Friday, May 13, 2005

Patriot Act Rewards ChoicePoint

"Identity Verification" Exposes Consumers to Risks

Consumer Affairs reports:
Most Americans give their uncritical approval to renewing the USA PATRIOT Act, passed hastily by Congress in the aftermath of 9/11. Few realize that key provisions of the measure put every American's private personal data into the hands of the very bunglers so heartily vilified in recent months for selling, losing and misplacing hundreds of thousands of consumers' records.
The drive to quickly ratify the sweeping measures so quickly passed a few years ago began in April, with Attorney General Albert Gonzales urging Congress to renew every single provision aspect of the Act before key provisions expire in December. "Now is not the time to engage in unilateral disarmament" when dealing with terrorists and their associates, he said.

The words are stirring, as politicians' words so often are. Would the response have been as positive if Gonzales had said, "Now is not the time to delay giving all of our private records to ChoicePoint and LexisNexis?"

The Watch List

One of the key provisions of the PATRIOT Act, Section 326, mandates that banks set up a process to verify the identity of all new customers opening accounts of any kind. That system, called the Customer Identification Program (CIP), would be maintained as a database and cross-referenced against a government-provided "watch list" of known terrorists, suspected terrorists, and individuals being investigated for possible suspicious activity. The database would be used to track money laundering and financing of terrorist activities within the United States.

This raises more than a few privacy concerns. No one wants to end up on a "watch list" simply for sharing a name with a known member of al-Qaeda, after all. But on its face, the system seems to make sense. Tracking the money trail is a proven way to establish criminal activity, as the FBI demonstrated by using the RICO act to take down organized crime families.

However, just as with RICO, the potential exists to use this provision of the Act for far more than just cataloguing suspicious bank account activity. Moreover, a closer observation reveals that this extensive "data mining" actually leaves innocent Americans' private data more vulnerable to identity theft and misuse, not less.

Know Your Customer, Know Your Enemy

Section 326 is titled "Verification of Identification." It involves collecting and maintaining identity data on any customer opening a new financial account at participating institutions, "including name, address, and other identifying information". Since everything the government touches must have an acronym, this is called the "Customer Identification Program", or "CIP."

This provision has brought forth a host of companies and banks offering software and database solutions that supposedly ensure the accurate collection of customer data needed to comply with this section of the act.

The IntegraSys corporation's ID Verification software, for example, cross-checks and references 23 billion data records, including everything from credit report headers to "warm address lists" that target "known sites of fraudulent activity", such as hotel mailboxes, prisons, P.O. boxes, etc.

Data-warehousing giant LexisNexis' Instant ID solution offers a Web-based "robust and high quality tool which financial institutions can utilize to verify and validate the identity of a person opening a new account�fast, convenient and effective solution to assist financial institutions in complying with the USA PATRIOT Act by verifying the identity of new account applicants."

The government "watch lists" used to verify the customer's identity are maintained by the U.S. Treasury's Office of Foreign Assets Control (OFAC). OFAC's purpose is to implement and enforce economic sanctions against known terrorists, drug dealers, and the like, "to accomplish foreign policy and national security goals." OFAC publishes and regularly updates a list of "Specially Designated Nationals" (SDN's), known or suspected terrorists and accomplices, and makes it available on its website.

OFAC itself does not mandate that financial institutions comply with identifying potential suspects ("hits") on the watch list. It instead leaves the duty of compliance up to individual financial regulators and the many companies that have stepped into the breach to provide identity verification. The official word from the Treasury Department's Office of Public Affairs is that "the final rule employs a risk-based approach that allows financial institutions flexibility, within certain parameters, to determine which forms of identification they will accept and under what circumstances."

As Kevin Bankston, staff attorney for the Electronic Frontier Foundation puts it, this was "a huge sop for data warehousers" -- a way for information brokers to further their goals of gathering exhaustive data on consumers. Given the prohibitive amount of time and effort necessary to maintain constant compliance with the frequently changing OFAC lists, data brokers seized the opportunity to gain a new foothold in the identity business.

Further complicating matters, although the PATRIOT Act became law on October 26, 2001, the Treasury Department did not issue guidelines on how Section 326 should be implemented until July of 2002. A final ruling on the guidelines was not issued until September of 2003, with a mandatory compliance date of October 1, 2003. Even given the necessity of extensive inquiries from banks to understand how the rules were to be implemented, the gap of two years between the passage of the law and the final ruling means banks were -- and are -- essentially free to use whatever means necessary to "verify customer identities."

Moreover, a more dangerous aspect of the Act allows that information to be shared with governmental agencies and other financial institutions, often resulting in customers being shut out of banking privileges altogether.

Section 314: Sharing Your Information

According to the Treasury Department's Financial Crimes Information Network (FinCEN), Section 314 of the PATRIOT Act "permits financial institutions, upon providing notice to the United States Department of the Treasury, to share information with one another in order to identify and report to the federal government activities that may involve money laundering or terrorist activity."

Essentially, this rule creates a vast web of personal data, traded between banks, credit bureaus, and the like, from which the government can pick and choose anyone it believes to be engaging in suspicious activity. This provision does have some advantageous aspects, as it was utilized to gather data in the Riggs Bank money-laundering scandal. However, it also means that many innocent Americans or foreign nationals can find themselves "unbanked" if their names match that of a suspected terrorist on the watch list, or if their Social Security Number was used in cases of identity theft.

In their zealous attempts to comply with both OFAC's lists and FinCEN's own Section 314-related lists, many banks have closed customers' accounts suddenly and without explanation -- the hardest hit being those of Arab or Muslim descent, regardless of their actual intentions, citizenship, or activity.

The actual requirements for information gathering under Sections 314 and 326 are actually not terribly daunting. Banks are required to ask for a full name, address (P.O. Boxes won't do), Social Security number, and date of birth from any customer wishing to open a new account as "minimum procedure." "Non-documentary verification" -- that is, proving a customer's identity apart from the papers they present -- can involve anything from using Section 314 to communicate with other banks regarding their financial history, to consulting with the major consumer reporting agencies (CRA's) to determine their credit activity.

Although Section 326 mandates that banks give consumers "adequate notice" that these procedures are being used, the guidelines are so vague that nothing more than a verbal description of the actions being taken can suffice.

In addition, banks are required to compile, submit, and maintain exhaustive records of the customer's identity, how it was verified, and any discrepancies encountered, for up to five years after the consumer closes the account. Imagine the prospect of bank employees coming and going with access to your personal information, even if you no longer maintain an account with that institution.

Information brokers have been lobbying to move from the cumbersome "document solution" to a completely electronic ID-verification system, based solely around mining data records and using Social Security numbers as the linchpin. As one financial services firm puts it, "From conversations with financial institutions, manual solutions can take up to 25 times longer than automated solutions, which can lead to reduced service levels and inefficient processes at the bank."

As they see it, "[u]sing a comprehensive identity verification solution provides the greatest protection against identity fraud while improving customer service, risk management, and operational efficiency."

The key players in the drive for completely automated ID verification warehouses are by no means new to the game -- they are none other than data-mining giant ChoicePoint, and eFunds, the parent company of the ChexSystems banking data clearinghouse.

Unholy Alliances

Years before its now-infamous security breach and the loss of thousands of consumer records, ChoicePoint was a major government contractor. In fact, it is by most measure the federal government's primary source of information on individual Americans.

The federal government has turned to commercial databases for information because it is not allowed to collect such data. In 1974, Congress passed the Privacy Act, which made it illegal for the government to operate its own "Big Brother" database. But Congress did not restrict private companies from conducting surveillance and gathering data on individual Americans. Nor did it prohibit the government from buying that information.

Since at least April of 2001, the Alpharetta, Georgia-based data broker has been providing multiple government agencies with thousands of data records on individuals. According to the Electronic Privacy Information Center (EPIC)'s investigation, ChoicePoint owns dozens of information brokering or collecting services, trafficking in everything from medical records, to drug test results, to arrest and criminal records.

One of their key acquisitions was the Bridger Insight software verification system, designed to provide "enhanced due diligence research to quickly uncover otherwise unknown customer information." The Bridger Insight system allows for a full-scale electronic identity verification, including helpful "risk assessment" scores as to whether or not the individual's identity data constitutes a concern, and full-page "verification reports" with "Pass" or "Fail" marks depending on the results.

If this sounds like the work of a consumer reporting agency or credit bureau, ChoicePoint's pedigree as a spin-off of credit reporting giant Equifax bears that out. However, unlike Equifax, ChoicePoint is not officially classified as a consumer reporting agency, and thus not subject to the terms of the Fair Credit Reporting Act (FCRA).

EPIC filed suit against ChoicePoint in 2004 for what it calls "subverting the policy goals of federal information privacy law." Also very much like a credit reporting agency, ChoicePoint was taken to task for providing inaccurate, outdated, and mixed-up consumer data records -- with a "90% error rate", according to Pam Dixon of the World Privacy Forum. Couple this with the sale of 145,000 data records to an admitted criminal enterprise, and ChoicePoint was the lucky recipient of Privacy International's 2005 "Lifetime Menace" award for being "an abuser and broker of personal information for many years now, collecting information on Americans and foreigners without having to adhere to strict privacy laws."

Nevertheless, ChoicePoint's Bridger Insight system is one of the cornerstones of the PATRIOT Act's identity verification solutions, "help[ing] more than 4,000 clients simplify the process of achieving compliance and conducting due diligence."

As detailed in ConsumerAffairs.Com's special report on ChexSystems, the Bridger Insight software system was partnered with eFunds' ChexSystems database in 2002 to "help streamline Section 326 compliance efforts of financial institutions," according to eFunds' senior vice-president Mark Spilsbury.

The Scottsdale, Arizona-based "information solutions" company has positioned itself as a prime mover in the identity verification field. One of their major subsidiaries, Penley Inc., provides a host of ID verification products, including BackgroundWatch, which researches customer data and returns a three-tiered search result. The "Basic Search" returns general data, such as name, address, SSN, and the like. The "Extended Search" offers more in-depth information, including lists of property records and "possible friends and relatives" (emphasis added).

The "Complete Search" contains all of this data, plus records of any sort of license, weapon registration, and voter registration. All of this information is integrated with the ChexSystems suite to track banking records and evidence of suspicious activity. The end result is a frighteningly complete portrait of an individual's personal records, containing all of their essential data and information.

Furthermore, the "risk assessment" components allow participating financial institutions to not only study a customer's past banking history, but in the case of the QualiFile system, to actually make judgments on their future history based on "[a bank's] pre-determined risk strategy and a risk assessment score that scientifically predicts the likelihood that you will have to force-close this account."

Penley has been a strong advocate of moving to a Web-based solution for its data warehousing for some time. Their cleverly named "ID Verification" system advocates a centralized, one-stop "turnkey" process, with (in their words) "simple 'pass' or 'fail' answers which require little interpretation by the frontline employees."

The system apparently requires nothing more than an Internet connection and a Web browser to use -- no software or hardware required. Given that eFunds proudly proclaims its ownership of one of the largest debit databases in the world , and its ability to outsource its customers' operations to offshore call centers, the potential for identity theft and data mismanagement is tremendous.

Apparently, the notion that a purely Web-based information database might find itself prey to hackers and data thieves is apparently not as high a priority as ensuring that the data is collected and sold to whomever wants it.

Keeping Your Information Safe: What You Need To Know

The sheer number of data mismanagement scandals in recent months has drawn Americans' attention to the fact that their private, personal information is no longer strictly their own. It can be traded among banks, provided to the government, and used by "information brokers" to sell consumers products, predict their shopping patterns, and determine their ability to open bank accounts, receive credit cards, or apply for loans. The PATRIOT Act's "identity verification" provisions grant data brokers even more power to hoard your information and use it for whatever purpose they wish -- or worse, mismanage it and let it fall into the hands of identity thieves.

Sections 314 and 326 are not "sunset" provisions of the Act. They are permanent for as long as the Act remains law. As debate begins swirling over the necessity of the Act and its consequences for Americans, greater attention must be paid to the fact that the very thing this Act was passed to protect -- Americans' freedom and liberty -- was endangered by the ability of data sellers to take our information and turn it into a commodity.

If you are concerned about your right to privacy and keeping your information safe, there are many resources to consult, including the following:

The USA PATRIOT ACT: The full text of the act, a summary, related bills, and other information, direct from the Library of Congress.

The Electronic Privacy Information Center (EPIC): A nonprofit, nonpartisan public research center that specializes in privacy rights, First Amendment protections, and civil liberties. EPIC has a special section devoted to ChoicePoint and its abuse of consumer privacy.

The Electronic Frontier Foundation (EFF): Focused on protecting digital rights, freedom of expression on the Internet, and the right to online privacy. An arm of Consumers' Union, aimed at providing Americans with all the tips and knowledge they need to protect their personal and financial information.

ConsumerAffairs.Com's Financial Services Section: Full of the latest news regarding the financial world and how to make sure you can gain the services you need without sacrificing your privacy or rights as a consumer.

Filed under: , , , , , , , , , , , , , , , ,

No comments: