Who should be able to see your personal data?

| Comments (4) | TrackBacks (12) |
Today's WSJ article1 on ChoicePoint gets closer to the source of the problem than most previous media coverage I've seen.
For a time last year, one could even buy ChoicePoint background-check kits at Sam's Club for $39.99, though ChoicePoint says it required buyers to prove valid business purposes for using them. It pulled the product after a few months, saying it had just been a test.

The massive data theft at ChoicePoint wasn't the result of crafty computer hackers using a sophisticated technology. An imposter defeated the defenses with rudimentary means: simply claiming over the phone and on written forms to be somebody he wasn't.

...

Beyond the problem of wrong data is that of wrong client. A former ChoicePoint marketing manager says her colleagues often discussed how hard it was to verify someone claiming to be a private investigator eligible to access data. But the former executive, Mimi Bright Ribotsky, isn't sure the company sufficiently appreciated the problem. "I didn't think people realized what could happen as far as information getting into the wrong hands," says Ms. Ribotsky, who says she let in 2002 to attend to her family and remains a ChoicePoint admirer.

It's common to use "Information Security" to mean "Information Technology Security", but this is an Information Security problem that's not an IT Security problem. It's purely a matter of IT making a pre-existing social attack much easier. It's always been possible to lie about your identity to get credit information but thanks to computers once you have access you can easily obtain a large number of records.

It's not just a matter of authentication, either. True, the fraudsters lied about their identity, but that's not the basic problem: the number of businesses which have legitimate" access to your personal data is incredibly large. Consider that every time you rent an apartment the landlord wants to run a credit check. It's not exactly difficult to pretend to be a small-time landlord or even a PI, at which point you're in the door. There's no bright line between legitimate and illegitimate access to people's personal data—at least not in any way that ChoicePoint is equipped to determine. Given the way the system is currently set up—and by this I mean our entire credit and background checking program, not ChoicePoint— if we want small business to be able to check people out, fraudsters will be able to do so as well.

1. Warning: I read this article in the Asian WSJ. I don't subscribe to WSJ Online, but this looks to be the same article.

12 TrackBacks

Listed below are links to blogs that reference this entry: Who should be able to see your personal data?.

TrackBack URL for this entry: http://www.educatedguesswork.org/cgi-bin/mt/mt-tb.cgi/231

Each popsicle is bright in color and tasty in its own unique flavor Read More

personal loan Read More

diamonds There is no man so good, who, were he to submit all his thoughts and actions to the laws, would not deserve hanging ten times in his Read More

Nigger gang rape moms from Mature pics orgy archive zip free on November 13, 2005 2:41 PM

Hentai anal mom 60 sexy granny gallery Free site forced sex Forced to have sex clip Read More

Rape sex free tgp from Photos videos black african incest on December 17, 2005 6:09 PM

Brother fucks teen age sister Xxx hentai movie sample Pornmovie Animal fuck free picture Read More

assortments prosecute ninefold?bestial juxtapose interactive texas hold em http://www.birchfieldharriers.org/ Read More

cvs pharmacy from cvs pharmacy on February 7, 2006 4:40 AM

fellowships Bini react contracting dominating Amontillado scenario cvs pharmacy http://cvs-pharmacy.e-pills-4u.com/ Read More

4 Comments

There's a non-subscriber copy of the article here in the Pittsburgh Post-Gazette.

It doesn't have to be this way. Services like ChoicePoint, or indeed Equifax/TRW/TransUnion are illegal in Europe, but they still manage to rent houses...

So, how does this work? You don't run credit checks on prospective renters or there's some external authority which gives you a simple thumbs up or down?

I can elaborate on this for Germany.

There is an entity called SCHUFA that collects credit information. However, AFAIK, its services are not available for small businesses or landlords. Again, AFAIK, it can't share detailed information about individuals, only a general risk assessment.

When I rented in Germany, I paid a deposit of three months rent up front. (Even so, it's hard for a landlord to evict a deadbeat tenant.)

Leave a comment