Shostack + Friends Blog Archive


Direct Marketing Association opposes consumer right to see, correct information

Access and correction rights are something the DMA wants removed from the bill, Cerasale said. For one thing, it would be expensive for list brokers and compilers to set up procedures enabling consumers to access and correct data. For another, the same hackers who caused the breach could also change the data.
You can’t correct the info we have on you because hackers may have made it incorrect. Gutsy argument to make, DMA — “Costs from hacking are better left on you, the millions of little guys, rather than us, even though it is vastly cheaper for us to make a correction than it is for you to recover from an unauthorized change’s consequences”.

6 comments on "Direct Marketing Association opposes consumer right to see, correct information"

  • Mordaxus says:

    I welcome this and think it’s a good idea. It reflects a notion that I have had for some time that invalid data about you is good, particularly if the world at large doesn’t trust the data source. “Oh, you saw that about me — pfft, what do you expect? It was in my credit report.”
    This is similar to the idea of idea of crowds, mixnets, and so on. Cities are good to hide in because people in cities just don’t care.
    So I think that inaccuracy is a form of privacy. Especially if you can laugh about it.

  • Adam says:

    I agree that it can be a form of privacy, but those who are suffering from inaccurate information should not be denied the chance to correct it. Eg, those expectant parents who have a miscarriage and get baby mailings for years saying things like “As your child turns three…”

  • Allan Friedman says:

    Chris – source on that quote?
    I hate to side with the DMA, but do we have good enough authentication technology to prevent non-subjects from accessing the subject database? If I stumble across, say, a DoB-SSN record and want to know whether there’s a tasty line of credit to be had, a marketing database would be a reasonable proxy for a credit report.
    –Databases are valuable competitive assets, so a marketing firm would have a strong incentive to prevent large-scale unauthorized access from competitors.
    –Marginal harm: there are many other, more valuable things that are also protected by weak authentication, so adding marketing DB doesn’t increase marginal risk of Bad Stuff, while offering a privacy benefit.
    For the past month, I’ve been working on a project comparing strong authentication systems with the alternatives of weak authentication and privacy auditing. I believe that auditing in particular is not terribly well understood. Any comments or suggestions would be most welcome.

  • Allan Friedman says:

    The canonical example of an access-right gone FUBAR is the Social Security Administration’s PEBES:

  • Chris Walsh says:

    Source is
    I had this in the post, but MT seems to have stripped the tags. I have used the same construct for other citations, so I’m mystified.

  • Chris Walsh says:

    I found the problem! Citation is now in place.

Comments are closed.