Consumer Information, Privacy, and the Financial Services Industry - Pretext

Home Contact Us Privacy News APC News Services Speeches

PrivacyToday.com^™

Global Privacy Issues At The Click Of Your Mouse^™

Official website of

American Privacy Consultants, Inc.^™

Statement by Robert Douglas

Before the

Interagency Public Forum

Hosted by the Federal Deposit Insurance Corporation

Is It Any Of Your Business?

Consumer Information, Privacy, and the Financial Services Industry

March 23, 2000

As a former private investigator and now as Chief Executive Officer for American Privacy Consultants in Alexandria, Virginia, I am frequently asked in this dawning of the information age coupled with the technological revolution created by the Internet just how much information is readily available about the average citizen. The truth is almost anything can be learned about anybody in the United States today. Name, address, social security number, date of birth, phone number (whether listed, unlisted, or non-published), height, weight, eye color, hair color, mother’s maiden name, relatives names and addresses, neighbors names and addresses, criminal records, civil records, tax liens, real estate holdings, bank account numbers and balances, stock holdings, credit card account numbers and individual credit card transactions, long distance phone records, cellular phone records, pager records, 800 number records, motor vehicle records, driving records, aircraft or watercraft ownership, credit histories, medical histories, where you shop and what you buy, where you went to school, what your grades were, even your SAT scores as Vice-President Gore and Governor Bush saw on the front page of the Washington Post.

As I have only fifteen minutes to address you today please accept my assertion that the list goes on and on.

The impact of technology on consumer privacy today is the ability to accumulate, store, filter, cross-reference, analyze and disseminate vast amounts of information about anyone in a fast and cost-efficient manner that was previously unavailable. The partial list I provided of the information that can be obtained on any consumer has always been available through one means or another. The fact of the matter is that until relatively recently this information was rarely accessed to any large degree because of the time and expense that would have been involved in locating it across thousands of different computer databases or paper record storage facilities. Today all that information is quickly being accumulated into vast super-databases and is being packaged and sold like any other commodity.

The expanding use of the Internet coupled with decreasing costs and increasing capacity for accumulation and storage of data has brought the information age to a point where almost anyone can now afford to participate in the buying or selling of data of any type about anybody.

Simply put, privacy in the United States is too often a concept not a reality.

PRIVACY AND FINANCIAL INFORMATION

Since this public forum will focus in part on trying to determine what defines personal versus public information under Gramm-Leach-Bliley and the ramifications of this decision on consumer privacy given the current realities of technology that I just discussed, I would like to illuminate fact from fiction currently circulating in the media concerning technology and the impact on consumer financial privacy and demonstrate how a name and address can be used to obtain financial information about any individual in the United States.

FACT FROM FICTION

When it comes to consumer information, privacy, and the financial services industry we need to separate fact from fiction and the legal from the illegal. Recent events and subsequent media coverage has led the average consumer to believe that their personal information is not being properly safeguarded by the financial services industry and that this information is in fact for sale to anyone and most disturbingly can be purchased on the Internet.

A portion of this negative publicity is well deserved and is the direct consequence of the fact that a relatively small number of financial institutions have been selling consumer information stored in their super-databases, including individual names, addresses, phone numbers, and financial account numbers to outside companies with no direct relationship to the consumer. The U.S. Bancorp and Charter Pacific cases illustrate this problem and served as a wakeup call to the financial services industry that consumers will not stand for such third party practices. Congress also heard that warning bell from consumers in the closing hours of the passage of Gramm-Leach-Bliley and the ripple effect continues today.

As I am aware that Minnesota Attorney General Hatch is here today and that he is an expert on the subject of third party information sharing practices by financial institutions having successfully prosecuted the U.S. Bancorp matter, I will leave further discussion of this area to him and others. Suffice it to say that consumers are watching closely and when they perceive that a financial institution has not properly safeguarded their personal information or has cavalierly sold that information for the financial benefit of the institution over the confidentiality requirements of consumers, they will demand further regulatory restrictions.

However, it must also be stated as a fact that technology has increased the ability of financial institutions to assist consumers in a myriad of ways from easier 24 hour access of their financial information to the ability to learn of new relevant financial products and services uniquely appropriate for the individual consumer based upon data the financial institution possesses and is able to analyze on behalf of the consumer.

Make no mistake about it; consumers want these conveniences, services and products made available through increased data analysis capabilities and the ease of use of the Internet and telecommunication systems. The rub is they also want, indeed demand, that privacy of their information be maintained. The challenge for the financial services industry is to allow the individual consumer to strike the appropriate privacy balance they desire.

THE SALE OF FINANCIAL INFORMATION ON THE INTERNET

The second area that consumers have been learning more and more about over the last several years through the media is the common, but incorrect, belief that any individual’s financial information can be accessed because of the Internet. Recently both Forbes Magazine in a cover story and a CNN Moneyline News Hour Special Presentation left consumers with the distinct belief that everyone’s financial information is being collected on the Internet and is therefore accessible to others. This belief is also a combination of fact and fiction and needs to be clarified before the public comes to fear the use of the Internet to assist in financial transactions and consumer purchases anymore than it already does.

Technology and the Internet do not enable access to private financial information such as bank account numbers, account balances, credit card transactions, and stock portfolios as has been advanced by CNN, Forbes and dozens of other media outlets. Setting aside illegal hacking of a small number of commercial web sites and the subsequent revelation of credit card numbers, the unfortunate reality is that financial information has been being accessed and sold long before the current rise of the Internet. In fact, financial information has been being accessed by the age-old technique of fraud for many years. The role of the Internet has simply been one of many ways that information thieves advertise the sale of this data that they obtain through identity theft and fraud.

To illustrate this fact one need go no further then any of the many commercially available Internet search engines and search the phrase “bank account search”. Literally hundreds of web pages devoted to the sale of financial information including balances and account numbers will be returned as a result of the search. However, I must state again, contrary to recent media assertions that the Internet and computer databases are allowing these “information brokers” or “Internet Private Investigators” to obtain personal financial information, the information is merely being advertised on the Internet and is actually obtained in most cases through a form of identity theft known as pretext. It should be noted here today that this means of accessing and selling consumer’s financial information is now illegal under Gramm-Leach-Bliley under all but a few narrowly defined circumstances. It should also be noted that unfortunately the practice continues and is more prevalent than when I testified before Congress concerning this problem in July of 1998. Because of the practices of these so-called “Internet Private Investigators”, “Information Brokers” and sloppy reporting by certain media outlets there is a growing belief that financial information is obtained and sold by use of the Internet.

The reality is the means by which private financial information is most commonly obtained is identity theft. The financial data is obtained under false pretenses. The most common method of identity theft used to obtain privately held financial information is for the information broker to obtain through the use of credit headers from the major credit reporting agencies enough biographical information on the consumer to be able to falsely pretend that he, the broker, is the actual owner of the information sought after. Having convinced a financial institution by false pretenses that he, the information broker, is actually the institution’s client, the institution is deceived into providing whatever information is requested by the information broker impersonating the consumer.

The following is a basic example of this method. Bob Smith is the holder of a bank account at USA Bank. Joe Info Broker obtains from one of dozens of lawful databases, many of which can be found on the Internet, Mr. Smith’s full name, social security number, address, and date of birth. Joe Broker then starts calling banks in Mr. Smith’s neighborhood posing as someone who has received a check from Mr. Smith. When Joe Broker finds a bank that confirms that Mr. Smith has an account, Joe Broker hangs up. Joe Broker then calls back and identifies himself to the bank as Mr. Smith. The bank, for security reasons, asks for personal information that the bank believes only Mr. Smith would know. Joe Broker armed with Mr. Smith’s biographical data is able to convince the bank that he is actually Mr. Smith. The bank then provides Joe Broker with any information he requests on Mr. Smith’s account.

A second method is for the broker to falsely convey to the target of the asset investigation that he, the broker, is an employee of a legitimate financial institution or company. Having gained the confidence of the target, the broker induces the target to provide his or her own financial data.

These are just two of dozens of fraud schemes used by so-called “Internet Private Investigators” and “Information Brokers” to steal consumer’s personal financial information and sell it on the Internet. The core of any of these techniques is identity theft and is currently illegal under Gramm-Leach-Bliley with very few exceptions.

I must state once again as clearly as possible that technology and the Internet play no substantial role in the collection or sale of this information other than as an advertising and sales vehicle. There is no magic database in Cyberspace holding all our financial information that these “Information Brokers” can just tap into and sell to anyone and everyone. There is no financial institution today that is selling individuals financial information to “Information Brokers” for their re-sale to the public. There is no government database that holds all individuals current financial information that is accessed by “Internet Private Investigators”. The financial institutions and the government are victims of these illegal practices and misperceptions not the perpetrators. Strict enforcement of current laws under Gramm-Leach-Bliley and FTC statutes are needed to stamp out the harm these brokers and investigators are doing to the confidence of the American consumer.

To illustrate the problem of the growing misperception that the Internet is the source of financial information being collected and sold one look no further than the Forbes cover story of November 29, 1999 and CNN’s Moneyline Special of March 6, 2000. Both stories relied heavily on just one of the hundreds of “Internet Private Investigators” that advertise and sell their services on the Internet.

In the Forbes piece the private investigator is referred to as a “Web detective” and is asked by the reporter to learn as much as he can just using the reporter’s byline. The “Web detective” obtained the reporter’s birth date, address, and social security number in “about five minutes”. I would note that this is normally done through the currently legal practice of credit companies selling personal biographical information on consumers.

The reporter went on to state, “(I)n all of six days Dan Cohn and his Web detective agency, Docusearch.com, shattered every notion I had about privacy in this country (or whatever remains of it). Using only a keyboard and the phone, he was able to uncover the innermost details of my life--whom I call late at night; how much money I have in the bank; my salary and rent. He even got my unlisted phone numbers, both of them.”

The reporter concluded this portion of the article stating, “(O)kay, so you've heard it before: America, the country that made "right to privacy" a credo, has lost its privacy to the computer. But it's far worse than you think. Advances in smart data-sifting techniques and the rise of massive databases have conspired to strip you naked. The spread of the Web is the final step. It will make most of the secrets you have more instantly available than ever before, ready to reveal themselves in a few taps on the keyboard. For decades this information rested in remote mainframes that were difficult to access, even for the techies who put it there. The move to desktop PCs and local servers in the 1990s has distributed these data far and wide. Computers now hold half a billion bank accounts, half a billion credit card accounts, hundreds of millions of mortgages and retirement funds and medical claims and more. The Web seamlessly links it all together.”

In a mere two paragraphs the reporter has incorrectly linked current information technology to the sale of personal financial information without ever providing a single fact as to how this so-called Web detective obtained the reporters personal information. There is no database holding an individual’s personal bank account information legally available to a “Web detective” or anyone else absent a Court order.

In the CNN piece after trying unsuccessfully to locate an unpublished phone number on the Internet they went on to state, “(T)he pros, however, can pick you clean. Hire an Internet private investigator like Daniel Cohn, and if you have good enough reason, he’ll find the phone number….And if you convince him you have a legitimate reason and your willing to pay a bit more, Docusearch (Cohn’s firm) will give you someone’s bank account balances, bank account activity, and even the stocks, bonds and securities someone owns, all of which poses a double threat to the Internet as a place to do business. First the threat of federal regulation.”

Here CNN cuts to William Daley, Secretary of Commerce stating, “If a Web firm fails to protect consumers’ privacy, if they fail to disclose, if they fail to give consumers choice, I guarantee you that the government will be forced to react.”

CNN’s reporter than goes on to say “And if consumers grow to distrust the Internet as a place to do business, some of them may start to avoid it just as they would an unsafe city neighborhood. The difference is that, on the Internet, you can get mugged and never even know it.”

I would argue that the viewers of this segment were the ones who were mugged by CNN’s using an example of a single so-called Internet private investigator’s untested assertion that he can provide an individual’s financial information as a “threat to the Internet as a place to do business” and implying through their editing in the comments of the Secretary of Commerce that it is the Internet itself that is allowing firms such as Docusearch to obtain and sell personal financial information.

To further highlight the misperception problem that technology has made our citizen’s personal financial information available to anyone because of the accessibility of databases accessed via the Internet one need look no further than several web pages from the Docusearch web site that Forbes and CNN relied upon.

The first overhead shows a web page advertising the sale of Social Security Numbers. An individual wishing to purchase a consumers personal financial information from an information broker or private investigator will almost always need to supply the consumers name, current address and social security number. A name and address can be obtained from many publicly available legal sources. A social security number is more difficult to obtain and the most common method used by information brokers and private investigators is to purchase what is commonly called the credit header from the consumers credit report that is sold by credit reporting companies outside of the Fair Credit Reporting Act. Several major credit-reporting agencies enter into contracts with information brokers and private investigators to sell consumers biographical information that is collected as part of routine credit applications. These brokers and investigators are now selling that personal biographical data. This header will reveal all the biographical data the credit agency has on the consumer and may include name, maiden name, current address, history of addresses, social security number, telephone numbers, and employment information. The credit header and specifically the social security number is the starting point for many information brokers and private investigators in their quest for information on a consumer.

The second overhead shows that should the phone number of a consumer be needed and not be publicly available it can be obtained. I have included this overhead as a momentary detour from the focus on financial information to make the point that information brokers and private investigators are selling more than just financial information. Many are willing to obtain and sell phone records including complete lists of the long distance calls consumers have made.

The third overhead shows a list of financial searches being sold by Docusearch and advertised on the Internet. I will again stress that in regards to the bank searches listed here I am not aware of any such data maintained or collected for dissemination via the Internet or other forms of technology for the access and sale by information brokers and private investigators via the Internet or any other means.

The final overhead shows the bank account search web page of Docusearch.com where under the Search Description it specifically states that Docusearch “access(es) a federal database…” I suspect this will come as news to many of the participants here today and makes it somewhat understandable why CNN and Forbes produced the pieces they did. I just wonder whether the reporters ever asked Docusearch to prove that they access a federal database in order to sell consumers financial information via the World Wide Web. There is no such database.

In closing, this forum today is another important step in the much needed attempt to define the role of privacy in the information age and in particular to the role of the financial services industry. Hopefully, as we go forward here today and in the future in trying to determine what is privacy as it relates to the American consumer we can also continue to separate fact from fiction and find a healthy balance between the wonderful advances of the information age and the traditional role of privacy and freedom that has been with us since the founding of this Nation.

Robert Douglas is the founder and Chief Executive Officer of American Privacy Consultants (APC) located in Alexandria, Virginia, and can be reached at 703-836-8001. APC assists businesses, governments, legislators and the media understand and implement appropriate privacy policies and strategies in today’s fast changing privacy environment.

Prior to founding APC, Mr. Douglas was a Washington, DC private detective with more than 17 years experience in complex criminal defense investigation and trial preparation. In 1997 Mr. Douglas investigated the practice of “Information Brokers” selling citizens personal financial information on the Internet. Mr. Douglas took the results of this investigation to Congress and this resulted in his testifying before the United States House of Representatives, Committee on Banking and Financial Services, during the July 1998 Hearing On The Use Of Deceptive Practices To Gain Access To Personal Financial Information. Mr. Douglas and other witnesses exposed the use of identity theft and fraud by “Information Brokers” to penetrate banking security systems. That hearing resulted in passage of the Financial Information Privacy Act, which was incorporated into the Gramm-Leach-Bliley financial modernization bill signed into law in November of 1999.

Mr. Douglas and APC continue to monitor the methods of those who would attempt to penetrate our nations financial institutions and violate the privacy of those who entrust their assets to those institutions. Additionally, APC assists financial institutions in developing and implementing programs to prevent the illegal access of depositor’s financial information.

Home Contact Us Privacy News APC News Services Speeches