get this argument, coming from a fellow who talks about a need for a more open society. How are we going to have openness with closed databases?

Now instead of the Choicepoints of the world having to verify the data of a few thousand businesses, now they have to verify the identity of millions of individuals who are asking for access to personal information. For an identity thief this becomes a false identity paradise.

This argument has been raised against every privacy law ever passed. I’m not aware of any company, anywhere, having exited their business because of an inability to solve it. These companies have lots and lots of data about you, and can use it to ensure that (for example) only someone living at your address can get your records.

Or take the notification law. Does this really solve the problem? How many companies have their databases violated without even knowing about it? Would it make a dent in the number of cases of identity theft?

It’s about openness. It really does help people if they can get a jump on ID theft quickly. It may not prevent the crime, but it can limit the damage very substantially.

I’m working on a longer post about other things that can be done. It turns out there are some interesting opportunities.

5 comments on "What to do, What to do?"

  • I am all about openness. But you can’t just open the floodgates of a thousand ChoicePoints unless you know who you are giving access to. The problem is the other side of the equation – there is not enough openness in terms of people’s identities. If the top data aggregator can’t adequately validate the identities of businesses, when credentials for businesses are more exacting, how are smaller businesses going to verify the identity individuals. We need to improve identification at the individual level before we start to call to open up thousands of databases.
    Which brings us to the point of who owns this data in the first place? ChoicePoint would argue that they’ve collected this information and thus are the owners of it. The courts have long supported that once information is turned over to a third party, you no longer own it. For many people on my side of the fence, (see Eugene Volokh), the exchange of information between companies that make a ChoicePoint possible is a free speech issue.

  • Also you say:
    “What would the cost be? Its another good question. But what are the costs of not allowing access? It’s jobs denied, homes not bought, cars not financed, because of inaccuracies in the database.”
    How many cases of identity theft have been reported from the ChoicePoint case? Compare that to 145,000 or probably more, let’s say a million people who want to start looking at their records. How many customer service reps would that take? How many IT upgrades would be required? How much mail would have to go back and forth. Do some quick math and I think you’ll see where the preponderance of costs are. Now take a thousand companies which store personal data and the scales separate exponentially.

  • adam says:

    The big three credit agencies haven’t gone out of business, despite facing these costs.

  • Looking for Answers with ChoicePoint

    No one that I’ve seen has provide more coverage on the web on the ChoicePoint case than Emergent Chaos. This issue resonates with Adam as it probably does with a lot of individuals. But after reading a lot of his…

  • Here’s an example of when identity theft puts limits on openness:
    Identity theft concerns limit open records

Comments are closed.