Slashdot Mirror


Companies To Be Liable For Deals With Online Criminals

Dionysius, God of Wine and Leaf, sends us to DarkReading for a backgrounder on new rules from the FTC, taking effect in November, that will require any business that handles private consumer data to check its customers and suppliers against databases of known online criminals. Companies that fail to do so may be liable for large fines or jail time. In practice, most companies will contract with specialist services to perform these checks. Yet another list you don't want to get on. "The [FTC's] Red Flag program... requires enterprises to check their customers and suppliers against databases of known online criminals — much like what OFAC [the Treasury Department's Office of Foreign Asset Control] does with terrorists — and also carries potential fines and penalties for businesses that don't do their due diligence before making a major transaction."

40 of 171 comments

  1. Hm.. by kvezach · · Score: 2, Interesting

    Does the crime of Slashdot first-posting get you on that list?

  2. Onerous Burden on Businesses? by Apple+Acolyte · · Score: 4, Insightful

    This sounds like quite an onerous burden on businesses, and I imagine it will be struck down by the courts soon enough unless it's a much narrower and more specific regulation than the story makes it appear. Private parties should not be expected to do the job of law enforcement.

    --
    Part of the hardcore faithful who believed in Apple long before it was cool again to do so
    1. Re:Onerous Burden on Businesses? by Serenissima · · Score: 5, Insightful

      Well fortunately, online criminals have no way of pretending to be someone else so it should be a relatively painless procedure for businesses to check their identities.

      --
      Give a man a fire and he'll be warm for a day. But light a man on fire and he'll be warm for the rest of his life.
    2. Re:Onerous Burden on Businesses? by tha_mink · · Score: 3, Interesting

      This sounds like quite an onerous burden on businesses, and I imagine it will be struck down by the courts soon enough unless it's a much narrower and more specific regulation than the story makes it appear. Private parties should not be expected to do the job of law enforcement.

      It depends on how easy it is to do. I think for the most part, businesses that will be affected by this will probably want to ensure that they are not helping criminals. I know I can speak for our business.

      Plus, this thing kinda reminds me of the Payment Card Industry standard which, among other things, requires businesses that accept credit and bank cards to adhere to a strict policy of security when dealing with these cards. Every year, even on the smallest level, companies should be filling out a "self test" which requires you to answer questions about your card security. Among the questions is a whole bunch of requirements you'd expect of a data center but not, say, a restaurant. Glass walls, biometric access, camera systems, etc. Fines start at $100,000 and you risk losing your ability to take credit cards. The published standard is here.

      I'm sure that 99% of small businesses that accept Visa/MC/AMEX etc have *no idea* about this standard and even if they did, they have no resources to adhere to it. That's why this "Red Flag" deal reminds me of it.
      --
      You'll have that sometimes...
    3. Re:Onerous Burden on Businesses? by HalAtWork · · Score: 2, Insightful

      Why do they have to check them if no crime is being committed? This is just like gathering a bunch of information on people that could be used as evidence in case a crime will be committed in the future. Do we have to start reading people their Miranda rights every time a transaction occurs on the internet?

    4. Re:Onerous Burden on Businesses? by inviolet · · Score: 3, Insightful

      Well fortunately, online criminals have no way of pretending to be someone else so it should be a relatively painless procedure for businesses to check their identities.

      A solution's effectiveness is a tertiary concern for a government agency when addressing a problem. The agency's primary concern is to increase its own power. The secondary concern is to receive public approbation by doing something very visible. A "no-fly list" like this one is the perfect implementation of an agency's two main goals.

      That's only 90% crazy though. Sometimes, the function of law enforcement is just to remind everyone that law enforcement exists. After all, whether any random soul will cross the line from dove to hawk mostly depends on his assessment of law enforcement's effectiveness. Therefore, an appearance of effectiveness is often just as good as actual effectiveness.

      But not in this case. The bad guys know exactly how to beat the list (fake or stolen credentials) and they can even test whether they've succeeded. Therefore, this "no-fly list" creates a false sense of security, which means that people will be overall less safe.

      --
      FATMOUSE + YOU = FATMOUSE
    5. Re:Onerous Burden on Businesses? by Anonymous Coward · · Score: 2, Informative

      The thing is, such "bad guy" databases, if maintained in realtime and accessed online can be monitored for access by the database maintainer (let's call them TLA).

      That transaction log itself contains great data mining material for TLA:

      This is simplified, but imagine the query sent to TLA by PoopyCorp was "SELECT * FROM BAD_GUYS WHERE NAME='Joe Bloggs'". Now, TLA knows that Joe Bloggs does business with PoopyCorp - possibly very valuable information if Joe Bloggs is a politician and PoopyCorp manufactures sex toys, or hell, if Joe Bloggs is a startup company founder and PoopyCorp supplies loans (uhoh, looks like BloggsCo is in financial difficulties, they're looking for a loan).

      If the query was checking *any* more involved stuff, it could be an even more catastrophic leak of information to TLA.

      If PoopyCorp instead just got a copy of the whole database from TLA each time (i.e. "SELECT * FROM BAD GUYS"), and does the checking to see if Joe Bloggs is in that without involving TLA further, great, no information leak to TLA - except then PoopyCorp knows everyone on the list, an information leak in the other direction.

      In short, the idea of mandating this sort of check is deeply evil, though optional checking is less problematic (Joe Bloggs can take his business elsewhere if PoopyCorp *wants* to check with TLA to protect its interests).
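The three checking modes the comment above contrasts, as an added simulation that is not part of the original post: a per-name online lookup (the maintainer's log records who asked about whom), a bulk download (the business learns the whole list), and, going one step beyond the comment, a hashed-bucket lookup where the business sends only a short hash prefix so the maintainer cannot tell which of the many names sharing that prefix was checked. "TLA", "PoopyCorp" and every name in the lists are constructed sample values.

```python
import hashlib

# Constructed sample data: the maintainer's list (the comment's "TLA") and the
# customers a business (the comment's "PoopyCorp") wants to screen. All made up.
TLA_LIST = {"Joe Bloggs", "Jane Roe", "Ivan Example"}
CUSTOMERS = ["Joe Bloggs", "Alice Sample", "Bob Specimen"]

# Hex characters of the SHA-256 digest sent in bucket mode. Shorter prefixes put
# more names in each bucket, so the maintainer learns less per query but returns more.
PREFIX_LEN = 2


def name_hash(name: str) -> str:
    # Normalise case and whitespace so trivial spelling variation does not defeat a match.
    return hashlib.sha256(name.strip().lower().encode()).hexdigest()


class ListMaintainer:
    """Simulates TLA. Every request is logged: that log is the leak the comment describes."""

    def __init__(self, names):
        self.names = set(names)
        self.log = []  # (querier, what the maintainer saw)

    def query_name(self, querier, name):
        self.log.append((querier, name))  # maintainer now knows querier deals with name
        return name in self.names

    def full_list(self, querier):
        self.log.append((querier, "<entire list>"))  # nothing about individual customers leaks
        return set(self.names)

    def bucket(self, querier, prefix):
        self.log.append((querier, prefix))  # maintainer sees only a prefix shared by many names
        return {h for h in (name_hash(n) for n in self.names) if h.startswith(prefix)}


def screen_by_name(tla, querier, customers):
    """Mode 1 from the comment: one online query per customer name."""
    return {c: tla.query_name(querier, c) for c in customers}


def screen_by_download(tla, querier, customers):
    """Mode 2 from the comment: fetch the whole list once, match locally."""
    local = tla.full_list(querier)
    return {c: c in local for c in customers}


def screen_by_bucket(tla, querier, customers):
    """Added middle ground: send a hash prefix, match the full digest locally.
    Note that hashing alone is not what protects the name (names are guessable,
    so the maintainer could brute-force a full digest); the prefix grouping is."""
    hits = {}
    for c in customers:
        h = name_hash(c)
        hits[c] = h in tla.bucket(querier, h[:PREFIX_LEN])
    return hits


def what_tla_learned(tla):
    """The customer-identifying values that reached the maintainer, in order."""
    return [seen for _, seen in tla.log]
```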

    6. Re:Onerous Burden on Businesses? by CSMatt · · Score: 2, Insightful

      Not surprising. If I ran an insurance agency I wouldn't want to give life insurance to someone who's just going to strap a bomb to his chest.

    7. Re:Onerous Burden on Businesses? by billcopc · · Score: 2, Insightful

      IMHO, the job of law enforcement should be to print off this list, go visit these "terrorists" one by one and pop them.

      Oh, they don't want to do it ? Why not ? Because they're afraid of false positives ? Proof that the system is worthless.

      It's quite simple: if Lex Luthor can't spend his dirty money in the USA, he'll drive up to Canada, get things done, then come back to the states to be a terrorist again. Not only does it NOT solve the crime problem, it actually diverts money away from the local economy.

      Go FTC! keep it up, and in 20 years you can all become Canada's 11th province and get in on the lower taxes and subsidized health care, like every other modern civilized nation in the world.

      --
      -Billco, Fnarg.com
  3. Is rootkit Sony on the list? by MacDork · · Score: 5, Insightful

    No? How about forged packet Comcast? No again? What about exposing most of the internet to id theft and cross site scripting Barefruit? Not a very thorough list, is it?

    1. Re:Is rootkit Sony on the list? by Kartoffel · · Score: 2, Interesting

      Exactly. The FTC needs to clearly define the penalties for doing business with "criminals". If I do business with Comcast (presumably, a known criminal entity) just what, exactly, am I liable for? Can I still buy a Sony PS3, or will there be additional fines for having done business with a criminal organization?

  4. Mistaken Identity by DiceRoller · · Score: 2, Insightful

    .. but what happens if I, Jason Smith, am not a criminal and there happens to be a Jason Smith criminal out there that isn't me? Also who in their right mind uses their real name on the internet? Just gives the government more knowledge where you are on the internet. (I'm still stuck on Baker St on the internet).

  5. Maybe not such a great idea by Kartoffel · · Score: 5, Insightful

    At first this sounds like an incentive for businesses not to conduct transactions with criminals. Take identity theft, for example. I don't want vendors consorting with thieves, should somebody steal my credit card info. But how should vendors know it's a thief and not me? It's not reasonable.

    Worst case scenario: this turns out to be another vague No-Fly list that persecutes the innocent while doing little to no actual good. In any case, it will be more work and more liability for vendors.

  6. Jail? by sm62704 · · Score: 4, Insightful

    Companies that fail to do so may be liable for large fines or jail time

    They're going to put whole companies in jail?

    But at any rate, after Sony's criminal rootkit vandalism of millions of computers, I'm going to have to see a CEO in shackles before I believe it. And Martha Stewart doesn't count.

    For those of you unfamiliar with Sony's evil, deliberate vandalism, here are two links:
    serious
    content-free

    --
    mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
  7. *sniff* What's this here? by BenParr · · Score: 2, Insightful

    Is it just me, or does this stink of lobbyists?

  8. EU Export by Tiberius_Fel · · Score: 3, Informative

    To my knowledge, European Union regulations already require you to check the people to whom you are shipping goods, to see if they are on a list of known terrorists and their associates.

    --
    Join the Empire! http://www.empirereborn.net/
    1. Re:EU Export by dargaud · · Score: 2

      check the people to whom you are shipping goods, to see if they are on a list of known terrorists

      If they know his name and address, why don't they go and arrest him? And if he's too small-fishy to warrant an arrest, why can't the guy purchase his porn online like anybody else...?
      --
      Non-Linux Penguins ?
  9. Changing Identity by iamsamed · · Score: 2, Interesting

    .. but what happens if I, Jason Smith, am not a criminal and there happens to be a Jason Smith criminal out there that isn't me? Also who in their right mind uses their real name on the internet?

    Aaaaaannnnnd, changing identity is easy. It's nothing to create a corporate entity - and that's a real one. Fake ones? Ha! So, while they're checking their all seeing database of criminals, the crooks are changing their identity.

    It's even done by legal, although unethical, businesses. Get too many complaints to the Better Business Bureau just change your business' name.

  10. Re:Red Flag? by EricWright · · Score: 2, Interesting

    Bad form... replying to self... get over it.

    Not paying enough attention, I missed this link from TFA. This notice is all about identity theft, while the summary indicates that companies will be required to check customer lists against known criminals.

    If someone steals my identity and uses it to buy something, it will be my name in the customer database, not the criminal's. How would checking the customer list help? As far as I know, I'm not a known criminal or terrorist.

    Although, I guess I would (incorrectly) end up on the list after a hypothetical incident.

  11. Does that include the government itself? by Reality+Master+201 · · Score: 2, Insightful

    Or are we only counting criminals that aren't considered above the law?

  12. Your papers, please... by GogglesPisano · · Score: 3, Insightful

    I remember a common threat in grade school was "this will be on your permanent record". We used to joke about it - it seemed ridiculous.

    As an adult, it's starkly clear to me that "permanent records" do exist for all of us, and they control our lives to a large degree. Credit reports, "no-fly" lists, and now this "red flag" list - somewhere out there grim people in small offices quietly compile lists of citizens whom they feel should be "less free".

    What kind of oversight exists for this list? What does one have to do (or not do) to appear on it? If you're on it, how can you be removed?

    I wish I could say I was surprised by this new step towards an Orwellian dystopia, but the past several years have numbed me to it.

  13. Who does this apply to? by BoberFett · · Score: 4, Insightful

    The FTC page that the original article links to

    http://www.ftc.gov/opa/2007/10/redflag.shtm

    Only talks about financial institutions and creditors. It doesn't seem to indicate that Mary's Online Potpourri Barn has to do a background check on everybody that orders a lemon scented candle.

    1. Re:Who does this apply to? by zappepcs · · Score: 2, Insightful

      holy flying c-notes batman.... The financial institutions and creditors ARE the criminals. How the hell is that supposed to work?

    2. Re:Who does this apply to? by iamdrscience · · Score: 2, Informative

      You're exactly right. This article is obviously little more than a regurgitated press release for MicroBilt. The reality is that this law is intended for big companies and companies doing big money deals and they're the only ones that are going to have to worry about it. Microbilt is just trying to get some more customers by making it sound like a broader law than it is and given that it's been written up as an article and been posted to Slashdot, I'd say they've done a pretty good job.

  14. I'm doing business with Mastercard by MacDork · · Score: 5, Insightful

    Mastercard is the one doing actual business with terrorists... why aren't THEY responsible for this "small" fee?

    1. Re:I'm doing business with Mastercard by bcwright · · Score: 3, Informative

      I think if you read the actual proposed regulation that's published at http://www.ftc.gov/ you'll see that that's exactly what happens. This regulation does not appear to apply to businesses who merely accept credit cards, but rather to those who issue credit cards or other forms of credit.

  15. Why aren't these "known criminals" in jail? by Vellmont · · Score: 5, Insightful

    This seems like some kind of backdoor conviction without a trial. If the government "knows" these people are criminals, why haven't they been arrested, convicted, and sentenced? If the government is forbidding people to do business with these people, shouldn't they have a trial or some kind of public hearing where the facts are presented?

    This kind of thing seems like it could lead to rampant abuse, or at least error if someone winds up on one of these lists that shouldn't be on it.

    --
    AccountKiller
    1. Re:Why aren't these "known criminals" in jail? by mini+me · · Score: 4, Insightful

      If they have served their time, why are we preventing them from integrating back into society?

  16. This will be the year of the Linux desktop by houghi · · Score: 2, Interesting

    ... because nobody will be able to do business with Microsoft. They are convicted in Europe.

    --
    Don't fight for your country, if your country does not fight for you.
  17. I don't get it. by jellomizer · · Score: 3, Insightful

    1. Innocent until proven guilty. So why should there be a black list of people who haven't been through the justice system?

    2. Rights after you serve your time. So if the person was an online criminal and served his/her time, is it really reasonable to block them from using the internet ever again, especially in a world with increasing demand to use the internet for daily communication and commerce?

    3. People on probation are such a small portion of a list that the forced blacklist is an undue burden.

    4. These people are criminals... They have been proven to be untrustworthy, so what makes it so they don't lie on an online form or use someone else's identity?

    5. Small ISPs and companies don't have resources to do this. A 10-15k project for a big company is a drop in the bucket, but for a small ISP it is a huge undertaking, which could kill it.

    6. Why punish honest/trusting people? America's growth was based on contract by handshake. There are a lot of companies that still want to keep that type of attitude. But laws like this make it so you need a lawyer for everything... (on a side note why the hell do we keep electing lawyers into government)

    7. In a slumping economy, is it prudent to make it difficult for people to do business?

    8. If it forces criminals to be smarter and hide their tracks more, doesn't it make it more difficult for authorities to track such people?

    9. If the criminals cannot work online they will still be criminals and be on the street with guns and drugs.

    10. What happens if your name matches a criminal's?

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  18. Does not fly - will increase ID theft. by LauraLolly · · Score: 5, Insightful

    The "Do Not Fly" list already has shown how well false positives work - it's caused trouble for people who are wrongly put onto the list. Those with particularly common names will have particular trouble.

    Unless there's a swift and clear grievance system, this will cause so many false positives that positives will be worked around. And who says that any bad people wouldn't steal or set up identities under which to do business?

    The end result in three years? There will be lots of news about false positives, and the bad guys will just use more ID theft. Which will put those with stolen IDs into still more of a mess.

    I don't think that this passed the "run it by a six-year-old first" test.

  19. At last, a list I want to be on by clovis · · Score: 3, Interesting

    It appears to me that if I get on that list it will greatly reduce my exposure to Identity Theft.

  20. We're developing our program now by Pagey123 · · Score: 3, Interesting

    I work for a small community bank, and we are in the process of developing our program now. The regulations implement sections 114 and 315 of the FACT Act.

    Section 114 requires all covered institutions to create and implement a written Identity Theft Prevention Program consisting of four elements:

    1. Identification of Red Flags
    2. Detection of Red Flags
    3. Responding to Red Flags
    4. Updating the Program

    To be covered, an institution must offer what is called a "covered account." A covered account is (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft.

    The regulatory bodies go on to offer guidance on 5 categories of potential Red Flags, including:

    1. Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
    2. The presentation of suspicious documents;
    3. The presentation of suspicious personal identifying information, such as a suspicious address change;
    4. The unusual use of, or other suspicious activity related to, a covered account;
    5. Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

    Section 114 also requires the issuer of a debit or credit card to verify the validity of an address change followed by the request for a new, additional, or replacement card if requested within 30 days of the address change. In other words, if you receive a request for a new card within 30 days of an address change, you are required to validate the address change with the customer to be sure it is indeed a valid request before mailing the new card.

    Section 315 requires the users of consumer reports (i.e., credit reports) to verify the identity of the consumer if the report notes a substantial difference in the address provided by the institution versus the address last on file with the Credit Reporting Agency. This applies only if a continuing relationship is established with the consumer.

    One of the ways to comply with Element 2, detecting Red Flags, is to use various software programs (such as those for BSA/AML) or databases to run checks against, but the regulations clearly state that the program must be appropriate for the size of the institution and the scope of its operations. I highly doubt they'll expect mom & pop type institutions to deploy extraordinary measures to verify that Jim Bob is not a terrorist. Now, if you're Bank of America or Fifth Third, for example, you'll be expected to do a little more.

    Also note that banks' service providers are required to have a Red Flags program in place. Meaning if I am generating mortgage or auto loans for a financial institution, I'm required to detect and respond to Red Flags, and the bank is required to assess my program. Hope this helps!
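The two concrete detection rules in the comment above, the Section 114 "card request within 30 days of an address change" flag and the Section 315 address-mismatch check, as an added worked example (not code from the poster's bank or from the regulation). Account numbers, dates and addresses are constructed sample data, and the "substantial difference" test is an assumption that normalises punctuation and case and compares the rest.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
import re

# Window from the Section 114 rule described above.
ADDRESS_CHANGE_WINDOW = timedelta(days=30)


@dataclass
class Event:
    account: str
    when: date
    kind: str          # "address_change" or "card_request"
    detail: str = ""


# Constructed sample account activity; accounts, dates and addresses are made up.
EVENTS = [
    Event("acct-1001", date(2008, 3, 1), "address_change", "to 12 Elm St"),
    Event("acct-1001", date(2008, 3, 20), "card_request", "replacement card"),
    Event("acct-2002", date(2008, 1, 5), "address_change", "to 9 Oak Ave"),
    Event("acct-2002", date(2008, 4, 1), "card_request", "additional card"),
    Event("acct-3003", date(2008, 2, 10), "card_request", "new card"),
]


def address_change_red_flags(events):
    """Section 114 flag: a card request that follows an address change on the
    same account within the 30-day window. Returns (account, request date, days
    since the change); each hit means hold the card and validate the change
    with the customer before mailing."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e.when):
        by_account[e.account].append(e)
    flags = []
    for acct, evs in by_account.items():
        last_change = None
        for e in evs:
            if e.kind == "address_change":
                last_change = e
            elif e.kind == "card_request" and last_change is not None:
                gap = e.when - last_change.when
                if gap <= ADDRESS_CHANGE_WINDOW:
                    flags.append((acct, e.when, gap.days))
    return flags


def _normalise_address(addr: str) -> str:
    # Assumed normalisation: case, punctuation and repeated whitespace are not
    # "substantial" differences; anything left that differs is.
    return re.sub(r"\s+", " ", re.sub(r"[^\w\s]", "", addr.lower())).strip()


def address_mismatch_red_flag(institution_addr: str, cra_addr: str) -> bool:
    """Section 315 flag: the address the institution holds differs substantially
    from the one last on file at the Credit Reporting Agency, so the consumer's
    identity must be verified before a continuing relationship is established."""
    return _normalise_address(institution_addr) != _normalise_address(cra_addr)
```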

  21. Scope isn't as broad as it looks by 44BSD · · Score: 2, Informative

    From the federal register item linked to in TFA:

    The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft

    to do these things. If you sell something to someone for cash, you are not a creditor. If you were a financial institution, and thus covered by GLBA, you'd know it already. Unless you extend credit, you're not a creditor. Not much to see here, and the fact that this article had its origin in somebody selling a service to help you comply with this may be meaningful.
  22. Re:Ex-cons 2 generations ago by jellomizer · · Score: 2, Insightful

    Unfortunately that is where there is a problem with our justice system. You do a crime, you get punished for it. Then you are continuously punished because you are statistically shown to do it again. Thus you are in a situation where you have reduced rights and limited ways to improve yourself, so you are stuck committing crimes again to survive.

    There are some crimes where people can stop and others that cannot.
    Sex crimes are often due to mental problems which need to be addressed and monitored for a long time. (yet we lock them up vs. giving them the proper help)
    However Internet crimes such as identity theft can be corrected by proper rehabilitation.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  23. If it's like OFAC's list... by brennanw · · Score: 2, Insightful

    ... then it's a list of names of people and the known aliases of people who commit crimes but who haven't been apprehended yet. Usually crimes like extortion, terrorism, racketeering, international stuff that makes it difficult to just walk up to someone, put cuffs on them, and haul them off to jail.

    Which isn't to say this can't lead to rampant abuse -- it certainly can -- but the idea of the list is more along the lines of "this is a guy who is suspected of being involved in illegal activity right this very moment -- do not do business with him" rather than "this is a guy who just got out of jail last week -- do not do business with him."

    --
    Eviscerati.Org: All Hail the Eviscerati
  24. Re:Yes they are by Tanktalus · · Score: 3, Insightful

    We are also running headlong into an age of "lifelong punishment," where 50 year old men are denied needed services because of a crime they committed when they were 19 and drunk, and which they would not commit now that they have grown up. This sort of thing is happening *today*, is utterly unjust, and will only get worse if we continue with this sort of personal data tracking.

    This is where a pardon is supposed to come in. Pardons aren't just for the wealthy and the connected. They're also for the 30-year-olds who did something stupid at 19 while drunk, paid their dues (fines, revocation of privileges such as driver's license, and/or jail time) and haven't had a criminal charge since. A successful pardon application, which may take a year or two to process, should also automatically (I hope!) remove your name from all criminal registries, including sex offender registries (though I imagine that these would be harder to get pardons for).

    Ok, maybe I'm dreaming...

  25. Why are there known criminals free? by tygt · · Score: 2, Insightful

    Can someone explain how we have a list of known criminals and their location (name = location, on the internet, and if you can access them on-line you can figure out where they are) and they're still free?

  26. eBay screwed! by Dahamma · · Score: 2, Interesting

    Wow, this would exclude half of eBay's customer base...

  27. They got the color wrong. by Ungrounded+Lightning · · Score: 2, Insightful

    This kind of thing seems like it could lead to rampant abuse, or at least error if someone winds up on one of these lists that shouldn't be on it.

    Yep. And they got the color wrong, too.

    This is not a "red flag". It's a government-maintained "blacklist":
      - It creates a broad penalty for anyone they put on the list, making it virtually impossible for them to get or hold a well-paying job, buy a house, buy a car, or do most of the other big-ticket business of life.
      - Putting people on it is done in secret and without legal due process, for reasons other than imposing statutory penalties for conviction of violating a published law. No opportunity to confront witnesses against them or challenge the process - either as they're being added or to remove themselves afterward.
      - The list is effectively secret. It's known to the business people but is virtually unknown to the people on it, who get no notification that they're on it or even that it exists.

    Welcome to the McCarthy Era, version 2.0.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way