American Culture

Who has access to your personal data? Everyone–except you

By Martin Bosworth

Last month the Associated Press cast a harsh light on a dark secret of many big public industries–that workers have far securicam.jpg too much access to personal data of customers, and misuse and abuse it accordingly

Vast computer databases give curious employees the ability to look up sensitive information on people with the click of a mouse. The WE Energies database includes credit and banking information, payment histories, Social Security numbers, addresses, phone numbers, and energy usage. In some cases, it even includes income and medical information. Experts say some companies do little to stop such abuses even though they could lead to identity theft, stalking and other privacy invasions. And companies that uncover violations can keep them quiet because in many cases it is not illegal to snoop, only to use the data for crimes.

This ties in with findings from a new report by Chris Hoofnagle, formerly with the Electronic Privacy Information Center (EPIC) and senior fellow for the Berkeley Center for Law and Technology. Hoofnagle analyzed data compiled from the FTC’s consumer fraud complaint list and found that the world’s biggest banks and telecom companies are the largest trouble spots for cases of identity theft and fraud:

The report, compiled from 88,000 complaints filed with the FTC over three months in 2006, shows that major banks and telecommunications companies accounted for a much larger portion of the filed complaints than other industries, and that telecommunications companies lacked a standard of measuring the complaints.

There’s a deeply sad irony in the fact that telecom companies who have done all they could to enable the Bush regime’s illegal surveillance agenda on Americans and are fighting with each other over who’ll get to police the Internet are also the least capable of actually protecting the data they collect with such feverish intensity. But this is a common truth typical of all of these surveillance and data mining programs–putting all of these vast troves of data together in one place only makes it all the easier for unscrupulous employees or smart thieves to abuse it. No security system can ever perfectly account for the unpredictability and capriciousness of human experience–witness this awesome Washington City Paper story about a young petty thief who was able to fool workers at the Nuclear Regulatory Commission into thinking she worked there, using her access to make off with goods and cash. Social engineering and psychological foibles trump data security every time.

And we, as consumers and citizens, are still kept in the dark over how our data is being sold, resold, used, and misused. When Lexis-Nexis’ corporate parent Reed Elsevier announced last month that it would buy infamous data broker ChoicePoint, were privacy advocates given a chance to scrutinize the deal? Will it be given any more oversight than a rubber stamp of approval from the FTC or the Department of Justice? And more importantly, what will this new information broker juggernaut do with the data it collects, besides sell it to the highest bidder? Will it train its employees in ethical conduct and ensure that they only have access to the data they need at any given time?

These are questions that need answering, if we’re to prevent more cases of these data treasure troves being pilfered and plundered for profit.

8 replies »

  1. Pingback:
  2. Crank out all the misinformation you possibly can and make it as difficult as possible for data gathers and thieves. GIGO: garbage- in-garbage out.

  3. When I recently called Verizon and Comcast for perfectly routine, non-financial transactions, both companies insisted that I chant my Social Security number to the people they’ve got answering their phones.


    I never supplied, heh, was never ASKED for, my SSN to/by either company. They got it by other means and chose to use it as an entry gate for a customer seeking to block text spam from a cell phone and inquire about a service outtage. I’ve got account numbers for both companies, but foo, why use those when you can let me know my privacy and security have been invades by the Ubergreedies?

    Yes, it is nice to know that every time I call up about some little twiddle, Mr. or Ms. Boiler Room Slave will have access to my SSN. And, as it turned out, to my mother’s maiden name.

    No point in locking all that down now. We need another way of proving a transaction is legit and a person is who they say they are. The old “proofs” have been rendered useless.

    Most of all, who bears the misery of opening up personal identifying information to all and sundry needs to be changed by law. It’s got to move from you and me to the corporate pigs at the trough. Let’s make it happen.