Slashdot Mirror
Congress to Investigate ChoicePoint
twzop writes "I just saw a story on the CBS evening news about the previously posted story about ChoicePoint, Inc. in Atlanta, GA getting hacked and US citizens' data being compromised. The story stated that Congress was going to get involved by investigating the scandal and that there was a large class action lawsuit against the private firm."
It's just congress getting ready to solicity another round of bribes...err campaign contributions. How many Enron executives are in jail again? Yeah.
Before we get too excited about the possibility of justice, let's remember that it's only a crime if it wasn't a rich person that did it.
This is very interesting, but didn't ChoicePoint sell this personal information to the people that "stole" it? The issue is that people were buying credit reporting services from choicepoint, since choicepoint is in the business of selling this data to companies. The people who stole this data just posed as real companies, and choicepoint didn't do their homework and check on the black hats' bona fidus.
This is not a hacker issue; no one is claiming a computer was rooted or compromised or that some kid with a script was punching passwords into choicepoint's web site. Choicepoint was selling this data, and the they were human engineered into selling the data to people who had malign intent.
The issue is wether anyone should be selling this stuff AT ALL.
---This is very interesting, but didn't ChoicePoint sell this personal information to the people that "stole" it?
I consider misleading to get information the same as hacking to get it. The only difference is that ChoicePoint was paid. Why should they care?
---The issue is that people were buying credit reporting services from choicepoint, since choicepoint is in the business of selling this data to companies. The people who stole this data just posed as real companies, and choicepoint didn't do their homework and check on the black hats' bona fidus.
Sometimes hacking has to do with throwing up a huge wall of "mistrust" and make the other party believe in something they shouldnt. Still, couldnt you claim that many "legit" companies use this data in what could be considered very improper?
Guess that brings up the question whether we should punish the company(s) or the people who do wrong...
---This is not a hacker issue; no one is claiming a computer was rooted or compromised or that some kid with a script was punching passwords into choicepoint's web site. Choicepoint was selling this data, and the they were human engineered into selling the data to people who had malign intent.
Still, this shows one of my points: Laziness. A "identity" company not checking the corporate identity. And then the people in the "evil" company do evil things.
Who's to be punished?
---The issue is wether anyone should be selling this stuff AT ALL.
Would you accept checks from somebody for medium-large amounts without checking up on who they are, and whether they've bounced checks before?
In reality, the law SHOULD be that you have full access to YOUR information, and can correct provable, factual parts that are incorrect. I really cant answer if they should be selling this data...
ChoicePoint sold data to customers that turned out to be criminals. These criminal customers did not "hack" into the system, they were granted paid access to it. At best/worst the criminals did a bit of social engineering to appear as a legitimate business. Otherwise the feat involved no technological illegitimate access. I think that is the scariest part of the story.
Two wrongs don't make a right, but three lefts do.
This is identity infringement. Or is it actually "theft" when people do it to content owners?
Can't have it both ways, Slashdotters.
You are not a ChoicePoint customer. ChoicePoint cares NOTHING about you. You are a number in a database, with a bunch of corresponding fields. Unless you've paid ChoicePoint for their services, you mean absolutely nothing to this company.
Furthermore, people keep complaining that their information got stolen. It's not your information. It's ChoicePoint's information. It belongs to them, and to the people that purchase access to it from them. They took the time to collect and aggregate it, and they own it. The fact that it may or may not directly affect your life for better or worse in substantial ways does not even enter the equation.
Obviously, there is something fundamentally wrong here that needs to be corrected. In my opinion, information should be held by an organization specicially authorized by the government to do so. The information should be encrypted and secured, and leaks should be punishable by prison time. A standard, open algorithm should be created, to convert the information into a simple number (like a "credit score.") Companies pay for access to these scores. Only upon showing direct need, in a court of law, should specific information be given to specific companies, under strict confidentiality. If a particular company needs to know a specific detail about all of their customers, they can petition to be granted access to that information only, under the same confidentiality agreement.
Furthermore, individuals should be given unfettered access to their own information, on request. (Identity verification should be draconian here.) Individuals should have the right to challenge an inaccuracy, and to provide documentation disproving it.
Granted, it may have some issues of its own, but at least it's a step up from "give everyone's most intimate financial details to every company that pays us a nickel." Any thoughts?
Formerly GNU/Anonymous Coward. This message has been determined to cause cancer in laboratory animals.
- over 3 million Americans had fraudulent ID theft (the worse kind), and 10 million total had some type of ID theft
- ID theft victims spent a total of 300 million hours "fixing" their problems.
- Fraudulent ID theft averaged $10,000 stolen. The total cost of all ID theft is $50 billion.
- the monetary cost to fix fraudulent ID theft averages $1,200 per ID victim.
But in reading this report the bias that "businesses are the true victims" shows up. The $5 billion in costs to the identity victim (and 300 million hours of time) is described as "Individuals whose information is misused bear only a small percentage of the cost of ID Theft" (pg 6). That's a bad way of thinking about it for several reasons:- 300 million hours of victims' time = 300 million hours of research and investigative time = a 'donation' of at least a few billion dollars.
- The ID theft victim gets hit with real and lasting costs. Companies get to write off their losses, or use insurance and pass their costs on to consumers. A year after ID theft is discovered, the theft is just a blip in a spreadsheet to the companies where the stolen identity was used. The victim will still be writing letters, finding new ramifications, and losing time and sleep over the matter.
- Those 300 million hours also = stress, lost time from work, family, charities, plus also extra medical expenses.
- "15 percent of ID Theft victims reported that their personal information was misused in nonfinancial ways. The most common such use reported was to present the victim's name and identifying information when someone was stopped by law enforcement authorities or was charged with a crime." What's the cost of your kid seeing you arrested because someone else used your name? Not to mention...
- Now that the government gets data from Choicepoint and others, and because the government has no legal responsibility to find or fix bad data in its files, the rest of your life could be hobbled by bad data and you won't quite know why.
So basically Choicepoint and the credit card reporting agencies are creating a "public bad." Like polluters, they force other people and companies to bear the cost of problems they've created. 300 million hours and $5 billion dollars would = fantastic security finished in months if the companies themselves had to pay these costs. Instead, 10 million people are forced to do their own cleanup work, and the fact that 9.999 million people have already done the job doesn't make it any easier for you when you're the victim.Well, that number has been "widening" every time ChoicePoint makes a "choice" to reveal more details. Currently the number is 145,000, which I believe is up from 120,000 and 20,000.
The public certainly doesn't know the number. My guess is ChoicePoint (a) knows it is higher (b) doesn't know the total.
sPh
Id Theft can be extremely painful to resolve.
I had (regular) mail stolen from my mail box (before I realized how bad it is to actually use your mailbox for outgoing mail), at first I thought it was a post office screw up, but several months later, I got a call from a bank employee who just completed a transaction which he thought was fishy. He asked my if I had just cashed a four figure check there. When I told him that I hadn't he warned me that somebody was stealing my Identity. I called my credit card companies to get new cards and security added to my accounts, contacted all of the big three credit agencies and got a hold put on my credit, contacted the local police.
The next thing I knew it was raining collection notices on me.
This guy was printing checks with my name and driver's liscense number. For Id, he had a printer which could create fake driver's liscenses with all of my information, but his face and description.
Fortunately, I was lucky, this guy got pulled over for a faulty brake light and the officer looked into the car and saw over a dozen driver's liscenses on the back seat of his car, all with his picture on them, but different names. The officers told me that I was the one in a hundred whose Identity Thief was caught.
Now, 8 years later, I can share some lessons with you. Trust me, you don't want any of this to happen to you, arguing with collection agencies is no fun at all, they assume that everybody is a slimeball.
1) Get a shredder. Get two in case the first one breaks. Shred everything that has anything that can identify you. Id Theives also dumpster and dump dive to look for your information, don't give them any help. shred shred shred...
2) Get your annual credit report from the big three credit bureaus. Take the time to review it, carefully. They each have a formal procedure for clearing up problems. Follow it to correct your information. They can be reached here http://www.creditreporting.com/
3) Check your credit and bank statements, you never know what they have on you or when they get it.
4) If it does happen to you, file a police report immediately. This report number is your best defense against the onslaught of collection agencies that will soon be banging down your door.
When the fraud was officially investigated, ChoicePoint admitted to a false-positive rate of up to 15%, which was already far in excess of Bush's lead in the Florida poll. Later, an independent investigation showed an error rate of more than 90% - some 55,000 voters, some 30,000 of whom were black.
What you seem to be missing here is that a false positive on the felon list does not mean that person was disenfranchised. Instead it meant that the election supervisor of the county that the individual lived in was required to verify that they were eligible to vote (that is, if the county used the felon list at all- over half of the counties ignored the list completely). You see, the list was designed to have false positives. As Katherine Harris said, it was supposed to cast a wide net to find ineligible voters that were registered to vote. In other words, if somebody was disenfranchised, it is the County Election Supervisor's fault.
So please stop calling it "fraud". There was no fraud here.
This is a flat-out lie. Read some first-hand accounts of voter disenfranchisement for yourselves. Voters were erroneously scrubbed from the electoral roll, were not adequately notified in advance, tried to vote anyway and were turned away - simple as that.
It is not a lie. None of the witnesses that the USCCR heard from were prevented from voting because of the felon list. Allow me to quote from the dissenting statment:
"The defense of freedom requires the advance of freedom" - George W Bush