Readers: Ask the experts

The members of News.com's Roundtable panel have agreed to have a discussion with News.com editors and our readers. Although we cannot guarantee a response for every e-mail, you can submit your questions for panelists here.


Friday: Driver's licenses and next steps


From: Jim Harper
Subject: California's attempt to reduce ID fraud: any statistics?
Thu, 27 Oct 2005 14:40:31

The urge to try to pick the right security practices is natural, especially among smart, interested people. But we are talking here about writing general rules that will be applied over the indefinite future. Is it possible to write a rule now about when encryption should be used in all the future contexts that may arise? What about the quality of encryption that must be used? I think the consensus is that it's impossible.

Better to write a rule at a higher level of abstraction, one that focuses on what we really want: consumer protection. The imposition of proportional liability for harming a consumer through data breach puts the encryption decision with the party closest to the problem--the data holder--and puts the risk with the data holder for getting it wrong.

Apropos of Sen. Simitian's comment, I would also argue for placing liability on public sector actors--including government officials in their personal capacities--to get the incentives right. Otherwise, an agency may breach and pay out taxpayer dollars in compensation, but that means little to the people in the agency making decisions.

Sen. Simitian cites his A.B. 1219 as a response to criminal identity fraud. I would be curious to know how many times it has been used since it was enacted three years ago. Senator, did you hit your target?

Also, I'm still curious to know whether A.B. 700 has reduced identity fraud in California. Senator, any statistics?


From: James Van Dyke
Subject: Self-regulation by industry groups
Thu, 27 Oct 2005 14:52:00

In the debate on the need for and design of regulation, we must consider the existence and efficacy of what is effectively self-regulation. Effective regulation need not be solely the product of government entities. Financial industry bodies such as Visa, BITS, and NACHA act to create, implement and occasionally even strongly enforce standards of behavior on the part of their members with regard to the handling of customer financial records.

For example, CardSystems, a processor of payment card transactions for merchants, disclosed that millions of consumer records were exposed, and was subsequently met with plans for network excommunication by Visa and American Express (which will likely be its death knell). Regulation makes the most sense when individual self-interest is not in line with the greater good. However, in a well-organized industry such as financial services, government entities need not be the sole source of regulation.


From: Orson Swindle
Subject: Re: Self-regulation by industry groups
Thu, 27 Oct 2005 14:55:41

Amen!


From: CNET News.com
Subject: Driver's license data and legal fix recommendations
Fri, 28 Oct 2005 07:30:57

One of our readers, Amy Smith, posed this question to the panel:

My question to the panel is what gives a state government agency like the DMV the right to sell my data? I just went to renew my driver's license and nowhere on the form did I see a disclosure that my data might be sold for commercial purposes, nor am I given the right to "opt out" if they choose to do so. Is this legal, and if not, what are the implications to agencies and data acquirers?
Any thoughts on how the federal "Driver Privacy Protection Act" has worked in practice?

Also, since it's our last day for this roundtable, I wanted to thank you again for participating and ask you what the most important legal fix would be to help reduce the likelihood of identity theft. Is it security breach notification laws, regulations of so-called data brokers, etc.?


From: Chris Hoofnagle
Subject: Re: Drivers license data and legal fix recommendations
Fri, 28 Oct 2005 08:08:26

Amy Smith asks, "what gives a state government agency like the DMV the right to sell my data?"

The federal Drivers Privacy Protection Act has prohibited this practice since 1998, unless the individual opts in to the sale. At least one state (Florida) didn't implement the law until this year. So that might explain it.

The question reveals an attitude that speaks to individuals' anger about privacy. "What gives them the right," is something I hear pretty frequently. The answer is that they can collect your data and use it for almost any purpose unless there is privacy legislation protecting both the data and the context in which it is collected.

There is a pretty strong correlation between invasive practices and self-regulation. And while legislation isn't always perfect, it is privacy law that shields your television records from being collected (Cable Communications Policy Act), your video rental records from being sold (VPPA), and your cell and wireline phones from ringing. If you look at the fields where self-regulation controls, you'll find that your data is being sold to anyone, even criminals, for almost any purpose.

In practice, DPPA has been mediocre. While it did cut off driver's information for commercial purposes, there are 14 exemptions to the law. It is underinclusive in that it only protects your driver record, and so marketing companies now try to get your data from your driver's license (ever had your license "swiped"?). Even if a bar/car rental company says that they are swiping your card for security purposes, in most states, they can keep all of the data captured from it and use it for whatever purpose they see fit.

EPIC has done quite a bit of work on the DPPA, and we recently filed an amicus brief in an 11th Circuit case where we successfully argued that default or "liquidated" damages are available under the law.

As for the most important legal fix for identity theft? I'm for credit freeze. If individuals had more control over their credit reports, it would be less likely that identity thieves, pets and toddlers would be issued credit cards.

Have a nice weekend!


From: Orson Swindle
Subject: Re: Drivers license data and legal fix recommendations
Fri, 28 Oct 2005 9:00:36

Amy Smith's dismay is shared by many, I suspect. The U.S. Code is pretty clear, yet I am sure there are those who see loopholes through which they can continue this practice. Does anyone have an idea as to the magnitude of this practice in revenue terms as a state government "profit center"? For those who believe government should intrude big time and is best suited to solve the identity theft problem with new laws and regs, might this driver's license data situation (where a government entity is allegedly not following the law) be a lesson about the ability of the government to get it right?

As to News.com's last question, a couple of comments:

The Safeguards Rule has essentially been expanded beyond its original scope by the BJ's Wholesale Club case. There is a new universe of data users who are not familiar with compliance requirements envisioned in the Safeguards Rule. Congress will likely move on this, but slowly, and then there are rules to write. The Center for Information Policy Leadership will provide some rational thoughts on mapping out what needs to be done to cope with Safeguards Rule requirements, expanding existing Rules, and meeting responsibilities for protecting sensitive information.

Second, law enforcement, such as the FTC, needs and has requested more flexibility in cross-border fraud investigative work that will require the ability to share information across borders with law enforcement agencies. Current restrictions often stand as impediments in tracking down the culprits when they are offshore.

There must be greater attention given by CEOs and Corporate/Organization Boards to information security and privacy obligations. These functions need to move from obscurity to the boardroom in significance. The concerns are not going away. Those who invest in better information security practices (in terms of resources and attitude) will gain competitive advantage, and those who fail or refuse to do so will suffer much harm as they allow their customers, clients and consumers to be harmed.

General public awareness must be enhanced--constantly. Think of the process of making users of information technology more aware of their responsibilities and vulnerabilities as a journey, not a destination. We must keep this dialogue going, inform the lawmakers, increase private sector leadership, and make sure the public understands how important safe computing practices are for our future.

I look forward to working with you all in my capacity as Chairman of Information Security Projects at the Center and from my new relationship with The Progress & Freedom Foundation.


From: Joe Simitian
Subject: A defense of California's data-security laws
Fri, 28 Oct 2005 13:58:39

Lots of ground to cover today.

Jim Harper asks about the level of use of AB 1219 in California to help mitigate the impact of criminal identity theft. Honest answer is: I don't know. After three years on the books, this would be a good time to assess whether the statute has been put to good use.

As to the effectiveness of AB 700/SB 1386--we'll never know for sure what steps informed consumers have taken, or with what effect, in the aftermath of a data security breach. Perhaps more importantly, we do know that in response to AB 700/SB 1386, the private sector has taken steps to improve security and avoid the problem altogether.

Prior to the July 1, 2003 implementation of AB 700 I met in Los Angeles with 200 data security breach experts from around the country at a conference organized, in part, by the U.S. Secret Service. They were ramping up new protections to help their clients avoid a breach and subsequent notice requirement. I later heard quite a bit about folks along the Route 128 corridor around Boston (where there is apparently significant expertise in this area) ramping up their efforts.

So, we'll never know what breaches were avoided; but we do know security was improved in direct response to the legislation.

As to the provocative question of the day (i.e., what's the single most important step we could take?), I'd like to suggest we think big on this.

We need a fundamental change in our thinking about who our personal information belongs to. Does it "belong" to anyone who happens to have it? Or does it belong to each of us individually? If we took the view that our personal information is our own, and that each of us is entitled to control the manner in and extent to which it is used, the privacy world would look quite different.

24 Comments
Stolen data and identity theft
by October 24, 2005 9:20 AM PDT
When I read about a stolen computer or hard drive in the news, the first thing I want to know is whether the data was encrypted; and that's the one thing the news story never mentions.
Reply to this comment
Stolen data
by djpaisley October 24, 2005 11:59 AM PDT
Encryption of data is very important....
Someone may have the student records, patient records, etc., and just may not have found the right buyer on IRC yet. Or maybe someone bought the data and is sitting on it to make people think that nothing happened with the data until they get a chance to use it.
Reply to this comment
Why should people trust the industry?
by rpaludi October 24, 2005 2:06 PM PDT
Doesn't it seem odd that credit card companies are missing the boat by not instituting a PIN # confirmation for purchases? PIN #'s are used for debit purchases and for cash advances. How many horror stories have you heard about someone losing their wallet or purse, only to find out that someone has used their credit cards at 10 different places around town within a couple of hours? Add to that the insane frustration that goes along with all of these vendors not checking identification. And, apparently it doesn't even matter if the stores have video surveillance. The police only tell you not to worry, the credit card company will take care of the charges. Am I missing something here? Yes, it would require some initial capital expenditure on point of sale machines for the few vendors that don't have them, but it would seem that it would be far less than the billions lost on fraud every year. To reiterate what another contributor stated, why would the credit card company care about paying out these losses when they will only get passed back to the consumers? This is an absurd cycle.
Reply to this comment
where is my cut of the action?
by amigosito October 24, 2005 3:23 PM PDT
This might sound like a weird question, but what do you all think about the idea of financial compensation for the general use of personal information? I am not against the use of my personal data for profit, but I do feel entitled to a cut of the action! Is it fair that I must take on the risks of ID theft without reaping the rewards? Shouldn't data brokers be required to license my information from me? After all, it is ~my~ identity that is the commodity at stake here....
Reply to this comment
Yeh sure!
by Iamsecure October 25, 2005 3:22 AM PDT
Every news portal, bank website, government website, politician website, etc. now has a new and big section on ID Theft, tips and advice.

I wish to ask the following questions:

Encryption, firewalls, biometrics, multi-level authentication, etc.
Can they stop a bank officer who is legally authorised to access the bank's encrypted database from retrieving customers' profiles on screen and copying the IDs off the screen? After all, insider theft is one of the most common methods of ID theft.

Credit report monitoring
This service is not going to reveal that your ID has been used by a criminal or illegal immigrant to apply for a job, rent an apartment, get married, buy a mobile phone, subscribe to the internet, apply for a new driving license, etc.

Paper Shredders
If you shred every piece of paper in your house, from your wallet, from your office desk, and replace your letter box with a paper shredder, can you stop a criminal from stealing your ID located on the many application forms and computer records located in hundreds of filing cabinets and databases at hundreds of offices around the country?

ID Legislation
We are presently seeing an unfolding story of top officers in the country leaking sensitive employee data .. would a criminal with a long criminal history be concerned about being slapped on the wrist for stealing an ID?

Legislation to shred all sensitive office documents
The law might require every office to shred papers containing customers' IDs, but what is to stop the person in charge of the shredder from copying those IDs before he shreds the papers?

It all seems like the encryption software vendors, biometrics vendors, paper shredder sellers, credit monitoring services and politicians are out to make a quick buck and earn a vote or two.

By offering this so-called advice, tips and so-called security services, we are creating a false sense of security, and as a result the public lets their guard down, making life easier for the criminals and ID thieves, shifting the responsibility and blame away from companies and creating a lot of hot air.

Where are the real experts?

A false sense of security is worse than no security at all!
Reply to this comment
Even if there is no fraud, one still loses time and money
by ua549 October 25, 2005 4:17 PM PDT
Your story about identity fraud glossed over the fact that people lose time and money when they must close accounts and establish new accounts when personal data is compromised by companies with whom they do business.

When my brokerage reported that they had lost backup files of their customer database, I had to establish a relationship with a new brokerage, set up new accounts for trading, each 401k, each IRA rollover, etc. as well as execute dozens of documents to effect the transfer of assets. This process took several weeks at a significant cost of time, money and the ability to trade even though no identity fraud occurred.
Reply to this comment
I am a victim of constant ID attacks
by Terry Gay October 28, 2005 12:16 AM PDT
During the last eight months, my identity has been under constant attack. My credit cards and bank debit card were hit and the credit card companies and my bank alerted me. They put the purchases on hold until I authorized them to clear it. I notified all that I did not make the purchases and they voided them. I ultimately had to cancel the credit cards for safety concerns and changed my debit card number.

Both my PayPal and my eBay accounts were hacked and I cancelled my accounts with them as well. Fortunately PayPal notified me just as the bank and credit card companies did, and I lost no money. However, cancelling accounts is no solution to an epidemic problem.

Since then, they have hacked my Classmates password, (I had to cancel it also as it provided a host of information), and they continue to hack my Hotmail account on a daily basis in order to use my account to send spam containing trojans.

I change my sixteen digit Hotmail password almost on a daily basis, and I have notified Microsoft about the problem at least three times, yet the attacks continue. They force hack my account and Microsoft seems powerless or unwilling to stop it. I have determined that the hackers come from Brazil, Germany and Russia.

The most recent disturbing attacks have been against my online banking account. Fortunately Chase notified me of the problem and I've changed from an eight digit to a thirty two digit password. They tried again and I've had to change the thirty two digit password once, but Chase has been responsible about their security and those attacks have ceased for the present.

This has gotten completely out of hand. There must be some reliable form of biometric passwords that will foil hackers once and for all. Perhaps a rock solid secure central location of fingerprints or finger blood vessels that Hitachi just developed? Or maybe life in prison terms for thousands of hackers who steal other people's livelihood and are ruining the Web's commerce? Quite frankly, I no longer make web purchases other than my online banking service. I'm sure millions of others have stopped also.

I would like to see some really secure proposals out there folks. I don't think we can wait for point of light defense and I'm not sure how that would work for secure logging on to other sites. Any suggestions?
Reply to this comment
Why not employ strong cryptography?
by AbuLafya October 28, 2005 12:12 PM PDT
The idea that you have a secret SSN that you still must tell to:
* Doctor's office
* Employer
* Landlord
* Car dealership
* Gazillion others
HOW CAN IT BE A SECRET? It cannot be, by definition!

Same with your credit-card number. Every time you shop with it, you must disclose the secret.
Your "secret" credit-card number is known to hundreds, maybe thousands of organizations.

At the end of the day, the number of people that have access to your secret information is very large.

To make things worse, to get a credit card, nobody will need to see you! It's all through the mail.

A DL will not help much at all; there is no need for one more additional secret you need to tell everyone.

It's time to graduate from the flawed old systems and start employing strong cryptography, without any secret sharing.
Reply to this comment
A good data security solution...
by him__ October 28, 2005 1:55 PM PDT
A good data security solution...
http://techtonic.blogspot.com/2005/03/security-breaches-not-anymore.html
Reply to this comment
Consumers Hold the Key to Eliminating ID Theft
by JMCatt October 29, 2005 8:51 AM PDT
Ultimately, the logical solution for preventing ID Theft and the other various online and offline scams rests solely in the hands and minds of consumers. Not the Government at any level. Not business or commercial enterprises, either online or offline. Not through some unnamed standards body or clueless, stamped in stone regulations.

The focus should be on the CONSUMERS who provide the ONLY EFFECTIVE method of driving everyone else in this solution. As some bright person once said, consumers want to feel secure, in control and want what they want when they want it. Feeling secure and being in control are suffering right now. Consumers might just walk away without them. And Government, businesses and commercial enterprises need to COMPLETELY understand this reality.

Not all businesses and commercial enterprises are totally clueless when it comes to taking that extra care of the relationship they share with their valued clients and customers both online and offline. Sure, a lot of businesses and commercial enterprises just don't "get it!" But the businesses and commercial enterprises that do GET IT are on solid ground and growing profitably and steadily because not only do their customers and clients keep coming back, they tell their friends, neighbors and business associates with WHOM to do business.

My main point here is the same point that is echoed in most all of the comments that have been posted thus far; customers and clients are much more aware and concerned about ID Theft and Scams than ANY governmental agency, business or commercial enterprise. And if the customers and clients are not safe and secure, in control and want what they want when they want it, those same customers and clients move on to another location that does GET IT!

I have studied ID Theft and Online/Offline Scams for more than three decades. It is interesting to note that a certain segment of the customers/clients population actually finds out about the businesses and commercial enterprises that really provide the highest level of customer service, provide security, product and/or service guarantees, and hold the best interests of their customers and/or clients in the highest regard. And those same customers and clients tell their friends, neighbors, business associates and just about anyone who is interested who those outstanding businesses and commercial enterprises are!

It's called, "Word of Mouth" advertising; the most efficient, cost-effective, reliable form of advertising ever imagined.

And that is precisely why after many decades of research, I founded http://www.cattboxx.com so those customers and/or clients could have a safe secure place to let EVERYONE who has internet access know where to do business online and be treated with respect and dignity in a safe, secure, guaranteed environment. Customers and or clients do not have to depend on some governmental agency to lead them in the right direction (as if that were at all possible in the first place). Customers and or clients do not have to engage in decades of research to figure out how to be able to feel secure, in control and want what they want when they want it from which businesses and or commercial enterprises. Those same customers and or clients are able to find out the REAL STORY from other customers and or clients who have already made the trip and have the free enterprise audacity to let other real, live breathing human beings know what works.

And that is precisely why after many decades of research, I founded http://www.cattboxx.net so businesses and commercial enterprises who were trying to figure out HOW to reach out to their customers and or clients in a respectful and dignified manner could find the pertinent information at one location to be able to adjust and correct their customer relationship approach online with a more focused and effective manner. It's not about some clueless CRM software that runs on some non-human server. It's all about real live breathing human beings from businesses and commercial enterprises relating directly to real live breathing human beings who are interested in purchasing goods and/or services either online or offline.

It's NOT about any kind of governmental regulations, because even at best, governmental regulations move at the speed of SMELL long after the situation is so messed up that NOBODY can ignore the SMELL. Customers and/or clients are the parakeets in the mine shafts that die FIRST when the breathable oxygen becomes contaminated. In other words, you ALWAYS take care of your customers and/or clients and your business or commercial enterprise will continue to profitably grow and prosper.

And if you are still skeptical, point your browser to http://www.cattboxx.com to find out what THOUSANDS of online customers have to say about which businesses and commercial enterprises are the ONLY ONES with whom to do business. Then you will be able to more fully understand that this problem is NOT that tough, but you will find out that it is indeed impossible for me to make this so complicated that ANYONE could finally GET IT!
Reply to this comment
FTC Safeguards Rule Enforcement
by ceebee513 November 2, 2005 9:34 PM PST
Since May 2003 there have been only 4 public sanctions against companies who violated the FTC Safeguards Rule: Superior Mortgage Co, BJ's Wholesale Club, Sunbelt Lending Services and Nationwide Mortgage. According to the consent orders for Sunbelt and Nationwide, it is now well past the deadline of 180 days to have implemented a 5-point Safeguard Program in their operations, yet I have not heard or seen any enforcement of the consent order on the FTC website or in the news.

At what point do consumers get the protection the law is supposed to impose? Has anyone at the FTC even checked on any of these companies to see if the consent order is being acknowledged or not? Sunbelt has about 400 offices in the South that fall under the requirement to demonstrate third-party verification that they have implemented the required safeguards in all of their operations (mostly in Coldwell Banker offices). Where is the proof of this compliance? Lack of enforcement agents is not an acceptable excuse when these companies have agreed to get in compliance by a certain date. It is neither cost-prohibitive nor an undue burden to these companies to implement a Safeguard Program, yet they are NOT BEING HELD ACCOUNTABLE??!!! Where is the public interest being served here?

In my opinion it is unfair to allow unsafe business practices to continue at the hand of companies that have clearly and willfully violated FTC law. My company provides affordable compliance management tools for businesses affected by the FTC Safeguards Rule (www.safeguardprogram.com), but because of lack of enforcement and awareness of the law I get resistance from the very companies who are REQUIRED BY LAW to have safeguards and best practices in place. They LAUGH at the suggestion that they will suffer any penalties for NOT having a Safeguard Program in place. Data Security Programs SHOULD be in high demand in light of all the recent security breaches and identity theft making the news this year.

I am aware of the proposed Data Protection and Security Act of 2005 and the implications for financial service providers, information brokers and non-profit organizations. The requirements of this law are almost identical to those of the Safeguards Rule, with notable additions and penalties for breach notification and non-compliance.

What assurance do we the Public have that this law will be advertised and enforced any better than the existing privacy laws? I beg this question on behalf of the American people.

-ceebee
Reply to this comment
Identity theft
by jasonganson February 19, 2007 10:27 AM PST
Identity theft is still growing. It is just that law enforcement has become more adept at covering up the crimes so the voters don't become angry.

31 social security numbers and over 1/4 million in cash advances, fake loans, credit cards and no account checks while on probation and law enforcement with judge help covered it up.

google southdakotagov.info
Reply to this comment
What is your ID Fraud Risk Score
by lmaster1 July 16, 2007 10:09 PM PDT
It is a sick joke: we have all recently discovered, and some have learned to manage, their credit scores; now let me introduce you to your ID Fraud Risk Score...
Vendors subscribe to services that record each time your banks lose some money due to ID theft, and you get points added to your record!
It works in reverse: the higher your risk score, the more trouble you will have the next time you need to buy something, from flowers to a car.
So even if you never made a late payment, you could be denied a flower delivery for Mother's Day!
You can't even say you were a victim of Identity Theft. That alone could raise your risk score and you may end up living life in the 70's, having to do everything in person.
I was a victim myself, found that USB device offered by someid.net and use it to give the vendors positive ID without having to worry about my risk score.
Reply to this comment
It's already done!
by lmaster1 July 17, 2007 8:54 AM PDT
You no longer have to give out your info to identify yourself, try someid.net.
Reply to this comment