Choicepoint Roundup, June 30

  • We open with two articles from “ChoicePoint overhaul falls behind,” (June 24) and “ChoicePoint overhaul completed, company says” (June 30). From the latter:

    “In fact, we’ve gone beyond our announced commitments to make substantial changes in the past 90 days,” ChoicePoint spokesman Dan McGinn said in an e-mail late Tuesday.

    The Alpharetta, Ga.-based data broker is clarifying its position after a spokeswoman told on Friday that the transition process was ongoing and that it would be some time before the company could announce its completion.

    “ChoicePoint has absolutely fulfilled its obligation to do what it said it would do in the 90-day period,” McGinn said, noting that the company has actually gone beyond the goals it initially set for itself.

  • Techdirt reports that “IRS Hires ChoicePoint To Leak Your Info.”

    In related news, Choicepoint announced that they didn’t even have to notify Calfornia customers, because the law says to notify when “any one or more” of the data elements, not “all.” (Speaking of Choicepoint announcements, we never hear from spokesperson Chuck Jones anymore.)

  • Finally, Declan McCullagh reports on the predictable effect of six months of “self-regulation,” in “Senators propose sweeping data-security bill.” It’s a probably a nasty law that will be expensive to implement and cause large amounts of collateral damage. But its probably also better than what we have now. I have not yet read the proposed law yet. [Updated for clarity, fixed URL. Thanks, RS!]
  • On the bright side, I bet Choicepoint would do a better job than the U.S. Citizenship and Immigration Service, who think that fingerprints expire every 18 months. Read the “Fingerprint Mystery:
    They Don’t Change,
    But They Do Expire
    ” in the Wall St Journal. (Thanks, DM!) [Update: See extended entry for excerpts of WSJ article.]

Continue reading

Chase Manhattan and Textual Interpretation

Ray Everett Church picks up on a story, “Shouldn’t The CardSystems Victims Be Notified?” from Ed Foster, showing that Chase Manhattan bank has failed to read the text of California’s SB 1386. Ed writes:

“Even the strictest of laws, like the one in California, require more identifying information like the individual’s social security number or an account password be involved,” [a Chase spokesman] told me. “None of those things were accessed in this case.”

And now, the law:

(e) For purposes of this section, “personal information” means an
individual’s first name or first initial and last name in combination
with any one or more of the following data elements, when either the
name or the data elements are not encrypted:
(1) Social security number.
(2) Driver’s license number or California Identification Card
(3) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual’s financial account.

That seems remarkably clear to me. Many other states have similar laws, some of which have trap-doors such as “if the institution doesn’t think the consumer will be affected.” As I’ve commented before, the institution has just demonstrated their security competence, so why we’re letting them compound it is beyond me.

Must be a side effect of living in upside-down land, where the law is what we want it to be, not what the text clearly states.

Cardsystems Auditor

I can’t find the blog that discussed the irony of a Visa spokesperson claiming that PCI worked because of the auditor’s need to put their reputation on the line, but then refused to name the auditor. According to the New York Times, in “Weakness in the Data Chain,” it was Cable and Wireless:

In December 2003, CardSystems hired Cable and Wireless America as its outside computer systems security auditor.

“We followed the Visa rules to the letter and the people who did the work are longtime security experts,” said Bill Hancock, a security executive who oversaw the audit. He said CardSystems spent months upgrading its systems before the auditors submitted a report to Visa; CardSystems was certified in June 2004.

The Funeral of an American Soldier

I don’t care what you think of the conduct of a war. What you think of the reasons we’re involved in that war. The funeral of a soldier is no place for political portest, except, perhaps, maybe, if that soldier is a direct family member.

The behavior of a dozen assholes from Kansas at the funeral of Army Staff Sgt. Christopher Piper was despicable:

The 14 demonstrators from Westboro Baptist Church in Topeka, Kan., picketed Monday on a corner near the Old North Church, a Congregational parish founded in 1635, soon after Marblehead was settled. The followers of the Rev. Fred Phelps, who blame American tolerance of homosexuality for the Sept. 11 attacks and the resulting U.S. military casualties in Iraq and Afghanistan, have targeted Massachusetts for protests because it is the only state where same-sex marriage is legal.

Shirley Phelps-Roper, a lawyer for the Kansas church, said Monday that the funeral demonstration was nothing personal against Piper, who was not gay.

“We are protesting the sins of this nation,” Phelps-Roper said. “That doesn’t exclude him.”

On the corner of a narrow street lined with Colonial-era buildings, the Kansas contingent tried shouting its anti-homosexual message at mourners who overflowed from the church. But every time demonstrators spoke out, the 14-man Boston Police Department bagpipe band broke into thunderous sound.

The Kansas group, which had been issued a two-hour protest permit, was escorted out of town by police minutes before the horse-drawn caisson carrying Piper’s flag-draped coffin arrived at the church.

“When we heard about the protesters, we became very angry,” said Bill Audette, a retired police officer and organizer of a central Massachusetts group called Blackstone Valley Nam Vets. Audette, 55, said even though he did not know Piper, he considered it his duty to attend the funeral.

From the LA Times, “Protest at Soldier’s Funeral Brings a Massachusetts Town Together.” Via Sivacracy.

Iran's New President a "Moderate"

“After all, he didn’t kill his hostages…”

London, Jun. 29 – Iran Focus has learnt that the photograph of Iran’s newly-elected president, Mahmoud Ahmadinejad, holding the arm of a blindfolded American hostage on the premises of the United States embassy in Tehran was taken by an Associated Press photographer in November 1979.

Prior to the first round of the presidential elections on June 17, Iran Focus was the first news service to reveal Ahmadinejad’s role in the seizure of the U.S. embassy in Tehran.

The identity of Ahmadinejad in the photograph was revealed to Iran Focus by a source in Tehran, whose identity could not be revealed for fear of persecution.

Oh, wait, he didn’t kill hostages, but did he help execute political prisoners?

Defectors from the clerical regime’s security forces have revealed that Ahmadinejad led the firing squads that carried out many of the executions. He personally fired coup de grace shots at the heads of prisoners after their execution and became known as “Tir Khalas Zan” (literally, the Terminator).

I have no idea what biases Iran Focus may be bringing to this story, which quotes mainly anonymous sources.

(From Iran Focus, via JihadWatch. Photo credited to AP, November, 1979. IranFocus has a larger version.)

[Update: If this is of interest, be sure to see The Jawa Report, who has more photos and links in “State Sponsor of Terror Has Terrorist as President: President Elect of Iran Involved in U.S. Embassy Hostage Takings.”]

The FTC and BJs Wholesale

The FTC has recently issued a consent order to BJ’s Wholesale club in response to this complaint. The FTC, unfortunately, is the body charged with protecting consumers from ID theft. They are failing to rise to the challenge. This is obvious from the continued growth of ID theft. It is obvious from FTC Chair Deborah Platt Majoras’ testimony before Congress, saying that a company should only have to notify customers of mistakes if the company thinks it could be a problem. Now, the companies in these cases have just, prima facie, demonstrated a lack of security competence. Which the FTC would like to allow them to compound, at your expense.

So BJs, under the consent decree is allowed to continue things like saying “PHOTO ID REQUIRED upon first visit” (from their “Join the Club” page) Or, from their new privacy policy, “We collect personally identifiable information (such as your name, Membership number, address, e-mail address, telephone number and driver’s license number).”

BJs has demonstrated that they could not protect this information. That’s why they’ve entered into a consent decree. So why not forbid them from collecting such information? Why not say “You can’t collect information beyond what is needed to execute a transaction?” If I show up and say my name is John Doe, and I’d like to pay cash, why can BJ’s turn me away?

Sure, they have a “business model” that they’d like to preserve. And they’ve demonstrated that they are not responsible with the data that they collect. The information they collect is issued by, and certified by, the government, and the FTC should say, “Sorry, you must be at least this competent to maintain a collection of this sort of data.”

A second problem with the consent decree is the use of a security auditor. The auditor will look at issues from the company’s perspective. But the issue here is externalities, where the company is making poor choices for their customers, not for themselves.

Finally, there is no requirement that the auditor’s report be made public, and given past comments by Majoras about “public confidence,” every reason to believe that they will be kept private, however bad they are.

If you’d like to preserve your business model, it can’t involve dumping toxic waste into the river. It also can’t involve mandatory collection of data you can’t protect.

(Via Daniel Solove, “Is the FTC Finally Getting Serious About Security?” )

Equifax CEO: ID Theft is an epidemic

But [Equifax CEO] Chapman acknowledges Equifax has “no silver bullet” when it comes to thwarting fraud. One popular belief is that checking a credit report once a year is a defense. That doesn’t protect consumers, Chapman said.

“It’s not going to help and the public is starting to learn that,” Chapman said. He decried the government’s plan to force Equifax and the other top three credit-reporting agencies, Experian and TransUnion, to provide annual credit reports free of charge.

“I’m all for good laws, laws that protect people. But this isn’t one of them,” said Chapman, who also opposes the law because it forces the companies to give away their product, which he called “un-American.”

What Chapman wants to see are stricter standards for data storing, including mandatory encryption. He also spoke in favor of a new method of identifying people other than by Social Security number.

You know, maybe you could stop blaming the victims of fraud by impersonation, stop enabling the crime by allowing all Americans to freeze their credit, and add a comprehensive program to stop libeling people who are victims of the crime?

(From Associated Press, Equifax CEO: Identity Theft Is an Epidemic.)

Fingerprint Privacy

fingerprint-stars.jpgThere have been a slew of stories lately about fingerprint readers being tied into payment mechanisms. I don’t particularly like the idea, but if you do, feel free. At least until your lack of care about privacy starts displaying externalities. Many of these vendors are making claims like

it is not possible to recreate the fingerprint from the stored template

However, as Ross, J. Shah, and A. K. Jain, “Towards Reconstructing Fingerprints from Minutiae Points,” that just ain’t so. You can reconstruct fingerprints from minutae, and they both describe and demonstrate that. Which is to say, the biometrics vendors who persist in making these claims are either ignorant or liars.

Andy Adler points out in “Images can be Regenerated From Quantized Biometric Match Score Data,” you can do the same with faces. Adler’s technique is very different, using the server for repeated queries. Cryptographers would call that an oracle.) Adler was also kind enough to respond to a query about fingerprints with a pointer to Ross, Shah, and Jain’s work. The Adler paper was pointed out to me by Daniel David Walker. And finally, the fingerprint is from

UK ID Cards, Choicepoint, and Privacy

Usually, government ministers wait until a new program has been rolled out before they start reneging on their promised of how it will work. But in the brave new world of UK ID cards, they’re being honest. As the Independent reports in “Ministers plan to sell your ID card details to raise cash“:

Personal details of all 44 million adults living in Britain could be sold to private companies as part of government attempts to arrest spiralling costs for the new national identity card scheme, set to get the go-ahead this week.

The opening of commercial talks contradicts a promise made when the Home Office launched a public consultation on ID cards in April last year, when officials pledged that “unlike electoral registers, the National Identity Register will not be open for any general access or inspection.”

Any guesses as to who’ll be first in line? (I already gave you a hint in the title.)

Meanwhile, Stefan Brands has a 4 part summary of the LSE analysis of the new ID card system. Part I, Part II, Part III, Part IV. Summary of the summaries: The proposed system was designed by companies selling “enterprise” software with no concern for, or thought given to, the appropriateness of that software for national ID use.
(UK ID tidbit via Pacanukeha’s “It’s all about Control.” ID card from ID Unknown)

A Privacy-Openness Tradeoff

In “Adoptees File Human Rights Complaint Against Canadian Privacy Commissioner,” reports on a dispute between the parents and children, mediated by the state:

A group of Ontario adoptees has filed a human rights complaint against Privacy Commissioner Ann Cavoukian after she lobbied the province to amend its proposed adoption disclosure law with a clause allowing people to keep their records sealed. By calling for a veto, Cavoukian “is trying to say that we do not have an automatic right to our birth registration information,” said Wendy Rowney of the Coalition for Open Adoption Records.

I find this interesting first because of the human dramas it represents, of people wanting to know about their heritage, and the conflict with parents who make a mistake, choose to bear a child, but want no part of raising that child. (There’s also an interesting tie to Roe v. Wade, which you may recall was based on a woman’s right to privacy.)

The second thing that makes this interesting is that its an outgrowth of the government collection of data. Before the growth of centralized records, a baby ‘left on the church steps’ could be truly anonymous. There were no records to be had, except possibly in people’s memories. If a family was wealthy enough to send a daughter some distance, she could go under an assumed name, and return, and perhaps get on with her life.

These multiple person privacy issues are extremely hard. A related example is what happens if a sibling gets a genetic test? A great deal about me can be inferred. Should I have a data protection right in that test result? What if two siblings get tested, and the data holder starts performing family inferences?