Shostack + Friends Blog Archive


Stupid Privacy Invasion Fatigue

This morning, Liz sent me a pointer to “Pentagon Creating Student Database” in the Washington Post. I said “Not blogging it. I have stupid privacy invasion fatigue.”

Apparently, I’m not alone. In “ID theft concerns grow, tools lacking,” Bob Sullivan of MSNBC reports:

Among the report’s most interesting findings: only 14 percent of consumers who were aware of their right to a congressionally-mandated free credit report said the reports were very effective in the fight against ID theft.

“The free credit report thing is basically a farce. It only tells you very specific information about your situation at a point in time,” Litan said. Consumers on the West Coast who downloaded their free report last November aren’t eligible for another year, and have had to watch the long string of data thefts with no recourse but to pay for another peek at their reports. “Everyone assumes consumers are dumb,” Litan said. “They’re not. They know these measures are ineffective.”

‘Not really a prevention tool’
Equifax spokesman David Rubinger said free credit reports were never advertised as a panacea for the identity theft problem.

“This is bearing out what Equifax has always said — free credit reports are not going to stop ID theft. They are just one tool,” he said. “The good news is there are products in private sector that can protect consumers.”

All three credit bureaus sell credit monitoring services for about $10 a month that allow daily credit report checkups.

Never advertised? Excuse me? You people fought them tooth and nail. And why should I pay $10 a month to enable their business model? So sorry, but I’d prefer to shut down all the gossip-mongers who I don’t choose to work with.

Joel Winston, an FTC lawyer who helps oversee the free credit report provision, agreed that the reports are not a panacea, but he thought the “program is working pretty well.”

“I’m a lawyer for the FTC, and I’m here to help you.”

Beth Givens, executive director of the Privacy Rights Clearinghouse, said “The regulatory agencies have fallen flat on their faces. They are so industry-oriented they have lost sight of who they are really supposed to be protecting.”


4 comments on "Stupid Privacy Invasion Fatigue"

  • Axel says:

    I’ll never understand the prevalence of tools over common sense. The USA seem to insist on remediating and alleviating problems with tools instead of processes. The only panacea, the only silver bullet to privacy leaks is severe legislation, either forbidding the collection and storage of private data without consent of the person concerned or initiating strict data protection along the lines the EU and Canada have.
    We have the right to check what any given company or gov’t office keeps of our data. They are required to show it and, additionally, we can force them to destroy the data they keep or correct it if it has errors in it.
    If a company such as ChoicePoint kept data about me that is obviously incorrect and will put me in danger for whatever reason (tying false criminal records to me or connecting me with false credit ratings/reports) I insist on having the damn right to correct what they do (and possibly sue them to hell and back again for the opportunities I missed).
    Somehow, this is not happening. Instead, companies are on the search for some strange tool supposed to keep them out of trouble. This won’t work – it only takes one loophole to break through, after all.

  • Good point, Axel. My only concern is that allowing decentralized database monitoring of personal data on a massive scale without good authentication mechanisms may open the door for further fraud. If you can’t guarantee that the person accessing the data is the proper owner, then you only compound the problem. Even access records allow an impersonator to learn who regularly checks their data…
    Of course, this does provide a mechanism of accountability at the individual level–it’s my own fault if I don’t watch my records–but it’s not clear how well this mechanism would actually play in the market.

  • Outsourcing makes fraud cheaper, too

    Since Adam Shostack is suffering from Stupid Privacy Invasion Fatigue, I’ll take this one for him.
    According to The Register quoting The Sun (deemed nsfw by many places, including my employer),
    The paper says one of its journalists bought details…

  • Axel says:

    Allan, ChoicePoint is a prime example of my original point. They were not hacked, their security processes just weren’t adequate enough. Each and every authentication scheme would have been moot because employees accessed the data because they believed the fraudsters were legit.
    As to your comment: we do have mandatory ID cards over here, so the authentication works pretty well with that. (No, I don’t want to get into a discussion about the sense of a US ID card system. All I can say is: it works over here).
