Wednesday, December 12, 2012

All secrecy and no privacy

Based on my own personal observations and experiences, most of us don’t think about invasions of personal privacy until something bad happens. For example: you learn that your personally identifiable information (name, address, date of birth, Social Security number, etc.) has been stolen by identity thieves and is now being used to fraudulently obtain goods and services halfway across the country using your good name and credit.

But the reality is that we all suffer invasions of personal privacy on a daily basis. It’s just that we don’t know it.

Regrettably, existing laws governing our privacy and personal data protection are woefully inadequate and far too open to interpretation by private companies specializing in both the collection and sale of public and non-public record information on each and every man, woman and child living in America today.

Add to that list social network firms collecting and storing information on nearly every facet of a consumer’s life, advertising networks tracking consumers as they browse the Internet, and both private and government-owned camera networks collecting biometric data through the use of facial recognition technology in our cities, highways and malls, and very soon it becomes apparent that our lives are perhaps not as private as they once were.

How did we get here? Simple answer: advancements in computer technology coupled with significantly enhanced data storage capabilities, which now permit big data organizations, including consumer reporting agencies, data brokers and marketing firms, to surreptitiously acquire vast amounts of information from multiple sources on virtually all American consumers without their knowledge or consent.

It’s a fact of life that every day hundreds of private companies across America (including those which falsely suggest that they operate within the auspices of the Fair Credit Reporting Act or FCRA) update their files on each and every one of us with information collected from so-called contributors.

While it’s hard to pin down exactly which businesses, organizations and government agencies directly or indirectly contribute information to data brokers and other consumer data traffickers, evidence points to auto dealerships’ sales and service departments, cable TV and satellite companies, county government agencies, insurance companies, magazine subscription services, money transfer and bill paying agents, online retailers, pharmacies, state Department of Motor Vehicles offices, supermarkets, telephone companies (land line, mobile and VoIP) and utility companies providing electric, gas and water services to consumers.

In many instances, this information includes updates and/or confirmation of such personal details as present address, employment or school location, mobile and/or land line phone numbers (including work and non-published numbers), automobiles owned or driven, recent subscriptions and purchases, utility company payments and even personal financial data including non-traditional credit history, utility company account status and recent applications for credit, employment, federal or state benefits, rental accommodation and business or professional licenses.


Within a matter of hours, updated information received from a contributor is merged onto a consumer’s existing file and in turn made available (for a fee) to practically any business entity, organization or government agency with a perceived permissible purpose interested in you. An email notification may even be sent out if you change your mailing address, phone number or driver’s license details or any other pertinent personal information which may be of interest to your creditors, including auto loan companies, credit card issuers and home mortgage lenders, and even federal, state or local law enforcement agencies which may have accessed your file in the past.

Needless to say, if you don’t know about the existence, let alone the contents, of your personal files with potentially hundreds of consumer data organizations across America, it can be kind of hard to identify inaccuracies, let alone correct them, before you are turned down for an auto loan or home mortgage, or perhaps worse, rejected for a job based on inaccurate information contained in a report (or behavioral score) furnished along with a copy of your credit report from one of the big three consumer reporting agencies: Equifax, Experian and TransUnion.

A good example would be the National Consumer Telecom & Utilities Exchange, Inc. (NCTUE), which reportedly collects and provides information to industry members on 80% of utility customers in America through a contractual arrangement with consumer reporting agency Equifax, Inc.

The fact is, very few consumers are aware of NCTUE’s existence, let alone its activities, which include, according to its website, providing information to third parties for the purpose of offering selected consumers pre-approved offers of credit. In other words, they collect information on how you pay your electric, gas, phone or water bill and, amongst other things, sell it to third parties without your knowledge or consent.

Switching from the private sector to the public sector, the announcement this past October by the South Carolina Department of Revenue that hackers had accessed millions of taxpayers’ records, including Social Security numbers and employer identification numbers, once again demonstrates how vulnerable we all are to the failings of both elected officials and senior government employees in understanding the concept of protecting citizens’ (taxpayers’) personal data.

Based on news reports, the South Carolina Department of Revenue had no official in charge of overseeing the safety and security of state-owned computer systems containing both personal and business tax records, due to a lack of candidates for the poorly paid position, which I understand had been vacant for quite some time.
 
While in this case officials really had no choice but to inform the public owing to the size and magnitude of this data breach by foreign hackers, based on my own personal observations and experiences, the South Carolina "openness" approach is most definitely the exception rather than the rule when it comes to both federal and state government agencies.

There is perhaps no better example of this than back in the 90s, when identity thieves operating in Connecticut allegedly acquired thousands of consumer credit reports under false pretenses from one of the big three consumer reporting agencies using bogus law office and debt collection agency credentials. The identity thieves, who also operated as unlicensed private investigators, cultivated a network of dishonest employees at banks, all willing to betray the trust of their employer and the general public by selling private and confidential customer information which included account numbers, daily balances and other detailed transaction history. Interestingly, one of the biggest groups of customers for this illicit information was unscrupulous law firms working in the debt collection field seeking to locate debtors’ personal assets.

Despite the fraudsters obtaining consumer credit reports on thousands of victims spanning well over five years and receiving stolen customer data from some of America’s largest banks, none of the federal, state or local law enforcement authorities made aware of these multiple crimes bothered to properly investigate them, let alone contact the thousands of identified victims whose personal bank accounts and credit reports had been accessed and used for a variety of unlawful purposes.

To be honest, it is still hard for me to come to terms with the fact that, based on my own personal observations and experiences over the past twenty years, the majority of lawmakers, policy advisors and senior government officials (which includes employees at branches of the US Justice Department and US Treasury Department along with their colleagues at the Social Security Administration) appear to view the subject of personal privacy, consumer data protection and identity fraud prevention as less than a priority.

Today, tomorrow, next week, next month and next year we will all (with a few exceptions) be subjected to invasions of personal privacy by business entities and their agents (which in most cases we have never heard of) collecting and trafficking in our most personal information. All without our knowledge and consent or the ability to correct errors, omissions or outright falsehoods.

Worse, if this information is stolen as a result of a data breach and used in the commission of a crime, there is every reason to believe that you won’t know about it until it’s too late and the damage has already been done to your credit rating, personal finances or online reputation.

Under the circumstances, it looks like we all live in a world of "all secrecy and no privacy" as we go into 2013.

To be continued...
 
 

Sunday, December 2, 2012

Invasion of personal privacy, the bribery of police officers and theft of confidential data


This past week, the Leveson report was released in the UK (Inquiry into the Culture, Practices and Ethics of the Press), which in simple terms sets out recommendations for British lawmakers to consider in relation to the phone hacking scandal (invasion of personal privacy, the bribery of police officers and theft of confidential data) by employees at several News International plc newspapers owned and controlled by News Corp, which here in the United States owns the Fox News Channel and The Wall Street Journal.

Contained within the report is the recommendation that the British government should put in place a "self-regulatory board" with the authority to supervise and sanction news media organizations considered to be operating outside of the public interest and/or law.

This proposal has been met with skepticism and in some circles outright condemnation with many pointing out that Britain has enjoyed a press free of supervision for centuries.

The fact remains however, that journalists and operatives hired to procure private and confidential information on targeted individuals by News International newspapers broke the law and above all, betrayed the trust of the British public.

Unfortunately, once again we see the invasion of personal privacy and theft of confidential data used as a component of doing business by a group of highly educated people (in this case News International employees), all willing to knowingly flout the law in order to obtain private voice mail messages on individual citizens, including a missing (later discovered murdered) teenage schoolgirl.

Perhaps what makes this conduct especially reprehensible is the fact that it was carried out year after year, presumably in order to increase sales and in turn profits for a division of a publicly traded media company (News Corp) listed on stock markets around the world.

Under the circumstances, the Leveson "self-regulatory board" is not only a good idea but essential in order to restore the public’s (and the world’s) trust in the British newspaper industry.

Tuesday, November 27, 2012

Hewlett-Packard burns its reputation once again

One of the things that caught my attention in the delivery room the day my eldest son was born twenty-three years ago was the number of medical devices and diagnostic machines manufactured by the Hewlett-Packard Co.

Back then, Hewlett-Packard was still known by its full name and not HP (except perhaps by company employees and Wall Street types) and enjoyed a reputation for not only designing and manufacturing quality products sold around the world, but also for fostering a spirit of corporate integrity and above all, honesty. Almost certainly, an ethos stemming from the company’s founders, Bill Hewlett and Dave Packard who started their little enterprise in a garage near Palo Alto, California back in 1939 with a reported total investment of $538.

One can only wonder how Mr. Hewlett (1913 - 2001) and Mr. Packard (1912 - 1996) would feel today if they knew how their company’s reputation has been so tarnished in recent years by one corporate misstep and/or scandal after another.

The latest revelation by current CEO Meg Whitman, that HP has asked the SEC along with the UK Serious Fraud Office to investigate alleged accounting irregularities at the recently acquired British company, Autonomy Corporation PLC, does not exactly bode well for the company on the global reputation front. Neither does the reported $9 billion write-down recently announced as a result of the troubled acquisition, let alone Ms. Whitman’s finger-pointing in the media specifically directed at Autonomy’s accountants, Deloitte, overtly suggesting that the accounting firm along with its client "cooked the books" and duped HP into buying the company.

Clearly, Hewlett-Packard's due diligence before completing the deal back in 2011 was inadequate, and perhaps worse, by going public with some pretty damning allegations against both Deloitte and Autonomy’s former management, the company has stirred up a firestorm of counter-accusations against itself, including a statement by Autonomy founder Mike Lynch to the British press that joining HP was "like boarding a plane, realizing the engine is on fire and then going up to the cockpit only to find that the pilots are having a fight."

My own personal interest in Hewlett-Packard, in the capacity of a consumer privacy advocate, dates back to the company’s spying scandal of 2006, when it was revealed that former HP chairwoman Patricia Dunn had hired a firm of independent security experts to investigate alleged leaks of confidential company information by members of the HP Board of Directors to the news media. The security experts in turn hired private investigators who reportedly set about using so-called social engineering techniques, which included pretexting (a form of identity fraud), in order to obtain the personal phone records of HP board members, along with journalists working for CNET, the New York Times and Wall Street Journal.

Unfortunately for Ms. Dunn, this illicit plot was discovered, ultimately resulting in her forced resignation from HP and worse, California Attorney General Bill Lockyer filing criminal charges against both her and other HP employees and contractors. These included four felony counts: fraudulent use of wire, radio or television transmissions; taking, copying, and using computer data without authorization; identity theft; and conspiracy.

Ms. Dunn was a long-suffering cancer patient who had undergone surgery in the summer of 2006, and her attorneys eventually managed to get the charges against her dismissed (to the surprise of many, including me), while the other HP defendants cut plea deals with the prosecutor.

Some positive things did, however, come out of the HP spying scandal. These included a congressional committee looking into the business practices of Hewlett-Packard and other large companies identified as using ID fraud as a business tool.

Documents and testimony provided to the House Energy and Commerce Committee in 2006 revealed that, amongst others, LaSalle Bank (now part of Bank of America), Ford Motor Credit, and a unit of Wachovia Bank (now part of Wells Fargo) had also allegedly used investigators to obtain the personal telephone call records of individual consumers using pretexting and other unlawful techniques.

In response to this unlawful conduct, Congress passed the Telephone Records and Privacy Protection Act of 2006 (H109-4709), which was signed into law by President Bush in 2007. Clearly, the intent of this act was to reinforce existing federal laws, including the Gramm-Leach-Bliley Act of 1999, which already outlawed pretexting and other techniques for obtaining private and confidential information under false pretenses.

Unfortunately, however, the 2006 federal law did not stop pretexting, which is still widely used today by some investigators (also known as information brokers or skip tracers) working for the debt collection and vehicle repossession industry.

Returning to the topic of HP and its problems: following Ms. Dunn's departure in 2006, Mark Hurd was appointed chairman of the company. Four years later, Mr. Hurd resigned after alleged personal expense account irregularities were discovered and a sexual harassment allegation surfaced, making his future at HP untenable.

Mark Hurd was followed by Léo Apotheker, who served briefly as the Chief Executive Officer of Hewlett-Packard from November 2010 until his firing in September 2011.

In January 2011, former eBay executive and California gubernatorial candidate, Meg Whitman joined the Hewlett-Packard board and was later appointed President and CEO in September 2011 after Mr. Apotheker’s firing.

Amongst other things, Ms. Whitman voted as a board member to purchase Autonomy, a company which sells a broad range of enterprise search and knowledge management software products including what I would describe as digital eavesdropping technology used by amongst others, businesses (including the financial services industry) and government agencies to monitor telephone calls, emails and other communications for a variety of purposes.

Interestingly and perhaps troubling, depending on your point of view, Autonomy software can "listen" through a million hours of telephone conversations, and find key words or phrases which may be of interest to, for example, government investigators or law enforcement officials seeking information on an individual or group of individuals for predictive policing purposes.

A good example is the case of Société Générale’s rogue trader, Jérôme Kerviel, who was convicted through the use of Autonomy software by law enforcement authorities.

Almost certainly, Ms. Whitman, along with the other HP board members, believed that Autonomy was a good fit when they agreed to purchase the company in 2011. But alas, things have not worked out, and Ms. Whitman, who is now embroiled in a trans-Atlantic blame game with Autonomy founder Mike Lynch, is being closely watched and reported on by the world’s news media. Not exactly a good thing for Hewlett-Packard's global reputation.
 


 
 
 
 
 
 
 
 
 
 
 
 

Sunday, November 25, 2012

Identity fraud rings identified operating in Southern States

 

 

This month, consumer risk management firm, ID Analytics of San Diego, published a study indicating that there are more than 10,000 identity fraud rings operating in the US, and many are in southern states.

According to the report, the study is the first to investigate the interconnections of identity manipulators and identity fraudsters to identify rings of criminals working in collaboration.

So-called hotbeds for fraud rings include Alabama, the Carolinas, Delaware, Georgia, Mississippi and Texas.

The study, which reportedly looked at approximately 1.7 billion identity risk events, demonstrates once again how sophisticated consumer analytics databases are truly becoming.

One can only wonder if federal, state and local law enforcement agencies will receive a copy of this study and actually use it in a meaningful way. The fact is, based on past history, reports and studies relating to the activities of identity fraud rings operating here in the US seldom result in prosecutions.

Data mining for fraud detection purposes is a good thing. However, data mining should be an inclusive exercise which not only helps protect the safety and security of financial services firms, but also assists victims of identity fraud in learning the most likely source of a data breach involving their personally identifiable information.

Almost certainly, this suggestion would meet with strong opposition from both the consumer data and financial services industries, which would most likely cite potential liability issues. However, with carefully crafted federal legislation including a mandatory notification process in place, American consumers could (and should) have the ability to search and locate information on a central database which would help them identify the source of a past data breach involving their personal information. Which would be a good thing.