Choicepoint

Introduction and Background

ChoicePoint is an Alpharetta, Georgia-based company that sells information in three markets--insurance, business and government, and marketing. According to a recent quarterly statement filed at the Securities and Exchange Commission, ChoicePoint sells: "claims history data, motor vehicle records, police records, credit information and modeling services...employment background screenings and drug testing administration services, public record searches, vital record services, credential verification, due diligence information, Uniform Commercial Code searches and filings, DNA identification services, authentication services and people and shareholder locator information searches...print fulfillment, teleservices, database and campaign management services..."

ChoicePoint has managed to attain a large share of the commercial data broker (CDB) market with strategic purchases of other businesses. Since its spinoff from Equifax in 1997, ChoicePoint has acquired a number of information collection and processing companies. These include:

National Data Retrieval, Inc., a provider of public records information; List Source, Inc., d/b/a Kramer Lead Marketing Group, a marketing company in the life and health insurance and financial services markets; Mortgage Asset Research Institute, Inc., a mortgage fraud monitoring company; Identico Systems, LLC, a customer identity verification company; Templar Corporation; insuranceDecisions, Inc., an insurance industry claims administration company; Bridger Systems, Inc., a USA PATRIOT Act compliance company; CITI NETWORK, Inc. d/b/a Applicant Screening and Processing, a tenant screening company; TML Information Services, Inc., a provider of motor vehicle reports; Drug Free, Inc., a drug testing company; National Drug Testing, Inc., a drug testing company; Application Profiles, Inc., a background check company; Informus Corporation, a company enabling ChoicePoint to offer products online; Tyler-McLennon, Inc., a background screening company; ChoicePoint Direct Inc., formerly known as Customer Development Corporation, a database marketing company; EquiSearch Services, Inc.; DATEQ Information Network, Inc., an insurance underwriting services company; Washington Document Service, Inc., a court record retrieval service; DataTracks Technology, Inc., a public record information company; DataMart, Inc., a database software company; Statewide Data Services, Inc.; NSA Resources, Inc., a drug testing company; DBT Online, Inc., a public record services provider; RRS Police Records Management, Inc., a provider of police reports and related services; VIS'N Service Corporation; Cat Data Group, LLC; Drug Free Consortium, a drug testing company; BTi Employee Screening Services, Inc., an employee pre-screening services company; ABI Consulting Inc., a drug screening company; Insurity Solutions, Inc., an insurance rating company; National Medical Review Offices, Inc.; Bode Technology Group, Inc., a DNA identification company; Marketing Information & Technology, Inc., a direct marketing company; Pinkerton's, Inc., a preemployment screening company; Total eData Corporation, an e-mail database company; L&S Report Service, Inc., a provider of police records; Resident Data, Inc., a residential screening services provider; Vital Chek Network, Inc., a provider of vital records; Accident Report Services, Inc., a provider of police records; Programming Resources Company, an insurance software company; Professional Test Administrators, Inc., a drug testing company; CDB Infotek, a seller of public records; Medical Information Network, LLC, an online physician verification service; and Rapsheets.com, an online provider of criminal records data.

An April 13, 2001 article in the Wall Street Journal reported that profiling company ChoicePoint provided personal information to at least thirty-five government agencies. EPIC has filed a series of Freedom of Information Act requests to determine the nature and amount of information sold to government. To date, EPIC has determined that ChoicePoint has several multi-million dollar contracts with law enforcement agencies to sell personal data.

ChoicePoint sells a wide array of information to the government, including:

ChoicePoint's AutoTrackXP is one of the most favored CDB products. It provides an interface for additional data points, including:

At Privacy International's Big Brother Award ceremony held in Cambridge, MA on March 7, 2001, ChoicePoint received the "Greatest Corporate Invader" award "for massive selling of records, accurate and inaccurate to cops, direct marketers and election officials." At Privacy International's Big Brother Award ceremony held in Seattle, Washington in April 2005, ChoicePoint received the "Lifetime Menace Award" for its continued efforts to build dossiers on individuals.

FTC Investigation of Choicepoint

The Federal Trade Commission (FTC) is conducting an investigation of Choicepoint and other commercial data brokers, in part based on a complaint that EPIC filed at the agency in December 2004. In that complaint, Chris Jay Hoofnagle and Daniel J. Solove urged the agency to investigate the compilation and sale of personal dossiers by data brokers such as ChoicePoint. EPIC argued that the dossiers may constitute "consumer reports" for purposes of the Fair Credit Reporting Act, thus subjecting both the information seller and the buyer to regulation under the Act. Furthermore, EPIC argued that it is incumbent upon the Commission to analyze whether the sale of these dossiers circumvents the Act, giving businesses, private investigators, and law enforcement access to data that previously had been subjected to Fair Information Practices.

Some dossier products, such as the company's AutoTrackXP report, are sold without complying with the substantive and procedural protections in the Fair Credit Reporting Act, a 1970 law that broadly regulates the compilation, use, and dissemination of "consumer reports."

AutoTrackXP reports contain Social Security Numbers; driver license numbers; address history; phone numbers; property ownership and transfer records; vehicle, boat, and plane registrations; Uniform Commercial Code filings; financial information such as bankruptcies, liens, and judgments; professional licenses; business affiliations; "other people who have used the same address of the subject," "possible licensed drivers at the subject's address," and information about the data subject's relatives and neighbors. They are similar in scope and in use to standard credit reports normally protected by the Act. By selling them without the Act's protections, ChoicePoint is subverting the policy goals of federal information privacy law.

EPIC argued that companies like ChoicePoint are returning people to a pre-Fair Credit Reporting Act era, one marked by "unaccountable data companies that reported inaccurate, falsified, and irrelevant information on Americans, sometimes deliberately to drive up the prices of insurance or credit."

Later in December 2004, Choicepoint answered the EPIC letter, disputed charges, and called for a national debate. EPIC responded by challenging the company to a public debate.

In February 2005, EPIC supplemented the Choicepoint complaint. The supplemental letter raises three additional issues relevant to the rise of commercial data brokers. First, an article written by Robert O'Harrow Jr. of the Washington Post quoted Choicepoint representatives saying that the company acts like an "intelligence agency" and that the data industry should be subject to new regulations because of how personal information is being used. O'Harrow's article demonstrated the reliance on commercial data brokers for decision-making, and the growing importance that the brokers' data be accurate and their practices accountable to the public.

Second, the letter included a dialogue from Declan McCullagh's Politechbot.com mailing list concerning the December 2004 complaint. A list message from a private investigator who uses Choicepoint noted that the company maintains an audit trail of clients who access personal information. The EPIC letter points out that law enforcement users are not subject to the audit trails, and that EPIC is unaware of a single case where a commercial data broker has turned in a user for prosecution as a result of an audit showing prohibited use of the service.

Last, the letter included a transcript of a recent television broadcast, "Someone's Watching," that aired on Dec. 18, 2004, on the Discovery Times Channel. The broadcast shows two private investigators using a commercial data broker to access a stranger's Social Security Number, employment details, and other information without any legal justification.

Also in February 2005, Choicepoint announced that the company sold personal information on at least 145,000 Americans to a criminal ring engaged in identity theft. EPIC urged the company to make available to those whose personal information was negligently disclosed the same information made available to the crooks. "It is not only a matter of fairness, but also a critical public safety concern that these individuals have in their possession the same information about them that you gave to criminals," said the February 18 letter from EPIC.

California police have reported that the criminals used the ChoicePoint data to make unauthorized address changes on at least 750 people, and investigators believe that personal information of up to 400,000 people nationwide may have been compromised.

Choicepoint's Response to the Sale of Information to Criminals is Inadequate

In an article forthcoming in the University of Illinois Law Review, Daniel Solove and Chris Hoofnagle argue that Choicepoint's response to security problems is inadequate:

In light of Choicepoint's sale of personal information to criminals, the company has announced that it, "will discontinue the sale of information products that contain sensitive consumer data, including Social Security and driver's license numbers, except where there is a specific consumer-driven transaction or benefit, or where the products support federal, state or local government and criminal justice purposes."

We think ChoicePoint's reforms are inadequate to address the privacy implications of the commercial data broker industry. First, ChoicePoint's reforms do not bind the company's competitors, and so other commercial data brokers can continue to sell SSNs and other personal information. Jonathan Krim reported recently that, "So far, neither those moves nor revelations of a series of breaches at major banks and universities has curbed a multi-tiered and sometimes shadowy marketplace of selling and re-selling personal data that is vulnerable to similar fraud."

Second, Choicepoint is still going to sell its unregulated "public records" reports to small businesses, albeit with the SSN or driver license "truncated." Large businesses and law enforcement will still be able to obtain the full report with sensitive information. It is not clear how the SSN will be truncated. Some companies obscure the first five digits, while others block the last four. Without a full redaction of the SSN, small businesses may be able to "reverse-engineer" the system, and obtain the full identifier. Why not completely eliminate the SSN from the report, rather than truncate it and risk that the user can piece the SSN together from several sources?

Third, these public records reports sold by Choicepoint have been shown to be highly inaccurate. According to a report by Pam Dixon of the World Privacy Forum, Choicepoint's public information reports have a very high error rate. In her sample, 90% of the reports obtained contained errors; frequently these errors were serious, such as individuals being identified by the wrong sex. Dixon's initial findings are supported by anecdotal stories of other individuals who have obtained their unregulated ChoicePoint reports. Elizabeth Rosen, a victim of the Choicepoint privacy breach, found that five of the six pages of her report contained errors. Rosen's report erroneously indicated that she was the officer of businesses in Texas, that she maintained a private mail box at "Mailboxes Etc.," and that she owned businesses, including a "Zach's Cheese and Deli." Privacy researcher Richard Smith obtained his Choicepoint report and wrote that his report "contain[ed] more misinformation than correct information." Deborah Pierce's National Comprehensive Report from ChoicePoint falsely indicated a "possible Texas criminal history."

Fourth, individuals will have access, but not correction rights with respect to Choicepoint's unregulated public information reports. Choicepoint claims that they cannot correct these reports because they are generated from public records. However, this claim is deceptive--the problem is that Choicepoint is mixing up public record information between individuals. The public records are correct, but they are attached to people to whom they do not pertain. As mentioned earlier, Deborah Pierce's Choicepoint report indicated that she might have a criminal record in Texas. The criminal record itself may be accurate, but the record does not pertain to Deborah Pierce.

Fifth, nothing binds Choicepoint to its promise to maintain its reformed policies. In recent years, many large companies including eBay.com, Amazon.com, drkoop.com, and yahoo.com changed users' privacy settings or altered privacy policies to the detriment of users. Choicepoint is legally in a better position to renege on its promises, as it does not acknowledge a direct relationship with consumers that could be the basis of a legal action. Choicepoint's "consumers" are the businesses that buy data from the company.

Sixth, Choicepoint still is reserving the right to sell "sensitive" personal information to businesses in a large number of contexts. Choicepoint's release states that sensitive information will be sold to "[s]upport consumer-driven transactions where the data is needed to complete or maintain relationships . . .[p]rovide authentication or fraud prevention tools to large, accredited corporate customers where consumers have existing relationships . . . [a]ssist federal, state and local government and criminal justice agencies in their important missions." These categories articulated by Choicepoint are broad and ill-defined. What specifically falls under "consumer-driven transactions"? When is data "needed to complete or maintain relationships?" Under this standard, Choicepoint can decide what a consumer benefit is. In the past, Choicepoint has broadly defined "consumer benefit," explaining that the company would not let people opt-out of information sale because, "[w]e feel that removing information from these products would render them less useful for important business purposes, many of which ultimately benefit consumers." Simply put, Choicepoint's idea of what benefits consumers differs from what consumers and consumer advocates think benefits them.

Seventh, the Choicepoint policy allows the company to sell full reports for anti-fraud purposes. While in theory this exception seems appropriate, almost any transaction can have some fraud risk. If a broad fraud exemption is maintained, it will allow the sale of reports even when the fraud risk is minimal or a proxy for wishing to collect information for some other purpose.

Finally, Choicepoint's proposal does not at all limit sale of personal information to law enforcement. The company continues to sell personal information to 7,000 federal, state, and local law enforcement agencies.

Commercial Data Brokers Grilled at California Hearing

California State Senator Jackie Speier put Choicepoint, LexisNexis, and Acxiom in the hot seat in a hearing before the State's Senate Banking Committee on Wednesday, March 30, 2005. Speier, who chairs the committee, asked a series of hard-hitting questions, probing why the company did not disclose their data breach sooner and how Choicepoint's systems could be fooled by relatively unsophisticated criminals. For some time, Choicepoint has used fear to promote its business model, saying that the company prevents predators from harming children and that many missing children have been found with the company's database. But Speier wasn't fooled by the company's public relations strategy--she asked Choicepoint what percentage of their actual business comprised finding lost children. Choicepoint could not immediately answer the question.

Speier also expressed skepticism concerning the data brokers' definition of "sensitive" information, which means Social Security Numbers and driver's license numbers. However, when these same identifiers appear in public records, LexisNexis does not consider them sensitive, and sells them without restriction. Speier remarked that the identifiers were "indeed sensitive to most people in this nation...[the commercial data brokers' definition of "sensitive"]...doesn't reflect reality."

The hearing began with testimony from Elizabeth Rosen, a California nurse whose information was sold to criminals by Choicepoint. Rosen explained in detail her frustration with Choicepoint, because the company would not provide her with her full profile. A portion of her file that she did receive had errors on almost every page, including multiple incorrect addresses and claims that she owned companies, including a deli, and that she maintained a box at Mailboxes Etc. Senator Lowenthal asked Choicepoint why the company wouldn't give Rosen the same information the company sold to criminals, but the Choicepoint representative wouldn't directly answer the question.

EPIC's testimony before the committee focused on three issues. First, EPIC emphasized that the legislature should approach the commercial data broker issue primarily as a privacy problem rather than a security issue. Even if Choicepoint and others sold personal information in a secure way, the base problem is that the company continues to sell personal information to a wide variety of businesses without providing individuals with substantive rights.

Second, EPIC highlighted the difference between Choicepoint's regulated information services, such as employment and tenant screening services, and the company's non-regulated "public records" reports. It is the unregulated reports that are being abused, and legislative attention should be focused on these information products. EPIC warned legislators that Choicepoint plays a "shell game" with their products--Choicepoint doesn't always specify in policy debates whether they are discussing their regulated or unregulated reports, thus confusing the public and lawmakers.

Finally, EPIC suggested that California legislators take swift action to address databrokers following a scheme authored by George Washington University Law School Professor Daniel Solove and EPIC's Chris Hoofnagle.

At the hearing, ChoicePoint Vice President for Data Acquisition and Strategy, Don McGuffey, testified that:

"Approximately 60 percent of ChoicePoint's business is driven by consumer initiated transactions, most of which are regulated by the FCRA. Consumer driven transactions include not only pre-employment screening and insurance underwriting services, but also include tenant screening services, facilitating the delivery of vital records to consumers and the delivery of public filings for Title Insurance. These transactions are conducted as a result of a transaction initiated by the consumer.

"Nearly nine percent of ChoicePoint's business is related to Marketing Services, none of which include the distribution of personally identifiable information, but even so, are regulated by state and federal "do not mail" and "do not call" legislation.

"About five percent of ChoicePoint's business is the distribution of data to support local and federal law enforcement agencies in pursuit of their mission.

"Nearly six percent of our business supports law firms, financial institutions and general business to help mitigate risk through data and authentication solutions including litigation support and providing information needed to collect lawful debts.

"The final 20 percent of our business sells software and technology services that do not include the distribution of personally identifiable information."

Choicepoint apologized for selling personal information to criminals, and announced a series of reforms. The company is no longer going to sell "sensitive" personal information to small businesses. The company will still sell its full reports to big businesses and federal, state, and local law enforcement agencies (Choicepoint estimates that it has 100,000 clients, including contracts with 7,000 law enforcement agencies). Small businesses will still be able to buy Choicepoint reports, but it appears that Social Security Numbers will be truncated in some fashion. The company also announced that they are working on a system to provide access to all of its information products. However, individuals will not be able to correct their "public records" reports. Choicepoint also announced that the company could automatically redact SSNs that appear in public records.

Pam Dixon of the World Privacy Forum gave a preview of a report on commercial data brokers that reveals a very high error rate in personal information reports. In her sample, 90% of the reports obtained contained errors; frequently these errors were serious, such as individuals being identified by the wrong sex. Dixon also warned legislators that companies are using "anti-fraud" loopholes in privacy law to justify expansive information use.

ChoicePoint Sells Personal Information on Latin Americans to the American Government

In April 2002, EPIC obtained documents under FOIA that indicated that the Immigration and Naturalization Service (INS) had purchased personal information from the national ID databases of several Latin American countries. ChoicePoint, a data brokerage company, has a contract with INS to provide citizen registry, motor vehicle, and other information for Brazil, Argentina, Mexico, Colombia, and Costa Rica.

In April 2003, Jim Krane of the Associated Press wrote an article about the sale of this information that ran in newspapers internationally. From there, the documents sparked inquiries in Mexico and other Central and South American countries regarding the sale of foreign citizens' personal information to the US government by information broker ChoicePoint.

Latin American privacy experts claim that the acquisition of the information by ChoicePoint may have been illegal, and that the sale infringes on national sovereignty. Costa Rican, Nicaraguan, and Mexican authorities have decided to investigate the matter, and the Mexican Federal Electoral Institute filed a criminal complaint against persons who have sold voter data to ChoicePoint.

One group of documents obtained from the Immigration and Naturalization Service (INS) shows that ChoicePoint offered a contract for unlimited direct access to international databases for a $1 million fee. Other documents obtained from the Department of Justice Management Division show that the agency entered into an $11 million contract with ChoicePoint for fiscal year 2002.

ChoicePoint's Subsidiary, DBT, Scrubbed Many Eligible Voters from the Florida Election Rolls in 2000

Investigative reporter Greg Palast has extensively covered the sale of personal information by ChoicePoint's subsidiary, DBT Online, to the Florida government. The information was used to scrub voter rolls of ineligible voters--individuals who had committed felonies. Palast found that DBT's records contained numerous errors, resulting in the exclusion of many voters. Most of the excluded voters were poor or minorities.

Recent Developments

In May 2003, Rabbi Joel Levine brought suit in the U.S. District Court for the Southern District of Florida against ChoicePoint for violation of the Driver's Privacy Protection Act (DPPA). (Levine v. ChoicePoint, No. 03-80491.) That law requires that a state obtain express consent from an individual before motor vehicle department records can be sold for direct marketing or other purposes. Levine alleged that ChoicePoint knowingly obtained personal information from the Florida department of motor vehicles for resale to others, in violation of the DPPA. A similar suit was brought against Lexis-Nexis. (Levine v. Reed Elsevier, No. 03-80490.) Levine voluntarily dismissed both suits, and the cases were closed in 2003.

A similar action was filed on May 29, 2003 titled Brooks, et al v. Auto Data Direct, et al, No. 03-61063. That action alleges violations of the DPPA against ChoicePoint, the company's subsidiaries, and a number of other private-sector data sellers, including Experian, Polk, Seisint, Acxiom, and Reed Elsevier.

Documents filed in a federal lawsuit in March 2003 in the Northern District of Georgia indicate that ChoicePoint is constructing a "Central Biometric Authority." According to the complaint filed by International Biometric Group and ChoicePoint's answer, the central biometric authority is intended to perform "secure and standardized acquisition, matching, and indexing of biometric data." This biometrics database appears to be in development for ChoicePoint's expanding employee and volunteer background check services.

Senator Ron Wyden (D-OR) has introduced 108 S. 1484, the Citizens' Protection in Federal Databases Act. The bill would require the Departments of Justice, Defense, Homeland Security, Treasury, Central Intelligence Agency, and the Federal Bureau of Investigation to submit a report to Congress on use of private-sector databases, or lose funding for purchasing personal information from companies such as ChoicePoint and Lexis-Nexis.

FOIA Lawsuit

On June 22, 2001, EPIC submitted Freedom of Information Act requests to the Department of Justice, Federal Bureau of Investigation, United States Marshals Service, Drug Enforcement Agency, Immigration and Naturalization Service, Internal Revenue Service, and to the Bureau of Alcohol, Tobacco, and Firearms for agency records relating to "transactions, communications, and contracts concerning businesses that sell individuals' personal information." Months later, many of the agencies had not responded. Accordingly, on January 14, 2002 EPIC brought suit in the U.S. District Court for the District of Columbia against the Department of Justice and the Department of the Treasury. This case is still being litigated. It is currently styled Electronic Privacy Information Center v. Dep't of Justice et al., No. 1:02cv0063 (CKK)(D.D.C.).

FOIA Documents

EPIC has obtained FOIA documents from nine different agencies concerning ChoicePoint. All of the documents provided by the government are scanned in PDF format below.

Bureau of Alcohol, Tobacco, and Firearms

Drug Enforcement Agency

Department of Justice

Department of State

Federal Bureau of Investigation

Immigration and Naturalization Service

Internal Revenue Service

Office of National Drug Control Policy

United States Marshals Service


Last Updated: February 21, 2008
Page URL: http://www.epic.org/privacy/choicepoint/