Congress to Investigate ChoicePoint 259
twzop writes "I just saw a story on the CBS evening news about the previously posted story about ChoicePoint, Inc. in Atlanta, GA getting hacked and US citizens' data being compromised. The story stated that Congress was going to get involved by investigating the scandal and that there was a large class action lawsuit against the private firm."
Nothing to see indeed. (Score:3, Insightful)
Before we get too excited about the possibility of justice, let's remember that it's only a crime if it wasn't a rich person that did it.
Re:damage size? (Score:3, Insightful)
Time to set an example (Score:2, Insightful)
Re:Trust me, its not just ChoicePoint. (Score:5, Insightful)
This is very interesting, but didn't ChoicePoint sell this personal information to the people that "stole" it? The issue is that people were buying credit reporting services from choicepoint, since choicepoint is in the business of selling this data to companies. The people who stole this data just posed as real companies, and choicepoint didn't do their homework and check on the black hats' bona fidus.
This is not a hacker issue; no one is claiming a computer was rooted or compromised or that some kid with a script was punching passwords into choicepoint's web site. Choicepoint was selling this data, and the they were human engineered into selling the data to people who had malign intent.
The issue is wether anyone should be selling this stuff AT ALL.
Re:Trust me, its not just ChoicePoint. (Score:4, Insightful)
I consider misleading to get information the same as hacking to get it. The only difference is that ChoicePoint was paid. Why should they care?
---The issue is that people were buying credit reporting services from choicepoint, since choicepoint is in the business of selling this data to companies. The people who stole this data just posed as real companies, and choicepoint didn't do their homework and check on the black hats' bona fidus.
Sometimes hacking has to do with throwing up a huge wall of "mistrust" and make the other party believe in something they shouldnt. Still, couldnt you claim that many "legit" companies use this data in what could be considered very improper?
Guess that brings up the question whether we should punish the company(s) or the people who do wrong...
---This is not a hacker issue; no one is claiming a computer was rooted or compromised or that some kid with a script was punching passwords into choicepoint's web site. Choicepoint was selling this data, and the they were human engineered into selling the data to people who had malign intent.
Still, this shows one of my points: Laziness. A "identity" company not checking the corporate identity. And then the people in the "evil" company do evil things.
Who's to be punished?
---The issue is wether anyone should be selling this stuff AT ALL.
Would you accept checks from somebody for medium-large amounts without checking up on who they are, and whether they've bounced checks before?
In reality, the law SHOULD be that you have full access to YOUR information, and can correct provable, factual parts that are incorrect. I really cant answer if they should be selling this data...
Re:Screwed by ChoicePoint (Score:3, Insightful)
What's really ironic about this statement is that Choicepoint does background checks for employeers.
Last several times I was accepted for a job, I had to submit myself to a background check provided by Choicepoint.
They could do a similar background check on their clients, but I bet that would be bad for Choicepoint's business.
ChoicePoint NOT hacked (Score:5, Insightful)
Y'all have it backwards (Score:3, Insightful)
Class dismissed. (As in the "no class" action suit.)
Re:Mitigating damages (Score:5, Insightful)
Can't have it both ways, Slashdotters.
Re:It's about Time-Security puncture. (Score:5, Insightful)
Furthermore, people keep complaining that their information got stolen. It's not your information. It's ChoicePoint's information. It belongs to them, and to the people that purchase access to it from them. They took the time to collect and aggregate it, and they own it. The fact that it may or may not directly affect your life for better or worse in substantial ways does not even enter the equation.
Obviously, there is something fundamentally wrong here that needs to be corrected. In my opinion, information should be held by an organization specicially authorized by the government to do so. The information should be encrypted and secured, and leaks should be punishable by prison time. A standard, open algorithm should be created, to convert the information into a simple number (like a "credit score.") Companies pay for access to these scores. Only upon showing direct need, in a court of law, should specific information be given to specific companies, under strict confidentiality. If a particular company needs to know a specific detail about all of their customers, they can petition to be granted access to that information only, under the same confidentiality agreement.
Furthermore, individuals should be given unfettered access to their own information, on request. (Identity verification should be draconian here.) Individuals should have the right to challenge an inaccuracy, and to provide documentation disproving it.
Granted, it may have some issues of its own, but at least it's a step up from "give everyone's most intimate financial details to every company that pays us a nickel." Any thoughts?
Re:Mitigating damages (Score:2, Insightful)
That's an interesting way to look at it. You could say it was stolen from who holds it, and infringing on who it refers to. It's not who it was stolen from who suffers the most. I like this concept.
Re:ChoicePoint NOT hacked (Score:3, Insightful)
Re:Screwed by ChoicePoint (Score:1, Insightful)
And who gave them the authority?
Hint: It's something you always have with you. You see him every day in the mirror.
Re:Screwed by ChoicePoint (Score:3, Insightful)
Because it would cost money that's why. The only reason you know what happened is because the left wing hippies in california passed a law that holds businesses sort of kind of responsible.
Businesses have no morals or conscience. They don't care about you. It's up to you (through your govt) to make sure the businesses don't run amok.
10 million victims lose 300 million hours... (Score:5, Insightful)
- over 3 million Americans had fraudulent ID theft (the worse kind), and 10 million total had some type of ID theft
- ID theft victims spent a total of 300 million hours "fixing" their problems.
- Fraudulent ID theft averaged $10,000 stolen. The total cost of all ID theft is $50 billion.
- the monetary cost to fix fraudulent ID theft averages $1,200 per ID victim.
But in reading this report the bias that "businesses are the true victims" shows up. The $5 billion in costs to the identity victim (and 300 million hours of time) is described as "Individuals whose information is misused bear only a small percentage of the cost of ID Theft" (pg 6). That's a bad way of thinking about it for several reasons:- 300 million hours of victims' time = 300 million hours of research and investigative time = a 'donation' of at least a few billion dollars.
- The ID theft victim gets hit with real and lasting costs. Companies get to write off their losses, or use insurance and pass their costs on to consumers. A year after ID theft is discovered, the theft is just a blip in a spreadsheet to the companies where the stolen identity was used. The victim will still be writing letters, finding new ramifications, and losing time and sleep over the matter.
- Those 300 million hours also = stress, lost time from work, family, charities, plus also extra medical expenses.
- "15 percent of ID Theft victims reported that their personal information was misused in nonfinancial ways. The most common such use reported was to present the victim's name and identifying information when someone was stopped by law enforcement authorities or was charged with a crime." What's the cost of your kid seeing you arrested because someone else used your name? Not to mention...
- Now that the government gets data from Choicepoint and others, and because the government has no legal responsibility to find or fix bad data in its files, the rest of your life could be hobbled by bad data and you won't quite know why.
So basically Choicepoint and the credit card reporting agencies are creating a "public bad." Like polluters, they force other people and companies to bear the cost of problems they've created. 300 million hours and $5 billion dollars would = fantastic security finished in months if the companies themselves had to pay these costs. Instead, 10 million people are forced to do their own cleanup work, and the fact that 9.999 million people have already done the job doesn't make it any easier for you when you're the victim.Re:145,000 (Score:5, Insightful)
The public certainly doesn't know the number. My guess is ChoicePoint (a) knows it is higher (b) doesn't know the total.
sPh
It can takes years to fix this sort of thing... (Score:5, Insightful)
I had (regular) mail stolen from my mail box (before I realized how bad it is to actually use your mailbox for outgoing mail), at first I thought it was a post office screw up, but several months later, I got a call from a bank employee who just completed a transaction which he thought was fishy. He asked my if I had just cashed a four figure check there. When I told him that I hadn't he warned me that somebody was stealing my Identity. I called my credit card companies to get new cards and security added to my accounts, contacted all of the big three credit agencies and got a hold put on my credit, contacted the local police.
The next thing I knew it was raining collection notices on me.
This guy was printing checks with my name and driver's liscense number. For Id, he had a printer which could create fake driver's liscenses with all of my information, but his face and description.
Fortunately, I was lucky, this guy got pulled over for a faulty brake light and the officer looked into the car and saw over a dozen driver's liscenses on the back seat of his car, all with his picture on them, but different names. The officers told me that I was the one in a hundred whose Identity Thief was caught.
Now, 8 years later, I can share some lessons with you. Trust me, you don't want any of this to happen to you, arguing with collection agencies is no fun at all, they assume that everybody is a slimeball.
1) Get a shredder. Get two in case the first one breaks. Shred everything that has anything that can identify you. Id Theives also dumpster and dump dive to look for your information, don't give them any help. shred shred shred...
2) Get your annual credit report from the big three credit bureaus. Take the time to review it, carefully. They each have a formal procedure for clearing up problems. Follow it to correct your information. They can be reached here http://www.creditreporting.com/ [creditreporting.com]
3) Check your credit and bank statements, you never know what they have on you or when they get it.
4) If it does happen to you, file a police report immediately. This report number is your best defense against the onslaught of collection agencies that will soon be banging down your door.
Re:Nothing to see indeed. (Score:2, Insightful)
Re:Dear Choicepoint... (Score:3, Insightful)
The right-wing anti-liberty^H^Hals have been spreading the meme lately that you never had a right to privacy, contrary to the fourth amendment. Their argument is that the Constitution only limits what the government can do, so that Choicepoint and their ilk are not obligated to respect your right to privacy.
IANAL but I notice that the Civil Rights Act of 1964 gives the power 'to authorize the Attorney General to institute suits to protect constitutional rights in public facilities'. This is the law that makes it illegal for a privately owned diner, for example, which caters to the general public to require blacks to stand while eating. It seems obvious to me that a credit reporting agency which collects information about unsuspecting members of the general public should be held to the same laws as that diner. The attourney general should be authorized, in my opinion, to protect us from violations of our constitutional rights by that credit agency.
Re:It's about Time-Security puncture. (Score:2, Insightful)
Ultimately, there may be some protocols legislated to protect information, but these will be feel good measures more than adequate protection (most will be geared towards consolidation with data companies suggesting regulations). The bottom line will be what types of services different companies can provide, and how accurate/specific those databases will be. Anticipate several smaller companies coming in with very specific information (such as workman comp/insurance claims) to be sold.
Those smaller companies are not really looking to be profitable of themselves, but are looking for larger companies to buy them outright. In that respect, government regulation against sharing information becomes moot as the market consolidates. Everyone is waiting to see what regulations come about so they can plan their next move. Most are coordinating lobbying efforts to get favorable terms.
The companies that secure the most databases become the major players (look at Choicepoint's history of acquisitions to see how they got into such a dominating position), and they will wield their own political power.
The databases will not go away. They will just consolidate. They are too important to government as well as business. Security becomes a secondary issue when so much information is available under one roof. It becomes a single point of failure to the only game in town. Why should they care?
There will be no confidentiality agreements. More than likely, you will see government contracting these companies for info.
In short, information does indeed want to free. But this time it will be your information and short of armed revolt, there ain't much you can do about it.
Re:This is so wrong, it's frightening (Score:4, Insightful)
When the fraud was officially investigated, ChoicePoint admitted to a false-positive rate of up to 15%, which was already far in excess of Bush's lead in the Florida poll. Later, an independent investigation showed an error rate of more than 90% - some 55,000 voters, some 30,000 of whom were black.
What you seem to be missing here is that a false positive on the felon list does not mean that person was disenfranchised. Instead it meant that the election supervisor of the county that the individual lived in was required to verify that they were eligible to vote (that is, if the county used the felon list at all- over half of the counties ignored the list completely). You see, the list was designed to have false positives. As Katherine Harris said, it was supposed to cast a wide net to find ineligible voters that were registered to vote. In other words, if somebody was disenfranchised, it is the County Election Supervisor's fault.
So please stop calling it "fraud". There was no fraud here.
This is a flat-out lie. Read some first-hand accounts of voter disenfranchisement for yourselves. Voters were erroneously scrubbed from the electoral roll, were not adequately notified in advance, tried to vote anyway and were turned away - simple as that.
It is not a lie. None of the witnesses that the USCCR heard from were prevented from voting because of the felon list. Allow me to quote from the dissenting statment [usccr.gov]:
Re:This is so wrong, it's frightening (Score:2, Insightful)
Did you read the post you linked to? http://www.usccr.gov/pubs/vote2000/report/ch2.htm [usccr.gov]
It does list people who were unable to vote, but not because of the felon purge.
Donnise DeSouza was told that her name was not on the rolls ... Furthermore, Ms. DeSouza learned that her name was actually on the rolls of registered voters
So, she was not purged.
Angenora Ramsey, an African American former poll worker with 18 years' experience, had changed her address prior to November 7. Based on her familiarity with election procedures, when Ms. Ramsey went to vote at Precinct 62 in Palm Beach County, she completed a change of address affidavit. But when the poll worker tried to call the office of the supervisor of elections to verify Ms. Ramsey's registration status, she was unable to get through.
Again - Not Purged
Margarita Green, a 75-year-old Cuban American woman, went to vote at the same precinct in Miami-Dade County where she had always voted since becoming a citizen in 1966. When Mrs. Green showed her registration card to the poll worker, she was told that her name was not on the rolls and that she must speak with another poll worker who would look into the problem. Mrs. Green recalled that it took a long time for the poll worker to reach the supervisor of elections because the phone line was busy. When she finally got through, the worker explained that according to their records Mrs. Green had called in 1998 and "erased" herself from the voter list.
Again - Not Purged in 2000
Marvin Rickles, Jr., a deputy at Precinct 74B in Palm Beach County, observed an African American school principal turned away, after waiting for two hours, because her name did not appear on the rolls and poll workers could not reach the supervisor of elections office. She returned to the precinct later that afternoon and was allowed to vote only after she discovered that her name had been misspelled on the rolls.[12]
So, you've called someone a liar and posted a link which contains not a single example of someone who was unable to vote due to the felon roll purging.
That is shameful to SlashDot.
Re:damage size? (Score:3, Insightful)
Re:This is so wrong, it's frightening (Score:3, Insightful)
The same thing is now happening with the Ohio frauds. Doubters needn't look any further than the statements of Ken Blackwell (Republican) in his summary dismissal of any such concerns. I'm watching it happen. Heck, the Congress only took a couple of lazy hours to dismiss the questions over the vote results from Ohio and a couple of other states.