Testimony of Chris Jay Hoofnagle
Director, Electronic Privacy Information Center West Coast Office
After the Breach:
How secure and accurate is consumer information held by
ChoicePoint and other data aggregators?
California Senate Banking, Finance and Insurance Committee
Room 3191, State Capitol
Wednesday, March 30, 2005
VERSION CORRECTED APRIL 5, 2005
Chairman Speier, Vice-Chairman Cox, and Members of the Committee, thank you for extending the opportunity to testify on information aggregators. My name is Chris Hoofnagle and I am director of the Electronic Privacy Information Center's (EPIC) West Coast office. Founded in 1994, EPIC has closely tracked the development of entities we call "commercial data brokers," companies like Choicepoint, Lexis, and Acxiom that buy and sell personal information for a variety of purposes.
In June 2001, EPIC filed a series of requests under the Freedom of Information Act (FOIA) seeking access to government records regarding Choicepoint and its competitors. Four years and a lawsuit later, we have some idea about how this company operates, and how commercial data brokers pose a severe threat to privacy.
In December 2004, EPIC filed a complaint with the Federal Trade Commission, urging the agency to engage in a serious inquiry on the status of data brokers' products. EPIC believes that some of these products may be "consumer reports" for purposes of the Fair Credit Reporting Act, thus subjecting both the seller and the buyer to regulation under the Act.
Since that December filing, there have been a series of serious security breaches involving sensitive personal information in the news. Some commercial data brokers have sold personal information directly to criminals. This news has rekindled interest in creating rules for commercial data brokers to protect personal information.
In my statement today, I will begin by discussing Choicepoint and its recent data acquisitions. I will then shift to the fuel for Choicepoint's data—public records. Public records were intended to provide citizens with a window onto government, but increasingly they serve as a microscope for businesses and government to profile citizens. Next I will discuss commercial data brokers' self-regulatory rules. I will conclude with a framework of suggestions for reform of the commercial data broker industry.
The Known Extent of Choicepoint's Data Acquisition
Choicepoint became independent from Equifax, a leading U.S. credit rating agency, in 1997. ChoicePoint obtains 40,000 new public records daily to insert into its database of more than 19 billion records. Its business and government services division offers through its "AutoTrackXP" product identity verification, property records, bankruptcy records, licenses, liens, judgments, and other records to local, state and federal law enforcement, including the Drug Enforcement Administration and the Federal Bureau of Investigation. It also advertises the AutoTrackXP product as a solution for financial services anti-fraud and anti-money laundering compliance.
Since its spinoff from Equifax, ChoicePoint has acquired a number of information collection and processing companies. These include:
- National Data Retrieval, Inc., a provider of public records information;
- List Source, Inc., d/b/a Kramer Lead Marketing Group, a marketing company in the life and health insurance and financial services markets;
- Mortgage Asset Research Institute, Inc., a mortgage fraud monitoring company; Identico Systems, LLC, a customer identity verification company;
- Templar Corporation; insuranceDecisions, Inc., an insurance industry claims administration company;
- Bridger Systems, Inc., a USA PATRIOT Act compliance company;
- CITI NETWORK, Inc. d/b/a Applicant Screening and Processing, a tenant screening company;
- TML Information Services, Inc., a provider of motor vehicle reports.
- Drug Free, Inc., a drug testing company;
- National Drug Testing, Inc., a drug testing company;
- Application Profiles, Inc., a background check company;
- Informus Corporation; a company enabling ChoicePoint to offer products online;
- Tyler-McLennon, Inc., a background screening company;
- ChoicePoint Direct Inc., formerly known as Customer Development Corporation, a database marketing company;
- EquiSearch Services, Inc.;
- DATEQ Information Network, Inc., an insurance underwriting services company;
- Washington Document Service, Inc., a court record retrieval service;
- DataTracks Technology, Inc., a public record information company;
- DataMart, Inc., a database software company; Statewide Data Services, Inc;
- NSA Resources, Inc., a drug testing company;
- DBT Online, Inc., a public record services provider;
- RRS Police Records Management, Inc., a provider of police reports and related services;
- VIS’N Service Corporation; Cat Data Group, LLC;
- Drug Free Consortium, a drug testing company;
- BTi Employee Screening Services, Inc., an employee pre-screening services company;
- ABI Consulting Inc., a drug screening company;
- Insurity Solutions, Inc., an insurance rating company;
- National Medical Review Offices, Inc.;
- Bode Technology Group, Inc., a DNA identification company;
- Marketing Information & Technology, Inc., a direct marketing company;
- Pinkerton’s, Inc., a preemployment screening company;
- Total eData Corporation, an e-mail database company;
- L&S Report Service, Inc., a provider of police records;
- Resident Data, Inc., a residential screening services provider;
- Vital Chek Network, Inc., a provider of vital records;
- Accident Report Services, Inc., a provider of police records;
- Programming Resources Company, insurance software company;
- Professional Test Administrators, Inc., a drug testing company;
- CDB Infotek, a seller of public records;
- Medical Information Network, LLC, an online physician verification service; and
- Rapsheets.com, an online provider of criminal records data.
As you can see, it is difficult to generalize about Choicepoint. The company has personal information in many fields, and the public does not fully understand how this information is gathered, used, and sold. I would like to focus today's discussion on two aspects of Choicepoint's activities: the company's "AutoTrackXP" product, and the "VitalChek" subsidiary.
On its website, ChoicePoint markets "AutoTrackXP", which is described as:
AutoTrackXP and ChoicePoint Online provide Internet access to more than 17 billion current and historical records on individuals and businesses, and allow users to browse through those records instantly. With as little information as a name or Social Security number, both products cross-reference public and proprietary records including identity verification information, relatives and associates, corporate information, real property records and deed transfers. In addition, access is available to a staff of field researches who perform county, state and federal courthouse searches.
A sample AutoTrackXP report on the ChoicePoint web site shows that it contains Social Security Numbers; driver license numbers; address history; phone numbers; property ownership and transfer records; vehicle, boat, and plane registrations; UCC filings; financial information such as bankruptcies, liens, and judgments; professional licenses; business affiliations; "other people who have used the same address of the subject," "possible licensed drivers at the subject's address," and information about the data subject's relatives and neighbors.
The AutoTrackXP report is very similar in content to a standard credit report issued by one of the "big three" credit reporting agencies. However, AutoTrackXP is not governed by the Fair Credit Reporting Act. This means that anyone with a Choicepoint account can buy an AutoTrackXP report.
AutoTrackXP is Made Available to Law Enforcement With Little Privacy Process
Federal law enforcement agencies have multi-million dollar contracts with Choicepoint to have Internet access to AutoTrackXP. This raises serious due process issues. When law enforcement requests a credit report, it has to comply with procedures designed to protect individuals. For instance, full credit report normally cannot be obtained without a court order, grand jury subpoena, or child support request. But law enforcement can obtain much of the same information from AutoTrackXP reports without engaging in any process.
The Privacy Act of 1974 was enacted, in part, because of the specter of a federal data clearinghouse, one central place where all personal information could be stored for government access. When the law was passed in 1974, Congress envisioned that only the government could have the incentive and precious computing resources to build such a data clearinghouse. Congress was wrong—the private sector has created the feared federal data clearinghouse. Our law should not allow an end-run around the protections of the FCRA and Privacy Act where the private sector can escrow troves of personal information custom-tailored for the government.
AutoTrackXP is Available to a Wide Variety of Businesses Based on Their Status, Not Need
I have attached as Appendix II the standard subscriber agreement that Choicepoint uses for its services. Notice that page one enumerates the types of businesses that are eligible for the company's services. They include attorneys, law offices, investigations, banking, financial, retail, wholesale, insurance, human resources, security companies, process servers, news media, bail bonds, and if that isn't enough, Choicepoint also includes "other."
This illustrates a subtle but important reason why EPIC believes AutoTrackXP should be subject to Fair Credit Reporting Act regulation. Choicepoint allows dissemination of sensitive personal information to a broad array of businesses based on the business' status, not on their need for the personal information. That is, under the FCRA, a credit report can be pulled for a number of enumerated purposes. But under Choicepoint's regime, there is no purpose specification. Access is conditioned on one's status as an employee of a business, rather than on whether a specific purpose is articulated for obtaining the information. We think that it is this distinction that has contributed to personal information being sold to criminals. If users of Choicepoint were required to articulate a specific justification for each acquisition of personal information, auditing would be more effective, and there would be less opportunity to obtain information for illegitimate reasons.
Choicepoint isn't the only company that makes available sensitive personal information to those who may have no legitimate need or purpose for the data. U.S. Senator Charles Schumer noted last week that Westlaw made available Social Security Numbers to Congressional staff persons who had accounts on the service. Westlaw addressed the problem by blocking staff access to the database. It is unclear how many other Westlaw subscribers have access to the same information.
Commercial Data Brokers' Auditing Raises Serious Questions
The data leaks exposed in recent years have involved tens of thousands, hundreds of thousands, or even millions of records. How is it that so many records can be stolen before wrongdoing is detected?
In its subscriber agreement, Choicepoint writes that the company: "will conduct periodic reviews of Subscriber activity…violations discovered in any review by [Choicepoint] will be subject to immediate action, including…referral to federal or state regulatory agencies."
Has the company ever referred subscribers to authorities? Has the company terminated accounts of subscribers suspected of wrongdoing? Just how many unauthorized accesses can occur before Choicepoint's self-policing mechanism catches wrongdoing? 10? 10,000?
Has Choicepoint ever notified individuals, before implementation of the California Security Breach Notice Law, of unauthorized access to personal information? The answer may be no. In a recent Securities and Exchange Commission filing, Choicepoint wrote that in context of the most recent breach, the company only searched its records back to July 1, 2003:
"These numbers were determined by conducting searches of our databases that matched searches conducted by customers who we believe may have had unauthorized access to our information products on or after July 1, 2003, the effective date of the California notification law…"
If Choicepoint really cares about privacy and security, why did the company only search back to the effective data of California's security breach notification law?
The public does not know the answer to any of these questions.
Choicepoint's New Stance Is Insufficient to Protect Privacy
Two weeks ago, Choicepoint announced that the company will no longer sell "sensitive consumer data" except where "there is a specific consumer-driven transaction or benefit, or where the products support federal, state or local government and criminal justice purposes." We think that this concession does not fully address the risks to privacy posed by AutoTrackXP. First, Choicepoint is one of many commercial data brokers; its decision does not bind others. Second, it has articulated a subjective standard—"specific consumer driven transaction or benefit"—for sale of personal information. Under this standard, Choicepoint can decided what a consumer benefit is. In the past, Choicepoint has declared that selling personal information benefits consumers in the aggregate, and thus individuals should have no right to opt-out of Choicepoint's databases. Simply put, Choicepoint's idea of what benefits consumers differs from what consumers and consumers advocates think benefits them. Third, Choicepoint can always change its policy to the detriment of privacy. The last decade has seen a number of companies change their privacy policies to the detriment of consumers without any objection by the Federal Trade Commission.
VitalChek performs "expedited delivery of over 25,000 certified vital record documents on a weekly basis…VitalChek now provides service in all 50 states as well as British Columbia, Canada." VitalChek is now owned by Choicepoint.
Serious questions are raised by this relationship. Why should this company have access to vital records in all fifty states? When one orders a vital record, does Choicepoint get a copy too? Should vital records, which contain the same information that credit card companies use to authenticate new accounts, be so easily alienated on vitalchek.com?
And while Choicepoint emphasizes how responsible the company is with personal data, on its Vitalchek site, anyone can click on "Ultimate People Finder," and buy personal information on another for $6.95.
Perverting the Purpose of Public Records
Much of the personal information in AutoTrackXP originates from public records. In a variety of contexts, the government compels individuals to reveal their personal information, and then pours it into the public record for anyone to use for any purpose. The private sector has collected the information, repackaged it, and brought it back to the government and businesses full circle.
Privacy expert Robert Ellis Smith published a list of personal information that appears in court records systems in various states. The list includes medical records, Social Security numbers, victim's names, credit card and account numbers, psychiatric evaluation reports, juror's names, tax returns, payroll information, vehicle identification and driver's license numbers, and family profiles.
It is unfair to have this information systematically poured into the public record and used for any purpose by the private sector.
Public record policy in America was designed to protect people from government power; to provide a window into the operations of officials and thus a check on arbitrary or abusive exercise of authority. To a large extent, access to public records has served this purpose. But with electronic access and the power of aggregation, these policies have increasingly shifted to benefit the government and businesses. We need to realign these policies so that less personal information appears in the public record, while maintaining access to documents that allows for investigation and oversight of government.
Correction Rights Are Lacking
Many commercial data brokers do not extend any right of correction to individuals. They explain that since the information came from public records, the individual must correct the public record in order to amend the dossier held by the data broker. This policy does not recognize the potential for error that is inherent in commercial data brokers' information collection methods. Commercial data brokers send "stringers" to copy paper records into their databases. These stringers often copy the records by hand, and thus can make errors in transcription. There is no systematic way to test how accurate these transcriptions are.
The IRSG Principles Have Failed
The Individual Reference Services Group (IRSG) was formed in order to manage fomenting criticism regarding companies that sold personal information. The IRSG created "principles" for the sale of personal information, but dissolved shortly after passage of the Gramm-Leach-Bliley Act in 1999.
The Principles set forth a weak framework of protections, allowing companies to sell non-public personal information "without restriction" to "qualified subscribers," which include law enforcement agencies. So-called "qualified subscribers" need only state a valid purpose for obtaining the information and agree to limit redissemination of information. Under IRSG Principles, individuals can only opt-out of the sale of personal information to the "general public," but ChoicePoint does not consider its customers to be members of the general public.
The IRSG Principles have been carefully crafted in order to ensure maximum flexibility by CDBs. They have failed to set forth a reasonable degree of protection for individuals. These self-regulatory initiatives served their purpose—to stop Congress from creating real, enforceable rights while allowing privacy-invasive activities to continue.
Accordingly, recommended protections are suggested in the next section to promote privacy.
Suggestions for Reform
George Washington Law Professor Daniel J. Solove and I formulated a sixteen point strategy to address commercial databrokers. The full strategy can be accessed at http://ssrn.com/abstract=681902. I wish to present several of the approaches today.
There is no general knowledge about the companies using personal information. In order to grant consent, gain access, or otherwise exercise one's rights with regard to personal information maintained by data brokers, credit reporting agencies, and other institutions, people must know about what institutions are collecting their data. Accordingly, we have suggested that any company "primarily engaged in interstate collection, maintenance, and/or sale of personally identifiable information" should register with government consumer protection authorities. Such registration information could be made available online, allowing individuals to learn of data brokers and their rights with respect to them.
Access to and Accuracy of Personal Information
ChoicePoint and other data brokers collect detailed dossiers of personal information on practically every American citizen. Most people haven't even heard of these companies. Even if they do know about these companies, people have no way of knowing what information is maintained about them, why it is being kept, to whom it is being disseminated, and how it is being used. The records maintained by these companies can have inaccuracies. This wouldn't matter much if the information were never used for anything important. But the data is being used in ways that directly affect individuals – by businesses for background checks, creditors for assessing financial reputations, the government for law enforcement purposes, and private investigators for investigation. Accordingly, we suggest that individuals should have the ability to visit a centralized source to access and correct information from data brokers at no cost.
Businesses and financial institutions currently grant access to people's records when the accessor merely supplies a Social Security Number, date of birth, mother's maiden name, or other forms of personal information that is either available in public records or sold by data brokers. This makes the repositories of individuals' personal data and their accounts woefully insecure, as identity thieves can readily obtain the information needed to gain access and usurp control.
Accordingly, we suggest that companies develop methods of identification which (1) are not based on publicly available personal information or data that can readily be purchased from a data broker; and (2) can be easily changed if they fall into the wrong hands. Biometric identifiers present problems because they are impossible to change, and if they fall into the wrong hands could prove devastating for victims as well as present ongoing risks to national security.
Social Security Number Use Limitation
Numerous businesses and organizations demand that a person provide a Social Security Number and then use that number as a password for access to accounts and data. Many schools and other organizations use Social Security Numbers on identification cards, thus ensuring that when a wallet is lost or stolen, one's Social Security Number is exposed. The use of Social Security Numbers is so extensive that as simple a transaction as signing up for cell phone service often requires disclosing one's Social Security Number. Accordingly, we suggest that unless specifically authorized by statute or regulation, business and other privacy sector entities shall be barred from using Social Security Numbers for identification purposes.
Access and Use Restrictions for Public Records
Our current policy for public records was developed in a day where all information was on paper, dispersed across the country in small courthouses. Information was poorly indexed; periodically, it was destroyed by fire, improper storage, or negligence. Access was difficult enough. Aggregation was impossible. Today, massive database companies sweep up the data in public record systems and use it to construct dossiers on individuals for marketers, private investigators, and the government. This is what ChoicePoint does. These uses of public records turn the justification for public records on its head. Public records are essential for effective oversight of government activities, but commercial data brokers have perverted this principled purpose, and now public records have become a tool of businesses and the government to watch individuals.
States that allow broad access to public records are supplying troves of data to law enforcement. For instance, ChoicePoint's AutoTrackXP services include thirty-six extra databases on Florida residents and seven extra on Texans. Access to information on Florida residents is particularly broad. It includes marriage records, beverage licensees, concealed weapons permits, day care licensees, handicapped parking permits, "sweepstakes," worker compensation, medical malpractice, and salt water product licensees.
Accordingly, we suggest that access to personal information in public records shall be restricted for certain purposes. For example, accessing public records to obtain data for commercial solicitation should be prohibited. Other purposes shall be permitted: monitoring the government, research, educational purposes, tracing property ownership, and other traditional non-commercial purposes. Furthermore, state and local agencies that maintain public record systems must make substantial efforts to limit the disclosure of Social Security Numbers, phone numbers, addresses, and dates of birth.
Curbing Excessive Uses of Background Checks
Background checks are cheaper now than ever before, leading to a situation where individuals are being screened for even menial jobs. We risk altering our society to one where the individual can never escape a youthful indiscretion or a years-old arrest, even for a minor infraction. Background checks are frequently being used by employers even for jobs that do not involve security-related functions, the handling of large sums of money, or the supervision of children or the elderly. Accordingly, we suggest that background checks should only be performed in contexts where fiduciary relationships are involved, where a large amount of money is handled, where employment involves care taking, or any of the jobs enumerated by the Employee Privacy Protection Act, 29 U.S.C. § 2007. Whether background checks are performed by employers or by companies hired to do the screening, the employee or prospective employee shall receive a copy of the actual investigation.
Limiting Government Access to Business and Financial Records
Increasingly, the government is gathering personal information from businesses and financial institutions. Companies such as ChoicePoint have multi-million dollar contracts with government agencies to supply them with personal information. The Fourth Amendment is often inapplicable because in a series of cases, including United States v. Miller, 425 US 435 (1976) and Smith v. Maryland, 442 US 735 (1979), the Court has held that whenever a third party possesses personal information, there is no reasonable expectation of privacy. In the Information Age, it is impossible to live without extensive information about one’s life existing in the hands of various third parties: phone companies, cable companies, Internet Service Providers, merchants, booksellers, employers, landlords, and so on. Thus, the government can increasingly obtain detailed information about a person without ever entering her home. Accordingly, we recommend that whenever the government attempts to access personal information from third parties that maintain record systems of personal information (databases or other records of personally identifiable information on more than one individual), the government should be required to obtain a special court order that requires probable cause and particularized suspicion that the information sought involves evidence of a crime. Exceptions should exist for reasonable law enforcement needs, including emergency circumstances.
Finally, I wish to note that the Solove/Hoofnagle approach would preserve the rights of the states to continue to innovate new protections for privacy.
Thank you for holding this hearing on information aggregators. We have long suspected, and recent events now have confirmed, that commercial data brokers present a serious risk to privacy that needs to be addressed by robust privacy law. We look forward to continuing to working with the Committee to provide information on this topic and other privacy issues.
ChoicePoint, AutoTrackXP and ChoicePoint Online, http://www.choicepoint.com/industry/government/ public_le_1.html (accessed Oct. 25, 2004).
 Chris Jay Hoofnagle, Big Brother's Little Helpers: How ChoicePoint and Other Commercial Data Brokers Collect and Package Your Data for Law Enforcement, 29 N.C.J. Int'l L. & Com. Reg. 595 (Summer 2004) (attached as Appendix I).
ChoicePoint, All Financial Solutions, http://www.choicepoint.com/business/financial/allfinan.html (accessed Oct. 25, 2004).
 ChoicePoint, AutoTrackXP and ChoicePoint Online, http://www.choicepoint.com/industry/retail/public_cbi_1.html.
 ChoicePoint, AutoTrackXP Report, http://www.choicepoint.com/sample_rpts/AutoTrackXP.pdf.
 Individuals were easily able to exploit the relationship between Ford Motor Credit and Experian to obtain 30,000 credit reports. Benjamin Weiser, Identity Ring Said to Victimize 30,000, N.Y. Times, Nov. 26, 2002, p A1.
 The records of twenty million people, some of which contained SSNs, were stolen from commercial data broker Acxiom in 2003. While Acxiom claimed that its security system was extraordinary, hackers were able to download password files for all accounts on the system. DOJ, Milford Man Pleads Guilty to Hacking Intrusion and Theft of Data Cost Company $5.8 Million, Dec. 18, 2003, available at http://www.usdoj.gov/criminal/cybercrime/baasPlea.htm.
 Choicepoint form 8-K, Mar. 4, 2005, available at http://phx.corporate-ir.net/phoenix.zhtml?c=95293&p=irol-SECText&TEXT=aHR0cDovL2NjYm4uMTBrd2l6YXJkLmNvbS94bWwvZmlsaW5nLnhtbD9yZXBvPXRlbmsmaXBhZ2U9MzMxMzE3MiZkb2M9MCZhdHRhY2g9b24=
 ChoicePoint to Exit Non-FCRA, Consumer-Sensitive Data Markets; Shift Business Focus to Areas Directly Benefiting Society and Consumers, Choicepoint Press Release, Mar. 4, 2005, available at http://www.choicepoint.com/choicepoint/news.nsf/IDNumber/TXK2005-5381565?OpenDocument.
 The privacy statement mailed to individuals who request their AutoTrackXP report read in part: "We feel that removing information from these products would render them less useful for important business purposes, many of which ultimately benefit consumers. ChoicePoint DOES NOT DISTRIBUTE NON-PUBLIC INFORMATION (as defined in the Principles) TO THE GENERAL PUBLIC PURSUANT TO SECTION V(C) OF THE PRINCIPLES. The general public therefore has NO direct access to or use of NON-PUBLIC INFORMATION (as defined in the Principles) from ChoicePoint whatsoever. Letter from Gina Moore, ChoicePoint, to Chris Hoofnagle, Electronic Privacy Information Center (Feb. 21, 2003) (emphasis in original), available at http://epic.org/privacy/choicepoint/cp_nooptout.pdf.
 Robert Ellis Smith, Here's Why People Are Mad, Vol. 29, No. 3 Privacy J. 7, 7 (Jan. 2003) (citing Stephen Grimes, administrator of the Judicial Records Center in Rhode Island).
 Daniel J. Solove, Digital Dossiers and the Dissipation of Fourth Amendment Privacy, 75 S. Cal. L. Rev. 1083, 1084 (2002); see Daniel J. Solove, Access and Aggregation: Public Records, Privacy, and the Constitution, 86 Minn. L. Rev. 1137, 1152-54 (2002) (explaining how the digitization of records has made personal information documents more accessible and less secure)
Chris Jay Hoofnagle, Big Brother's Little Helpers: How ChoicePoint and Other Commercial Data Brokers Collect and Package Your Data for Law Enforcement, 29 N.C.J. Int'l L. & Com. Reg. 595 (Summer 2004)
EPIC Privacy Page | EPIC Home Page
Last Updated: April 18, 2005
Page URL: http://www.epic.org/privacy/choicepoint/casban3.30.05.html