PrivacyToday.com™
Global
Privacy Issues At The Click Of Your Mouse™
Official website of
American Privacy Consultants, Inc.™
Statement by Robert Douglas
Before the
Committee on Government Reform
Subcommittee on Government Management,
Information and Technology
United States House of Representatives
Hearing On
Establishing a Commission for the Comprehensive
Study of Privacy Protection
H.R. 4049
April 12, 2000
Thank you, Mr. Chairman. My name is Robert Douglas and I am the
founder and Chief Executive Officer of American Privacy Consultants. American Privacy Consultants assists
businesses, government agencies, legislators and the media understand and
implement appropriate privacy policies and strategies in today’s fast changing
privacy environment.
First, Mr. Chairman, let me state that I appreciate
the opportunity to appear before you to give my support for the creation of a
Privacy Commission and to state my belief that a comprehensive review of
current privacy law and the formulation of a privacy plan for the 21st
Century is important and long overdue.
I firmly believe the challenges created by the Information Age to the
privacy expectations of our citizens is one of the most significant problems
facing our nation today. Striking the
right balance between safeguarding the traditional privacy rights and values of
all Americans and allowing enough commonsense access to information that is
helping the Information Age to thrive will not be an easy task. Nor is it one that should occur on a
piecemeal basis. It is time for this
country to have a comprehensive privacy plan and strategy.
I want to personally thank you for your
willingness and desire to address this serious issue and the time you have
invested on this problem. I am aware
from both the proposed legislation before us today and other recent activity in
Congress that our Nation’s representatives have heard the concerns of the
American people and are moving to take action.
I particularly want to thank your Committee’s staff, and specifically
Heather Bailey, for the time they have invested with me discussing this problem
and assisting me in preparing for my testimony today.
Prior to founding APC, I was a Washington, DC private detective with more than 17 years' experience in complex criminal defense investigation and trial preparation. In 1997, after becoming concerned about my own experiences in purchasing personal information from “Information Brokers” and other private investigators, I began investigating the practice of Information Brokers selling citizens' personal financial information on the Internet.[1] I took the results of this investigation to Congress and this resulted in my testifying before the Committee on Banking and Financial Services, during the July 28, 1998 Hearing On The Use Of Deceptive Practices To Gain Access To Personal Financial Information. Along with other witnesses I exposed the use of identity theft and fraud by Information Brokers to penetrate banking security systems. That hearing resulted in passage of the Financial Information Privacy Act (FIPA), which was incorporated into the Gramm-Leach-Bliley financial modernization bill signed into law on November 12, 1999.
At the 1998 hearing I informed Congress through the Banking Committee that the use of identity theft, fraud and deception was rampant in the information broker industry and extended well beyond personal financial information.[2] However, given the scope of the Banking Committee’s jurisdiction the Financial Information Privacy Act (FIPA) provisions attacking the use of identity theft, fraud and deception under Gramm-Leach-Bliley were narrowly defined and constrained to the illegal access of personal financial information. It is my hope that passage of H.R. 4049 will result in a Privacy Commission that can, as a small but important part of a broader mandate, investigate the use of identity theft to access and steal many other types of personal information of citizens and residents of the United States.
Given my past and current occupations I am often asked what personal information can be gathered about the average citizen. The truth is almost anything can be learned about anybody in the United States today. Name, address, social security number, date of birth, phone number (whether listed, unlisted, or non-published), height, weight, eye color, hair color, mother’s maiden name, relatives' names and addresses, neighbors' names and addresses, criminal records, civil records, tax liens, real estate holdings, bank account numbers and balances, stock holdings, credit card account numbers and individual credit card transactions, long distance phone records, cellular phone records, pager records, 800 number records, motor vehicle records, driving records, aircraft or watercraft ownership, credit histories, medical histories, where you shop and what you buy, where you went to school, what your grades were, even your SAT scores as Vice-President Gore and Governor Bush saw on the front page of the Washington Post.
When I recite that partial list the follow-up question is always: “How?”
The impact of technology on privacy today is the ability to accumulate, store, filter, cross-reference, analyze and disseminate vast amounts of information about anyone in a fast and cost-efficient manner that was previously unavailable. The partial list I provided of the information that can be obtained on anyone has always been available through one means or another. However, until relatively recently this information was rarely accessed to any large degree because of the time and expense that would have been involved in locating it across thousands of different individual computer databases or paper record storage facilities. Today all that information is quickly being accumulated into vast super-databases and is being packaged and sold like any other commodity.
The expanding use of the Internet coupled with decreasing costs and increasing capacity for accumulation and storage of data has brought the information age to a point where almost anyone can now afford to participate in the buying or selling of data of any type about anybody.
Simply put, privacy in the United States is too often a concept not a reality.
For the purpose of today’s hearing I would like to focus on several particularly egregious categories of personal information that are being advertised and sold on the World Wide Web. The first example is found at Docusearch.com and is a menu of personal biographical information being sold by a company called Docusearch operating out of the state of Florida.
From the Locate Searches menu one can
easily see that most anyone’s Social Security number, address, date of birth
and address can be purchased. These are
the essential ingredients for identity theft.
With this information a criminal can impersonate anyone they choose and
gain access to all other personal information concerning the target of the
identity theft.
The following web page from the Docusearch
site is the description of the Social Security Number Search:
Search For Social Security Number
Search Price: $49.00
Availability: National
Approximate Return Time: 1 Business Day
Requires: Subject's full name & complete last known street address
Search Description
This search accesses one national
service bureau and is used to locate the Subject's Social Security Number.
Search Strategy
This search should be ordered if you do not know your Subject's Social Security
Number, but do possess their first and last name, and a current or previous
complete street address. The source of this search is obtained from a major
service bureau. We all know that, (with very few exceptions), no matter where
you live, maintaining credit is an absolute necessity. The fact that your
Subject may have poor credit, is of little consequence. When collection bureaus
and skip tracers locate them; they report their findings to the subscribing
credit bureau who; in turn, updates the Subject's Credit Header.
Credit Header
The Credit Header is the top portion of a Credit Report, and details the
Subject's current and previous addresses, as reported by participating
subscribers as well as the Subject. It usually dates back 7 years or so.
Note: No credit history, ratings, assessments or financial data pertaining to
the Subject, will be accessed or returned with search results.
Important Note
There are a couple factors that can reduce your chances of success. One being
the accuracy of the submitted information. The slightest inaccuracy will likely
return inconclusive results. Another factor is the age of your information.
Most credit bureaus purge previous addresses dating prior to 7-10 years.
To gain a greater understanding about Locate Searches, and how to select the
one which best serves your specific needs, please review Anatomy
of a Locate Search, as well as the
additional helpful links provided below.
This page is important because it documents the use of credit headers for obtaining and selling on the Internet personal biographical information first obtained as part of credit transactions and then sold to private investigators and information brokers by credit bureaus. This is a common and widespread practice that must be revisited by Congress. While there are many useful and legitimate reasons for the access of credit header information in certain legal contexts, and despite all intents and purposes of the credit industry, the wholesale access of biographical data maintained as part of credit reports goes on at an alarming rate. There are hundreds of web sites on the Internet selling biographical information obtained from credit reports.
The sale of credit headers is the
starting point for many forms of identity theft as it gives the identity thief
all the biographical information necessary to impersonate the true owner of the
information. This ability to then
impersonate the true owner opens up access to all other forms of personal
information sought by the identity thief.
Congress should extend the same permissible purposes test
currently in place for the access to credit data under the FCRA to the
biographical data included in the “credit header” which is now exempted under
current interpretations of the FCRA.
Another company, Strategic Data Service
located at Datahawk.com sells similar information:
OTHER GREAT LOCATOR SERVICES
Locate a person's Social Security #: $49
Locate a person's Current Employer: $169
Locate a person's Date of Birth: $69
Locate a person's Driver's License #: $69
Find physical address of P.O. Box Owner: $99
Again we see the sale of all types of
personal information useful for identity theft. Additionally, on the above list we see the sale of the physical
street address for a Post Office Box owner.
Our citizens pay extra for PO boxes to protect their privacy and U.S.
Postal Regulations recognize very few exceptions for obtaining the corresponding
physical address. Yet we see it here
for sale on the Internet.
The next category shows the sale of
Driver and Vehicle Searches at the Docusearch web site. Included in the list are the sale of names
and addresses associated with a license plate and the sale of specific driver
license numbers. Both pieces of
personal information are often used in identity theft.
Driver & Vehicle Searches
| Search Name | Price |
| 49 States | 39.00 |
| 16 States | 39.00 |
| 38 States | 39.00 |
| 9 States | 49.00 |
| 34 States | 55.00 |
| 50 States | 52.00 |
The following web page from the
Docusearch site is the description of the Driver History/Records By Name &
License Number Search:
Driver History/Records By Name & License Number
Search Price: $39.00
Availability: See Chart
Approximate Return Time: Search results are obtained directly from each state, so return times do vary. The average return time is normally 2-3 business days.
Requires: See Chart
Search Description
Driving Records may provide
identifying information and insight into a person's character. It is also
useful to determine the status and accuracy of one's own Driving Record,
especially when applying for insurance or receiving a ticket, out of State.
Information returned may include driver's license number, class and status,
full name, date of birth, physical description, dates of convictions,
violations and accidents, sections violated, docket numbers, court locations
and accident report numbers. Only one State per search will be performed. If
the Subject's middle name is recorded on the license, you must include
the full middle name in your request. The middle initial will not
suffice.
Note: DMV records are obtained directly from the issuing agency and are subject
to local & state laws. Some states restrict access* to the Subject's physical
address, and therefore may be omitted. This is out of our control and laws
change often and without notice.
*The State of California restricts access and will not return current address
information.
Many Americans believe that the passage
of the Drivers Privacy Protection Act stopped the sale of this type of
information. However, the act allowed
an exemption for private investigators.
So, as the search description above notes, it is currently left to
individual States to regulate the types of information available to private
investigators and information brokers.
Unfortunately, there are a number of information brokers who are also
private investigators, or who have established relationships with private
investigators, that are subsequently accessing this information and selling it
to almost anyone who submits a request via the Internet.
The next web page category from
Docusearch is Telephone Searches:
One can see from this listing that almost any phone number can be traced back to its owner whether or not the individual owner has taken steps to protect their privacy by paying extra for an unlisted or non-published number.
The next web page is the Search For
Non-Published Telephone Number Description from the above Telephone Searches
category:
Search For Non-Published Telephone Number
Search Price: $59.00
Availability: National
Approximate Return Time: 2-3 Business Days
Requires: Subject's Complete Street Address
Search Description
Given any Subject's complete street address, including zip code and any
apartment number, this search will return the Non-Published Telephone Number on
record.
Responsible Purpose For Search
This search may return sensitive, confidential, and/or private information. For
this reason, DOCUSEARCH.COM requires an explanation stating the purpose for
requesting this search, and its' intended use. Additionally, we reserve the
right to decline to perform any search which we deem not to be for a legitimate
business purpose or may cause emotional or physical harm.
*Significant restrictions apply
We can see from the description that by just knowing someone’s address
we can obtain the phone number—even if non-published. This is the type of information that a stalker or harasser uses
to chase their prey. While the search
description states that a purpose needs to be stated for the request, it is not
difficult for someone with criminal intent to make up a reason that will
satisfy this requirement.
Again, we find similar services offered
by Strategic Data Services:
Unlisted & Unpublished Telephone Numbers, Number Ownership Information, Reverse Number Tracing, Cellular & Pager Telephone Record Searches.
Residential Telephone Number Searches
| Description (delivery in business days) | 3-5 days | 24 hrs | 6 hrs |
| Produce unlisted number from name & address | $65 | $119 | $169 |
| Produce name & address from unlisted number | $45 | $99 | $149 |
| Produce unlisted number by address only | $99 | $149 | $199 |
| One month's L.D. calls (dates & numbers called) | $99 | $149 | $199 |
| Call record Extra Detail (Time of day for calls & length) | $29 | $29 | $29 |

Cellular & Pager Searches
| Description (delivery in business days) | 3-5 days | 24 hrs | 6 hrs |
| Produce name and address from cellular number | $99 | $149 | $199 |
| Produce name & address from pager number | $129 | $179 | $229 |
| Produce monthly call records for cellular number | $149 | $219 | $249 |
| Call record Extra Detail (Time of day for calls & Length) | $29 | $29 | $29 |
However, in the above list we see the
addition of long distance toll records.
In other words, you can purchase the long distance phone records
including the number called, the date, time and duration of the call. Further, there is no requirement for a
purpose to be stated.
The next web page category from
Docusearch is Financial Searches:
We can see from this category that both
personal and corporate private financial information can be obtained.
The next web page is the description page
for Bank Account Searches:
Bank Account Search
Search Price: $249.00
Availability: National
Approximate Return Time: 10-18 Business Days*
Requires: Subject's Full Name, Complete Street Address, Social Security Number
Search Description
Given a Subject's full name, complete address and social security number, this
search will return the bank name and address, account type, account number, (if
available) and approximate current balance of all located personal accounts. We
access a federal database and identify open accounts using the
Subject's SSN, however this search will only identify accounts in the Subject's
primary state the business resides. If you suspect accounts exist in more than
the primary residing state, a separate search request for each state is
required, and should include the Subject's address in that state.
NOTE: This search uses the Subject's social security number as the account
identifier, so only primary account holders are returned. Also, be sure to
include any additional information you may have, such as the Subject's home
& work telephone, birthdate, mother's maiden name, etc, in the additional
comments section. This will greatly increase the odds of a successful search.
Responsible Purpose For Search
This search may return sensitive, confidential, and/or private information. For
this reason, DOCUSEARCH.COM requires an explanation stating the purpose for
requesting this search, and its' intended use. Additionally, we reserve the
right to decline to perform any search which we deem not to be for a legitimate
business purpose or may cause emotional or physical harm.
This is a Premier Search and results are guaranteed.
View Sample Report
Important Disclaimer
Financial searches are for
informational purposes only, and are not acceptable as an exhibit or as
evidence. Every effort is made to provide a complete & thorough search
result. However, no method of research is 100% fool-proof and no firm can offer
an absolute guarantee that every account will be found.
*This search requires many hours of research and can't be rushed, as we want to
return thorough, accurate results. Therefore, this is an approximate
return time.
Note that under the search description Docusearch claims to be accessing a Federal Database.[3] While I have little doubt that this is a false statement, even if it were true I believe it would be a blatant violation of the Privacy Act. I would also note that even though Gramm-Leach-Bliley and FIPA outlawed certain methods of accessing and selling personal financial information, many private investigators and information brokers are ignoring the law or finding other methods of access that they believe fall outside of Gramm-Leach-Bliley.
The next web page description is from Acc-u-data.com and demonstrates the sale of credit card information:
CREDIT CARD ACTIVITY
Scroll Down to Place Your Order
This search will provide you with the monthly credit card bill for either an individual or business. Information required: Full Name, Social SS# or Tax ID#, Street Address, City, State & Zip.
Note you must have a judgement to order this search. That judgement must be faxed to us at 904-532-2981.
Reports are E-Mailed, also the original will be snail mailed along with your paid invoice.
While this company appears to require that a judgment be provided in order to obtain a copy of the credit card activity, and it is questionable at best as to whether simply having a judgment in hand would allow lawful access to credit card bills or activity as opposed to a credit report under the Fair Credit Reporting Act, there are many information brokers who make no such requirement. Gramm-Leach-Bliley drove many information brokers underground. However, for the determined individual there are several ways to find brokers who will sell credit card information including individual purchase information.
The examples I have provided easily demonstrate that a vast and varied amount of personal information is available on the Internet. These examples are just several of thousands available. I have provided committee staff with hundreds of other web page examples of information being advertised and sold on the Internet. The methods of access to this data range from lawful collection and resale to illegal theft and resale. I have investigated this issue for the past 4 years. I have worked extensively with the financial services industry and financial regulators to educate and assist them in combating illegal access to financial information. However, that is just a drop in the bucket of the total amount and types of information being accessed.
If H.R. 4049 passes, and it should, I will do all I can to assist the Privacy Commission or any Committee of Congress to understand and weed out the methods currently being used and developed to access our fellow citizens’ personal and private information.
In conclusion, the time is right to have a Privacy Commission with broad based authority to examine privacy in the United States today and to take appropriate steps to safeguard the privacy of all Americans while insuring that restrictions are not so draconian as to impede our booming Information Age economy.
Robert Douglas is the founder and Chief Executive
Officer of American Privacy Consultants (APC) located in Alexandria, Virginia,
and can be reached at 703-836-8001. APC
assists businesses, governments, legislators and the media understand and
implement appropriate privacy policies and strategies in today’s fast changing
privacy environment.
Prior to founding APC, Mr. Douglas was a
Washington, DC private detective with more than 17 years' experience in complex
criminal defense investigation and trial preparation. In 1997 Mr. Douglas investigated the practice of “Information
Brokers” selling citizens' personal financial information on the Internet. Mr. Douglas took the results of this
investigation to Congress and this resulted in his testifying before the United
States House of Representatives, Committee on Banking and Financial Services,
during the July 1998 Hearing On The Use Of Deceptive Practices To Gain Access
To Personal Financial Information. Mr.
Douglas and other witnesses exposed the use of identity theft and fraud by
“Information Brokers” to penetrate banking security systems. That hearing resulted in passage of the
Financial Information Privacy Act, which was incorporated into the
Gramm-Leach-Bliley financial modernization bill signed into law in November of
1999.
Mr. Douglas and APC continue to monitor
the methods of those who would attempt to penetrate our nation's financial
institutions and violate the privacy of those who entrust their assets to those
institutions. Additionally, APC assists
financial institutions in developing and implementing programs to prevent the
illegal access of depositors’ financial information.
Appendix I
The End of Privacy
By Adam L. Penenberg
Forbes Magazine Cover Story; November 29, 1999
(Our reporter dared a private eye to dig up dirt on him. The
results are terrifying to anybody who worries about prying eyes or credit card
scamsters. What can you do to protect yourself?)
THE PHONE RANG AND A
STRANGER CRACKED SING-SONGY AT THE OTHER END OF the line: "Happy
Birthday." That was spooky--the next day I would turn 37. "Your
full name is Adam Landis Penenberg," the caller continued.
"Landis?" My mother's maiden name. "I'm touched," he said.
Then Daniel Cohn, Web detective, reeled off the rest of my "base identifiers"--my
birth date, address in New York, Social Security number. Just two days earlier
I had issued Cohn a challenge: Starting with my byline, dig up as much
information about me as you can. "That didn't take long," I said.
"It took about five minutes," Cohn said, cackling back
in Boca Raton, Fla. "I'll have the rest within a week." And the line
went dead.
In all of six days Dan Cohn and his Web detective agency,
Docusearch.com, shattered every notion I had about privacy in this country (or
whatever remains of it). Using only a keyboard and the phone, he was able to
uncover the innermost details of my life--whom I call late at night; how much
money I have in the bank; my salary and rent. He even got my unlisted phone
numbers, both of them. Okay, so you've heard it before: America, the country
that made "right to privacy" a credo, has lost its privacy to the
computer. But it's far worse than you think. Advances in smart data-sifting
techniques and the rise of massive databases have conspired to strip you naked.
The spread of the Web is the final step. It will make most of the secrets you
have more instantly available than ever before, ready to reveal themselves in a
few taps on the keyboard.
For decades this information rested in remote mainframes that were
difficult to access, even for the techies who put it there. The move to desktop
PCs and local servers in the 1990s has distributed these data far and wide.
Computers now hold half a billion bank accounts, half a billion credit card
accounts, hundreds of millions of mortgages and retirement funds and medical
claims and more. The Web seamlessly links it all together. As e-commerce grows,
marketers and busybodies will crack open a cache of new consumer data more
revealing than ever before (see box, p. 188).
It will be a salesman's dream--and a paranoid's nightmare. Adding
to the paranoia: Hundreds of data sleuths like Dan Cohn of Docusearch have
opened up shop on the Web to sell precious pieces of these data. Some are
ethical; some aren't. They mine celebrity secrets, spy on business rivals and
track down hidden assets, secret lovers and deadbeat dads. They include
Strategic Data Service (at datahawk.com) and Infoseekers.com and Dig Dirt Inc.
(both at the PI Mall, www.pimall.com).
Cohn's firm will get a client your unlisted number for $49, your
Social Security number for $49 and your bank balances for $45. Your driving
record goes for $35; tracing a cell phone number costs $84. Cohn will even tell
someone what stocks, bonds and securities you own (for $209). As with
computers, the price of information has plunged.
You may well ask: What's the big deal? We consumers are as much to
blame as marketers for all these loose data. At every turn we have willingly
given up a layer of privacy in exchange for convenience; it is why we use a
credit card to shop, enduring a barrage of junk mail. Why should we care if our
personal information isn't so personal anymore?
Well, take this test: Next time you are at a party, tell a
stranger your salary, checking account balance, mortgage payment and Social
Security number. If this makes you uneasy, you have your answer.
"If the post office said we have to use transparent
envelopes, people would go crazy, because the fact is we all have something to
hide," says Edward Wade, a privacy advocate who wrote Identity Theft:
The Cybercrime of the Millennium (Loompanics Unlimited, 1999) under the
pseudonym John Q. Newman.
You can do a few things about it (see box, p. 186). Give
your business to the companies that take extra steps to safeguard your data and
will guarantee it. Refuse to reveal your Social Security number--the key for
decrypting your privacy--to all but the financial institutions required by law
to record it.
Do something, because many banks, brokerages, credit card issuers
and others are lax, even careless, about locking away your records. They take
varied steps in trying to protect your privacy (see box, p. 187). Some
sell information to other marketers, and many let hundreds of employees access
your data. Some workers, aiming to please, blithely hand out your account
number, balance and more whenever someone calls and asks for it. That's how
Cohn pierced my privacy.
"You call up a company and make it seem like you're a spy on
a covert mission, and only they can help you," he says. "It works
every time. All day long I deal with spy wannabes."
I'm not the paranoid type; I don't see a huddle on TV and think
that 11 football players are talking about me. But things have gone too far. A
stalker would kill for the wealth of information Cohn was able to dig up. A
crook could parlay the data into credit card scams and "identity
theft," pilfering my good credit rating and using it to pull more ripoffs.
Cohn operates in this netherworld of private eyes, ex-spooks and
ex-cops, retired military men, accountants and research librarians. Now 39, he
grew up in the Philadelphia suburb of Bryn Mawr, attended Penn State and joined
the Navy in 1980 for a three-year stint. In 1987 Cohn formed his own agency to
investigate insurance fraud and set up shop in Florida. "There was no
shortage of work," he says. He invented a "video periscope" that
could rise up through the roof of a van to record a target's scam.
In 1995 he founded Docusearch with childhood pal Kenneth Zeiss. They
fill up to 100 orders a day on the Web, and expect $1 million in business this
year. Their clients include lawyers, insurers, private eyes; the Los Angeles
Pension Union is a customer, and Citibank's legal recovery department uses
Docusearch to find debtors on the run.
Cohn, Zeiss and 13 researchers (6 of them licensed P.I.s) work out
of the top floor of a dull, five-story office building in Boca Raton, Fla.,
sitting in cubicles under a fluorescent glare and taking orders from 9 a.m. to
4 p.m. Their Web site is open 24 hours a day, 365 days a year. You click
through it and load up an on-line shopping cart as casually as if you were at
Amazon.com.
The researchers use sharp sifting methods, but Cohn also admits to
misrepresenting who he is and what he is after. He says the law lets licensed
investigators use such tricks as "pretext calling," fooling company
employees into divulging customer data over the phone (legal in all but a few
states). He even claims to have a government source who provides unpublished
numbers for a fee, "and you'll never figure out how he is paid because
there's no paper trail."
Yet Cohn claims to be more scrupulous than rivals. "Unlike an
information broker, I won't break the law. I turn down jobs, like if a jealous
boyfriend wants to find out where his ex is living." He also says he won't
resell the information to anyone else.
Let's hope not. Cohn's first step into my digital domain was to
plug my name into the credit bureaus--Transunion, Equifax, Experian. In minutes
he had my Social Security number, address and birth date. Credit agencies are
supposed to ensure that their subscribers (retailers, auto dealers, banks,
mortgage companies) have a legitimate need to check credit.
"We physically visit applicants to make sure they live up to
our service agreement," says David Mooney of Equifax, which keeps records
on 200 million Americans and shares them with 114,000 clients. He says
resellers of the data must do the same. "It's rare that anyone abuses the
system." But Cohn says he gets his data from a reseller, and no one has
ever checked up on him.
Armed with my credit header, Dan Cohn tapped other sites. A week
after my birthday, true to his word, he faxed me a three-page summary of my
life. He had pulled up my utility bills, my two unlisted phone numbers and my
finances.
This gave him the ability to map my routines, if he had chosen to
do so: how much cash I burn in a week ($400), how much I deposit twice a month
($3,061), my favorite neighborhood bistro (the Flea Market Cafe), the $720
monthly checks I write out to one Judith Pekowsky: my psychotherapist. (When
you live in New York, you see a shrink; it's the law.) If I had an incurable
disease, Cohn could probably find that out, too.
He had my latest phone bill ($108) and a list of long distance
calls made from home--including late-night fiber-optic dalliances (which soon
ended) with a woman who traveled a lot. Cohn also divined the phone numbers of
a few of my sources, underground computer hackers who aren't wanted by the
police--but probably should be.
Knowing my Social Security number and other personal details
helped Cohn get access to a Federal Reserve database that told him where I had
deposits. Cohn found accounts I had forgotten long ago: $503 at Apple Bank for
Savings in an account held by a long-ago landlord as a security deposit; $7 in
a dormant savings account at Chase Manhattan Bank; $1,000 in another Chase
account.
A few days later Cohn struck the mother lode. He located my cash
management account, opened a few months earlier at Merrill Lynch & Co. That
gave him a peek at my balance, direct deposits from work, withdrawals, ATM
visits, check numbers with dates and amounts, and the name of my broker.
That's too much for some privacy hawks. "If someone can call
your bank and get them to release account information without your consent, it
means you have no privacy," says Russell Smith, director of Consumer.net
in Alexandria, Va., who has won more than $40,000 suing telemarketers for
bothering him. "The two issues are knowledge and control: You should know
what information about you is out there, and you should be able to control who
gets it."
How did Cohn get hold of my Merrill Lynch secrets? Directly from
the source. Cohn says he phoned Merrill Lynch and talked to one of 500
employees who can tap into my data. "Hi, I'm Dan Cohn, a licensed state
investigator conducting an investigation of an Adam Penenberg," he told
the staffer, knowing the words "licensed" and "state" make
it sound like he works for law enforcement.
Then he recited my Social Security, birth date and address,
"and before I could get out anything more he spat out your account
number." Cohn told the helpful worker: "I talked to Penenberg's
broker, um, I can't remember his name...."
"Dan Dunn?" the Merrill Lynch guy asked. "Yeah, Dan
Dunn," Cohn said. The staffer then read Cohn my complete history--balance,
deposits, withdrawals, check numbers and amounts. "You have to talk in the
lingo the bank people talk so they don't even know they are being taken,"
he says.
Merrill's response: It couldn't have happened this way--and if it
did, it's partly my fault. Merrill staff answers phoned-in questions only when
the caller provides the full account number or personal details, Merrill
spokesperson Bobbie Collins says. She adds that I could have insisted on an
"additional telephonic security code" the caller would have to punch
in before getting information, and that this option was disclosed when I opened
my CMA. Guess I didn't read the fine print, not that it mattered: Cohn says he
got my account number from the Merrill rep.
Sprint, my long distance carrier, investigated how my account was
breached and found that a Mr. Penenberg had called to inquire about my most
recent bill. Cohn says only that he called his government contact. Whoever made
the call, "he posed as you and had enough information to convince our
customer service representative that he was you," says Russ R. Robinson, a
Sprint spokesman. "We want to make it easy for our customers to do business
with us over the phone, so you are darned if you do and darned if you
don't."
Bell Atlantic, my local phone company, told me a similar tale,
only it was a Mrs. Penenberg who called in on behalf of her husband. I recently
attended a conference in Las Vegas but don't remember having tied the knot.
For the most part Cohn's methods fly below the radar of the law.
"There is no general law that protects consumers' privacy in the
U.S.," says David Banisar, a Washington lawyer who helped found the
Electronic Privacy Information Center (www.epic.org). In Europe companies
classified as "data controllers" can't hand out your personal details
without your permission, but the U.S. has as little protection as China, he
contends.
The "credit header"--name, address, birth date, Social
Security--used to be kept confidential under the Fair Credit Reporting Act. But
in 1989 the Federal Trade Commission exempted it from such protection, bowing
to the credit bureaus, bail bondsmen and private eyes.
Some piecemeal protections are in place: a 1984 act protecting
cable TV bills; the 1988 Video Privacy Protection Act, passed after a newspaper
published the video rental records of Supreme Court nominee Robert Bork.
"It's crazy, but your movie rental history is more protected under the law
than your credit history is," says Wade, the author.
Colorado is one of the few states that prohibit "pretext
calling" by someone pretending to be someone else. In July James Rapp, 39,
and wife Regana, 29, who ran info-broker Touch Tone Information out of a strip
mall in Aurora, Colo., were charged with impersonating the Ramseys--of the
JonBenet child murder case--to get hold of banking records that might be
related to the case.
Congress may get into the act with bills to outlaw pretext
calling. But lawyer Banisar says more than 100 privacy bills filed in the past
two years have gone nowhere. He blames "an unholy alliance between
marketers and government agencies that want access" to their data.
Indeed, government agencies are some of the worst offenders in
selling your data. In many states the Department of Motor Vehicles was a major
peddler of personal data until Congress passed the Driver's Privacy Protection
Act of 1994, pushing states to enact laws that let drivers block distribution
of their names and addresses. Some states, such as Georgia, take it seriously,
but South Carolina has challenged it all the way up to the U.S. Supreme Court.
Oral arguments are scheduled for this month.
As originally conceived, Social Security numbers weren't to be
used for identification purposes. But nowadays you are compelled by law to give
an accurate number to a bank or other institution that pays you interest or
dividends; thank you, Internal Revenue Service. The bank, in turn, just might
trade that number away to a credit bureau--even if you aren't applying for
credit. That's how snoops can tap so many databases.
Here's a theoretical way to stop this linking process without
compromising the IRS' ability to track unreported income: Suppose that, instead
of issuing you a single 9-digit number, the IRS gave you a dozen 11-digit
numbers and let you report income under any of them. You could release one to
your employer, another to your broker, a third to your health insurer, a fourth
to the firms that need to know your credit history. It would be hard for a
sleuth to know that William H. Smith 001-24-7829-33 was the same as
350-68-4561-49. Your digital personas would converge at only one point in
cyberspace, inside the extremely well guarded computers of the IRS.
But for now, you have to fend for yourself by being picky about
which firms you do business with and how much you tell them. If you are opening
a bank account with no credit attached to it, ask the bank to withhold your Social
Security number from credit bureaus. Make sure your broker gives you, as
Merrill Lynch does, the option of restricting telephone access to your account,
and use it. If a business without a legitimate need for the Social Security
number asks for it, leave the space blank--or fill it with an incorrect number.
(Hint: To make it look legitimate, use an even number between 10 and 90 for the
middle two digits.)
Daniel Cohn makes no apologies for how he earns a living. He sees
himself as a data-robbing Robin Hood. "The problem isn't the amount of
information available, it's the fact that until recently only the wealthy could
afford it. That's where we come in."
In the meantime, until a better solution emerges, I'm starting
over: I will change all of my bank, utility and credit-card account numbers and
apply for new unlisted phone numbers. That should keep the info-brokers at bay
for a while--at least for the next week or two.
Statement by Robert Douglas
before the
Committee on Banking and Financial Services
United States House of Representatives
Hearing On
The Use Of Deceptive Practices To Gain Access To
Personal Financial Information
July 28, 1998
Introduction
Thank you, Mr. Chairman. My name is Robert Douglas and my firm is
Douglas Investigations. My firm
provides private investigative services to the Washington, DC legal
community. While we specialize in
complex criminal defense matters, we also provide general investigative services
including traditional areas of civil investigation and information search
services. It is my experience with the
information broker industry that brings me before you today.
First, Mr. Chairman, let me state that I
appreciate the opportunity to appear before you to give my perspective on what
I believe to be one of the most significant problems facing our nation
today. I want to personally thank you
for your willingness and desire to address this serious issue and the time you
have invested on this problem. I am
aware from both the legislation you have introduced and your public comments
that you share my concerns about maintaining citizens’ financial privacy. I particularly want to thank your
Committee’s staff, and specifically David Cohen, for the time they have
invested with me discussing this problem.
Mr. Chairman, I also would like to single
out for recognition your administrative assistant, Bill Tate, for his
assistance in getting this critical issue before you and the Committee. When I first approached Bill with my
concerns about this subject, he immediately recognized this as an issue worthy
of you and your Committee’s attention and moved quickly to bring it before you. For that I am thankful and I believe the
American people will be thankful when they learn the scope and dimensions of
the problem we are here today to discuss.
All across the United States information
brokers and private investigators are stealing and selling for profit our
fellow citizens’ personal financial information. The problem is so extensive that no citizen should have
confidence that his or her financial holdings are safe.
The types of financial information for
sale include: Private bank account
numbers and balances; stock, bond and mutual fund holdings including the number
of shares held; insurance policy data including the types of insurance
maintained and the amount or value of the policy; credit card information
including account numbers, size of credit lines, and transaction details including
specific purchases.
While the theft and sale of this
information is occurring on a daily basis, much of society’s focus on privacy
as it relates to personal information has been concentrated elsewhere. To date, the majority of public scrutiny has
been on issues related to basic data collected via the Internet and the
explosion of information that is collected every day as part of routine
commercial transactions.
Issues such as the mass collection of
citizens’ social security numbers, home addresses, phone numbers, and purchasing
preferences by retailers have dominated the debate. As part of this debate we routinely hear and read of generic
“what ifs...” and concerns that “sometime in the near future” a citizen’s most
privately held information will be easily obtained by anyone willing to pay for
it.
Mr. Chairman, I am here today to tell you
that we passed that point long ago and somehow it seems no one noticed.
The Sale of Financial Information
by “Information Brokers”
Currently, thousands of information
brokers and private investigators are advertising their ability to locate
citizens’ personal financial information.
The advertisements almost uniformly refer to “bank account searches”
and/or “asset investigations”. These
advertisements can be found in legal and investigative trade journals, general
circulation newspapers, the yellow pages, and on the World Wide Web.
The genesis of this specialty niche
within the information industry is a growing black market that has developed to
sell financial and other forms of personal information. As with most black markets, there needs to
be a seller of a commodity that can’t be obtained through normal channels and a
buyer interested in that commodity. In
this case the sellers are private investigators and information brokers, who I
will collectively refer to as brokers, who have perfected a technique they call
“pretexting”. The commodity is private
financial information. Originally, and
to a great extent still, the buyers were lawyers looking to seize assets of
individuals with unsatisfied judgments.
I do not want to mislead the Committee on
this point. There is a substantial
problem in this country concerning the ability of successful parties to a
lawsuit ever collecting the monetary awards from the opposing party. There are millions of uncollected judgments
representing billions of uncollected dollars in the United States. In my opinion, this fact has played a large
role in the development of the black market for financial information. Indeed, if you review the materials I have
provided to the Committee, most brokers providing these asset location services
advertise them as a means to locate liquid assets to seize in order to satisfy
judgments. However, if you review those
materials closely in conjunction with the audio and video tapes I have provided
the Committee of a private investigator and an information broker selling an
individual’s banking information, you will clearly see that far too many brokers
are selling citizens’ private information to anyone who cares to purchase it.
Even if, for argument’s sake, all brokers
were only providing financial information obtained through pretext to attorneys
holding lawful judgments as a means to assist in the collection on those
judgments, it would still be a gross violation of privacy and in many states a
violation of the law. In other words,
in a society governed by law, the end cannot justify the means.
Yet this is the very argument that many
brokers I have talked to make. Their
position is that there is nothing wrong with what they do. They see themselves as financial bounty
hunters filling a demand for information on where individuals have secreted
their money. Time and again in numerous
conversations I have had with brokers around the country I have heard the
following two positions argued as a justification of the services they sell.
The primary position is that it is not
against the law to obtain private financial information. In the materials I have provided the
Committee there are two specific examples of this declaration. One is direct and the other is by
inference. The first is a broker
assuring the viewers of the web page that it is legal to obtain financial
information. The second is a law firm
newsletter on the web where they advise their readers and clients that they use
brokers to locate bank accounts and that they will assist their clients in
hiring brokers to do the same.
In furtherance of this position that what
they do is legal, brokers argue that there is no federal law prohibiting a
private citizen from obtaining the financial information of another private
citizen. The brokers, and in some
instances their corporate attorneys, have told me that federal laws in this
area relate only to the government’s access to a citizen’s financial
information. I would like to note
that these very brokers and their attorneys appear to be ignoring existing
state laws in many instances.
The second position brokers advance is
that “pretexting”, which I will discuss in more detail shortly, is perfectly
legal. The argument goes like
this. “If the bank is stupid enough to
tell me the information, that’s the bank’s problem--not mine.”
The Extent of the Problem
Five years ago there were a small number
of these brokers actively advertising their “asset location” services. The advertisements at that time were largely
confined to legal and investigative trade journals, as the target markets were
lawyers and creditors who had judgments that had remained uncollected.
Today, there are literally hundreds of
brokers advertising around the United States by means of the Internet. By way of example I have provided to the
Committee, and have here at the table with me today, approximately 285
individual web pages from approximately 40 companies advertising on the World
Wide Web. These 40 companies were
located by searching the phrase “bank account search” on just one of the many
Internet search engines. Specifically,
the AltaVista Internet search engine.
The results are a combination of
information brokers and traditional private investigators. Each of these firms is advertising to other
private investigators, information re-sellers, attorneys, and often the general
public. Even the firms that are
publicly stating that they are not selling to the public will gladly sell to a
private investigator without any ability to control where the data will go from
there. The end result is that thousands
of investigators, brokers, and in many cases individual consumers can now
purchase the personal financial information of any citizen in the United
States.
To further illustrate to the Committee
the scope of the problem we are discussing today I would like to point out
another fact. By just examining two of
the forty companies I have provided the Committee with web pages for, Noble
Assets and The Pathfinder Group, you will see that they claim to have located
over 1.5 billion dollars in assets. If
we take them at their word, or even if we divide that number by a factor of
two, the scope of the dilemma is staggering.
Identity Theft and Pretexting
The means by which private financial
information is most commonly obtained is identity theft. The financial data is obtained by the broker
under false pretenses. The most common
method of identity theft used to obtain privately held financial information is
for the broker to obtain through currently legal means enough biographical
information on the target of the investigation to be able to falsely pretend
that he, the broker, is the actual owner of the information sought after. Having convinced the financial institution
by false pretenses that he, the broker, is actually the institution’s client,
the institution is only too happy to provide whatever information is requested.
The following is a basic example of this
method. Bob Smith is the holder of a
bank account at USA Bank. Joe Info
Broker obtains from one of dozens of lawful databases, many of which can be found
on the Internet, Mr. Smith’s full name, social security number, address, and
date of birth. Joe Broker then starts
calling banks in Mr. Smith’s neighborhood posing as someone who has received a
check from Mr. Smith. When Joe Broker
finds a bank that confirms that Mr. Smith has an account, Joe Broker hangs
up. Joe Broker then calls back and
identifies himself to the bank as Mr. Smith.
The bank, for security reasons, asks for personal information that the
bank mistakenly believes only Mr. Smith would know. Joe Broker armed with Mr. Smith’s biographical data is able to
convince the bank that he is actually Mr. Smith. The bank then provides Joe Broker with any information he
requests on Mr. Smith’s account.
A second method is for the broker to falsely
convey to the target of the asset investigation that he, the broker, is an
employee of a legitimate financial institution or company. Having gained the confidence of the target,
the broker induces the target to provide his or her own financial data.
The following is a basic example of this
second method. Joe Info Broker, having
determined Sally Senior Citizen’s bank by the means outlined above, calls Sally
Senior Citizen at home and pretends to be an employee of the bank. Joe Broker tells Sally that there is some
confusion with her account and that they can clear it up on the phone if she
goes and gets her checkbook. Sally
wanting to avoid a trip to the bank complies.
Joe Broker having gained Sally’s confidence gets her to read her account
number to him as a means of “confirmation”.
Joe then gets Sally to tell him what her balance is so “the bank” can be
sure its records are accurate. Sally
complies. Joe Broker now has Sally’s
banking information.
These are just two of many methods that I
have uncovered. I note that the
Committee will hear today from an information broker, Al Schweitzer, and I
suspect that Mr. Schweitzer will be able to provide other techniques commonly
in use. However, at the core of any of
these techniques is identity theft.
Private investigators and information
brokers who obtain these types of information by the above methods prefer to
call it “pretexting”. While pretexting
is a commonly accepted investigative technique, I believe it is more properly
classified as fraud when it rises to the level of identity theft as outlined
above.
Pretexting is a traditional, accepted
investigative technique within the investigative trade. The technique of pretexting is to either
intentionally induce or allow another party to believe the investigator is
someone they are not. The goal being
that the individual being pretexted will drop their guard and reveal
information that they would not if they knew the true identity of the
investigator. This technique is routinely
used by both law enforcement and private investigators.
An example of traditional pretexting
would be to pose by phone as a generic delivery person with a package for Mr.
Jones as a method to determine if Mr. Jones is home so that a subpoena could be
served or a warrant executed. A second
example would be to pose as an “old school friend” in order to find the current
address of Mr. Jones from Mr. Jones’ parents.
The goal again being to learn the public address of Mr. Jones so that
lawful process can be carried out.
The difference between true pretexting
and identity theft is simple. In
pretexting, the investigator poses as a generic individual or company in order
to obtain public, non-protected information such as an address, name of a witness
or relative. Identity theft is the use
of the target’s personal and biographical information to impersonate the target
as a means to obtain the target’s private, protected information.
Creditor Networks and “Sources”
While I believe identity theft is
currently the most common method being used by information brokers today, and
is almost always used to gain the balance of a financial account, it is not the
only method.
Creditor networking as a means of
obtaining personal financial information is another method used by
brokers. This method consists of a
broker calling companies that have made inquiries on a target’s credit report
in order to learn what biographical and financial information that company
maintains on the target. The broker
will offer to exchange data in the broker’s possession or promise to call back
with information developed as a means to induce the company to provide personal
data on the target. By calling one or
more companies the broker begins to piece together the financial profile of the
subject in order to then sell that information to the broker’s client.
The final method I will address is that
of using “sources”. The term source in
the investigative trade is often code language for illegally obtained information. The broker purchases or trades on an
existing friendship or relationship to obtain protected information from the
“source”. Brokers spend years
developing “sources” and are constantly trying to cultivate new ones to obtain
information.
I have heard brokers brag of developing
sources within the major credit agencies as a means of obtaining “no foot
print” credit reports. A “no foot
print” credit report is a report obtained on a target that doesn’t leave a
notation on the report’s inquiry section recording who has obtained a copy of
the target’s report. Brokers also try
to develop “sources” within the financial services sector itself. One of the tapes I have provided to the
Committee and to the FDIC is replete with discussions of sources developed
within the financial industry.
Stalking, Theft, and Financial Terrorism
In my introduction today I stated, “[t]he
problem is so extensive that no citizen should have confidence that their
personal financial holdings are safe.”
Mr. Chairman, I am not an alarmist by nature and consequently I do not
make that statement lightly. Frankly, I
fought a battle within myself debating whether I should make such an incendiary
charge. However, the statement is true
and I would like to provide the Committee with one example of what I know has
already transpired by this information ending up in the wrong hands. Further, I would like to warn the Committee
of what can easily happen, and perhaps has already, if quick action is not
taken.
I am personally aware of a case that a
Maryland private investigative agency has worked on where a stalker has
purchased by means of a private investigator and an information broker the
personal information of a Virginia woman.
This information included amongst other items her driving record and
personal banking information. As a form
of harassment, terror and demonstration of power the stalker proceeded to
distribute this information to all the woman’s neighbors in her community.
While this example is bad enough in and
of itself, it is just a small taste of the harm that can and will occur with
this type of information so widely available by means of the Internet.
With the financial information that can
be purchased from a broker and the techniques that these brokers will teach to
others and sell in books advertised on the Internet the following can be
accomplished:
Theft
1) You can steal money directly from the
bank account of a citizen by using tele-check type services to make purchases.
2) You can steal money directly from the
bank account of a citizen by having the money wired from the account to
another location.
3) You can steal money directly from the
bank account of a citizen by using the account information to make purchases on
the Internet.
4) You can use a citizen’s credit card
information to make purchases by phone or the Internet.
5) You can use investment information to
cash in holdings to obtain the funds.
6) You can determine the insurance
coverages and policy amounts of a citizen and cash in certain types of
policies.
Financial Terrorism
1) You can close a citizen’s financial
accounts.
2) You can stop payment on checks the
citizen has issued.
3) You can use the knowledge of financial
holdings to assist in blackmail or kidnapping.
4) You can determine a business
competitor’s financial holdings as a means to obtain a competitive edge.
5) You can close a business competitor’s
accounts or place stops on checks issued to create havoc for the competitor.
These are just a few examples of the
types of harm that can easily be visited upon a citizen or business. I note that one of the guests today is Evan
Hendricks representing Privacy Times. I
suspect Mr. Hendricks will be able to supply stories he is aware of and/or
potential scenarios of how financial information in the wrong hands can cause
incredible amounts of damage in a very short period of time. In fact, it is easier to cause the damage
than it is to correct it once it has taken place.
The Proposed Legislation
One of the questions I was asked to
address in your invitation letter, Mr. Chairman, was whether I thought existing
Federal and state laws adequately safeguard citizens’ financial
information. Quite simply they do not.
I note that Massachusetts Assistant
Attorney General Clements is on the witness list for today. I would also note that all of the companies
the State of Massachusetts prosecuted are still in operation to the best of my
knowledge. As one broker we caught on
tape stated to me concerning the fine given to Noble Assets, “...what’s twenty
to thirty thousand dollars when you’re making a quarter of a million a year”.
I would also like to state that I researched
the issue of whether obtaining private financial information is legal off and
on for more than four years. I found it
hard to come to a conclusion based upon existing law and a review of law
journals and books on privacy. While
everything in my gut told me that this can’t be right, I saw dozens of other
companies advertising the ability to provide bank account and other financial
information. Many of these
advertisements appeared and continue to appear in the local legal trade
journal, Legal Times. This paper is
read in all the major law offices and I have seen it in the U.S. Attorney’s
office for the District of Columbia.
Indeed, an attorney representing one
broker, Integrity National, told me that she had researched both the law and
the methodology being used by Integrity and that what they sold was perfectly
legal. Noble Assets prominently
displays that one of the principals of the firm is an attorney. At one point I went to a legal conference
here in the District of Columbia titled “Collecting On Judgments In DC,
Maryland and Virginia.” I asked two
members of the panel, both attorneys, if they could provide assistance in this
area and all I got in return was a blank stare. They stated that they did not know the answer to the question of
legality.
Based upon my early research and
discussions with brokers and their attorneys I purchased financial information
on behalf of attorneys looking to collect on judgments for approximately 2
years. At the end of that period I had
an experience with a broker that clearly revealed to me that he was obtaining
the information through fraud. At that
point I ceased purchasing financial information and put out a warning to all my
clients that I believed brokers were stealing this information by means of
identity theft.
The preceding paragraphs are meant to
illustrate that it is not easy to determine what laws specifically apply in
this area. Because of that reason and
because of the scope and danger presented I believe there needs to be Federal
law directly controlling the use of deceptive practices to obtain personal
financial information.
I have had an opportunity to review the
legislation introduced by Chairman Leach and I believe it directly and fairly
addresses the problem we are discussing today.
The legislation clearly evidences a thorough understanding of the issues
presented and outlaws the use of identity theft or theft by false pretenses in
the obtaining of financial information.
I support the inclusion of both criminal and civil remedies as a means
of enforcement.
I believe that passage of this law
coupled with enforcement will almost immediately end the problem. As I reviewed web pages advertising the sale
of financial information, many of which I have provided to the Committee, I was
struck by the fact that without exception they all noted that in order to
obtain a credit report the purchaser had to be in compliance with the Fair
Credit Reporting Act. Brokers are
terrified of being put out of business and/or sued for violating the FCRA. I believe similarly they will get the word
quickly that identity theft, as a means of obtaining personal financial
information, is no longer acceptable.
Enforcement of the law will require a
minimal amount of resources. Specifically,
a single federal agent with a computer, Internet access, fax machine and the
skill to out pretext the pretexters as I did, could shut this industry down in
a matter of months.
Education
Finally, the last area that needs to be
addressed is education. No matter what
happens today and whether or not this legislation passes, we must do all we can
to educate the public, your fellow legislators, financial institutions,
hospitals, universities, and any other company or institution that maintains private
information about the dangers of identity theft. As I noted earlier there are individuals teaching classes and
writing books on how to “pretext”. We
need to teach businesses, institutions and individual citizens what steps they
can take to protect their ever decreasing privacy and their most valued
information.
Conclusion
Mr. Chairman, I would like to once again
thank you for the invitation to appear today.
I have great confidence that the Committee recognizes the seriousness of
the problem before it and the threat it presents to the integrity of all
financial information.
As a child I was taught that the first
role of government is to protect the people.
This is an opportunity for this Committee and this Congress to do so. As a professional in the investigative trade
I would ask you on behalf of the honest members of the profession that you stop
the use of deceptive practices to access financial information. As a citizen of the United States I insist
that you do so.
Statement by Robert Douglas
Before the
Interagency Public Forum
Hosted by the Federal Deposit Insurance Corporation
Is It Any Of Your Business?
Consumer Information, Privacy, and the Financial
Services Industry
March 23, 2000
As a former private investigator and now as Chief Privacy
Officer for American Privacy Consultants in Alexandria, Virginia, I am
frequently asked in this dawning of the information age coupled with the
technological revolution created by the Internet just how much information is
readily available about the average citizen.
The truth is almost anything can be learned about anybody in the United
States today. Name, address, social
security number, date of birth, phone number (whether listed, unlisted, or
non-published), height, weight, eye color, hair color, mother’s maiden name,
relatives’ names and addresses, neighbors’ names and addresses, criminal records,
civil records, tax liens, real estate holdings, bank account numbers and
balances, stock holdings, credit card account numbers and individual credit
card transactions, long distance phone records, cellular phone records, pager
records, 800 number records, motor vehicle records, driving records, aircraft
or watercraft ownership, credit histories, medical histories, where you shop
and what you buy, where you went to school, what your grades were, even your
SAT scores as Vice-President Gore and Governor Bush saw on the front page of
the Washington Post.
As I have only fifteen minutes to address you today please accept
my assertion that the list goes on and on.
The impact of technology on consumer privacy today is the
ability to accumulate, store, filter, cross-reference, analyze and disseminate vast
amounts of information about anyone in a fast and cost-efficient manner that
was previously unavailable. The partial
list I provided of the information that can be obtained on any consumer has
always been available through one means or another. The fact of the matter is that until relatively recently this
information was rarely accessed to any large degree because of the time and
expense that would have been involved in locating it across thousands of
different computer databases or paper record storage facilities. Today all that information is quickly being
accumulated into vast super-databases and is being packaged and sold like any
other commodity.
The expanding use of the Internet coupled with decreasing
costs and increasing capacity for accumulation and storage of data has brought
the information age to a point where almost anyone can now afford to
participate in the buying or selling of data of any type about anybody.
Simply put, privacy in the United States is too often a
concept not a reality.
PRIVACY AND FINANCIAL INFORMATION
Since this public forum will focus in part on trying to determine what
defines personal versus public information under Gramm-Leach-Bliley and the
ramifications of this decision on consumer privacy given the current realities
of technology that I just discussed, I would like to illuminate fact from
fiction currently circulating in the media concerning technology and the impact
on consumer financial privacy and demonstrate how a name and address can be
used to obtain financial information about any individual in the United States.
FACT FROM FICTION
When it comes to consumer information, privacy, and the
financial services industry we need to separate fact from fiction and the legal
from the illegal. Recent events and
subsequent media coverage have led the average consumer to believe that their
personal information is not being properly safeguarded by the financial services
industry and that this information is in fact for sale to anyone and most
disturbingly can be purchased on the Internet.
A portion of this negative publicity is well deserved and is
the direct consequence of the fact that a relatively small number of financial
institutions have been selling consumer information stored in their
super-databases, including individual names, addresses, phone numbers, and
financial account numbers to outside companies with no direct relationship to
the consumer. The U.S. Bancorp and
Charter Pacific cases illustrate this problem and served as a wakeup call to
the financial services industry that consumers will not stand for such third
party practices. Congress also heard
that warning bell from consumers in the closing hours of the passage of
Gramm-Leach-Bliley and the ripple effect continues today.
As I am aware that Minnesota Attorney General Hatch is here
today and that he is an expert on the subject of third party information
sharing practices by financial institutions having successfully prosecuted the
U.S. Bancorp matter, I will leave further discussion of this area to him and
others. Suffice it to say that
consumers are watching closely and when they perceive that a financial
institution has not properly safeguarded their personal information or has
cavalierly sold that information for the financial benefit of the institution
over the confidentiality requirements of consumers, they will demand further
regulatory restrictions.
However, it must also be stated as a fact that technology has
increased the ability of financial institutions to assist consumers in a myriad
of ways from easier 24 hour access of their financial information to the
ability to learn of new relevant financial products and services uniquely
appropriate for the individual consumer based upon data the financial
institution possesses and is able to analyze on behalf of the consumer.
Make no mistake about it; consumers want these conveniences,
services and products made available through increased data analysis
capabilities and the ease of use of the Internet and telecommunication
systems. The rub is they also want,
indeed demand, that privacy of their information be maintained. The challenge for the financial services
industry is to allow the individual consumer to strike the appropriate privacy
balance they desire.
THE SALE OF FINANCIAL INFORMATION ON THE INTERNET
The second area that consumers have been learning more and
more about over the last several years through the media is the common, but
incorrect, belief that any individual’s financial information can be accessed because
of the Internet. Recently both Forbes
Magazine in a cover story and a CNN Moneyline News Hour Special Presentation
left consumers with the distinct belief that everyone’s financial information
is being collected on the Internet and is therefore accessible to others. This belief is also a combination of fact
and fiction and needs to be clarified before the public comes to fear the use
of the Internet to assist in financial transactions and consumer purchases
any more than it already does.
Technology and the Internet do not enable access to private
financial information such as bank account numbers, account balances, credit
card transactions, and stock portfolios as has been advanced by CNN, Forbes and
dozens of other media outlets. Setting
aside illegal hacking of a small number of commercial web sites and the
subsequent revelation of credit card numbers, the unfortunate reality is that
financial information has been being accessed and sold long before the current
rise of the Internet. In fact,
financial information has been being accessed by the age-old technique of fraud
for many years. The role of the Internet
has simply been one of many ways that information thieves advertise the sale of
this data that they obtain through identity theft and fraud.
To illustrate this fact one need go no further than any of the
many commercially available Internet search engines and search the phrase “bank
account search”. Literally hundreds of
web pages devoted to the sale of financial information including balances and
account numbers will be returned as a result of the search. However, I must state again, contrary to
recent media assertions that the Internet and computer databases are allowing these
“information brokers” or “Internet Private Investigators” to obtain personal
financial information, the information is merely being advertised on the
Internet and is actually obtained in most cases through a form of identity
theft known as pretext. It should be
noted here today that this means of accessing and selling consumers’ financial
information is now illegal under Gramm-Leach-Bliley under all but a few
narrowly defined circumstances. It
should also be noted that unfortunately the practice continues and is more
prevalent than when I testified before Congress concerning this problem in July
of 1998. Because of the practices of
these so-called “Internet Private Investigators”, “Information Brokers” and sloppy
reporting by certain media outlets there is a growing belief that financial
information is obtained and sold by use of the Internet.
The reality is the means by which private
financial information is most commonly obtained is identity theft. The financial data is obtained under false pretenses. The most common method of identity theft
used to obtain privately held financial information is for the information
broker to obtain through the use of credit headers from the major credit
reporting agencies enough biographical information on the consumer to be able
to falsely pretend that he, the broker, is the actual owner of the information
sought after. Having convinced a
financial institution by false pretenses that he, the information broker, is
actually the institution’s client, the institution is deceived into providing
whatever information is requested by the information broker impersonating the
consumer.
The following is a basic example of this
method. Bob Smith is the holder of a
bank account at USA Bank. Joe Info
Broker obtains from one of dozens of lawful databases, many of which can be
found on the Internet, Mr. Smith’s full name, social security number, address,
and date of birth. Joe Broker then
starts calling banks in Mr. Smith’s neighborhood posing as someone who has received
a check from Mr. Smith. When Joe Broker
finds a bank that confirms that Mr. Smith has an account, Joe Broker hangs
up. Joe Broker then calls back and
identifies himself to the bank as Mr. Smith.
The bank, for security reasons, asks for personal information that the
bank believes only Mr. Smith would know.
Joe Broker armed with Mr. Smith’s biographical data is able to convince
the bank that he is actually Mr. Smith.
The bank then provides Joe Broker with any information he requests on
Mr. Smith’s account.
A second method is for the broker to
falsely convey to the target of the asset investigation that he, the broker, is
an employee of a legitimate financial institution or company. Having gained the confidence of the target,
the broker induces the target to provide his or her own financial data.
These are just two of dozens of fraud
schemes used by so-called “Internet Private Investigators” and “Information
Brokers” to steal consumers’ personal financial information and sell it on the
Internet. The core of any of these
techniques is identity theft and is currently illegal under Gramm-Leach-Bliley
with very few exceptions.
I must state once again as clearly as
possible that technology and the Internet play no substantial role in the collection
or sale of this information other than as an advertising and sales
vehicle. There is no magic database in
Cyberspace holding all our financial information that these “Information
Brokers” can just tap into and sell to anyone and everyone. There is no financial institution today that
is selling individuals’ financial information to “Information Brokers” for their
re-sale to the public. There is no
government database that holds all individuals’ current financial information
that is accessed by “Internet Private Investigators”. The financial institutions and the government are victims of
these illegal practices and misperceptions, not the perpetrators. Strict enforcement of current laws under
Gramm-Leach-Bliley and FTC statutes is needed to stamp out the harm these
brokers and investigators are doing to the confidence of the American consumer.
To illustrate the problem of the growing
misperception that the Internet is the source of financial information being
collected and sold one need look no further than the Forbes cover story of November
29, 1999 and CNN’s Moneyline Special of March 6, 2000. Both stories relied heavily on just one of
the hundreds of “Internet Private Investigators” that advertise and sell their
services on the Internet.
In the Forbes piece the private investigator is referred to as a “Web detective”
and is asked by the reporter to learn as much as he can just using the
reporter’s byline. The “Web detective”
obtained the reporter’s birth date, address, and social security number in
“about five minutes”. I would note that
this is normally done through the currently legal practice of credit companies
selling personal biographical information on consumers.
The reporter went on to state, “(I)n all of
six days Dan Cohn and his Web detective agency, Docusearch.com, shattered every
notion I had about privacy in this country (or whatever remains of it). Using
only a keyboard and the phone, he was able to uncover the innermost details of
my life--whom I call late at night; how much money I have in the bank; my
salary and rent. He even got my unlisted phone numbers, both of them.”
The reporter concluded this portion of the article stating, “(O)kay, so
you've heard it before: America, the country that made "right to privacy"
a credo, has lost its privacy to the computer. But it's far worse than you
think. Advances in smart data-sifting techniques and the rise of massive
databases have conspired to strip you naked. The spread of the Web is the final
step. It will make most of the secrets you have more instantly available than
ever before, ready to reveal themselves in a few taps on the keyboard. For decades this information rested in remote
mainframes that were difficult to access, even for the techies who put it
there. The move to desktop PCs and local servers in the 1990s has distributed
these data far and wide. Computers now hold half a billion bank accounts, half
a billion credit card accounts, hundreds of millions of mortgages and
retirement funds and medical claims and more. The Web seamlessly links it all
together.”
In a mere two paragraphs the reporter has
incorrectly linked current information technology to the sale of personal
financial information without ever providing a single fact as to how this
so-called Web detective obtained the reporter’s personal information. There is no database holding an individual’s
personal bank account information legally available to a “Web detective” or
anyone else absent a Court order.
In the CNN piece after trying unsuccessfully
to locate an unpublished phone number on the Internet they went on to state,
“(T)he pros, however, can pick you clean.
Hire an Internet private investigator like Daniel Cohn, and if you have
good enough reason, he’ll find the phone number….And if you convince him you
have a legitimate reason and you’re willing to pay a bit more, Docusearch (Cohn’s
firm) will give you someone’s bank account balances, bank account activity, and
even the stocks, bonds and securities someone owns, all of which poses a double
threat to the Internet as a place to do business. First the threat of federal regulation.”
Here CNN cuts to William Daley, Secretary
of Commerce stating, “If a Web firm fails to protect consumers’ privacy, if
they fail to disclose, if they fail to give consumers choice, I guarantee you
that the government will be forced to react.”
CNN’s reporter then goes on to say “And
if consumers grow to distrust the Internet as a place to do business, some of
them may start to avoid it just as they would an unsafe city neighborhood. The difference is that, on the Internet, you
can get mugged and never even know it.”
I would argue that the viewers of this
segment were the ones who were mugged by CNN’s using an example of a single
so-called Internet private investigator’s untested assertion that he can
provide an individual’s financial information as a “threat to the Internet as a
place to do business” and implying through their editing in the comments of the
Secretary of Commerce that it is the Internet itself that is allowing firms
such as Docusearch to obtain and sell personal financial information.
To further highlight the misperception
problem that technology has made our citizens’ personal financial information
available to anyone because of the accessibility of databases accessed via the
Internet one need look no further than several web pages from the Docusearch
web site that Forbes and CNN relied upon.
The first overhead shows a web page
advertising the sale of Social Security Numbers. An individual wishing to purchase a consumer’s personal financial
information from an information broker or private investigator will almost
always need to supply the consumer’s name, current address and social security
number. A name and address can be obtained
from many publicly available legal sources.
A social security number is more difficult to obtain and the most common
method used by information brokers and private investigators is to purchase
what is commonly called the credit header from the consumer’s credit report that
is sold by credit reporting companies outside of the Fair Credit Reporting
Act. Several major credit-reporting
agencies enter into contracts with information brokers and private investigators
to sell consumers’ biographical information that is collected as part of routine
credit applications. These brokers and
investigators are now selling that personal biographical data. This header will reveal all the biographical
data the credit agency has on the consumer and may include name, maiden name,
current address, history of addresses, social security number, telephone
numbers, and employment information.
The credit header and specifically the social security number is the
starting point for many information brokers and private investigators in their
quest for information on a consumer.
The second overhead shows that should the
phone number of a consumer be needed and not be publicly available it can be
obtained. I have included this overhead
as a momentary detour from the focus on financial information to make the point
that information brokers and private investigators are selling more than just
financial information. Many are willing
to obtain and sell phone records including complete lists of the long distance
calls consumers have made.
The third overhead shows a list of
financial searches being sold by Docusearch and advertised on the
Internet. I will again stress that in
regards to the bank searches listed here I am not aware of any such data
maintained or collected for dissemination via the Internet or other forms of
technology for the access and sale by information brokers and private
investigators via the Internet or any other means.
The final overhead shows the bank account search web page of Docusearch.com where under the Search Description it specifically states that Docusearch “access(es) a federal database…” I suspect this will come as news to many of the participants here today and makes it somewhat understandable why CNN and Forbes produced the pieces they did. I just wonder whether the reporters ever asked Docusearch to prove that they access a federal database in order to sell consumers’ financial information via the World Wide Web. There is no such database.
In closing, this forum today is another important
step in the much needed attempt to define the role of privacy in the
information age and in particular to the role of the financial services
industry. Hopefully, as we go forward
here today and in the future in trying to determine what is privacy as it
relates to the American consumer we can also continue to separate fact from
fiction and find a healthy balance between the wonderful advances of the
information age and the traditional role of privacy and freedom that has been
with us since the founding of this Nation.
Robert Douglas is the founder and Chief Executive
Officer of American Privacy Consultants (APC) located in Alexandria, Virginia,
and can be reached at 703-836-8001. APC
assists businesses, governments, legislators and the media understand and
implement appropriate privacy policies and strategies in today’s fast changing
privacy environment.
Prior to founding APC, Mr. Douglas was a
Washington, DC private detective with more than 17 years’ experience in complex
criminal defense investigation and trial preparation. In 1997 Mr. Douglas investigated the practice of “Information
Brokers” selling citizens’ personal financial information on the Internet. Mr. Douglas took the results of this
investigation to Congress and this resulted in his testifying before the United
States House of Representatives, Committee on Banking and Financial Services,
during the July 1998 Hearing On The Use Of Deceptive Practices To Gain Access
To Personal Financial Information. Mr.
Douglas and other witnesses exposed the use of identity theft and fraud by
“Information Brokers” to penetrate banking security systems. That hearing resulted in passage of the
Financial Information Privacy Act, which was incorporated into the
Gramm-Leach-Bliley financial modernization bill signed into law in November of
1999.
Mr. Douglas and APC continue to monitor
the methods of those who would attempt to penetrate our nation’s financial
institutions and violate the privacy of those who entrust their assets to those
institutions. Additionally, APC assists
financial institutions in developing and implementing programs to prevent the
illegal access of depositors’ financial information.
[1] For an overview of the practices of one Information Broker/Private Investigator see The End Of Privacy, Forbes Magazine, Cover Story, 11/29/99 appended to this statement as Appendix I
[2] July 28, 1998 statement before the Banking Committee appended to this statement as Appendix II
[3] March 23, 2000 remarks before the FDIC Privacy Forum appended to this statement as Appendix III