Wednesday, March 19, 2008

Treasury Department OFAC list catching, "blacklisting" misidentified consumers

Ellen Nakashima has a story in the Washington Post that mixed consumer identity protection with “reputation defense.” It is “A Good Name Dragged Down: Consumers Get Tangled in Terrorist Watchlist,” link here. The story is on page D1, Business, of today’s Washington Post (Wed. March 19). The story also has an illustration: a nametag with the words "Hello, my name is Mud".

The story refers to the Treasury’s Office of Foreign Assets Control. Companies are not allowed to do business with individuals on the list. But unfortunately they often miss identify consumers, especially those with Muslim-sounding names. One person was asked to undress and show that he did no have a particular tattoo when he tried to buy a car.

The OFAC runs a list of “specially designated nationals.” Banks, apartments, car dealers, etc. can not legally process transactions with persons on the list, who are effectively "blacklisted" by the Treasury Department. But OFAC has not provided a convincing procedure to handle misidentification. Persons have been told to contact credit reporting agencies, but this would not have anything to do with the list. The OFAC list does not seem to be well-coordinated with other lists.

Obviously persons really on the list might have an incentive to steal identities of similarly named people, and an NCOA-check such as what I’ve proposed on these pages might help prevent mishaps.

On March 18 Nakashima had a similar story “Reports Cite Lack of Uniform Policy for Terrorist Watch List, p A02, link here.

Sunday, March 16, 2008

VA bans individuals from posting SSN's from online public records (Virginia)

Dena Potter has an AP story about the new Virginia state law, "Law bars publicizing Social Security Numbers: Violators face $2,500 penalty; ACLU eyes challenge." The AP itself did not show a link to it but The Washington Times ran it today on p A7, the Metropolitan Section, link here.

The law was by the Virginia General Assembly. It would appear to prohibit any individual or entity from publishing (as on a personal website, blog, or social networking profile) the social security number of any individual, even those obtained online from websites operated by the State.

This seems to be going after individuals for what is a government and big business problem. Consumer security is threatened largely because large institutions are reckless in identifying borrowers.

Friday, March 07, 2008

Low-tech problems: a man lives off a name on a student id card for over two decades

Even over twenty years ago, identities could be borrowed. Last night (March 6) ABC World News Tonight presented the story of Charles Free (an ironic name) who escaped from a Florida prison in 1979 (by walking away from a work detail), found a lost student ID card with the last name of Free, and built a new life on that name.

The story is by Jim Avila, Beth Tribolet, Lauren Pearle, and Scott Michels. The title at ABC is "A Free Man for 30 Years, Fugitive Faces Prison; Family of Escapee Who Led Upstanding Life Pleads to Keep Him Out of Jail." He raised a family in Nevada, but now Florida wants him back. (Remember the song "Indiana wants me.") Here is the link. He (actually Jack Allen Hazen) is in poor health and might not survive serving his prison term now.

A somewhat similar story is the Sara Jane Olson story, about a woman who fled from charges related to the Symbionese Liberation Army (with Patty Hearst) in the 1970s. The cops caught up with her in St. Paul, MN in 1999. There was a book about her; here is the review.

In 2004, Lifetime TV aired a movie about another similar story, "The Michelle Brown Story," about how a domestic lived off the identity of her employer.

So there have been plenty of low-tech ways for this to happen in the past.

Saturday, March 01, 2008

110th Congress has signficant bills to protect consumer identity security

The March issue of the Erickson Tribune discusses recent attempts in Congress to protect consumer identification security. I give all the detailed links here.

The most important bill in the 110th Congress is in the Senate: Personal Data Privacy and Security Act of 2007, introduced by Patrick Leahy (D-VT), S. 495. This bill would criminalize many activities that deliberately or negligently jeopardize consumer security, and would require that data brokers make data on individual consumers available when requested. In the past, this has been an issue because data brokers don’t provide credit reports or “FICO scores” as such, but employers and landlords use them, and mis-information is possible. Data is sometimes collected on the wrong individual, and sometimes these companies present data on all like-named individuals in one report, a practice that could harm the reputation of a job applicant from a psychological perspective.

The bill does not appear at first to "burden" small businesses, although entrepreneurs who process their own credit card purchases and have high volumes of customers (often with the help of third party shared or dedicated web hosting) could be impacted, and systems development on the part of large ISPs like Verio could be needed to help them.

The House has a simpler bill, H. R. 958, the Data Accountability and Trust Act. It would also address non-digital records.

The House also has a better known and somewhat controversial bill, H.R. 3046, the Social Security Number Privacy and Identity Theft Protection Act of 2007, introduced by Michael McNulty (D-NY). This would prevent the “sale” of social security numbers, and data brokerage companies (and perhaps credit reporting companies) have argued and lobbied that this law would interfere with legitimate functions in their business.

Still, I think Congress could do more to require due diligence from major lender in properly identifying customers, using the NCOA database owned by the USPS, although considerable systems development and implementation (much of it mainframe, probably done by coordinated major vendors like EDS, Perot Systems, IBM, Computer Sciences, Unisys, Northrup-Grumman, etc) would have to take place first.