Data miners free to dig deep for personal details

Net Results: Two weeks ago, 34,000 Californians woke to discover that their most sensitive personal information had been purchased by criminals.

Everything from social security numbers, addresses, driver licence numbers, mortgage details, legal history, credit ratings, insurance claims, bankruptcy files, car registration numbers, home title deeds, thumbprints, DNA information and phone numbers - all sold to a gang who themselves used stolen identities to create fake companies and receive faxes full of sensitive information at just €150 per batch.

But those 34,000 were just a small portion of the 145,000 Americans whose details were apparently sent to the criminal gang by ChoicePoint, a spinoff of credit checking company Equifax, which markets this information to businesses that want to know a person's credit history.

The only reason anyone knew about this security breach - which was detected last October, after the criminals had been using the information for over a year - is that California is the only state that requires companies that handle personal data to inform victims of this kind of crime.

ChoicePoint has since confirmed that the 144,778 affected individuals (California officials are guessing the number is closer to 500,000) come from all 50 states as well as the District of Columbia (Washington DC), Puerto Rico, Guam and the US Virgin Islands. Some 750 of those are known to have been defrauded through identity-theft crime.

The US has few data privacy protections and little regulation of the data aggregation industry, where companies in the data mining business like ChoicePoint suck in information from myriad sources then present it in comprehensive profiles for millions of individual citizens.

Where does all this information come from? From businesses that collect it in the course of doing business with customers, and from local, state and government agencies. ChoicePoint holds 19 billion data files for, as Time magazine noted, "clients ranging from the cub scouts to the CIA".

ChoicePoint, based near Atlanta, Georgia, is the largest data mining firm in the US and has been on a buying spree of late, acquiring background check companies, data collection companies, and DNA analysis firms, all of which contribute to the data aggregation process.

Up until this breach, most Americans had no idea such information was so publicly available, bought and sold to anyone who wants to set up an account, through huge corporations that bulk-sell personal information as a commodity.

People did know there were companies that provide credit check information - nearly every adult will have applied for a loan, a mortgage, a credit card, credit for buying furniture, credit to get a car, all of which involve credit checks.

But as is clear from the shocked response of public representatives in the US, people don't understand how their information could have been so freely available, much less sold to criminals.

Already, 19 state attorneys have approached ChoicePoint to ask that people in their states also be told if their profiles were sold to the criminal ring. The US Senate will hold an enquiry into the industry and whether it needs greater regulation.

The answer is obvious - of course it does. Information that most people had believed was confined to the private files of banks, government departments and the police turns out to be on offer at low cost to nearly anyone who wants to set up an account with a data mining firm.

Yet for an immediate example of how indifferent legislators have been up to now, and how low awareness is among citizens of the dangerous vulnerability of their personal information, consider this. California Senator Dianne Feinstein sponsored a federal bill last year to help prevent just this sort of accident by making data mining firms (or any firm holding sensitive data) responsible for disclosing all leaks of information.

The bill got nowhere.

Senator Feinstein introduced another similar bill earlier this year that would bring this California-style disclosure notification to all the states, rather than just her own, and also require data miners to gain customer permission to sell on such data.

She is still unable to get a single co-sponsor for the bill (having co-sponsors, especially from one's rival party, helps a bill through Congress). Maybe post-ChoicePoint, some legislative colleague will decide protecting their constituency's personal information in this way might be a vote-getting gesture.

If you are feeling smug because data protection laws keep such information safe here, think again. Ireland and the EU are busy creating large databases of information - mostly in the name of better law enforcement or government - that would hold similarly sensitive information.

The Government's plans to have a single information "broker" for data on all Irish citizens, from tax to medical to civil records - with data held in at most two locations - makes such a system worryingly vulnerable to hackers.

In addition, just because there aren't brokers of credit information operating here now on the scale that they are in the US does not mean that they could not operate here, even within the legal parameters of EU data protection laws.

Those laws are hardly pillars to lean against, in any case: they are under vigorous assault from marketers on one side,and law enforcement on the other, both of which claim a need and right to access and use all sorts of personal details.

The problem with data is its abstraction. People have a hard time visualising why they should be worried about the aggregation, loss, sale or misuse of their personal information - and why they should be vigilant against attempts to gather it together into large databases for any reason, be it credit history, marketing ease or law enforcement use.

Just because things can be done, doesn't mean they should be done.

The ChoicePoint fiasco shows how an abstraction can turn into a very scary, tangible reality.

klillington@irish-times.ie

weblog: http://weblog. techno-culture.com