the Law, the Universe, and Everything 


Concurring Opinions is a general-interest legal blog operated by Concurring Opinions LLC, a Pennsylvania Limited Liability Corporation.

July 10, 2008

Justice Breyer's Information Available on Limewire

posted by Deven Desai

It does not take much to have a security breach. Just one person can facilitate it. In this case, someone at a high-end investment firm installed LimeWire at the office. According to AP the breach began at the end of last year and continued to June of this year. Breyer’s birthday and Social Security number were part of the breach. Apparently around 2,000 other clients have also had their data shared on LimeWire.

Again, the fact of data leaks or breaches is not so new. But given the high profile of the people involved in this one, there may be a movement to have laws passed about the problem. Remember, video rentals matter because of Robert Bork’s encounter with data privacy issues during his nomination for the Supreme Court. This data problem is different from Bork’s. So a legislative response may come, but it will likely address the issue of identity theft. On the other hand, if senators, representatives, and White House staffers found that even their legal but perhaps interesting surfing habits were part of public knowledge and gossip, maybe the data collection and Internet monitoring that some think is necessary will be seen as a threat. One paper that may be of interest on this idea is Neil Richards’s Intellectual Privacy.

Posted by Deven Desai at 01:01 PM | Comments (0) | TrackBack

May 19, 2008

My New Book, Understanding Privacy

posted by Daniel J. Solove

I am very happy to announce the publication of my new book, UNDERSTANDING PRIVACY (Harvard University Press, May 2008). There has been a longstanding struggle to understand what "privacy" means and why it is valuable. Professor Arthur Miller once wrote that privacy is "exasperatingly vague and evanescent." In this book, I aim to develop a clear and accessible theory of privacy, one that will provide useful guidance for law and policy. From the book jacket:

Privacy is one of the most important concepts of our time, yet it is also one of the most elusive. As rapidly changing technology makes information more and more available, scholars, activists, and policymakers have struggled to define privacy, with many conceding that the task is virtually impossible.

In this concise and lucid book, Daniel J. Solove offers a comprehensive overview of the difficulties involved in discussions of privacy and ultimately provides a provocative resolution. He argues that no single definition can be workable, but rather that there are multiple forms of privacy, related to one another by family resemblances. His theory bridges cultural differences and addresses historical changes in views on privacy. Drawing on a broad array of interdisciplinary sources, Solove sets forth a framework for understanding privacy that provides clear, practical guidance for engaging with relevant issues.

Understanding Privacy will be an essential introduction to long-standing debates and an invaluable resource for crafting laws and policies about surveillance, data mining, identity theft, state involvement in reproductive and marital decisions, and other pressing contemporary matters concerning privacy.

Here's a brief summary of Understanding Privacy. Chapter 1 (available on SSRN) introduces the basic ideas of the book. Chapter 2 builds upon my article Conceptualizing Privacy, 90 Cal. L. Rev. 1087 (2002), surveying and critiquing existing theories of privacy. Chapter 3 contains an extensive discussion (mostly new material) explaining why I chose the approach toward theorizing privacy that I did, and why I rejected many other potential alternatives. It examines how a theory of privacy should account for cultural and historical variation yet avoid being too local in perspective. This chapter also explores why a theory of privacy should avoid being too general or too contextual. I draw significantly from historical examples to illustrate my points. I also discuss why a theory of privacy shouldn't focus on the nature of the information, the individual's preferences, or reasonable expectations of privacy. Chapter 4 consists of new material discussing the value of privacy. Chapter 5 builds on my article, A Taxonomy of Privacy, 154 U. Pa. L. Rev. 477 (2006). I've updated the taxonomy in the book, and I've added a lot of new material about how my theory of privacy interfaces not only with US law, but with the privacy law of many other countries. Finally, Chapter 6 consists of new material exploring the consequences and applications of my theory and examining the nature of privacy harms.

Understanding Privacy is much broader than The Digital Person and The Future of Reputation. Whereas these other two books examined specific privacy problems, Understanding Privacy is a general theory of privacy, and I hope it will be relevant and useful in a wide range of issues and debates.

For more information about the book, please visit its website.

Posted by Daniel J. Solove at 12:03 AM | Comments (5) | TrackBack

March 27, 2008

The Digital Person Free Online!

posted by Daniel J. Solove

Last month, Yale University Press allowed me to put my book, The Future of Reputation: Gossip, Rumor, and Privacy on the Internet online for free. The experiment has gone quite well. The book's website received a big bump in traffic, with many people downloading one or more chapters. The book's sales picked up for several weeks after it was placed online for free. Sales have now returned to about the same level as before the book went online.

I'm delighted to announce that NYU Press has allowed me to put my book, The Digital Person: Technology and Privacy in the Information Age (NYU Press, 2004) online for free.

Here's a brief synopsis of The Digital Person from the book jacket:

Seven days a week, twenty-four hours a day, electronic databases are compiling information about you. As you surf the Internet, an unprecedented amount of your personal information is being recorded and preserved forever in the digital minds of computers. These databases create a profile of activities, interests, and preferences used to investigate backgrounds, check credit, market products, and make a wide variety of decisions affecting our lives. The creation and use of these databases--which Daniel J. Solove calls “digital dossiers”--has thus far gone largely unchecked. In this startling account of new technologies for gathering and using personal data, Solove explains why digital dossiers pose a grave threat to our privacy.

Digital dossiers impact many aspects of our lives. For example, they increase our vulnerability to identity theft, a serious crime that has been escalating at an alarming rate. Moreover, since September 11th, the government has been tapping into vast stores of information collected by businesses and using it to profile people for criminal or terrorist activity. In THE DIGITAL PERSON, Solove engages in a fascinating discussion of timely privacy issues such as spyware, web bugs, data mining, the USA-Patriot Act, and airline passenger profiling.

THE DIGITAL PERSON not only explores these problems, but provides a compelling account of how we can respond to them. Using a wide variety of sources, including history, philosophy, and literature, Solove sets forth a new understanding of what privacy is, one that is appropriate for the new challenges of the Information Age. Solove recommends how the law can be reformed to simultaneously protect our privacy and allow us to enjoy the benefits of our increasingly digital world.

Book reviews are collected here.

Posted by Daniel J. Solove at 12:08 AM | Comments (0) | TrackBack

February 27, 2008

Ranking Banks Based on Incidents of Identity Theft

posted by Daniel J. Solove

Chris Hoofnagle just released a new report entitled Measuring Identity Theft at Top Banks. In the report, he ranks the top 25 US banks according to their relative incidence of identity theft. The report is based on consumer-submitted complaints to the FTC where the victim identified an institution.

In a previous paper called Identity Theft: Making the Known Unknowns Known, Chris argued that there should be mandatory public disclosure of identity theft statistics by banks. Since the financial institutions don't currently release such data, we have no idea which institutions are being more effective at reducing identity theft than others.

For his new paper, Chris made a FOIA request last year to the FTC for two years of consumer complaint data. The FTC found it too burdensome to release two years' worth of data, so "the request was limited to three randomly-chosen months in 2006, January, March, and September. These months included data from 88,560 complaints, with 46,262 names of institutions were identified by victims." Chris's paper is based on an analysis of this data.

From the abstract:

There is no reliable way for consumers, regulators, and businesses to assess the relative incidence of identity fraud at major financial institutions. This lack of information prevents more vigorous competition among institutions to protect accountholders from identity theft. As part of a multiple strategy approach to obtaining more actionable data on identity theft, the Freedom of Information Act was used to obtain complaint data submitted by victims in 2006 to the Federal Trade Commission. This complaint data identifies the institution where impostors established fraudulent accounts or affected existing accounts in the name of the victim. The data show that some institutions have a far greater incidence of identity theft than others. The data further show that the major telecommunications companies had numerous identity theft events, but a metric is lacking to compare this industry with the financial institutions.

This is a first attempt to meaningfully compare institutions on their performance in avoiding identity theft. This analysis faces several challenges that are described in the methods section. The author welcomes constructive criticism, suggestions, and comments in an effort to shine light on the identity theft problem.

This is a fantastic endeavor, as more information on how institutions are protecting against identity theft is sorely needed. Chris admits that his study has some limitations and could be improved if financial institutions would supply more information to the public. But based on the information Chris could find out, this report is quite revealing. Hopefully, it will spark more transparency from financial institutions in the future.

Here is one of many charts in the paper. The chart below is of incidents of identity theft relative to the size of each institution.

[Chart: incidents of identity theft relative to the size of each institution]

Posted by Daniel J. Solove at 11:06 AM | Comments (1) | TrackBack

February 22, 2008

Coming Back from the Dead

posted by Daniel J. Solove

Lazarus had it easy. Not so for Laura Todd, who has been trying to come back from the dead for nearly a decade. According to WSMV News in Nashville:

According to government paperwork, Laura Todd has been dead off and on for eight years, and Todd said there's no end to the complications the situation creates.

“One time when I (was) ruled dead, they canceled my health insurance because it got that far,” she said.

Todd’s struggle started with a typo at the Social Security administration. She said the government has assured her since the problem that they have deleted her death record, but she said the problems keep cropping up.

On Wednesday, the IRS once again rejected her electronic tax return. She said she’s gone through it before.

“I will not be eligible for my refund. I'm not eligible for my rebate. I mean, I can't do anything with it,” she said.

Channel 4’s Nancy Amons first reported about Todd’s ordeal last week, but Amons has since found out more about how common the problem is.

According to a government audit, Social Security had to resurrect more than 23,000 people in a period of less than two years. The number is the approximate equivalent to the population of Brentwood.

The audit said the lack of documentation in the Social Security computer makes it impossible for the government's auditors to determine if the people are dead or alive.

But some of those who are alive have found more complications after their resurrection.

Illinois resident Jay Liebenow was also declared dead. He said Todd is now more vulnerable to identity theft because after someone dies, Social Security releases that person’s personal information on computer discs. He said the information is sold to anyone who wants it, like the Web site Ancestry.com.

One of the problems with modern recordkeeping is that although computers make things more efficient, they compound the effects that errors have on people's lives. The difficulty is that the law currently does not afford people sufficient power to clean up mistakes in their records. Since information is so readily transferred between entities, an error that is corrected in one database has often migrated to another database before the correction. The error doesn't die. Instead, you do.

Responsibility should be placed on every entity that maintains records to ensure that information is correct and that errors are promptly fixed. Moreover, when information is shared with others, the one sharing the information should have duties to inform the others of the error; and those receiving the data should have a duty to check for corrections in the data from the source.

Right now, we're living in a bureaucratic data hell, and that's because there aren't sufficient incentives for entities to be careful with the records they keep about people.

Image: The Resurrection of Lazarus by Vincent van Gogh, 1889-90, from Wikicommons.

Posted by Daniel J. Solove at 12:04 AM | Comments (0) | TrackBack

September 11, 2007

Information Privacy Law Casebook Update

posted by Daniel J. Solove

I'm pleased to announce that Paul Schwartz and I have just completed an update to our casebook, Information Privacy Law (Aspen 2006). The update is 111 pages, and is available for download (free of charge) at the casebook's website. Among other things, it includes excerpts of many new cases: Bonome v. Kaysen, Barrett v. Rosenthal, MacWade v. Kelly, US v. Andrus, Warshak v. US, Doe v. Cahill, US v. Ellison, Gonzales v. Google, Georgia v. Randolph, Copland v. UK, and more. It also includes discussions of the NSA surveillance program, the litigation regarding the NSA surveillance, the Protect America Act of 2007 (amending FISA), national security letter litigation, the Virginia Tech shooting and privacy laws, data security breaches, US-EU sharing of airline passenger data, and more. Additionally, it includes excerpts from many new scholarly books and articles.

A new edition is in the works, and it will be ready for use in the spring 2009 semester. The book will be available in late 2008 so instructors can plan their courses. If you're a professor currently using the book or are considering using the book in a class, please email me with any comments and suggestions for the next edition.

Posted by Daniel J. Solove at 02:49 PM | Comments (0) | TrackBack

March 22, 2007

Requiring Banks to Disclose Identity Theft Statistics

posted by Daniel J. Solove

Kudos to my friend Chris Hoofnagle (Samuelson Clinic at Berkeley Law School) who had his paper on SSRN written about by the New York Times:

The Senate Judiciary Committee’s subcommittee on terrorism, technology and homeland security will take up the issue in a scheduled hearing today titled “Identity Theft: Innovative Solutions for an Evolving Problem.” . . . .

The subcommittee will also hear a radical new idea on a way to obtain reliable numbers on the extent of identity theft.

The proposal, submitted by Chris Jay Hoofnagle, a lawyer and senior fellow at the Berkeley Center for Law and Technology at the University of California, recommends that lending institutions like banks and credit card companies, and payment firms like PayPal, be required to report their internal figures on fraud and identity theft publicly.

Unfortunately, as is typical with the mainstream media, no information is provided about how to locate Chris's paper let alone a hyperlink. In his paper, Identity Theft: Making the Known Unknowns Known, Chris proposes that banks be compelled to disclose identity theft data. From the abstract:

There is widespread agreement that identity theft causes financial damage to consumers, lending institutions, retail establishments, and the economy as a whole. Surprisingly, there is little good public information available about the scope of the crime and the actual damages it inflicts. The publicly available data on identity theft come mainly from survey research. Methodologically, these survey polls of the public suffer from being both under and overinclusive in measuring the problem. As a result, low estimates attribute tens of billions of dollars in costs to the economy and consumers, the highest estimates place losses in the hundreds of billions.

To identify proper interventions and appropriately allocate resources we need comprehensive, hard data on the scope and effect of identity theft. One way to provide concrete data is to require lending institutions to publicly report figures on identity theft. Such public reporting will help identify the relative need for intervention and the likely efficacy of interventions. These disclosures are necessary to provide a sound baseline for investment by businesses and action by regulators. They are also warranted because the public pays the price of identity theft directly when they are the victim, and indirectly through higher fees, interest rates, and because the losses are tax subsidized.

The author hypothesizes that if lending institutions reported limited information about identity theft, it would reveal that identity theft is both more prevalent and economically damaging than currently acknowledged, in part because of the rise of synthetic identity theft, a form that cannot be measured by victim surveys because they are unaware of the crime. Furthermore, the disclosure requirement would birth an anti-identity theft market, and the prevalence and severity of the crime would decrease dramatically as institutions compete to offer the safest financial products to consumers.

For all those interested in identity theft, Chris's paper is definitely worth reading. In the New York Times article, I have a brief quote which sums up my positive reaction to the proposal yet a practical concern:

Daniel J. Solove, an associate professor at George Washington University Law School, says that blame for identity theft is generally directed at criminals and victims who are lax with their personal data — not companies that fail to protect customer accounts. Direct reporting “brings attention to the fact that financial institutions contribute significantly to the problem, and it will make them more accountable,” he said.

Mr. Solove supports the direct reporting proposal, although he fears that banks will be motivated to challenge customer reports of identity theft, because mounting fraud will make them look bad.

Toward the end of the New York Times article is a quote from a policy advisor at an industry trade group that strikes me as a bit silly:

The financial services industry opposes the plan. Doug Johnson, a senior policy adviser at the American Bankers Association, an industry trade group, said that revealing internal bank data on identity theft would not do much to help fight the problem. He said that it might actually distract financial institutions, which now privately share information among themselves and collaborate to fashion antifraud techniques.

Complying with the direct reporting proposal would “take our eye off the ball,” he said. “We should be watching what’s happening today, not what happened in the past.”

Posted by Daniel J. Solove at 01:48 AM | Comments (1) | TrackBack

March 04, 2007

How Should Data Security Breach Notification Work?

posted by Daniel J. Solove

In 2005, a series of data security breaches affected tens of millions of records of personal information. I blogged about them here, here, here, here, and here.

One of the major issues with data security breaches involves what kind of notification companies should provide. The spate of data security breach announcements began in February 2005, when ChoicePoint announced its breach pursuant to California's data breach notification law. At the time, California was the only state that mandated individual notice following a breach. Subsequently, numerous states passed laws requiring that companies notify individuals of breaches. Federal legislation is currently being considered to create a national security breach provision. But key questions remain in hot contention. First, what kind of breach should trigger a notification? If the risk of harm is low, some companies contend, then providing notice can be quite costly with little benefit in return. Second, what kind of notice should be given? Notice to each individual affected? Notice to the media or FTC only?

Professors Paul Schwartz (law, Berkeley) and Ted Janger (law, Brooklyn) have posted on SSRN their article, Notification of Data Security Breaches, 105 Mich. L. Rev. 913 (2007), which seeks to answer these questions. From the abstract:

The law increasingly mandates that private companies disclose information for the benefit of consumers. The latest example of such regulation through disclosure is a requirement that companies notify individuals of data security incidents involving their personal information. In the wake of highly publicized data spills, numerous states have now enacted such legislation, and federal legislation in this area has also been proposed.

These statutes seek to punish the breached entity and protect consumers by requiring that a breached entity disclose information about the data spill. There are competing possible approaches, however, to how the law is to mandate release of information about data leaks. This Article finds that a reputational sanction from breach notification can be important, but not for the reasons conventionally discussed. Moreover, a further function of breach notification is mitigation of harm after a data leak. This function requires a multi-institutional coordinated response of the kind that is absent from current policy proposals. To fill this gap, this Article advocates creation of a coordinated response architecture and develops the elements of such an approach.

For anybody interested in data security, this article is definitely worth checking out.

Posted by Daniel J. Solove at 11:07 PM | Comments (1) | TrackBack

February 04, 2007

Is Identity Theft Really Declining?

posted by Daniel J. Solove

A study by Javelin Strategy & Research finds that identity theft declined by 11.5% in 2006:

According to the study, 8.4 million adult Americans, or one in 27, learned last year that criminals committed fraud with personal data such as credit card or Social Security numbers. That’s down from 8.9 million in 2005 and 10.1 million in 2003.

Adults under 25, African-Americans, and people who make more than $150,000 were among the groups most likely to suffer fraud, the study said. The youngest adults were also among the least likely to take steps to stop it, the study said.

Consumers on average spent $535 to clear up a fraud, though more than half spent nothing, the study said. Many businesses excuse customers from liability for certain frauds.

Results were based on a phone survey last fall of 5,006 people, including 469 who said they were fraud victims.

The survey was sponsored by Wells Fargo & Co., the fifth-largest U.S. bank; Visa, the credit card association; and CheckFree Corp., which makes bill paying software.

What is probably intended by the study is to stave off legislatures from calling for greater regulation of the identity theft problem. After all, the problem is declining. Self-regulation must be working. Or is it?

Chris Hoofnagle (senior staff attorney, Samuelson Clinic at Berkeley Law School) disputes the study:

2007 brings another identity theft survey from Javelin Strategy. As usual, it strives to conclude that identity theft is on the decline and that most identity theft is the result of information being stolen from the victim. Both conclusions are dead wrong. Why?
Javelin’s study doesn’t detect “synthetic identity fraud.” Public polling on identity theft completely misses the biggest modern fraud issue–synthetic identity theft. In synthetic cases, the impostor creates an entirely new identity using information from many different victims. Since this synthetic identity is based on some real information, and sometimes upon artfully created credit histories, it can be used to apply for new credit accounts. This harms consumers because it creates subfiles at the CRAs, and the real owner of the SSN is sometimes targeted by collections efforts. . . .

According to ID Analytics, in 2003, 88% of fraudulent new accounts were opened with synthetic identities. In addition, 73% of dollar losses were due to synthetic theft, with only 26% being attributed to traditional, true name identity theft. These frauds go completely unmeasured by public polling, but cost the consumers and the economy billions in higher fees.

Moreover, Javelin's study attributes most identity theft to people connected to the victim. But Hoofnagle writes:

Javelin’s conclusions on how identity theft occurs (through connections to the victim) contradicts all the existing literature, which attributes the problem largely to insiders. . . .

In a study of 1,037 verified instances of identity theft, Collins and Hoffman found that 47% of impostors stole information from individuals by stealing mail and trash, purse snatching, and stealing information from friends and relatives. 51% of impostors obtained information by stealing it from businesses.

Posted by Daniel J. Solove at 12:01 AM | Comments (0) | TrackBack

November 09, 2006

Verifying Identity: From One Foolish Way to Another

posted by Daniel J. Solove

For quite some time, banks and financial institutions have been using people's Social Security Numbers (SSNs) to verify their identities. Suppose you want to access your bank account to check your balance, change addresses, or close out the account. You call the bank, but how does the bank know it's really you? For a while, banks were asking you for your SSN. Your SSN was used akin to a password. If you knew this "secret" number, then it must be you. Of course, as I have written about at length, a SSN is one of the dumbest choices for a password. Not only is it a password that can readily be found out, but it is a password that's very hard to change. Not a wise combination. People's SSNs are widely available, and the data security breaches in the past two years exacerbated the exposure. A lot of legislative attention has focused on the leakers of the data, and rightly so, but not enough attention has been focused on the businesses that use people's SSNs as passwords. If SSNs weren't used in this way, leaking them wouldn't cause the harm it does.

But now, it seems, banks are starting to rethink the use of SSNs. According to a USA Today story:

A growing number of banks and retailers are moving beyond Social Security numbers to verify your identity. They're relying on such personal details as your car color, your father-in-law's name and the city you lived in five years ago.

No, you never gave them this information; rather, they pulled it from public and private databases. These private details are increasingly being used to approve you for credit at a store, give you access to your account online or to verify that you — rather than an impostor — are making a purchase.

It's the latest effort by financial institutions to fight a growing threat of identity theft from online "phishing" and other scams. Chase, HSBC, Vanguard, American Express and Barclaycard US use this customer-verification technique. Mellon Financial is testing it. In the past two years, the technology has been adopted by six of the top 10 U.S. banks and thrifts, says Verid, a provider of the technology.

The problem with using this method is that the information in public databases is often riddled with errors. Why do banks need to go behind your back to snoop out information about you? Banks and financial institutions already have a relationship with you -- after all, you established an account with them. They can use some of the information they gathered at that time to establish your identity and then ask you to supply additional information to help identify you. But going behind people's backs and trolling public records for data does not strike me as a particularly effective method given the possibility for errors in those records.

The story continues:

Frank Lapiano, a sales rep in New York, got a taste of this technology when he and his fiancée bought a wedding ring at a department store in September.

To verify his identity, his credit card issuer, Chase, asked about the last four digits of his Social Security number, his mother's maiden name and charges he'd made in the past 48 hours. Then the bank dug deeper: It asked multiple-choice questions about which age range reflected his father's age and also about the city his mother lived in.

The problem here is that the last four digits of the SSN are not a good password. Neither is one's mother's maiden name, since it readily appears in public records such as birth certificates. Charges made in the past 48 hours might not be ideal to use either, since a thief who stole a person's credit card might be the one who made such charges. And the details about his father's age and whereabouts of his mother come from public records, which may not be reliable and which can readily be found out by a fraudster too. All a fraudster needs to do is buy a public records report about a victim from a database company, and the fraudster will have all the information he needs to circumvent this security tool. Moreover, asking numerous questions can slow down the identification process and make it less efficient. What we want isn't perfect security; it is smart security using passwords that do not contain information anybody can readily find out and that can be changed easily if they fall into the hands of a fraudster.

So it's a good thing that banks are moving past the SSN, but I'm not sure they're moving to something much wiser.

Posted by Daniel J. Solove at 12:15 PM | Comments (6) | TrackBack

November 02, 2006

How Does the US Rank Among Countries in Privacy Protection?

posted by Daniel J. Solove

How does the United States rank among countries in privacy protection? Practically at the bottom according to a ranking by Privacy International, a UK-based privacy advocacy group. The ranking is based on Privacy and Human Rights, an annual report about privacy laws around the world published by Privacy International and the Electronic Privacy Information Center. Here's the ratings table and here's the briefing paper for the table. Unfortunately, every time I try to access the PDF file of the briefing paper that explains the rankings, it not only fails to load, but it also crashes my browser, whether Firefox or Explorer.

The press release for the rankings states:

Conversely, the rankings indicate which countries are the worst privacy offenders - the emerging surveillance societies. The report measures the extent of information available to authorities about citizens and the many ways that data is used. Categories include police data, DNA, visual surveillance and identity card technology. These are measured alongside against legal and constitutional protections.

Below are some key findings. (Please note that “worst ranking” and “lowest ranking” denotes countries that exhibit poor privacy performance and high levels of surveillance.)

* The two worst ranking countries in the survey are Malaysia and China. The highest-ranking countries are Germany and Canada.

* In terms of statutory protections and privacy enforcement, the US is the worst ranking country in the democratic world. In terms of the health of national privacy protection, the US has been ranked between Thailand and Israel.

* The worst ranking EU country is the United Kingdom, which fell into the “black” category along with Russia and Singapore. The black category defines countries demonstrating “endemic surveillance”.

* Despite having no comprehensive national privacy law, the United States scored higher than the UK. Thailand and the Philippines also scored higher than the UK.

* Argentina scored higher than 20 of the 25 EU countries.

I'm quite skeptical of rankings, which are often attention-grabbing at the expense of being particularly accurate or useful. After all, it's hard to reduce everything to a uniform system. One country may protect one dimension of privacy well but others poorly. Which counts more? So I think we could analyze countries, say, on which has more stringent regulation of government access to business records or on which has greater rights of citizens to access their personal data. We can compare countries on whether they have a privacy protection agency. But how much does this factor into overall privacy protection? A privacy agency, for example, can exist in name but exercise little substantive power. The larger point is that general privacy rankings are hard to do since privacy protection involves so many different dimensions. It would help if I could access the explanatory memo for the rankings, which will hopefully work at some point. That said, I strongly believe that US privacy protections are in great need of improvement and that many other countries have protections that strike me as more desirable than those in the US.

UPDATE: Kevin Jon Heller's post at Opinio Juris also examines the report, and he has more data from it, including the ranking and scores of each country, as well as the criteria that went into the scoring.

Posted by Daniel J. Solove at 01:38 PM | Comments (1) | TrackBack

September 25, 2006

The Digital Person: Now in Paperback

posted by Daniel J. Solove

I'm pleased to announce that my book, The Digital Person: Technology and Privacy in the Information Age, is now out in paperback and has a much more affordable price. From the cover blurb:

Seven days a week, twenty-four hours a day, electronic databases are compiling information about you. As you surf the Internet, an unprecedented amount of your personal information is being recorded and preserved forever in the digital minds of computers. For each individual, these databases create a profile of activities, interests, and preferences used to investigate backgrounds, check credit, market products, and make a wide variety of decisions affecting our lives. The creation and use of these databases—which Daniel J. Solove calls "digital dossiers"—has thus far gone largely unchecked. In this startling account of new technologies for gathering and using personal data, Solove explains why digital dossiers pose a grave threat to our privacy.

The Digital Person sets forth a new understanding of what privacy is, one that is appropriate for the new challenges of the Information Age. Solove recommends how the law can be reformed to simultaneously protect our privacy and allow us to enjoy the benefits of our increasingly digital world.

Links to reviews of the book are at The Digital Person website.

Posted by Daniel J. Solove at 05:29 PM | Comments (0) | TrackBack

August 22, 2006

Privacy on the Road

posted by Kaimipono D. Wenger

From the New York Times, a nice little piece about privacy (or lack thereof) on the road:

Using a public computer can also mean courting trouble, because data viewed while surfing the Web, printing a document or opening an e-mail attachment is generally stored on the computer — meaning it could be accessible to the next person who sits down. (To remove traces of your work, delete any documents you have viewed, clear the browser cache and the history file and empty the trash before you walk away.)

“You also run the risk that somebody has loaded a program on there that can capture your log-ins and passwords,” Mr. Louderback said, recalling an incident a few years ago when a Queens resident was caught installing this type of “key logger” software on computers at several Kinko’s locations in New York.

As the article points out, it's a scary, scary world out there. Public computers can be searched for passwords or equipped with malicious keyloggers. Wireless hot spots can be raided with packet sniffers. There are software solutions for getting around these, but the easiest solution is also the safest:

Absolutely never check your bank account on a public computer. And be careful about checking it on a wireless hotspot.

One thing the article lacked was a real discussion of how prevalent this kind of identity theft is. What are the statistics on this kind of thing, Dan? How much identity theft (or for that matter, data theft) comes out of these kinds of interactions - do we have any ideas?

Posted by Kaimipono D. Wenger at 11:41 PM | Comments (3) | TrackBack

The Ten Greatest Privacy Disasters

posted by Daniel J. Solove

Wired News lists what it considers to be the 10 greatest privacy disasters:

10. ChoicePoint data spill
9. VA laptop theft
8. CardSystems hacked
7. Discovery of data on used hard drives for sale
6. Philip Agee's revenge
5. Amy Boyer's murder
4. Testing CAPPS II
3. COINTELPRO
2. AT&T lets the NSA listen to all phone calls
1. The creation of the Social Security Number

See the Wired article for its explanations. It's a good list, but there are a few problems. Although we still don't know all the details of the NSA surveillance program, it's not worse than COINTELPRO, which involved massive surveillance of a wide range of groups, the wiretapping of Martin Luther King, Jr., attempts to blackmail King, and more. The Social Security Number has indeed led to a ton of problems, but the fault doesn't lie with its creation. Rather, the problem is mostly the expanding use of the number and the failure of the government to rein in government agencies and businesses from using it. CAPPS II, while flawed in its conception, should not be so high on the list.

Some notable omissions: Where's Total Information Awareness? What about Olmstead v. United States, 277 U.S. 438 (1928), where the Supreme Court held that the Fourth Amendment didn't regulate wiretapping? Olmstead led to nearly 40 years of extensive abuses of wiretapping before it was overruled. There are countless other Supreme Court 4th Amendment cases that could arguably be listed, but I'd definitely include Miller v. United States, 425 U.S. 435 (1976), which created the third party doctrine which holds that the Fourth Amendment does not apply to personal records possessed by third parties. Another possible inclusion: The birth of J. Edgar Hoover.

Hat Tip: Bruce Schneier

Posted by Daniel J. Solove at 09:58 AM | Comments (8) | TrackBack

August 16, 2006

Privacy, Information, and Technology

posted by Daniel J. Solove

My new casebook, PRIVACY, INFORMATION, AND TECHNOLOGY (ISBN: 0735562548) (with Marc Rotenberg & Paul M. Schwartz) is now hot off the presses from Aspen Publishers. It is an abridged version (300 pages) of our regular casebook, INFORMATION PRIVACY LAW (2d ed.), which is about 1000 pages in length.

Privacy, Information, and Technology is designed as a supplement to courses and seminars in technology law, information law, and cyberlaw. It will provide between 2-4 weeks of coverage of information privacy issues pertaining to technology, government surveillance, databases, consumer privacy, and government records.

More information about the book is here. If you’re interested in getting a review copy of the book, please send an email to Daniel Eckroad.

The book will sell for $35 and can be purchased on Aspen's website.

The book consists of four chapters. Chapter 1 contains an overview of information privacy law, its origins, and philosophical readings about privacy. Chapter 2 covers issues involving law enforcement, technology, and surveillance. Chapter 3 focuses on government records, databases, and identification. Chapter 4 covers business records, financial information, identity theft, privacy policies, anonymity, data mining, and government access to private sector data.

The full table of contents is available here.

Posted by Daniel J. Solove at 04:51 PM | Comments (0) | TrackBack

July 12, 2006

Data Security Laws, the States, and Federalism

posted by Daniel J. Solove

Remember well over a year ago, when last February ChoicePoint announced it had a major data security breach? Since then hundreds of breaches have been announced -- over 200 instances involving data on 88 million people. Several bills were proposed in Congress; many Senators and Representatives quickly emphasized the importance of privacy and data security. And after all this time, what has Congress produced? Nothing.

Meanwhile, the states have been very busy. 31 states have passed data breach notification laws. 24 states have now passed credit freeze laws, which allow people to lock their credit files to prevent unauthorized activity.

The stateline.org website has a terrific chart of the states that have enacted data security laws, which is below in smaller form. Visit the stateline website for a larger view.

[Chart: states that have enacted data security laws (source: stateline.org)]

I never used to be a fan of federalism, but in following information privacy law, I've found that the states are by far more responsive to problems, more flexible and experimental in solutions, and more able to get things accomplished. Substantively, the states have also established a better balance between privacy and business interests than Congress.

The bills kicking around in Congress would preempt many of the state laws discussed above. Ironically, that is what might make Congress finally do something in response to the data security breaches. Companies afraid of an orgy of state laws are pushing Congress to act -- not to protect privacy, but to wipe the board clean of state regulation and replace it with a weaker less-protective federal standard all in the guise of helping to "protect" our privacy.

Since it is so hard to get Congress to do or change anything, and since Congress seems to respond less to the problems of the people and more to the problems of companies, perhaps there's a small oasis in the states where good laws can get passed, where things can still get done. The pathologies that affect Congress certainly affect state legislatures too, but it seems to me to be less so. Congress is so swept up in the national party politics and posturing that it seems almost totally crippled and unable to do anything.

Of course not all state laws are perfect. According to an article at stateline.org, "only 21 of the 32 states with breach notification laws impose the requirement on government agencies. The 11 states with breach notification laws that don't apply to government agencies are Colorado, Connecticut, Delaware, Georgia, Maine, Minnesota, Montana, North Carolina, North Dakota, Texas and Utah." But despite these problems, the states, and not Congress, are the true friends of protecting privacy.

Increasingly, I've really warmed up to federalism. It's great to have a federal rule when it is one you agree with, but not so great when you don't like it and it undoes your state's better laws.

Posted by Daniel J. Solove at 07:01 PM | Comments (0) | TrackBack

June 30, 2006

Panic! More Private Data Lost

posted by Dan Filler

The Birmingham News reported, yesterday, that a computer with private employee data from supermarket chain Bruno's was lost. An employee with Deloitte put his notebook in checked baggage at the airport. Naturally, it did not reappear on the baggage belt. (The story does not clarify whether the bag didn't appear, or whether the bag arrived sans laptop.) Apparently the folks at Royal Ahold (the owner of Bruno's) have ongoing problems in this regard. Last May, another Ahold supplier lost a computer containing private employee data. Nobody thinks this is a good thing, but is it really newsworthy?

We have seen several stories, recently, about lost or stolen laptops containing troves of private data. These incidents do introduce a risk that the data will be converted to improper uses - most obviously identity fraud - but I suspect that, in most cases, the ultimate recipient of the computer was seeking, well, a computer. In any case, one thing is clear: the media like to find stories that fit into existing news frames. In particular, they like to find stories that fit with growing social anxieties. Thus, a few years back, a couple of drivers went nuts on the road, taking shots at drivers in other cars. Some savvy writer coined the term "road rage". Suddenly, aggressive acts by drivers - even those that would have been too mundane to report - became newsworthy as proof of surging "road rage."

So it is, I fear, with misplaced computers containing private data. The good news for Bruno's employees is that, given baggage handling norms, the computer is likely inoperable. And even if it does work, it's probable that the thief - if there be one - simply wanted some additional computing power. On the other hand, maybe that notebook is for sale this very day at the nation's lost baggage depot - The Unclaimed Baggage Center - in Scottsboro, Alabama. If so, identity thieves would be advised to hustle on down before a local farmer buys the unit and accidentally erases pages of highly valuable private information.

Posted by Dan Filler at 11:55 AM | Comments (1) | TrackBack

June 08, 2006

Some Interesting Facts About Identity Theft

posted by Daniel J. Solove

Today's Washington Post contains an interesting article about identity theft. Some identity thieves enlist unwitting employees of financial institutions into supplying them with personal information:

An identity-theft ringleader, also known as the "concierge," recruits an "insider" to steal personal information from work, data that can be used to make bogus credit cards with real names and account numbers.

Often the "insider" is a lonely woman who falls in love with the concierge after he sidles up to her in a bar, orders her a drink, and discovers that she works for a bank or insurance company -- at which point he escalates his wooing. After a while, he persuades her to leak him some customer data because he's "short on cash." . . .

The concierge then turns that information into cash using various schemes. One involves giving the customer names and numbers to someone who uses machinery in his basement to churn out phony credit cards and IDs -- documents that might not fool a cop but do get past many store clerks. Or the ringleader may use the information to open new credit accounts in the names of unsuspecting victims.

Next, he rents a van in someone else's name, rounds up a bunch of drug addicts, and gives each a bogus credit card and a shopping list, Goldberg said. Dumped at a suburban mall, they make their purchases and return with hot merchandise.

Then they are driven to another mall in a nearby county, where they are sent shopping again. Purchases are kept under $200 and repeated in different counties to keep the dollar value of individual merchant losses below the radar of police agencies. . . .

Another interesting part of the article discusses how drug dealers are increasingly turning to identity theft:

"What I am finding is these people are in fact retired drug dealers who are sick of getting shot at and arrested," [Richard] Goldberg [a prosecutor in the U.S. Attorney's office in the Eastern District of Pennsylvania] said at the summit, which drew thousands of security professionals to Washington for four days.

These days, identity theft is almost as lucrative as drug dealing -- but safer.

A stolen credit card number can sell for $100 to $1,000 on the black market, Goldberg said, depending on whether it includes the expiration date and other security codes, plus background on its owner.

Perhaps we should be pleased that the federal government is inept at addressing the identity theft problem . . . finally, a way to get drug dealers off the streets. . . .

Posted by Daniel J. Solove at 03:04 PM | Comments (2) | TrackBack

June 03, 2006

More Data Lost: 1.3 Million Student Loan Recipients

posted by Daniel J. Solove

From CNET:

About 1.3 million customers of a Texas provider of student loans are at risk of ID fraud, after a contractor lost computer equipment with sensitive information on them.

The equipment, which was not identified, contains the names and Social Security numbers of the borrowers, the Texas Guaranteed Student Loan company said in a statement Tuesday. The hardware was lost by an employee of Hummingbird, an enterprise software company hired to prepare a document management system, it said.

This follows a similar pattern to the way that the Veterans Administration lost 26 million records -- some employee takes home the data and it promptly gets lost or stolen. Security tip: Don't let your employees go home with the data! The government seems to be able to figure this out when it comes to top secret information; companies have figured it out when it comes to trade secrets. But when it comes to personal data belonging to others, it seems as though employees can just waltz out the door with it.

Hat tip: Deven Desai

Posted by Daniel J. Solove at 12:36 PM | Comments (3) | TrackBack

May 22, 2006

Private vs. Public Sector Responses to Data Security Breaches

posted by Daniel J. Solove

I just blogged about the massive data security breach by the Veterans Administration, affecting 26.5 million veterans. Bob Sullivan has a terrific post comparing the government's response to its data security breach to that of the businesses that have had such breaches in the past:

It's become standard practice for data leakers to offer free credit monitoring to victims, so they are able to watch their credit reports daily for signs of misuse. The services are available from the credit bureaus, and cost about $10 a month. Corporations that leak data and foot the bill usually get big discounts.

So far, the vets haven't been offered credit monitoring. Instead, the VA is reminding victims that they are entitled to a free copy of their credit report every year, and then basically wishing them good luck.

That's insufficient. . . .

Meanwhile, a single peek at their credit report today would probably reveal very little. Fraudulent accounts can take weeks or months to appear, meaning it would be better to take that one peek in a month or two. But even that's a tepid step at best to spy signs of identity theft after a data leak like this.

The only way to know something bad is happening to your credit is to look at it repeatedly, at about the same frequency that you look at your checking account statement. It's hardly a perfect solution and doesn't catch every instance of ID theft, but it's a solid start. Credit monitoring services give consumers that kind of access. ChoicePoint, LexisNexis, and nearly all other commercial entities that have lost data have offered credit monitoring to victims for 3, 6, even 12 months.

The VA should do the same. Anything less is neglectful.

Bob Sullivan is exactly right. More at Sullivan's excellent post.

Posted by Daniel J. Solove at 07:49 PM | Comments (0) | TrackBack

The Government's Data Security Breach and "Data Neutralization"

posted by Daniel J. Solove

The AP reports an enormous breach of data security by the government:

Thieves took sensitive personal information on 26.5 million U.S. veterans, including Social Security numbers and birth dates, after a Veterans Affairs employee improperly brought the material home, the government said Monday.

The information involved mainly those veterans who served and have been discharged since 1975, said VA Secretary Jim Nicholson. Data of veterans discharged before 1975 who submitted claims to the agency may have been included.

This data breach is one of the largest ever. There are several points worth mentioning about this fiasco:

1. The government can be just as careless with people's personal data as businesses and other organizations, which last year revealed data security breaches affecting millions of Americans -- over 50 million according to one tally.

2. Keeping massive quantities of personal data creates risks to individuals. People must depend upon those keeping their data to maintain good security practices. This is one reason why, whenever the government collects data about people, we should be concerned.

3. Many data breaches are low-tech and are due to just a few irresponsible individuals or bad apples. Often, all it takes is for one dishonest or careless employee to breach security. In this instance, an employee took the data home, something that the employee wasn't supposed to do. But why weren't there better limits in place at Veterans Affairs? It is amazing that an employee can just walk out with personal data on 26.5 million people. Shouldn't procedures be in place to prevent such things from happening?

4. Congress should look into legislation to neutralize the damage that all the leaked data can cause to people. Many of the laws addressing data security breaches focus on notifying people about breaches and on limiting such breaches. That's all well and good, but more needs to be done. We need a "data neutralization" law. By "data neutralization," I mean neutralizing certain pieces of personal information to reduce the potential damage that can be caused when such information is leaked. Leaked Social Security numbers and other identifying information wouldn't cause so much trouble if the government restricted businesses and other organizations from using them as passwords to gain access to accounts or to verify identity. If these practices are stopped, the leaking of a Social Security number becomes much less harmful.

Related Posts
1. Solove, Free Credit Reports: My Exciting Adventure (Concurring Opinions) (October 2005)
2. Solove, Notice Much Delayed: The FDIC Security Breach (PrawfsBlawg) (June 2005)
3. Solove, Data Security Breach Supersized: 40 Million People Affected (PrawfsBlawg) (June 2005)
4. Solove, Data Leaks: Déjà Vu All Over Again (PrawfsBlawg) (June 2005)
5. Solove, Tallying Up Data Security Breaches (PrawfsBlawg) (May 2005)

Posted by Daniel J. Solove at 07:21 PM | Comments (0) | TrackBack

New Casebook (Privacy, Information, and Technology)

posted by Daniel J. Solove

Apologies for the self-promotion, but in time for this fall semester, Paul Schwartz, Marc Rotenberg, and I will be publishing a short paperback casebook of about 300 pages entitled PRIVACY, INFORMATION, AND TECHNOLOGY (Aspen Publishers, forthcoming mid-July 2006), ISBN: 0735562548.

This book is intended to be an inexpensive volume that adapts the cyberspace and technology materials from our full-length casebook, INFORMATION PRIVACY LAW (Aspen Publishers, 2d ed. 2006). The full-length casebook is about 1000 pages; the shorter paperback book is a more streamlined volume of about 300 pages, focusing exclusively on cyberspace, databases, and technology. Aspen informs me that this shorter paperback adaptation will probably sell at a price between $30 and $35.

The book might be useful as a supplement for cyberlaw or information law courses for instructors who want in-depth coverage of information privacy issues for between 2 to 5 weeks.

More information about the book is here. If you’re interested in getting on the list to obtain a review copy of the book (available in mid-July), please send an email to Daniel Eckroad.

The table of contents is available here. A summary of the book's contents is after the fold.

SUMMARY OF CONTENTS

1. INTRODUCTION
A. Information Privacy, Technology, and the Law
B. Information Privacy Law: Origins and Types
C. Philosophical Perspectives

2. LAW ENFORCEMENT, TECHNOLOGY, AND SURVEILLANCE
A. The Fourth Amendment and Emerging Technology
B. Federal Electronic Surveillance Law
C. Government Computer Searches

3. PRIVACY AND GOVERNMENT RECORDS AND DATABASES
A. Public Access to Government Records
B. Government Records of Personal Information
C. Identification

4. PRIVACY, BUSINESS RECORDS, AND FINANCIAL INFORMATION
A. The Collection and Use of Personal Data
B. Regulating Business Records and Databases
C. Spam
D. Identity Theft
E. Financial Information
F. Government Access to Financial and Business Records
G. Privacy Policies: Private vs. Public Enforcement
H. Anonymity

Posted by Daniel J. Solove at 12:16 AM | Comments (1) | TrackBack

March 28, 2006

Outsourcing Our Data

posted by Daniel J. Solove

A growing data privacy issue is the outsourcing of personal data. Increasingly, US companies are outsourcing data processing to other countries. Although the United States lags much of the world in data protection, our personal information is being sent overseas to many countries that lack the same level of privacy protections as the United States. This can create risks that the data can be misused for identity theft or for fake identification. It could also create national security concerns.

There's a big outsourcing controversy brewing in Florida, where Governor Jeb Bush made a multimillion dollar deal with a company called Convergys to process personal data, including Social Security Numbers and financial information. Convergys then contracted with another company that then outsourced to India. According to the Tallahassee Democrat:

The Tallahassee Democrat reported Dec. 25 that two former employees of GDXdata Inc. had secretly sued their ex-employer, saying the company improperly sent Florida employee records to companies in India, Barbados and possibly China for some processing steps involving the People First system. People First is Gov. Jeb Bush's biggest "outsourcing" project - a nine-year, $350 million deal with Convergys - and all employee records are supposed to stay within the country.

Democratic legislators and U.S. Rep. Jim Davis of Tampa, a candidate for governor, called for an investigation of possible identity theft. Unions representing state employees urged DMS to make Convergys buy insurance to protect employees against fraudulent use of their personnel information.

Argenziano had scheduled a presentation by DMS Secretary Tom Lewis for her Senate Governmental Oversight and Productivity Committee meeting. But she said Lewis is meeting with top Convergys officials this week and "is not happy about some of the things he's finding."

The suit was filed under seal in Leon County Circuit Court, seeking to collect damages on behalf of the state for alleged irregularities in People First records processing. It did not accuse Convergys of any wrongdoing and the employee-services giant said at the time it had dropped GDXdata as a subcontractor for unexplained failure to do work as provided by its contract.

GDXdata said it would vigorously defend the suit. The plaintiffs said the company sought to cut processing costs from 6 cents to a penny per page by sending work overseas.

Posted by Daniel J. Solove at 12:09 AM | Comments (0) | TrackBack

March 16, 2006

Even Tearing Up Your Credit Card Applications Isn't Enough

posted by Daniel J. Solove

One of the reasons why identity thieves are the luckiest criminals alive is because credit card companies make their crime really easy. This person at Cockeyed.com tried an experiment. He tore up his credit card application into little pieces, meticulously taped it back up, and then filled it out as follows:

Now, I wasn't going to be able to check my mailbox for a few weeks, so I marked this little checkbox and CHANGED MY ADDRESS to my parent's address, who are blessed with a very secure mailbox.

I wanted the BRAND NEW CARD to go to a DIFFERENT ADDRESS.

Also, I used my CELL PHONE NUMBER on the application. I'm not always at home, so I didn't want to have to call from my real home to authorize the card.

The result? A shiny new credit card was sent to his parent's address.

Check out the full story here.

It is amazing how irresponsible credit card companies can be.

Hat tip: Ann Bartow. Chris Hoofnagle has more ridiculous credit card application stories.

Related Posts
1. Solove, Free Credit Reports: My Exciting Adventure (Concurring Opinions) (October 2005)
2. Solove, Public Records and Identity Theft (Concurring Opinions) (March 2006)
3. Solove, Identity Theft: Increasingly an Affliction of the Young (Concurring Opinions) (January 2006)
4. Solove, Youngest ID Theft Victim? (PrawfsBlawg) (July 2005)
5. Solove, Why Identity Theft Isn’t Pretty (PrawfsBlawg) (July 2005)
6. Solove, Identity Theft Fears and Online Shopping (PrawfsBlawg) (June 2005)
7. Solove, Identity Thief Professors (PrawfsBlawg) (June 2005)

Posted by Daniel J. Solove at 12:05 AM

March 08, 2006

Public Records and Identity Theft

posted by Daniel J. Solove

There are new details to report about the famous Hamilton County public records website. Several years ago, the clerk of courts of Hamilton County, Ohio placed a wide range of public records online. Many of the records had extensive personal information about individuals, including Social Security Numbers and home addresses. The Hamilton County website garnered a lot of attention. The NY Times ran a story about it in 2002 called Dirty Laundry, Online for All to See (Sept. 5, 2002) at G1, by Jennifer 8. Lee:

Four years ago, Mr. Cissell decided that it was time to move the county's court records onto the Web. The documents were already public. They were already electronic. Where else to put public electronic documents but on the Internet?

"It was the natural progression of technology," said Mr. Cissell, the clerk of courts for Hamilton County, whose seat is Cincinnati.

Mr. Cissell's three-person technology staff put together the Web site at www.courtclerk.org. State tax liens, arrest warrants, bond postings -- all became searchable and accessible on the Internet.

"Everything we get is scanned and available," said Mr. Cissell, a former United States attorney. "It was very easy to open the door to the public."

Visitors have flowed to the site. So have the complaints.

Later, in 2004, it was reported that records were removed from the website because they were being used for identity theft:

Hamilton County Clerk of Courts Greg Hartmann announced he was removing more than 320,000 public documents from his Web site in an attempt to combat the growing crime of identity theft.

"This is a big deal. It's not something I have done lightly," Hartmann said of the deletions from www.courtclerk.org, which gets 60 million hits a year.

Today, Hartmann will begin blocking access to traffic tickets that previously have been available. Traffic tickets, Hartmann said, are particularly important to identity thieves because they contain names, addresses, telephone numbers and Social Security numbers, all information that can be used to steal an identity and rack up large bills under the new, stolen identity.