Category: Privacy (Consumer Privacy)

Black Boxes Bite Back

As interest rates jump, piggybacking has become all the rage in “credit repair” circles. For a fee, groups like Instant Credit Builders will let you “borrow” (part of) another person’s credit score by becoming an “authorized borrower” on his cards. Here is ICB’s overheated defense of the practice:

ICB has developed a system to counter the harmful societal impacts of an emerging market called “subprime lending”. Mob-like blood suckers under the umbrella of legitimate lending institutions are targeting those who have poor credit scores but fall short of being beyond credit risk acceptance.

To explain why subprime lenders are in such an opportunistic industry, take this example: The commission payable to a financial adviser or mortgage broker from an actual prime lender on a $100,000 deal yields a broker about $250. Yet the same $100,000 deal using a subprime lender yields them $2,000 to $2,500. This niche market banking industry is getting paid well to enslave most minorities, low-income borrowers, even victims of identity theft with interest rates that can be up to 3.5% higher than average.

Needless to say, mortgage lenders are hoppin’ mad. The godfather of credit scores, FICO, has claimed that “piggy-backing will soon come to an end on its watch.” One irony here is that, as lenders crack down, “they may actually increase demand for some of the services that these Web sites offer.”

A lot of the commentary on these sites has been harsh, but let me offer something like an “unclean hands” defense. Credit scores have long come under attack for having “a disparate impact on poor and minority populations.” Moreover, the scoring is opaque; scorers claim that transparency would undermine their “trade secrets.” So consumers are navigating a world where they can have only a vague idea of the rules. Lenders shouldn’t be surprised when entrepreneurs reverse-engineer the ratings system and the technology bites back.

Moreover, these rules themselves may be self-fulfilling prophecies: if you decree that one missed $10 payment for a family of 4 earning $30,000 per year lowers their credit score by 200 points, they probably are going to end up being more likely to default because they are going to be paying much more in interest for any financing they get. Again, because the scores are black boxes, we have no assurance that the companies that offer them try to eliminate such endogenicity or whether they actually try to profit from such self-fulfilling prophecies.

As long as credit ratings are so shrouded in secrecy, the lenders who rely on them should expect gaming of the system. Watch for a debate over “black hat” vs. “white hat” credit repair builders as controversial (and interminable) as that now occurring in the world of search engine optimization.

Requiring Banks to Disclose Identity Theft Statistics

Kudos to my friend Chris Hoofnagle (Samuelson Clinic at Berkeley Law School) who had his paper on SSRN written about by the New York Times:

The Senate Judiciary Committee’s subcommittee on terrorism, technology and homeland security will take up the issue in a scheduled hearing today titled “Identity Theft: Innovative Solutions for an Evolving Problem.” . . . .

The subcommittee will also hear a radical new idea on a way to obtain reliable numbers on the extent of identity theft.

The proposal, submitted by Chris Jay Hoofnagle, a lawyer and senior fellow at the Berkeley Center for Law and Technology at the University of California, recommends that lending institutions like banks and credit card companies, and payment firms like PayPal, be required to report their internal figures on fraud and identity theft publicly.

Unfortunately, as is typical with the mainstream media, no information is provided about how to locate Chris’s paper let alone a hyperlink. In his paper, Identity Theft: Making the Known Unknowns Known, Chris proposes that banks be compelled to disclose identity theft data. From the abstract:

Privacy’s Other Path

Professor Neil Richards (Washington University School of Law) and I have posted on SSRN our new article, Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Georgetown Law Journal __ (forthcoming 2007). The article engages in an historical and comparative discussion of American and English privacy law, a topic that has been relatively unexplored in America.

Although the tort law of privacy in America and England arose from the very same common law cases, the law has developed on very different paths in each country. For example, in England, a friend, spouse, lover, or nearly anybody else who violates a confidence can be liable. In America, people are said to assume the risk of betrayal for many breaches of confidence; the law, however, protects against the invasion of privacy by strangers. How and why did the law develop so differently in America and England? Our new article explores the answers to these questions and debunks many myths in the conventional wisdom about privacy law.

You can download and read the article for free on SSRN. If you don’t like it, we provide a full money-back guarantee. With a deal like this, how can you lose?

Here’s the abstract:

The familiar legend of privacy law holds that Samuel Warren and Louis Brandeis “invented” the right to privacy in 1890, and that William Prosser aided its development by recognizing four privacy torts in 1960. In this article, Professors Richards and Solove contend that Warren, Brandeis, and Prosser did not invent privacy law, but took it down a new path. Well before 1890, a considerable body of Anglo-American law protected confidentiality, which safeguards the information people share with others. Warren, Brandeis, and later Prosser turned away from the law of confidentiality to create a new conception of privacy based on the individual’s “inviolate personality.” English law, however, rejected Warren and Brandeis’s conception of privacy and developed a conception of privacy as confidentiality from the same sources used by Warren and Brandeis. Today, in contrast to the individualistic conception of privacy in American law, the English law of confidence recognizes and enforces expectations of trust within relationships. Richards and Solove explore how and why privacy law developed so differently in America and England. Understanding the origins and developments of privacy law’s divergent paths reveals that each body of law’s conception of privacy has much to teach the other.

We welcome any comments and suggestions for the article.

How Should Data Security Breach Notification Work?

In 2005, a series of data security breaches affected tens of millions of records of personal information. I blogged about them here, here, here, here, and here.

One of the major issues with data security breaches involves what kind of notification companies should provide. The spate of data security breach announcements began in February 2005, when ChoicePoint announced its breach pursuant to California’s data breach notification law. At the time, California was the only state that mandated individual notice following a breach. Subsequently, numerous states passed laws requiring that companies notify individuals of breaches. Federal legislation is currently being considered to create a national security breach provision. But key questions remain in hot contention. First, what kind of breach should trigger a notification? If the risk of harm is low, some companies contend, then providing notice can be quite costly with little benefit in return. Second, what kind of notice should be given? Notice to each individual affected? Notice to the media or FTC only?

Professors Paul Schwartz (law, Berkeley) and Ted Janger (law, Brooklyn) have posted on SSRN their article, Notification of Data Security Breaches, 105 Mich. L. Rev. 913 (2007), which seeks to answer these questions. From the abstract:

The law increasingly mandates that private companies disclose information for the benefit of consumers. The latest example of such regulation through disclosure is a requirement that companies notify individuals of data security incidents involving their personal information. In the wake of highly publicized data spills, numerous states have now enacted such legislation, and federal legislation in this area has also been proposed.

These statutes seek to punish the breached entity and protect consumers by requiring that a breached entity disclose information about the data spill. There are competing possible approaches, however, to how the law is to mandate release of information about data leaks. This Article finds that a reputational sanction from breach notification can be important, but not for the reasons conventionally discussed. Moreover, a further function of breach notification is mitigation of harm after a data leak. This function requires a multi-institutional coordinated response of the kind that is absent from current policy proposals. To fill this gap, this Article advocates creation of a coordinated response architecture and develops the elements of such an approach.

For anybody interested in data security, this article is definitely worth checking out.

The Free Credit Reports That Aren’t Free

You’ve probably seen the commercials, which run incessantly on CNN and other cable channels. A happy young man says: “I’m thinking of a number . . . ” That number is a credit score, which you can obtain at a website called FreeCreditReport.com. You probably have heard that under a new federal law, credit reporting agencies are required to provide each person with a free credit report once a year. That website, however, has the much more obscure name AnnualCreditReport.com. I previously blogged about my experiences using AnnualCreditReport.com. One of the problems is that if you don’t know that the correct website is AnnualCreditReport.com, then it is very easy to go to the FreeCreditReport.com website. After all, it is featured quite prominently in a Google search for “free credit report.”

But there’s one catch — it ain’t free. Far from it. From the fine print:

When you order your free report here, you will begin your free trial membership in Triple Advantage℠ Credit Monitoring. If you don’t cancel your membership within the 30-day trial period, you will be billed $12.95 for each month that you continue your membership.

ConsumerInfo.com and Freecreditreport.com are not affiliated with the annual free credit report program. Under a new Federal law, you have the right to receive a free copy of your credit report once every 12 months from each of the three nationwide consumer reporting companies. To request your free annual report under that law, you must go to www.annualcreditreport.com.

FreeCreditReport.com is run by Experian, one of the credit reporting agencies. Experian also has another website offering free credit reports: ConsumerInfo.com. Recently, the FTC settled a case against the ConsumerInfo.com website. According to an FTC news release:

The Rise of Customer Blacklists

Blacklists appear to be the rage these days. With the ease of storing and sharing personal information — coupled with lax privacy law restrictions on such activities — companies can increasingly create blacklists of bad customers. In this article from the Ottawa Citizen, hotels in Australia and Canada (and soon the United States) are signing up for a service that compiles a blacklist against “bad” hotel guests:

Blacklisting everyone from the whisky-swilling scoundrels whose partying sabotaged your last vacation to the louts who channel Pink Floyd by dismantling their rooms, the new Australian database — which is expected to expand to Canada and the U.S. by year’s end — helps prevent unsavoury individuals from obtaining short-term accommodations.

“People are becoming less considerate of the space they’re staying in,” says Josh Ginty, project manager of the Guests Behaving Badly registry.

“What we hope to do is proactively advertise to those people … that their details will be recorded if they breach house rules. That in itself is often a strong enough deterrent.”

Accessible only to operators of hotels, motels and vacation homes, the membership-based registry tracks five levels of guest misconduct. These range from “lower-level blatant disregard” for regulations, such as smoking in non-smoking rooms or swimming in the pool after hours (several staff warnings must be ignored before the activity is reported on the registry) to higher-level infractions such as non-payment of the hotel bill, assault or vandalism.

“If you steal a couple of towels, we’re interested in tracking that,” says Mr. Ginty. “But it doesn’t compare to someone who has verbally or physically abused the night manager.”

More than 1,000 properties have signed up for the service since it launched in December 2006. Expansion to other continents is planned to begin in six months, depending on how easily the database can be adapted to each country’s privacy laws.

Customers have the ability to rate hotels with websites such as TripAdvisor.com. So why shouldn’t hotels be able to rate customers?

I don’t view the situations as symmetrical. Customers have long been spreading their opinions about hotels and other businesses — this is how the market produces good products and services. Word about bad hotels gets out and it leads to less business, thus creating an incentive for hotels to improve their service. But what happens when a similar process works against customers? True, some hotel guests are obnoxious and destructive, but do we really want to live in a country where people find themselves routinely blacklisted from various hotels and other businesses (stores, etc.)? In a Seinfeld episode, Elaine once found herself on a blacklist by doctors for being a bad patient. Perhaps this is the trend of the future. I sure hope not.

A Guide to Lobbyist Arguments on Consumer Protection

Chris Hoofnagle (Berkeley’s Samuelson Clinic) has posted on SSRN his paper, The Denialists’ Deck of Cards: An Illustrated Taxonomy of Rhetoric Used to Frustrate Consumer Protection Efforts. From the abstract:

The Denialists’ Deck of Cards is a humorous illustration of how libertarian policy groups use denialism. In this context, denialism is the use of rhetorical techniques and predictable tactics to erect barriers to debate and consideration of any type of reform, regardless of the facts. Giveupblog.com has identified five general tactics used by denialists: conspiracy, selectivity, the fake expert, impossible expectations, and metaphor.

The Denialists’ Deck of Cards builds upon this description by providing specific examples of advocacy techniques. The point of listing denialists’ arguments in this fashion is to show the rhetorical progression of groups that are not seeking a dialogue but rather an outcome. As such, this taxonomy is extremely cynical, but it is a reflection of and reaction to how poor the public policy debates in Washington have become.

The Deck is drawn upon my experience as a lawyer working on consumer protection in Washington, DC. Where possible, I have provided specific examples of denialism, but in many cases, these arguments are used only in closed negotiations. Some who read them find the examples humorous, while others find it troubling. But all who read the Washington Post will recognize these tactics; they are ubiquitous and quite effective.

This taxonomy provides a roadmap for consumer advocates to understand the resistance they will face with almost any form of consumer reform. I hope to expand it to include retorts to each argument in the future.

The paper is quite humorous and well-done — essential reading for any policy wonk.

The Digital Person: Now in Paperback

I’m pleased to announce that my book, The Digital Person: Technology and Privacy in the Information Age, is now out in paperback and has a much more affordable price. From the cover blurb:

Seven days a week, twenty-four hours a day, electronic databases are compiling information about you. As you surf the Internet, an unprecedented amount of your personal information is being recorded and preserved forever in the digital minds of computers. For each individual, these databases create a profile of activities, interests, and preferences used to investigate backgrounds, check credit, market products, and make a wide variety of decisions affecting our lives. The creation and use of these databases—which Daniel J. Solove calls “digital dossiers”—has thus far gone largely unchecked. In this startling account of new technologies for gathering and using personal data, Solove explains why digital dossiers pose a grave threat to our privacy.

The Digital Person sets forth a new understanding of what privacy is, one that is appropriate for the new challenges of the Information Age. Solove recommends how the law can be reformed to simultaneously protect our privacy and allow us to enjoy the benefits of our increasingly digital world.

Links to reviews of the book are at The Digital Person website.

Data Security Laws, the States, and Federalism

Remember well over a year ago, when last February ChoicePoint announced it had a major data security breach? Since then hundreds of breaches have been announced — over 200 instances involving data on 88 million people. Several bills were proposed in Congress; many Senators and Representatives quickly emphasized the importance of privacy and data security. And after all this time, what has Congress produced? Nothing.

Meanwhile, the states have been very busy. 31 states have passed data breach notification laws. 24 states have now passed credit freeze laws, which allow people to lock their credit files to prevent unauthorized activity.

The stateline.org website has a terrific chart of the states that have enacted data security laws, which is below in smaller form. Visit the stateline website for a larger view.

[Chart from stateline.org: states that have enacted data security laws]

I never used to be a fan of federalism, but in following information privacy law, I’ve found that the states are by far more responsive to problems, more flexible and experimental in solutions, and more able to get things accomplished. Substantively, the states have also established a better balance between privacy and business interests than Congress.

The bills kicking around in Congress would preempt many of the state laws discussed above. Ironically, that is what might make Congress finally do something in response to the data security breaches. Companies afraid of an orgy of state laws are pushing Congress to act — not to protect privacy, but to wipe the board clean of state regulation and replace it with a weaker, less-protective federal standard, all in the guise of helping to “protect” our privacy.

Can Spam and Spyware Ever Be Good?

Over at the Conglomerate, Professor Eric Goldman’s paper, A Coasean Analysis of Marketing, is being workshopped in the Conglomerate’s Second Annual Junior Scholars Workshop. Professors Peter Huang and Frank Pasquale (previously a guest blogger here at Concurring Opinions) are providing commentary.

Eric Goldman was teaching at Marquette Law School. This fall, he will be moving to Santa Clara Law School. He has a very informative blog about technology and marketing law issues.

I’ve read Eric’s paper, and it is quite interesting and provocative. Eric attempts to point out the brighter side to junk mail, spam, adware, and other marketing technologies that most of us detest. Is there such a thing as a good spam? I have my doubts, but Eric presents a thoughtful argument why we shouldn’t view spam and other marketing technologies as totally evil. He argues that we ought to be very careful in how we regulate marketing, and he proposes new approaches toward addressing the problems unwanted marketing creates. Here’s the abstract:

Consumers claim to hate marketing—mostly, because they get too much unwanted marketing. In response, regulators develop medium-by-medium marketing suppression regulations. Unfortunately, these ad hoc solutions do little to satisfy consumers, and dynamic technologies and business practices quickly render them moot. Instead of continuing this cycle, there would be some benefit to developing a cross-media marketing regulatory scheme. However, any holistic solution must be predicated on a clear rationale for regulating marketing. The most common justification is that marketing imposes a negative externality on consumers, but this argument ignores the private and social welfare created by marketing and can lead to cost overinternalization and marketing undersupply. The Coase Theorem also suggests that social welfare improves by reducing the costs of matching marketers with interested consumers. To achieve this, consumers need a low cost but accurate mechanism to manifest their preferences. This Article shows that typical regulatory and marketplace solutions do not provide effective mechanisms. Instead, marketer-consumer matchmaking will improve from technology that will automatically infer consumer preferences and use these inferences to filter incoming marketing and seek out wanted content. This technology does not yet exist, but it is being rapidly developed. However, regulation of surreptitious monitoring devices (like adware and spyware) may inadvertently block the development of this socially-beneficial technology. As a result, current regulatory overreactions to developing technology may counterproductively foreclose social welfare improvements.

The Conglomerate welcomes your comments on Eric’s paper: “We invite all readers to comment on Eric’s paper in the comments section of this post.” Please comment over at the Conglomerate post.