Concurring Opinions is a general-interest legal blog operated by Concurring Opinions LLC, a Pennsylvania Limited Liability Corporation.


Archive for the ‘Privacy (ID Theft)’ Category

Understanding Privacy in Paperback

posted by Daniel Solove

I’m pleased to announce that my book, Understanding Privacy, has just come out in paperback from Harvard University Press, with a price that’s much more reasonable and affordable than the hardcover.

Understanding Privacy offers a comprehensive overview of the many difficulties involved in discussions of privacy. Drawing from a broad array of interdisciplinary sources, I set forth a framework for understanding privacy that provides clear practical guidance for engaging with privacy issues.

  September 14, 2009 at 7:36 am   Posted in: Articles and Books, Book Reviews, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Gossip & Shaming), Privacy (ID Theft), Privacy (Law Enforcement), Privacy (Medical), Privacy (National Security)   No Comments

Predicting Social Security Numbers from Public Data

posted by Daniel Solove

Alessandro Acquisti and Ralph Gross have recently published their provocative article, Predicting Social Security Numbers from Public Data, in the Proceedings of the National Academy of Sciences.  According to the abstract:

Information about an individual’s place and date of birth can be exploited to predict his or her Social Security number (SSN). Using only publicly available information, we observed a correlation between individuals’ SSNs and their birth data and found that for younger cohorts the correlation allows statistical inference of private SSNs. The inferences are made possible by the public availability of the Social Security Administration’s Death Master File and the widespread accessibility of personal information from multiple sources, such as data brokers or profiles on social networking sites. Our results highlight the unexpected privacy consequences of the complex interactions among multiple data sources in modern information economies and quantify privacy risks associated with information revelation in public forums.

Acquisti and Gross’s study has generated significant media attention.  Here’s an article by Bob Sullivan for MSNBC and by Hadley Leggett for Wired.  As Sullivan writes:

The two say they can guess the first 5 digits of the Social Security number of anyone born after 1988 within two guesses, knowing only birth date and location. The last four digits, while harder to guess, can be had within a few hundred guesses in many situations — a trivial hurdle for criminals using automated tools.

SSNs are currently used by numerous businesses and organizations to allow access to accounts – they function as a kind of password. They are also used to verify identity when people sign up for a new credit card or other account. They are thus a very useful tool for identity thieves and fraudsters who want to impersonate people to improperly access their accounts or obtain credit cards in their name.

The current focus of policymakers has been to provide better protections against the disclosure of SSNs.

Acquisti and Gross’s paper provides a powerful demonstration that protecting against the disclosure of SSNs is not providing enough protection to consumers.  The article shows that no matter how much protection there is against the disclosure of SSNs, SSNs can be determined with other public information.

Congress or the FTC should prohibit companies from using SSNs as a means to verify identity. Companies, organizations, and government entities should be prohibited from using SSNs as a means of verifying identity to provide access to accounts or to create new accounts. Merely protecting against the disclosure of SSNs is insufficient since Acquisti and Gross demonstrate they can readily be predicted.

The government and businesses are at fault here.  Too many businesses and organizations use the SSN improperly as a means to verify identity.  And the government is at fault for creating the SSN and allowing it to be used improperly in ways that harm people.

  July 6, 2009 at 8:41 pm   Posted in: Articles and Books, Privacy, Privacy (Consumer Privacy), Privacy (ID Theft)   2 Comments

Lessons from the Identity Trail

posted by Daniel Solove

There’s a terrific new book of essays about privacy out from Oxford University Press — LESSONS FROM THE IDENTITY TRAIL: ANONYMITY, PRIVACY AND IDENTITY IN A NETWORKED SOCIETY (Oxford University Press 2009). It’s edited by Ian Kerr, Valerie Steeves, and Carole Lucock. The essays are fascinating and are written by a number of very prominent privacy scholars. Highly recommended!

The book is available free for download under a Creative Commons license. One third of the essays are now posted online. The rest will become available in two more stages — on April 22nd and May 6th. This is the first book to be published by Oxford University Press under a Creative Commons license.

The book is available on Amazon.com or on our special Concurring Opinions Oxford University Press promo page for 20% off.

Here’s the table of contents:

Read the rest of this post »

  April 8, 2009 at 10:01 pm   Posted in: Anonymity, Articles and Books, Book Reviews, Privacy, Privacy (Consumer Privacy), Privacy (ID Theft), Privacy (Law Enforcement), Privacy (Medical)   No Comments

Big Breaks in the Palin E-mail Breach Investigation

posted by Paul Ohm

The odds that the Feds will find the person who broke into Sarah Palin’s e-mail account are considerably better than I had thought they would have been, because someone who claims to have committed the crime has bragged about it to the infamous 4chan image hosting site. (Quick CoOp aside, every day I better appreciate how the paper by new permablogger Danielle Citron–who first introduced me to 4chan–on Cyber Civil Rights will be a must-read in this day of 4chan and Jason Fortuny.) Although the posts have been deleted, Kim Zetter has reproduced them for Wired’s Threat Level blog. First, the user known as “Rubico” bragged about how he had breached the Yahoo account by providing Governor Palin’s supposedly private answers to the questions posed by Yahoo’s password recovery scheme:

it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

Oh, and about Rubico’s screenshots? They apparently reveal the URL bar of Rubico’s browser, which in turn reveals that Rubico had not been browsing Yahoo directly but had instead been using an anonymizing proxy service called Ctunnel. Good idea, right?, because Yahoo no doubt captures and preserves the IP addresses used to recover passwords. But although using Ctunnel may have been a good idea, advertising that fact on a screenshot, it turns out, was not:

Gabriel Ramuglia who operates Ctunnel, the internet anonymizing service the hacker used to post the information from Palin’s account to the 4chan forum, told Threat Level this morning that the FBI had contacted him yesterday to obtain his traffic logs. Ramuglia said he had about 80 gigabytes of logs to process and hadn’t yet looked for the information the FBI was seeking but planned to be in touch with the agents today.

Apparently, providing the screenshot in this case was a particularly dumb move. In another interview Ramuglia notes:

Usually, this sort of thing would be hard to track down because it’s Yahoo email, and a lot of people use my service for that . . . . Since they were dumb enough to post a full screenshot that showed most of the [Ctunnel.com] URL, I should be able to find that in my log.

There are more lessons here than are worth listing. A few, after the jump:

Read the rest of this post »

  September 20, 2008 at 11:01 pm   Posted in: Criminal Procedure, Current Events, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (ID Theft), Privacy (Law Enforcement)   2 Comments

Justice Breyer’s Information Available on Limewire

posted by Deven Desai

It does not take much to have a security breach. Just one person can facilitate it. In this case, someone at a high-end investment firm installed LimeWire at the office. According to AP the breach began at the end of last year and continued to June of this year. Breyer’s birthday and Social Security number were part of the breach. Apparently around 2,000 other clients have also had their data shared on LimeWire.

Again the fact of data leaks or breaches is not so new. But given the high profile of the people involved in this one, there may be a movement to have laws passed about the problem. Remember video rentals matter because of Robert Bork’s encounter with data privacy issues during his nomination for the Supreme Court. This data problem is different from Bork’s. So a legislative response may come but it will likely address the issue of identity theft. On the other hand, if senators, representatives, and White House staffers found that even their legal but perhaps interesting surfing habits were part of public knowledge and gossip, maybe the data collection and Internet monitoring that some think is necessary will be seen as a threat. One paper that may be of interest on this idea is Neil Richards’s Intellectual Privacy.

  July 10, 2008 at 1:01 pm   Posted in: Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Gossip & Shaming), Privacy (ID Theft)   No Comments

My New Book, Understanding Privacy

posted by Daniel Solove

I am very happy to announce the publication of my new book, UNDERSTANDING PRIVACY (Harvard University Press, May 2008). There has been a longstanding struggle to understand what “privacy” means and why it is valuable. Professor Arthur Miller once wrote that privacy is “exasperatingly vague and evanescent.” In this book, I aim to develop a clear and accessible theory of privacy, one that will provide useful guidance for law and policy. From the book jacket:

Privacy is one of the most important concepts of our time, yet it is also one of the most elusive. As rapidly changing technology makes information more and more available, scholars, activists, and policymakers have struggled to define privacy, with many conceding that the task is virtually impossible.

In this concise and lucid book, Daniel J. Solove offers a comprehensive overview of the difficulties involved in discussions of privacy and ultimately provides a provocative resolution. He argues that no single definition can be workable, but rather that there are multiple forms of privacy, related to one another by family resemblances. His theory bridges cultural differences and addresses historical changes in views on privacy. Drawing on a broad array of interdisciplinary sources, Solove sets forth a framework for understanding privacy that provides clear, practical guidance for engaging with relevant issues.

Understanding Privacy will be an essential introduction to long-standing debates and an invaluable resource for crafting laws and policies about surveillance, data mining, identity theft, state involvement in reproductive and marital decisions, and other pressing contemporary matters concerning privacy.

Here’s a brief summary of Understanding Privacy. Chapter 1 (available on SSRN) introduces the basic ideas of the book. Chapter 2 builds upon my article Conceptualizing Privacy, 90 Cal. L. Rev. 1087 (2002), surveying and critiquing existing theories of privacy. Chapter 3 contains an extensive discussion (mostly new material) explaining why I chose the approach toward theorizing privacy that I did, and why I rejected many other potential alternatives. It examines how a theory of privacy should account for cultural and historical variation yet avoid being too local in perspective. This chapter also explores why a theory of privacy should avoid being too general or too contextual. I draw significantly from historical examples to illustrate my points. I also discuss why a theory of privacy shouldn’t focus on the nature of the information, the individual’s preferences, or reasonable expectations of privacy. Chapter 4 consists of new material discussing the value of privacy. Chapter 5 builds on my article, A Taxonomy of Privacy, 154 U. Pa. L. Rev. 477 (2006). I’ve updated the taxonomy in the book, and I’ve added a lot of new material about how my theory of privacy interfaces not only with US law, but with the privacy law of many other countries. Finally, Chapter 6 consists of new material exploring the consequences and applications of my theory and examining the nature of privacy harms.

Understanding Privacy is much broader than The Digital Person and The Future of Reputation. Whereas these other two books examined specific privacy problems, Understanding Privacy is a general theory of privacy, and I hope it will be relevant and useful in a wide range of issues and debates.

For more information about the book, please visit its website.

  May 19, 2008 at 12:03 am   Posted in: Articles and Books, Book Reviews, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Gossip & Shaming), Privacy (ID Theft), Privacy (Law Enforcement), Privacy (Medical), Privacy (National Security), Technology   5 Comments

The Digital Person Free Online!

posted by Daniel Solove

Last month, Yale University Press allowed me to put my book, The Future of Reputation: Gossip, Rumor, and Privacy on the Internet online for free. The experiment has gone quite well. The book’s website received a big bump in traffic, with many people downloading one or more chapters. The book’s sales picked up for several weeks after it was placed online for free. Sales have now returned to about the same level as before the book went online.

I’m delighted to announce that NYU Press has allowed me to put my book, The Digital Person: Technology and Privacy in the Information Age (NYU Press, 2004) online for free.

Here’s a brief synopsis of The Digital Person from the book jacket:

Seven days a week, twenty-four hours a day, electronic databases are compiling information about you. As you surf the Internet, an unprecedented amount of your personal information is being recorded and preserved forever in the digital minds of computers. These databases create a profile of activities, interests, and preferences used to investigate backgrounds, check credit, market products, and make a wide variety of decisions affecting our lives. The creation and use of these databases–which Daniel J. Solove calls “digital dossiers”–has thus far gone largely unchecked. In this startling account of new technologies for gathering and using personal data, Solove explains why digital dossiers pose a grave threat to our privacy.

Digital dossiers impact many aspects of our lives. For example, they increase our vulnerability to identity theft, a serious crime that has been escalating at an alarming rate. Moreover, since September 11th, the government has been tapping into vast stores of information collected by businesses and using it to profile people for criminal or terrorist activity. In THE DIGITAL PERSON, Solove engages in a fascinating discussion of timely privacy issues such as spyware, web bugs, data mining, the USA-Patriot Act, and airline passenger profiling.

THE DIGITAL PERSON not only explores these problems, but provides a compelling account of how we can respond to them. Using a wide variety of sources, including history, philosophy, and literature, Solove sets forth a new understanding of what privacy is, one that is appropriate for the new challenges of the Information Age. Solove recommends how the law can be reformed to simultaneously protect our privacy and allow us to enjoy the benefits of our increasingly digital world.

Book reviews are collected here.

  March 27, 2008 at 12:08 am   Posted in: Articles and Books, Book Reviews, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (ID Theft), Privacy (Law Enforcement), Privacy (National Security)   No Comments

Ranking Banks Based on Incidents of Identity Theft

posted by Daniel Solove

Chris Hoofnagle just released a new report entitled Measuring Identity Theft at Top Banks. In the report, he ranks the top 25 US banks according to their relative incidence of identity theft. The report is based on consumer-submitted complaints to the FTC where the victim identified an institution.

In a previous paper called Identity Theft: Making the Unknown Knowns Known, Chris argued that there should be mandatory public disclosure of identity theft statistics by banks. Since the financial institutions don’t currently release such data, we have no idea which institutions are being more effective at reducing identity theft than others.

For his new paper, Chris made a FOIA request last year to the FTC for two years of consumer complaint data. The FTC found it too burdensome to release two years’ worth of data, so “the request was limited to three randomly-chosen months in 2006, January, March, and September. These months included data from 88,560 complaints, with 46,262 names of institutions were identified by victims.” Chris’s paper is based on an analysis of this data.

From the abstract:

There is no reliable way for consumers, regulators, and businesses to assess the relative incidence of identity fraud at major financial institutions. This lack of information prevents more vigorous competition among institutions to protect accountholders from identity theft. As part of a multiple strategy approach to obtaining more actionable data on identity theft, the Freedom of Information Act was used to obtain complaint data submitted by victims in 2006 to the Federal Trade Commission. This complaint data identifies the institution where impostors established fraudulent accounts or affected existing accounts in the name of the victim. The data show that some institutions have a far greater incidence of identity theft than others. The data further show that the major telecommunications companies had numerous identity theft events, but a metric is lacking to compare this industry with the financial institutions.

This is a first attempt to meaningfully compare institutions on their performance in avoiding identity theft. This analysis faces several challenges that are described in the methods section. The author welcomes constructive criticism, suggestions, and comments in an effort to shine light on the identity theft problem.

This is a fantastic endeavor, as more information on how institutions are protecting against identity theft is sorely needed. Chris admits that his study has some limitations and could be improved if financial institutions would supply more information to the public. But based on the information Chris could find out, this report is quite revealing. Hopefully, it will spark more transparency from financial institutions in the future.

Here is one of many charts in the paper. The chart below is of incidents of identity theft relative to the size of each institution.

[Chart: incidents of identity theft relative to the size of each institution]

  February 27, 2008 at 11:06 am   Posted in: Articles and Books, Privacy, Privacy (Consumer Privacy), Privacy (ID Theft)   One Comment

Coming Back from the Dead

posted by Daniel Solove

Lazarus had it easy. Not so for Laura Todd, who has been trying to come back from the dead for nearly a decade. According to WSMV News in Nashville:

According to government paperwork, Laura Todd has been dead off and on for eight years, and Todd said there’s no end to the complications the situation creates.

“One time when I (was) ruled dead, they canceled my health insurance because it got that far,” she said.

Todd’s struggle started with a typo at the Social Security administration. She said the government has assured her since the problem that they have deleted her death record, but she said the problems keep cropping up.

On Wednesday, the IRS once again rejected her electronic tax return. She said she’s gone through it before.

“I will not be eligible for my refund. I’m not eligible for my rebate. I mean, I can’t do anything with it,” she said.

Channel 4’s Nancy Amons first reported about Todd’s ordeal last week, but Amons has since found out more about how common the problem is.

According to a government audit, Social Security had to resurrect more than 23,000 people in a period of less than two years. The number is the approximate equivalent to the population of Brentwood.

The audit said the lack of documentation in the Social Security computer makes it impossible for the government’s auditors to determine if the people are dead or alive.

But some of those who are alive have found more complications after their resurrection.

Illinois resident Jay Liebenow was also declared dead. He said Todd is now more vulnerable to identity theft because after someone dies, Social Security releases that person’s personal information on computer discs. He said the information is sold to anyone who wants it, like the Web site Ancestry.com.

One of the problems with modern recordkeeping is that although computers make things more efficient, they compound the effects that errors have on people’s lives. The difficulty is that the law currently does not afford people with sufficient power to clean up mistakes in their records. Since information is so readily transferred between entities, an error that is corrected in one database has often migrated to another database before the correction. The error doesn’t die. Instead, you do.

Responsibility should be placed on every entity that maintains records to ensure that information is correct and that errors are promptly fixed. Moreover, when information is shared with others, the one sharing the information should have duties to inform the others of the error; and those receiving the data should have a duty to check for corrections in the data from the source.

Right now, we’re living in a bureaucratic data hell, and that’s because there aren’t sufficient incentives for entities to be careful with the records they keep about people.

Image: The Resurrection of Lazarus by Vincent van Gogh, 1889-90, from Wikicommons.

  February 22, 2008 at 12:04 am   Posted in: Privacy, Privacy (Consumer Privacy), Privacy (ID Theft)   No Comments

Information Privacy Law Casebook Update

posted by Daniel Solove

I’m pleased to announce that Paul Schwartz and I have just completed an update to our casebook, Information Privacy Law (Aspen 2006). The update is 111 pages, and is available for download (free of charge) at the casebook’s website. Among other things, it includes excerpts of many new cases: Bonome v. Kaysen, Barrett v. Rosenthal, MacWade v. Kelly, US v. Andrus, Warshak v. US, Doe v. Cahill, US v. Ellison, Gonzales v. Google, Georgia v. Randolph, Copland v. UK, and more. It also includes discussions of the NSA surveillance program, the litigation regarding the NSA surveillance, the Protect America Act of 2007 (amending FISA), national security letter litigation, the Virginia Tech shooting and privacy laws, data security breaches, US-EU sharing of airline passenger data, and more. Additionally, it includes excerpts from many new scholarly books and articles.

A new edition is in the works, and it will be ready for use in the spring 2009 semester. The book will be available in late 2008 so instructors can plan their courses. If you’re a professor currently using the book or are considering using the book in a class, please email me with any comments and suggestions for the next edition.

  September 11, 2007 at 2:49 pm   Posted in: Articles and Books, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (ID Theft), Privacy (Law Enforcement), Privacy (National Security)   No Comments

Requiring Banks to Disclose Identity Theft Statistics

posted by Daniel Solove

Kudos to my friend Chris Hoofnagle (Samuelson Clinic at Berkeley Law School) who had his paper on SSRN written about by the New York Times:

The Senate Judiciary Committee’s subcommittee on terrorism, technology and homeland security will take up the issue in a scheduled hearing today titled “Identity Theft: Innovative Solutions for an Evolving Problem.” . . . .

The subcommittee will also hear a radical new idea on a way to obtain reliable numbers on the extent of identity theft.

The proposal, submitted by Chris Jay Hoofnagle, a lawyer and senior fellow at the Berkeley Center for Law and Technology at the University of California, recommends that lending institutions like banks and credit card companies, and payment firms like PayPal, be required to report their internal figures on fraud and identity theft publicly.

Unfortunately, as is typical with the mainstream media, no information is provided about how to locate Chris’s paper let alone a hyperlink. In his paper, Identity Theft: Making the Known Unknowns Known, Chris proposes that banks be compelled to disclose identity theft data. From the abstract:

Read the rest of this post »

  March 22, 2007 at 1:48 am   Posted in: Privacy, Privacy (Consumer Privacy), Privacy (ID Theft)   One Comment

How Should Data Security Breach Notification Work?

posted by Daniel Solove

In 2005, a series of data security breaches affected tens of millions of records of personal information. I blogged about them here, here, here, here, and here.

One of the major issues with data security breaches involves what kind of notification companies should provide. The spate of data security breach announcements began in February 2005, when ChoicePoint announced its breach pursuant to California’s data breach notification law. At the time, California was the only state that mandated individual notice following a breach. Subsequently, numerous states passed laws requiring that companies notify individuals of breaches. Federal legislation is currently being considered to create a national security breach provision. But key questions remain in hot contention. First, what kind of breach should trigger a notification? If the risk of harm is low, some companies contend, then providing notice can be quite costly with little benefit in return. Second, what kind of notice should be given? Notice to each individual affected? Notice to the media or FTC only?

Professors Paul Schwartz (law, Berkeley) and Ted Janger (law, Brooklyn) have posted on SSRN their article, Notification of Data Security Breaches, 105 Mich. L. Rev. 913 (2007), which seeks to answer these questions. From the abstract:

The law increasingly mandates that private companies disclose information for the benefit of consumers. The latest example of such regulation through disclosure is a requirement that companies notify individuals of data security incidents involving their personal information. In the wake of highly publicized data spills, numerous states have now enacted such legislation, and federal legislation in this area has also been proposed.

These statutes seek to punish the breached entity and protect consumers by requiring that a breached entity disclose information about the data spill. There are competing possible approaches, however, to how the law is to mandate release of information about data leaks. This Article finds that a reputational sanction from breach notification can be important, but not for the reasons conventionally discussed. Moreover, a further function of breach notification is mitigation of harm after a data leak. This function requires a multi-institutional coordinated response of the kind that is absent from current policy proposals. To fill this gap, this Article advocates creation of a coordinated response architecture and develops the elements of such an approach.

For anybody interested in data security, this article is definitely worth checking out.

  March 4, 2007 at 11:07 pm   Posted in: Privacy, Privacy (Consumer Privacy), Privacy (ID Theft)   One Comment

Is Identity Theft Really Declining?

posted by Daniel Solove

A study by Javelin Strategy & Research finds that identity theft declined by 11.5% in 2006:

According to the study, 8.4 million adult Americans, or one in 27, learned last year that criminals committed fraud with personal data such as credit card or Social Security numbers. That’s down from 8.9 million in 2005 and 10.1 million in 2003.

Adults under 25, African-Americans, and people who make more than $150,000 were among the groups most likely to suffer fraud, the study said. The youngest adults were also among the least likely to take steps to stop it, the study said.

Consumers on average spent $535 to clear up a fraud, though more than half spent nothing, the study said. Many businesses excuse customers from liability for certain frauds.

Results were based on a phone survey last fall of 5,006 people, including 469 who said they were fraud victims.

The survey was sponsored by Wells Fargo & Co., the fifth-largest U.S. bank; Visa, the credit card association; and CheckFree Corp., which makes bill paying software.

What is probably intended by the study is to stave off legislatures from calling for greater regulation of the identity theft problem. After all, the problem is declining. Self-regulation must be working. Or is it?

Chris Hoofnagle (senior staff attorney, Samuelson Clinic at Berkeley Law School) disputes the study:

2007 brings another identity theft survey from Javelin Strategy. As usual, it strives to conclude that identity theft is on the decline and that most identity theft is the result of information being stolen from the victim. Both conclusions are dead wrong. Why?


  February 4, 2007 at 12:01 am   Posted in: Privacy (ID Theft)   No Comments

Verifying Identity: From One Foolish Way to Another

posted by Daniel Solove

For quite some time, banks and financial institutions have been using people’s Social Security Numbers (SSNs) to verify their identities. Suppose you want to access your bank account to check your balance, change addresses, or close out the account. You call the bank, but how does the bank know it’s really you? For a while, banks were asking you for your SSN. Your SSN was used akin to a password. If you knew this “secret” number, then it must be you. Of course, as I have written about at length, a SSN is one of the dumbest choices for a password. Not only is it a password that can readily be found out, but it is a password that’s very hard to change. Not a wise combination. People’s SSNs are widely available, and the data security breaches in the past two years exacerbated the exposure. A lot of legislative attention has focused on the leakers of the data, and rightly so, but not enough attention has been focused on the businesses that use people’s SSNs as passwords. If SSNs weren’t used in this way, leaking them wouldn’t cause the harm it does.

But now, it seems, banks are starting to rethink the use of SSNs. According to a USA Today story:

A growing number of banks and retailers are moving beyond Social Security numbers to verify your identity. They’re relying on such personal details as your car color, your father-in-law’s name and the city you lived in five years ago.

No, you never gave them this information; rather, they pulled it from public and private databases. These private details are increasingly being used to approve you for credit at a store, give you access to your account online or to verify that you — rather than an impostor — are making a purchase.

It’s the latest effort by financial institutions to fight a growing threat of identity theft from online “phishing” and other scams. Chase, HSBC, Vanguard, American Express and Barclaycard US use this customer-verification technique. Mellon Financial is testing it. In the past two years, the technology has been adopted by six of the top 10 U.S. banks and thrifts, says Verid, a provider of the technology.

The problem with using this method is that the information in public databases is often riddled with errors. Why do banks need to go behind your back to snoop out information about you? Banks and financial institutions already have a relationship with you — after all, you established an account with them. They can use some of the information they gathered at that time to establish your identity and then ask you to supply additional information to help identify you. But going behind people’s backs and trolling public records for data does not strike me as a particularly effective method given the possibility for errors in those records.

The story continues:

Read the rest of this post »

  November 9, 2006 at 12:15 pm   Posted in: Privacy (ID Theft)   6 Comments

How Does the US Rank Among Countries in Privacy Protection?

posted by Daniel Solove


How does the United States rank among countries in privacy protection? Practically at the bottom according to a ranking by Privacy International, a UK-based privacy advocacy group. The ranking is based on Privacy and Human Rights, an annual report about privacy laws around the world published by Privacy International and the Electronic Privacy Information Center. Here’s the ratings table and here’s the briefing paper for the table. Unfortunately, every time I try to access the PDF file of the briefing paper that explains the rankings, it not only fails to load, but it also crashes my browser, whether Firefox or Explorer.

The press release for the rankings states:

Read the rest of this post »

  November 2, 2006 at 1:38 pm   Posted in: Privacy, Privacy (Electronic Surveillance), Privacy (ID Theft), Privacy (Law Enforcement)   One Comment

The Digital Person: Now in Paperback

posted by Daniel Solove

I’m pleased to announce that my book, The Digital Person: Technology and Privacy in the Information Age, is now out in paperback and has a much more affordable price. From the cover blurb:

Seven days a week, twenty-four hours a day, electronic databases are compiling information about you. As you surf the Internet, an unprecedented amount of your personal information is being recorded and preserved forever in the digital minds of computers. For each individual, these databases create a profile of activities, interests, and preferences used to investigate backgrounds, check credit, market products, and make a wide variety of decisions affecting our lives. The creation and use of these databases—which Daniel J. Solove calls “digital dossiers”—has thus far gone largely unchecked. In this startling account of new technologies for gathering and using personal data, Solove explains why digital dossiers pose a grave threat to our privacy.

The Digital Person sets forth a new understanding of what privacy is, one that is appropriate for the new challenges of the Information Age. Solove recommends how the law can be reformed to simultaneously protect our privacy and allow us to enjoy the benefits of our increasingly digital world.

Links to reviews of the book are at The Digital Person website.

  September 25, 2006 at 5:29 pm   Posted in: Articles and Books, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (ID Theft), Privacy (Law Enforcement)   No Comments

Privacy on the Road

posted by Kaimipono D. Wenger

From the New York Times, a nice little piece about privacy (or lack thereof) on the road:

Using a public computer can also mean courting trouble, because data viewed while surfing the Web, printing a document or opening an e-mail attachment is generally stored on the computer — meaning it could be accessible to the next person who sits down. (To remove traces of your work, delete any documents you have viewed, clear the browser cache and the history file and empty the trash before you walk away.)

“You also run the risk that somebody has loaded a program on there that can capture your log-ins and passwords,” Mr. Louderback said, recalling an incident a few years ago when a Queens resident was caught installing this type of “key logger” software on computers at several Kinko’s locations in New York.

As the article points out, it’s a scary, scary world out there. Public computers can be searched for passwords or equipped with malicious keyloggers. Wireless hot spots can be raided with packet sniffers. There are software solutions for getting around these, but the easiest solution is also the safest:

Absolutely never check your bank account on a public computer. And be careful about checking it on a wireless hotspot.

One thing the article lacked was a real discussion of how prevalent this kind of identity theft is. What are the statistics on this kind of thing, Dan? How much identity theft (or for that matter, data theft) comes out of these kinds of interactions – do we have any ideas?

  August 22, 2006 at 11:41 pm   Posted in: Privacy (ID Theft)   3 Comments

The Ten Greatest Privacy Disasters

posted by Daniel Solove

Wired News lists what it considers to be the 10 greatest privacy disasters:

10. ChoicePoint data spill

9. VA laptop theft

8. CardSystems hacked

7. Discovery of data on used hard drives for sale

6. Philip Agee’s revenge

5. Amy Boyer’s murder

4. Testing CAPPS II

3. COINTELPRO

2. AT&T lets the NSA listen to all phone calls

1. The creation of the Social Security Number

See the Wired article for its explanations. It’s a good list, but there are a few problems. Although we still don’t know all the details of the NSA surveillance program, it’s not worse than COINTELPRO, which involved massive surveillance of a wide range of groups, the wiretapping of Martin Luther King, Jr., attempts to blackmail King, and more. The Social Security Number has indeed led to a ton of problems, but the fault doesn’t lie with its creation. Rather, the problem is mostly the expanding use of the number and the failure of the government to rein in government agencies and business from using it. CAPPS II, while flawed in its conception, should not be so high on the list.

Some notable omissions: Where’s Total Information Awareness? What about Olmstead v. United States, 277 U.S. 438 (1928), where the Supreme Court held that the Fourth Amendment didn’t regulate wiretapping? Olmstead led to nearly 40 years of extensive abuses of wiretapping before it was overruled. There are countless other Supreme Court 4th Amendment cases that could arguably be listed, but I’d definitely include Miller v. United States, 425 U.S. 435 (1976), which created the third party doctrine which holds that the Fourth Amendment does not apply to personal records possessed by third parties. Another possible inclusion: The birth of J. Edgar Hoover.

Hat Tip: Bruce Schneier

  August 22, 2006 at 9:58 am   Posted in: Privacy, Privacy (Electronic Surveillance), Privacy (ID Theft), Privacy (Law Enforcement)   8 Comments

Privacy, Information, and Technology

posted by Daniel Solove

My new casebook, PRIVACY, INFORMATION, AND TECHNOLOGY (ISBN: 0735562548) (with Marc Rotenberg & Paul M. Schwartz) is now hot off the presses from Aspen Publishers. It is an abridged version (300 pages) of our regular casebook, INFORMATION PRIVACY LAW (2d ed.), which is about 1000 pages in length.

Privacy, Information, and Technology is designed as a supplement to courses and seminars in technology law, information law, and cyberlaw. It will provide between 2-4 weeks of coverage of information privacy issues pertaining to technology, government surveillance, databases, consumer privacy, and government records.

More information about the book is here. If you’re interested in getting a review copy of the book, please send an email to Daniel Eckroad.

The book will sell for $35 and can be purchased on Aspen’s website.

The book consists of four chapters. Chapter 1 contains an overview of information privacy law, its origins, and philosophical readings about privacy. Chapter 2 covers issues involving law enforcement, technology, and surveillance. Chapter 3 focuses on government records, databases, and identification. Chapter 4 covers business records, financial information, identity theft, privacy policies, anonymity, data mining, and government access to private sector data.

The full table of contents is available here.

  August 16, 2006 at 4:51 pm   Posted in: Articles and Books, Privacy, Privacy (Electronic Surveillance), Privacy (Gossip & Shaming), Privacy (ID Theft), Privacy (Law Enforcement), Privacy (National Security)   No Comments

Data Security Laws, the States, and Federalism

posted by Daniel Solove

Remember well over a year ago, when last February ChoicePoint announced it had a major data security breach? Since then hundreds of breaches have been announced — over 200 instances involving data on 88 million people. Several bills were proposed in Congress; many Senators and Representatives quickly emphasized the importance of privacy and data security. And after all this time, what has Congress produced? Nothing.

Meanwhile, the states have been very busy. 31 states have passed data breach notification laws. 24 states have now passed credit freeze laws, which allow people to lock their credit files to prevent unauthorized activity.

The stateline.org website has a terrific chart of the states that have enacted data security laws, which is below in smaller form. Visit the stateline website for a larger view.

[Chart from stateline.org: states that have enacted data security laws]

I never used to be a fan of federalism, but in following information privacy law, I’ve found that the states are by far more responsive to problems, more flexible and experimental in solutions, and more able to get things accomplished. Substantively, the states have also established a better balance between privacy and business interests than Congress.

The bills kicking around in Congress would preempt many of the state laws discussed above. Ironically, that is what might make Congress finally do something in response to the data security breaches. Companies afraid of an orgy of state laws are pushing Congress to act — not to protect privacy, but to wipe the board clean of state regulation and replace it with a weaker less-protective federal standard all in the guise of helping to “protect” our privacy.


  July 12, 2006 at 7:01 pm   Posted in: Privacy, Privacy (Consumer Privacy), Privacy (ID Theft)   No Comments

