Vermont passes first law to crack down on data brokers

Data Dump

TechCrunch reports:

While Facebook and Cambridge Analytica are hogging the spotlight, data brokers that collect your information from hundreds of sources and sell it wholesale are laughing all the way to the bank. But they’re not laughing in Vermont, where a first-of-its-kind law hems in these dangerous data mongers and gives the state’s citizens much-needed protections.

Data brokers in Vermont will now have to register as such with the state; they must take standard security measures and notify authorities of security breaches (no, they weren’t before); and using their data for criminal purposes like fraud is now its own actionable offense.

If you’re not familiar with data brokers, well, that’s the idea. These companies don’t really have a consumer-facing side, instead opting to collect information on people from as many sources as possible, buying and selling it amongst themselves like the commodity it has become.

This data exists in a regulatory near-vacuum. As long as they step carefully, data brokers can maintain what amounts to a shadow profile on consumers. I talked with director of the World Privacy Forum, Pam Dixon, about this practice.

“If you use an actual credit score, it’s regulated under the Fair Credit Reporting Act,” she told me. “But if you take a thousand points like shopping habits, zip code, housing status, you can create a new credit score; you can use that and it’s not discrimination.”

And while medical data like blood tests are protected from snooping, it’s not against the law for a company to make an educated guess about your condition from the medicine you pay for at the local pharmacy. Now you’re on a secret list of “inferred” diabetics, and that data gets sold to, for example, Facebook, which combines it with its own metrics and allows advertisers to target it.

(click here to continue reading Vermont passes first law to crack down on data brokers | TechCrunch.)

Exactly why I wish the US would implement its own version of the GDPR that we’ve discussed. Corporations that mine our digital data, and sell it, and resell it, without oversight, or without giving “a taste” to the consumer are corporations that need to be regulated and watched by a consumer protection agency of some kind. Not every consumer is savvy enough to obfuscate their tracks, and honestly, even somewhat savvy consumers are no doubt caught up in these nameless corporations’ databases. Corporations like EquifaxQuotient and Catalina Marketing and a few thousand others don’t really need to use browser cookies anymore, they also use the unique ID of your devices, they track your IP numbers down to your block group, and can track you at home, at office, via phone, via credit card, via geolocation and via other means. I find it Orwellian and creepy.

My sincere wish is that Vermont continues on this path of regulation of the wild, wild web of data brokers, and that other states and the entire country follow suit.

Facebook Doesn’t Pay You Because That’s Not Their Model

Fuck The Internet

In the context of describing yet another social network aimed at Facebook, albeit one that allegedly will pay you for your content[1], Wired reports:

DURING MARK ZUCKERBERG’S over 10 hours of Congressional testimony last week, lawmakers repeatedly asked how Facebook makes money. The simple answer, which Zuckerberg dodged, is the contributions and online activities of its over two billion users, which allow marketers to target ads with razor precision. In which case, asked representative Paul Tonko (D – New York), “why doesn’t Facebook pay its users for their incredibly valuable data?”

(click here to continue reading Minds Is the Anti-Facebook That Pays You For Your Time | WIRED.)

Yeah, Facebook doesn’t want to really discuss this key aspect of their business in public: all their wealth is based on the mining and reselling of their users’ data. It was never a hidden fact, it was always known to anyone who bothered to ask, but Facebook doesn’t really like to explain it so that the majority realize they are the product being sold.

So let’s be clear, Facebook, Snapchat, Instagram, and Twitter even[2] only exist to collect data about their users, and use information gleaned from their users to sell to corporations, or governments, etc. That is the model. If everyone, including your grandmother, and my 14-year-old nephew understands this basic fact, we’ll all benefit as a society.

Footnotes:
  1. in cryptocurrency
  2. which I still use frequently, maybe even more than I should

Dental receptionist allegedly at the center of a massive identity theft scam

Teeth

Speaking of health care practitioners who cannot manage to protect personal data, there is another reason to be skeptical when your dentist wants copies of your driver’s license and so on…

The New York District Attorney’s Office says that a massive identity theft ring stems from a Manhattan dental receptionist who stole customers’ personal information.

Four people, including 27-year-old Annie Vuong, the alleged receptionist, now stand accused of 394 charges relating to theft of $700,000. All four say they’re not guilty.

The scheme centers around the fact that it’s actually quite easy, if you have enough of a person’s information, to create an Apple account, and with one of those, it only takes about 30 seconds to get approved for a program to buy an Apple-themed Barclays Visa card. With one of those, customers can instantly turn right back around and buy Apple gift cards, which can be redeemed in Apple’s physical stores.

(click here to continue reading Dental receptionist allegedly at the center of a massive identity theft scam.)

Your Data Is Not Safe at Anthem Nor At Other Healthcare Corporations

Classless Society

The next decade is going to be a continual escalation of these sorts of crimes. Many sectors of corporations have skimped on beefing up their security practices, making it easier for criminals to steal consumer data.

patient medical records typically include information not easily destroyed, including date of birth, Social Security numbers and even physical characteristics that make them more useful for things like identity theft, creation of visas or insurance fraud by falsely billing for expensive medical or dental procedures that were either never done or performed on someone else. Some criminals have also tried a form of so-called ransom ware in which they threaten to reveal medical information unless they are paid.

“The whole thing is evolving,” said Barbara Filkins, an analyst with the SANS Institute, which has studied the risk to the health care sector.

Hospital systems, for example, are increasingly asking for photo IDs and driver’s licenses in an effort to block patients who have stolen someone else’s medical identity, said John Barlament, a lawyer at Quarles & Brady in Milwaukee. The use of medical identity fraud is growing, he said. “It’s a one-way trend here,” he said.

(click here to continue reading Data Breach at Anthem May Lead to Others – NYTimes.com.)

Site of the Doctors' Commons

From my perspective, I hate when health care providers make copies of my driver’s license and write down my social security number and so on. Why? Because I don’t trust that they will keep my data safe. Especially as there is a push to digitize health records, health practitioners need to have stronger data management and destruction policies. Should a dentist I visited once several years ago be able to keep all my information forever? I guess I need to get a fake ID for these sorts of situations.

The push to digitize patient health records in hospitals and doctors’ offices has also made medical records increasingly vulnerable, according to security experts. Moving medical records from paper to electronic form allows both patients and providers better access, but it has also made patient records susceptible to breaches, whether unintentionally or through a criminal attack.

About 90 percent of health care organizations reported they have had at least one data breach over the last two years, according to a survey of health care providers published last year by the Ponemon Institute, a privacy and data protection research firm. The founder, Larry Ponemon, a security expert, says most were because of employee negligence or system flaws, but a growing number are malicious or criminal.

Last year, 18 health care providers reported data breaches because of some form of hacking. Information at Centura Health was compromised last year after a phishing scheme obtained access to employee email accounts. The data included, in some instances, Social Security numbers, Medicare beneficiary numbers and clinical information for 12,000 patients of the facility, based in Englewood, Colo. In another case, a keystroke logger virus that infected three computers for a few weeks early last year at the student health center at the University of California, Irvine, may have captured patients’ health and dental insurance numbers and diagnoses.

Health care providers have sharply increased their spending on data security in the last year, but they remain technologically far behind other industries, say experts.

(click here to continue reading Data Breach at Anthem May Lead to Others – NYTimes.com.)

Photo Republished at All that Big Data Is Not Going to Manage Itself: Part One | The Signal: Digital Preservation

Data Dump 

My photo was used to illustrate this post

Since 2003 we’ve seen the National Science Foundation release its requirements for Data Management Plans (DMPs) and the White House address records management, open government data and “big data.”  There are now data management and sharing requirements from NASA, the Department of Energy… In this two-part series on government data management we’ll take a look back at some of the guidance that is driving data management practices across the federal government. In the second part we’ll look at the tools and services that have developed to meet the needs of this expanding data management infrastructure. It’s 2014 and we’re still struggling to ensure that the outputs of government-funded research are secure and made accessible as building blocks for new knowledge, but it’s not for lack of trying: federal government agencies such as NIH and the NSF recognized the need to preserve and keep data accessible through the requirements tied to their grant funding.

(click here to keep reading All that Big Data Is Not Going to Manage Itself: Part One | The Signal: Digital Preservation.)

Facebook Is the NSA of Corporate America

Over Under Sideways

Speaking of Big Data and Facebook, the marketing and privacy experts at Mark Zuckerberg’s data mining company have come up with a new way to make money off of you: turning on the microphone on your mobile device, and listening in to your life as you live it.

The social network appears to be preparing to serve ads to users based on a Shazam-style feature that picks up via the microphones on devices with Facebook’s app installed—watching Breaking Bad? Check out this ad for the new drama on AMC. Listening to OutKast? Try Ludacris.…

Facebook’s ad strategy is getting more sophisticated every week; with the new tool (which Facebook stresses is optional, though you know how it is: if people like it and it’s convenient, that’s better than mandatory), it’ll have far more information about something Nielsen, Acxiom and other data giants conduct huge panel studies to determine: user media habits. Not the media habits users write down in diaries, but what people actually do and might not self-report to anyone but their friends—who marathons Murder, She Wrote until 3 in the morning or listens to nothing but Ween for three straight months.

  • It’s totally fair to wonder where the data derived from the recordings—song title, album, etc.—is stored and where it goes. Based on the fact that this is being used for marketing, the short answer seems to be “to people who are willing to pay to know what you’re into.” 
  • It’s hard to make this not creepy. Facebook is using your cell phone to listen to you and serve you ads. It’s doing it all in the name of user convenience, of course, but it’s still doing it. 
  • Marketers are going to love this. Dynamic ad serving has been a pipe dream for so long, and Facebook’s multi-billion-person user base is everyone’s favorite thing for that specific purpose.

(click here to continue reading Listening to Beyoncé? Facebook Has an Ad for You | Adweek.)

Or Pay The Price

From the WSJ:

Facebook on Wednesday added a feature to its mobile app that identifies music and television shows playing in the background and suggests users share them with a larger audience.

The feature was the latest in a series of changes by Facebook to nudge users to divulge more—and more-specific—personal information on the social network. This week, it introduced a feature that allows users to prompt their friends to divulge more information about themselves. Last year, the social network allowed users to categorize posts by activity.

Facebook uses the data to sell targeted advertisements. The more detailed the information it gathers from users, the more personalized—and expensive—advertising the company can sell.

The recent changes represent an effort by Facebook to prod users into sharing more information about themselves. In recent years, the company has added categories, like “watching,” “eating” or “listening,” that users can add to their posts. In April it created a “traveling to” category, allowing users to post their travel destinations. A “nearby friends” feature, also rolled out last month, lets users know when their Facebook friends are in the vicinity. Turning on the feature lets Facebook track users wherever they go, even when the app is closed.

This week, Facebook began allowing users to request their friends’ relationship status using the new “Ask” button.

Advertisers like the additional data.

(click here to continue reading Facebook Adds Feature to Identify Music, TV Shows – WSJ.com.)

Continuous Video Recording in Progress

Amusingly, Facebook announced on the same day:

Responding to business pressures and longstanding concerns that its privacy settings are too complicated, Facebook announced on Thursday that it was giving a privacy checkup to every one of its 1.28 billion users.

 …

“They have gotten enough privacy black eyes at this point that I tend to believe that they realized they have to take care of consumers a lot better,” said Pam Dixon, executive director of the World Privacy Forum, a nonprofit research and advocacy group. Ms. Dixon was briefed in advance about the latest changes.

For most of its 10-year history, Facebook has pushed — and sometimes forced — its users to share more information more publicly, drawing fire from customers, regulators and privacy advocates across the globe.

(click here to continue reading Facebook Offers Privacy Checkup to All 1.28 Billion Users – NYTimes.com.)

Sure, sure they are.

Experian Sold Consumer Data to ID Theft Service

We Finally Came To Realize


A troubling tale via Krebs on Security:

An identity theft service that sold Social Security and drivers license numbers — as well as bank account and credit card data on millions of Americans — purchased much of its data from Experian, one of the three major credit bureaus, according to a lengthy investigation by KrebsOnSecurity.

Contacted about the reader’s claim, U.S. Info Search CEO Marc Martin said the data sold by the ID theft service was not obtained directly through his company, but rather via Court Ventures, a third-party company with which US Info Search had previously struck an information sharing agreement. Martin said that several years ago US Info Search and CourtVentures each agreed to grant the other company complete access to its stores of information on US consumers.

Founded in 2001, Court Ventures described itself as a firm that “aggregates, repackages and distributes public record data, obtained from over 1,400 state and county sources.” Cached, historic copies of courtventures.com are available through archive.org.

THE ROLE OF EXPERIAN

In March 2012, Court Ventures was purchased by Costa Mesa, Calif.-based Experian, one of the three major consumer credit bureaus. According to Martin, the proprietors of Superget.info had gained access to Experian’s databases by posing as a U.S.-based private investigator. In reality, Martin said, the individuals apparently responsible for running Superget.info were based in Vietnam.

Martin said he first learned of the ID theft service after hearing from a U.S. Secret Service agent who called and said the law enforcement agency was investigating Experian and had obtained a grand jury subpoena against the company.

While the private investigator ruse may have gotten the fraudsters past Experian and/or CourtVentures’ screening process, according to Martin there were other signs that should have alerted Experian to potential fraud associated with the account. For example, Martin said the Secret Service told him that the alleged proprietor of Superget.info had paid Experian for his monthly data access charges using wire transfers sent from Singapore.

“The issue in my mind was the fact that this went on for almost a year after Experian did their due diligence and purchased” Court Ventures, Martin said. “Why didn’t they question cash wires coming in every month? Experian portrays themselves as the databreach experts, and they sell identity theft protection services. How this could go on without them detecting it I don’t know. Our agreement with them was that our information was to be used for fraud prevention and ID verification, and was only to be sold to licensed and credentialed U.S. businesses, not to someone overseas.”

Experian declined multiple requests for an interview.

(click here to continue reading Experian Sold Consumer Data to ID Theft Service — Krebs on Security.)

Or Pay The Price

So if your account was one of the unlucky ones, what was stolen?

These services specialized in selling “fullz” or “fulls,” a slang term that cybercrooks use to describe a package of personally identifiable information that typically includes the following information: an individual’s name, address, Social Security number, date of birth, place of work, duration of work, state driver’s license number, mother’s maiden name, bank account number(s), bank routing number(s), email account(s) and other account passwords. Fulls are most commonly used to take over the identity of a person in order to engage in other fraud, such as taking out loans in the victim’s name or filing fraudulent tax refund requests with the IRS.

All told, findget.me and superget.info acquired or sold fullz information on more than a half million people, the government alleges.

Why exactly do we as a society allow Experian and similar organizations to collect this data in the first place? They accumulate the data, and sell it to advertisers, or to scammers, and what benefit does it bestow on us? Other than headache and grief…

There was much gnashing of teeth when we discovered just how many hard disks the N.S.A. has filled with our personal data. Why do Experian and other similar corporations get a pass from the public?

Revolution of The Innocent

especially when Experian will skip away from this investigation with nothing more than a slap on the wrist with a wet noodle…

Meanwhile, it’s not clear what — if any — trouble Experian may face as a result of its involvement in the identity theft scheme. This incident bears some resemblance to a series of breaches at ChoicePoint, a data aggregator that acted as a private intelligence service to government and industry. Beginning in 2004, ChoicePoint suffered several breaches in which personal data on American citizens was accessed by crooks who’d used previously stolen identities to create apparently legitimate businesses seeking ChoicePoint accounts. ChoicePoint was later sued by the U.S. Federal Trade Commission, an action that produced a $10 million settlement — the largest in the agency’s history for a violation of federal privacy law.

Experian makes about $500,000,000 in profit a year, btw.