NEWS

< http://www.securityfocus.com/news/7622 >


 


In a data-mining society, privacy advocates shudder

By Brian Bergstein, The Associated Press Dec 10 2003 9:02PM

Edward Socorro had a good thing going as a sales manager with Hilton Hotels Corp. But not long after he started, a company hired by Hilton to do background checks on new employees reported that Socorro once spent six months in jail.

In reality, Socorro was no ex-con. He protested that the background check was wrong. But still he was fired. And although he later settled a lawsuit against Hilton, the damage was done.

Socorro learned the hard way about an increasing danger in our ever-more-networked society: the reliance of corporations and governments on commercially accessible databases that mine the paper trails of our lives. It figures to be among vital privacy issues garnering wider attention in 2004.

Databases have become remarkably efficient and inexpensive to query. Many employers, schools and even volunteer organizations now trust them in making decisions about whom to take on and whom to avoid.

But these databases are not infallible. They can be misinterpreted or only partially accurate, showing arrests or criminal records that were later wiped clean -- just enough to cost someone a job.

Privacy advocates and civil liberties groups are alarmed. They think some of these background checks could violate federal employment laws and credit-reporting rules that let consumers examine information on file about them.

At the very least, the Internet has made it far easier for anyone to obtain not only someone else's birthdates and social security numbers but also liens, lawsuits, divorces and other personal and potentially embarrassing -- but technically public -- information.

Such material was once available only to people who bothered to dig through musty courthouse files.

"I consider the issue of public records on the Internet to be one of the most challenging public policy issues of our time," said Beth Givens, director of the Privacy Rights Clearinghouse.

Activists have been sounding alarms for years about the decline of privacy in the digital age, with the public sometimes responding.

Witness attempts by lawmakers in 2003 to stomp out telemarketing and spam, albeit with limited success. Or how spooked citizens recently recirculated e-mails warning that Google can within seconds deliver the names and addresses that coincide with listed phone numbers.

Privacy advocates say far more worrisome intrusions are due as improving technology gives government, advertisers and insurance companies new ways to harvest precise information.

"We are really on the cusp of creating a surveillance society where every action, every utterance -- some might say every thought -- can be traced," said Barry Steinhardt, director of the American Civil Liberties Union's technology and liberty program.

The next year will bring more debate over radio-frequency identification, or RFID, which lets stores and suppliers track inventory. Critics fear it could secretly monitor consumers' behavior or whereabouts; retailers say those worries are overblown partly because RFID tags will be disabled at checkout counters.

Meanwhile, the U.S. government, acting on post-Sept. 11 mandates, will be monitoring travel more closely.

The government plans to begin scanning and storing foreign visitors' facial images and fingerprints in 2004. It also is developing CAPPS II -- the Computer Assisted Passenger Prescreening System -- which is expected to check travelers' credit reports, consumer transactions and other personal data.

While a privacy outcry led Congress to scale back the Pentagon's Total Information Awareness data-mining program this year, several states are cooperating on a similar terrorism and law-enforcement database project called Matrix, which is maintained by a private company in Florida.

Critics of such systems say they enable an unprecedented amount of snooping on law-abiding citizens but do little to actually enhance security -- consequently creating a dangerous, false sense of safety.

Other activists worry that detailed databases are ripe material for identity thieves or even terrorists.

For example, Robert Bulmash, founder of the Private Citizen advocacy group, points out that Edith Roman Associates Inc., which sells lists to direct-marketing companies, offers a file identifying 124,000 executives and officials who make homeland security-related decisions.

Or consider that a leading records aggregator, Acxiom Corp., was struck last year by a hacker who downloaded sensitive information belonging to about 10 percent of Acxiom's corporate customers.

"So long as there are databases out there that collect and maintain and put online aspects of our personal life, they're subject to theft and hacking and misuse," Bulmash said.

Bulmash believes companies should not sell or share personal data on citizens without getting explicit consent, a model followed in much of Europe.

And like other privacy watchdogs, Bulmash suggests that Americans buy and check their credit reports and files maintained by records companies like Acxiom or ChoicePoint Inc. to avoid mixups like the one that scorched Socorro.

Socorro had committed a minor infraction in Illinois -- now expunged from his record, according to his attorney -- that brought him six months of supervision, a wrist-slap often given for speeding tickets.

After that erroneously came up as jail time and Hilton fired him, it took Socorro seven months to find a new job. He eventually settled the lawsuit against Hilton and background checker IMI Data Search Inc.

To be sure, society can benefit from making more information publicly accessible. Quickly scanning city property records, for example, makes it far easier to see whether the assessor's nephew is getting a sweet deal on his taxes.

In hopes of serving such ideals while enhancing privacy, technology researchers are trying to develop ways to shuttle files around the Internet and within organizations so that only certain people can see certain pieces of information at a time.

In fact, the National Science Foundation recently launched a $12.5 million, five-year project to explore whether Internet communication protocols and applications _ which were designed for maximum openness -- could be rewritten to incorporate copyright law, medical-privacy rules and other consumer protections.

Even if the project succeeds, one participant, Yale University computer science professor Joan Feigenbaum, believes new information laws will be necessary, to reflect the sensitivity of "bread crumbs" we leave in the networked world.

But many privacy watchdogs fear legislative answers won't come soon. For evidence, they point to recent changes in the Fair Credit Reporting Act that added some new consumer protections but pre-empted more powerful -- and forward-looking -- measures enacted by some states.

"Our privacy is on life support," Steinhardt said. "And we need to take some heroic measures to save it."


 
Copyright 2004 Associated Press. All rights reserved.
This material may not be published, broadcast, rewritten, or redistributed.


Copyright © 1999-2005 SecurityFocus