- FTC Pursues Investigation of Data Brokers: The Federal Trade Commission has issued orders requiring nine data brokerage companies to provide the agency with information about how they collect and use data about consumers. The agency said it will use the information to study privacy practices in the data broker industry. In 2009, EPIC testified in support of new legislation to regulate the data broker industry. In 2005, EPIC brought a complaint to the FTC against the data broker Choicepoint that produced a $10 million settlement, then the largest in the FTC's history for a violation of federal privacy law. For more information, see EPIC: ChoicePoint and EPIC: Federal Trade Commission. (Dec. 19, 2012)
- Lawmakers Gain "Partial Glimpse" into Data Brokers' Business Practices: Members of the Congressional Bi-Partisan Privacy Caucus released the responses of several data brokers to an inquiry into their business practices. Data brokers collect and sell the personal information of consumers to third parties, typically without the knowledge of the consumers themselves. The lawmakers reported that most of the companies did not consider themselves "data brokers," and that "[m]any questions about how these data brokers operate have been left unanswered, particularly how they analyze personal information to categorize and rate consumers." The Federal Trade Commission recently called for data-broker legislation in a report on consumer privacy. In 2005, EPIC brought a complaint against the data broker ChoicePoint that produced a $10 million settlement, the largest in the FTC's history for a violation of federal privacy law. For more information, see EPIC: ChoicePoint and EPIC: Federal Trade Commission. (Nov. 8, 2012)
- Spokeo to Pay $800,000 to Trade Commission to Settle Privacy Violations: The data broker Spokeo agreed to pay $800,000 to settle a complaint filed by the Federal Trade Commission that the company marketed its data profiles to employers in violation of federal privacy law. The FTC alleges that Spokeo violated the Fair Credit Reporting Act by failing to ensure that its information was accurate, failing to ensure that it would be used only for legally permissible purposes, and failing to tell users if adverse decisions were made based on the information. The FTC also alleged that Spokeo created its own endorsements on news and technology websites and represented them as independent endorsements. The FTC's settlement bans Spokeo from future FCRA violations and misrepresentations. In 2004, EPIC successfully urged the FTC to investigate the compilation and sale of personal dossiers by the data broker ChoicePoint. That investigation produced a $10 million settlement, the largest in the FTC's history for a violation of federal privacy law. For more information, see EPIC: Federal Trade Commission and EPIC: ChoicePoint. (Jun. 12, 2012)
- Data Broker Merger Threatens Privacy. Reed-Elsevier, corporate parent of Lexis-Nexis, has made a move to acquire ChoicePoint, the data broker. Consumer privacy will be seriously affected if the merger is approved without any privacy safeguards. The previous Google-Doubleclick merger involving two large databases of personal information similarly raised privacy as well as antitrust issues. ChoicePoint is a large player in the commercial data broker market and has been the target of an EPIC privacy complaint and an FTC investigation and fine for the privacy harms its business practices cause. (February 21, 2008)
- Coalition: Data Security Bills Fall Short. A coalition of privacy and consumer advocacy groups has called upon leaders of five Congressional committees to consider a strong privacy framework for data security. All the legislation being considered by Congress would roll back protections offered in states with security breach notice requirements, and many of the bills do not address the privacy problems raised by commercial data brokers. (November 9, 2007)
- EPIC Testifies on Data Security Legislation. In testimony before the House Commerce Subcommittee on Consumer Protection, EPIC West Coast Director Chris Hoofnagle urged Congress to pass strong data security legislation that includes privacy protections for use of personal information. The hearing concerned bipartisan draft data security legislation that would require companies to give notice to consumers of security breaches. (Jul. 28, 2005)
Introduction and Background
ChoicePoint is an Alpharetta, Georgia-based company that sells information in three markets--insurance, business and government, and marketing. According to a recent quarterly statement filed at the Securities and Exchange Commission, ChoicePoint sells: "claims history data, motor vehicle records, police records, credit information and modeling services...employment background screenings and drug testing administration services, public record searches, vital record services, credential verification, due diligence information, Uniform Commercial Code searches and filings, DNA identification services, authentication services and people and shareholder locator information searches...print fulfillment, teleservices, database and campaign management services..."
ChoicePoint has managed to attain a large share of the commercial data broker (CDB) market with strategic purchases of other businesses. Since its spinoff from Equifax in 1997, ChoicePoint has acquired a number of information collection and processing companies. These include:
National Data Retrieval, Inc., a provider of public records information; List Source, Inc., d/b/a Kramer Lead Marketing Group, a marketing company in the life and health insurance and financial services markets; Mortgage Asset Research Institute, Inc., a mortgage fraud monitoring company; Identico Systems, LLC, a customer identity verification company; Templar Corporation; insuranceDecisions, Inc., an insurance industry claims administration company; Bridger Systems, Inc., a USA PATRIOT Act compliance company; CITI NETWORK, Inc. d/b/a Applicant Screening and Processing, a tenant screening company; TML Information Services, Inc., a provider of motor vehicle reports; Drug Free, Inc., a drug testing company; National Drug Testing, Inc., a drug testing company; Application Profiles, Inc., a background check company; Informus Corporation, a company enabling ChoicePoint to offer products online; Tyler-McLennon, Inc., a background screening company; ChoicePoint Direct Inc., formerly known as Customer Development Corporation, a database marketing company; EquiSearch Services, Inc.; DATEQ Information Network, Inc., an insurance underwriting services company; Washington Document Service, Inc., a court record retrieval service; DataTracks Technology, Inc., a public record information company; DataMart, Inc., a database software company; Statewide Data Services, Inc.; NSA Resources, Inc., a drug testing company; DBT Online, Inc., a public record services provider; RRS Police Records Management, Inc., a provider of police reports and related services; VIS'N Service Corporation; Cat Data Group, LLC; Drug Free Consortium, a drug testing company; BTi Employee Screening Services, Inc., an employee pre-screening services company; ABI Consulting Inc., a drug screening company; Insurity Solutions, Inc., an insurance rating company; National Medical Review Offices, Inc.; Bode Technology Group, Inc., a DNA identification company; Marketing Information & Technology, Inc., a direct marketing company; Pinkerton's, Inc., a preemployment screening company; Total eData Corporation, an e-mail database company; L&S Report Service, Inc., a provider of police records; Resident Data, Inc., a residential screening services provider; Vital Chek Network, Inc., a provider of vital records; Accident Report Services, Inc., a provider of police records; Programming Resources Company, an insurance software company; Professional Test Administrators, Inc., a drug testing company; CDB Infotek, a seller of public records; Medical Information Network, LLC, an online physician verification service; and Rapsheets.com, an online provider of criminal records data.
An April 13, 2001 article in the Wall Street Journal reported that profiling company ChoicePoint provided personal information to at least thirty-five government agencies. EPIC has filed a series of Freedom of Information Act requests to determine the nature and amount of information sold to government. To date, EPIC has determined that ChoicePoint has several multi-million dollar contracts with law enforcement agencies to sell personal data.
ChoicePoint sells a wide array of information to the government, including:
- Credit headers, a list of identifying information that appears at the top of a credit report. This information includes name, spouse's name, address, previous address, phone number, Social Security number, and employer.
- "Workplace Solutions Pre-Employment Screening," which includes financial reports, education verification, reference verification, felony check, motor vehicle record, SSN verification, and professional credential verification.
- Asset Location Services.
- The ability to engage in "wildcard searches," which allows law enforcement to "obtain a comprehensive personal profile in a matter of minutes" with only a first name or partial address.
- The use of "Soundex" queries, which allow searches on personal information based on how names sound, rather than how they are spelled.
- Information on neighbors and family members of a suspect.
ChoicePoint's AutoTrackXP is one of the most favored CDB products. It provides an interface for additional data points, including:
- Linkage services, which draw graphical relationships between suspects and other addresses, neighbors, and Social Security Numbers.
- Public records, including Social Security Death Master Filings, bookings and arrests, liens, judgments, and bankruptcies.
- Licenses, including drivers, pilots, and professional credentials.
- Lists of residents of Georgia, New York, and Ohio.
- National real-time phone directories and reverse look up services.
- Business information, compiled nationwide from Secretaries of State.
- "SmartSearch," a tool that allows broad wildcard searches: "There may be thousands of Jane Does, but there's probably only one Jane Doe who's between 25 and 30 and lives on the upper west side of Manhattan. SmartSearch makes it possible to find that one."
- U.S. Military Personnel.
- Boat owners.
At Privacy International's Big Brother Award ceremony held in Cambridge, MA on March 7, 2001, ChoicePoint received the "Greatest Corporate Invader" award "for massive selling of records, accurate and inaccurate to cops, direct marketers and election officials." At Privacy International's Big Brother Award ceremony held in Seattle, Washington in April 2005, ChoicePoint received the "Lifetime Menace Award" for its continued efforts to build dossiers on individuals.
- ChoicePoint, a profiling company. ChoicePoint operates a number of websites devoted to law enforcement access to personal information, including ChoicePoint Online for the FBI, ChoicePoint Online for the INS, ChoicePoint Online for HUD, and ChoicePoint Online for the Government.
- Securities and Exchange Commission Information on ChoicePoint.
- ChoicePoint's Big Brother Award, Privacy International, 2001.
- FBI's Reliance on the Private Sector Has Raised Some Privacy Concerns, Wall Street Journal, April 13, 2001 (subscription required).
- FBI turns to private sector for data, MSNBC.com (WSJ), April 13, 2001.
- How ChoicePoint serves up your personal info to the FBI, Declan McCullagh's politechbot.com, April 13, 2001.
FTC Investigation of Choicepoint
The Federal Trade Commission (FTC) is conducting an investigation of Choicepoint and other commercial data brokers, in part based on a complaint that EPIC filed at the agency in December 2004. In that complaint, Chris Jay Hoofnagle and Daniel J. Solove urged the agency to investigate the compilation and sale of personal dossiers by data brokers such as ChoicePoint. EPIC argued that the dossiers may constitute "consumer reports" for purposes of the Fair Credit Reporting Act, thus subjecting both the information seller and the buyer to regulation under the Act. Furthermore, EPIC argued that it is incumbent upon the Commission to analyze whether the sale of these dossiers circumvents the Act, giving businesses, private investigators, and law enforcement access to data that previously had been subjected to Fair Information Practices.
Some dossier products, such as the company's AutoTrackXP report, are sold without complying with the substantive and procedural protections in the Fair Credit Reporting Act, a 1970 law that broadly regulates the compilation, use, and dissemination of "consumer reports."
AutoTrackXP reports contain Social Security Numbers; driver license numbers; address history; phone numbers; property ownership and transfer records; vehicle, boat, and plane registrations; Uniform Commercial Code filings; financial information such as bankruptcies, liens, and judgments; professional licenses; business affiliations; "other people who have used the same address of the subject," "possible licensed drivers at the subject's address," and information about the data subject's relatives and neighbors. They are similar in scope and in use to standard credit reports normally protected by the Act. By selling them without the Act's protections, ChoicePoint is subverting the policy goals of federal information privacy law.
EPIC argued that companies like ChoicePoint are returning people to a pre-Fair Credit Reporting Act era, one marked by "unaccountable data companies that reported inaccurate, falsified, and irrelevant information on Americans, sometimes deliberately to drive up the prices of insurance or credit."
Later in December 2004, Choicepoint answered the EPIC letter, disputed charges, and called for a national debate. EPIC responded by challenging the company to a public debate.
In February 2005, EPIC supplemented the ChoicePoint complaint. The supplemental letter raises three additional issues relevant to the rise of commercial data brokers. First, an article written by Robert O'Harrow Jr. of the Washington Post quoted ChoicePoint representatives saying that the company acts like an "intelligence agency" and that the data industry should be subject to new regulations because of how personal information is being used. O'Harrow's article demonstrated the reliance on commercial data brokers for decision-making, and the growing importance that the brokers' data be accurate and their practices accountable to the public.
Second, the letter included a dialogue from Declan McCullagh's Politechbot.com mailing list concerning the December 2004 complaint. A list message from a private investigator who uses Choicepoint noted that the company maintains an audit trail of clients who access personal information. The EPIC letter points out that law enforcement users are not subject to the audit trails, and that EPIC is unaware of a single case where a commercial data broker has turned in a user for prosecution as a result of an audit showing prohibited use of the service.
Last, the letter included a transcript of a recent television broadcast, "Someone's Watching," that aired on Dec. 18, 2004, on the Discovery Times Channel. The broadcast shows two private investigators using a commercial data broker to access a stranger's Social Security Number, employment details, and other information without any legal justification.
Also in February 2005, Choicepoint announced that the company sold personal information on at least 145,000 Americans to a criminal ring engaged in identity theft. EPIC urged the company to make available to those whose personal information was negligently disclosed the same information made available to the crooks. "It is not only a matter of fairness, but also a critical public safety concern that these individuals have in their possession the same information about them that you gave to criminals," said the February 18 letter from EPIC.
California police have reported that the criminals used the ChoicePoint data to make unauthorized address changes on at least 750 people, and investigators believe that personal information of up to 400,000 people nationwide may have been compromised.
- Initial Complaint to the Federal Trade Commission, December 16, 2004.
- Choicepoint Letter Disputing EPIC's Claims, December 29, 2004.
- EPIC update to the complaint to the Federal Trade Commission, February 1, 2005.
- EPIC letter calling upon ChoicePoint to give victims access to their dossiers, February 18, 2005.
In an article forthcoming in the University of Illinois Law Review, Daniel Solove and Chris Hoofnagle argue that Choicepoint's response to security problems is inadequate:
In light of Choicepoint's sale of personal information to criminals, the company has announced that it, "will discontinue the sale of information products that contain sensitive consumer data, including Social Security and driver's license numbers, except where there is a specific consumer-driven transaction or benefit, or where the products support federal, state or local government and criminal justice purposes."
We think ChoicePoint's reforms are inadequate to address the privacy implications of the commercial data broker industry. First, ChoicePoint's reforms do not bind the company's competitors, and so other commercial data brokers can continue to sell SSNs and other personal information. Jonathan Krim reported recently that, "So far, neither those moves nor revelations of a series of breaches at major banks and universities has curbed a multi-tiered and sometimes shadowy marketplace of selling and re-selling personal data that is vulnerable to similar fraud."
Second, ChoicePoint is still going to sell its unregulated "public records" reports to small businesses, albeit with the SSN or driver license "truncated." Large businesses and law enforcement will still be able to obtain the full report with sensitive information. It is not clear how the SSN will be truncated. Some companies obscure the first five digits, while others block the last four. Without a full redaction of the SSN, it may be possible for small businesses to "reverse-engineer" the system, and obtain the full identifier. Why not completely eliminate the SSN from the report, rather than truncate it and risk that the user can piece the SSN together from several sources?
Third, these public records reports sold by Choicepoint have been shown to be highly inaccurate. According to a report by Pam Dixon of the World Privacy Forum, Choicepoint's public information reports have a very high error rate. In her sample, 90% of the reports obtained contained errors; frequently these errors were serious, such as individuals being identified by the wrong sex. Dixon's initial findings are supported by anecdotal stories of other individuals who have obtained their unregulated ChoicePoint reports. Elizabeth Rosen, a victim of the Choicepoint privacy breach, found that five of the six pages of her report contained errors. Rosen's report erroneously indicated that she was the officer of businesses in Texas, that she maintained a private mail box at "Mailboxes Etc.," and that she owned businesses, including a "Zach's Cheese and Deli." Privacy researcher Richard Smith obtained his Choicepoint report and wrote that his report "contain[ed] more misinformation than correct information." Deborah Pierce's National Comprehensive Report from ChoicePoint falsely indicated a "possible Texas criminal history."
Fourth, individuals will have access, but not correction rights with respect to ChoicePoint's unregulated public information reports. ChoicePoint claims that they cannot correct these reports because they are generated from public records. However, this claim is deceptive--the problem is that ChoicePoint is mixing up public record information between individuals. The public records are correct, but they are attached to people to whom they do not pertain. As mentioned earlier, Deborah Pierce's ChoicePoint report indicated that she might have a criminal record in Texas. The criminal record itself may be accurate, but the record does not pertain to Deborah Pierce.
Fifth, nothing binds Choicepoint to its promise to maintain its reformed policies. In recent years, many large companies including eBay.com, Amazon.com, drkoop.com, and yahoo.com changed users' privacy settings or altered privacy policies to the detriment of users. Choicepoint is legally in a better position to renege on its promises, as it does not acknowledge a direct relationship with consumers that could be the basis of a legal action. Choicepoint's "consumers" are the businesses that buy data from the company.
Sixth, ChoicePoint still is reserving the right to sell "sensitive" personal information to businesses in a large number of contexts. ChoicePoint's release states that sensitive information will be sold to "[s]upport consumer-driven transactions where the data is needed to complete or maintain relationships . . .[p]rovide authentication or fraud prevention tools to large, accredited corporate customers where consumers have existing relationships . . . [a]ssist federal, state and local government and criminal justice agencies in their important missions." These categories articulated by ChoicePoint are broad and ill-defined. What specifically falls under "consumer-driven transactions"? When is data "needed to complete or maintain relationships?" Under this standard, ChoicePoint can decide what a consumer benefit is. In the past, ChoicePoint has broadly defined (pdf) "consumer benefit," explaining that the company would not let people opt-out of information sale because, "[w]e feel that removing information from these products would render them less useful for important business purposes, many of which ultimately benefit consumers." Simply put, ChoicePoint's idea of what benefits consumers differs from what consumers and consumer advocates think benefits them.
Seventh, the Choicepoint policy allows the company to sell full reports for anti-fraud purposes. While in theory this exception seems appropriate, almost any transaction can have some fraud risk. If a broad fraud exemption is maintained, it will allow the sale of reports even when the fraud risk is minimal or a proxy for wishing to collect information for some other purpose.
Finally, Choicepoint's proposal does not at all limit sale of personal information to law enforcement. The company continues to sell personal information to 7,000 federal, state, and local law enforcement agencies.
Commercial Data Brokers Grilled at California Hearing
California State Senator Jackie Speier put ChoicePoint, LexisNexis, and Acxiom in the hot seat in a hearing before the State's Senate Banking Committee on Wednesday, March 30, 2005. Speier, who chairs the committee, asked a series of hard-hitting questions, probing why the company did not disclose their data breach sooner and how ChoicePoint's systems could be fooled by relatively unsophisticated criminals. For some time, ChoicePoint has used fear to promote its business model, saying that the company prevents predators from harming children and that many missing children have been found with the company's database. But Speier wasn't fooled by the company's public relations strategy--she asked ChoicePoint what percentage of their actual business comprised finding lost children. ChoicePoint could not immediately answer the question.
Speier also expressed skepticism concerning the data brokers' definition of "sensitive" information, which means Social Security Numbers and driver's license numbers. However, when these same identifiers appear in public records, LexisNexis does not consider them sensitive, and sells them without restriction. Speier remarked that the identifiers were "indeed sensitive to most people in this nation...[the commercial data brokers' definition of "sensitive"]...doesn't reflect reality."
The hearing began with testimony from Elizabeth Rosen, a California nurse whose information was sold to criminals by ChoicePoint. Rosen explained in detail her frustration with ChoicePoint, because the company would not provide her with her full profile. A portion of her file that she did receive had errors on almost every page, including multiple incorrect addresses and statements that she owned companies, including a deli, and that she maintained a box at Mailboxes Etc. Senator Lowenthal asked ChoicePoint why the company wouldn't give Rosen the same information the company sold to criminals, but the ChoicePoint representative wouldn't directly answer the question.
EPIC's testimony before the committee focused on three issues. First, EPIC emphasized that the legislature should approach the commercial data broker issue primarily as a privacy problem rather than a security issue. Even if ChoicePoint and others sold personal information in a secure way, the base problem is that the company continues to sell personal information to a wide variety of businesses without providing individuals with substantive rights.
Second, EPIC highlighted the difference between Choicepoint's regulated information services, such as employment and tenant screening services, and the company's non-regulated "public records" reports. It is the unregulated reports that are being abused, and legislative attention should be focused on these information products. EPIC warned legislators that Choicepoint plays a "shell game" with their products--Choicepoint doesn't always specify in policy debates whether they are discussing their regulated or unregulated reports, thus confusing the public and lawmakers.
Finally, EPIC suggested that California legislators take swift action to address data brokers following a scheme authored by George Washington University Law School Professor Daniel Solove and EPIC's Chris Hoofnagle.
At the hearing, ChoicePoint Vice President for Data Acquisition and Strategy, Don McGuffey, testified that:
"Approximately 60 percent of ChoicePoint's business is driven by consumer initiated transactions, most of which are regulated by the FCRA. Consumer driven transactions include not only pre-employment screening and insurance underwriting services, but also include tenant screening services, facilitating the delivery of vital records to consumers and the delivery of public filings for Title Insurance. These transactions are conducted as a result of a transaction initiated by the consumer.
"Nearly nine percent of ChoicePoint's business is related to Marketing Services, none of which include the distribution of personally identifiable information, but even so, are regulated by state and federal "do not mail" and "do not call" legislation.
"About five percent of ChoicePoint's business is the distribution of data to support local and federal law enforcement agencies in pursuit of their mission.
"Nearly six percent of our business supports law firms, financial institutions and general business to help mitigate risk through data and authentication solutions including litigation support and providing information needed to collect lawful debts.
"The final 20 percent of our business sells software and technology services that do not include the distribution of personally identifiable information."
ChoicePoint apologized for selling personal information to criminals, and announced a series of reforms. The company is no longer going to sell "sensitive" personal information to small businesses. The company will still sell its full reports to big businesses and federal, state, and local law enforcement agencies (ChoicePoint estimates that it has 100,000 clients, including contracts with 7,000 law enforcement agencies). Small businesses will still be able to buy ChoicePoint reports, but it appears that Social Security Numbers will be truncated in some fashion. The company also announced that they are working on a system to provide access to all of its information products. However, individuals will not be able to correct their "public records" reports. ChoicePoint also announced that the company could automatically redact SSNs that appear in public records.
Pam Dixon of the World Privacy Forum gave a preview of a report on commercial data brokers that reveals a very high error rate in personal information reports. In her sample, 90% of the reports obtained contained errors; frequently these errors were serious, such as individuals being identified by the wrong sex. Dixon also warned legislators that companies are using "anti-fraud" loopholes in privacy law to justify expansive information use.
ChoicePoint Sells Personal Information on Latin Americans to the American Government
In April 2002, EPIC obtained documents under FOIA that indicated that the Immigration and Naturalization Service (INS) had purchased personal information from the national ID databases of several Latin American countries. ChoicePoint, a data brokerage company, has a contract with INS to provide citizen registry, motor vehicle, and other information for Brazil, Argentina, Mexico, Colombia, and Costa Rica.
In April 2003, Jim Krane of the Associated Press wrote an article about the sale of this information that ran in newspapers internationally. From there, the documents sparked inquiries in Mexico and other Central and South American countries regarding the sale of foreign citizens' personal information to the US government by information broker ChoicePoint.
Latin American privacy experts claim that the acquisition of the information by ChoicePoint may have been illegal, and that the sale infringes on national sovereignty. Costa Rican, Nicaraguan, and Mexican authorities have decided to investigate the matter, and the Mexican Federal Electoral Institute filed a criminal complaint against persons who have sold voter data to ChoicePoint.
One group of documents obtained from the Immigration and Naturalization Service (INS) shows that ChoicePoint offered a contract for unlimited direct access to international databases for a $1 million fee. Other documents obtained from the Department of Justice Management Division show that the agency entered into an $11 million contract with ChoicePoint for fiscal year 2002.
- Mexico claims ChoicePoint stepped across the line, Atlanta Journal Constitution, April 27, 2003.
ChoicePoint's Subsidiary, DBT, Scrubbed Many Eligible Voters from the Florida Election Rolls in 2000
Investigative reporter Greg Palast has extensively covered the sale of personal information by ChoicePoint's subsidiary, DBT Online, to the Florida government. The information was used to scrub voter rolls of ineligible voters--individuals who had committed felonies. Palast found that DBT's records contained numerous errors, resulting in the exclusion of many voters. Most of the excluded voters were poor or minorities.
- Adam C. Smith, No telling if voter rolls are ready for 2004: In 2000, some people were mistakenly labeled felons and denied voting rights. Despite three years of reform efforts, inconsistencies and obstacles remain, December 21, 2003.
- Botched Name Purge Denied Some the Right to Vote, Washington Post, May 31, 2001.
- Greg Palast, Ex-Con Game, How Florida's "Felon" Voter-Purge Was Itself Felonious, Harper's Magazine, March 2002, p. 48-49.
- Greg Palast, The Best Democracy Money Can Buy, Pluto Press (2002).
- Florida's flawed "voter-cleansing" program, Salon.com, December 4, 2000.
In May 2003, Rabbi Joel Levine brought suit in the U.S. District Court for the Southern District of Florida against ChoicePoint for violation of the Driver's Privacy Protection Act (DPPA). (Levine v. ChoicePoint, No. 03-80491.) That law requires that a state obtain express consent from an individual before motor vehicle department records can be sold for direct marketing or other purposes. Levine alleged that ChoicePoint knowingly obtained personal information from the Florida department of motor vehicles for resale to others, in violation of the DPPA. A similar suit was brought against Lexis-Nexis. (Levine v. Reed Elsevier, No. 03-80490). Levine voluntarily dismissed both suits, and the cases were closed in 2003.
A similar action was filed on May 29, 2003 titled Brooks, et al v. Auto Data Direct, et al, No. 03-61063. That action alleges violations of the DPPA against ChoicePoint, company's subsidiaries, and a number of other private-sector data sellers, including Experian, Polk, Seisint, Acxiom, and Reed Elsevier.
Documents filed in a federal lawsuit in March 2003 in the Northern District of Georgia indicate that ChoicePoint is constructing a "Central Biometric Authority." According to the complaint filed by International Biometric Group and ChoicePoint's answer, the central biometric authority is intended to perform "secure and standardized acquisition, matching, and indexing of biometric data." This biometrics database appears to be in development for ChoicePoint's expanding employee and volunteer background check services.
Senator Ron Wyden (D-OR) has introduced 108 S. 1484, the Citizens' Protection in Federal Databases Act. The bill would require the Departments of Justice, Defense, Homeland Security, Treasury, Central Intelligence Agency, and the Federal Bureau of Investigation to submit a report to Congress on use of private-sector databases, or lose funding for purchasing personal information from companies such as ChoicePoint and Lexis-Nexis.
- Dan Christensen, Major Information Brokers Face Class Action for Invasion of Privacy, Miami Daily Business Review, June 24, 2003.
- Complaint in Levine v. ChoicePoint, No. 03-80491 (S.D. Fla. 2003).
- Complaint in International Biometric Group v. ChoicePoint, 03-0831 (N.D. Ga. 2003).
- Answer in International Biometric Group v. ChoicePoint, 03-0831 (N.D. Ga. 2003).
- 108 S. 1484, Citizens' Protection in Federal Databases Act, THOMAS Database.
On June 22, 2001, EPIC submitted Freedom of Information Act requests to the Department of Justice, Federal Bureau of Investigation, United States Marshals Service, Drug Enforcement Agency, Immigration and Naturalization Service, Internal Revenue Service, and to the Bureau of Alcohol, Tobacco, and Firearms for agency records relating to "transactions, communications, and contracts concerning businesses that sell individuals' personal information." Months later, many of the agencies had not responded. Accordingly, on January 14, 2002 EPIC brought suit in the U.S. District Court for the District of Columbia against the Department of Justice and the Department of the Treasury. This case is still being litigated. It is currently styled Electronic Privacy Information Center v. Dep't of Justice et al., No. 1:02cv0063 (CKK)(D.D.C.).
- EPIC Complaint in EPIC v. Dept. of Justice et al.
- Press release in EPIC v. Dept. of Justice et al., January 15, 2002.
- FBI's Reliance on the Private Sector Has Raised Some Privacy Concerns, Wall Street Journal, April 13, 2001 (subscription required).
- FBI turns to private sector for data, MSNBC.com (WSJ), April 13, 2001.
EPIC has obtained FOIA documents from nine different agencies concerning ChoicePoint. All of the documents provided by the government are scanned in PDF format below.
Bureau of Alcohol, Tobacco, and Firearms
- Release 1 of 1, April 9, 2002. This material is largely contracting documents between the agency and DBT Online and Lexis Nexis.
Drug Enforcement Agency
- Release 1 of 1, July 3, 2002. This material is largely contracting documents between the agency and ChoicePoint. It contains one document where the DEA agrees to comply with the Gramm-Leach-Bliley Act.
- Part A (2.3 MB).
Department of Justice
- Release 1 of 3, August 14, 2002. These documents contain detailed information on what information is available to the government through ChoicePoint.
- Part A (1.5 MB).
- Release 2 of 3, December 13, 2002. This is a memo discussing a "Report of Investigation into Misconduct Allegations...Concerning Unauthorized Disclosure of Information."
- Part A (1.5 MB).
- Release 3 of 3, October 8, 2003. These highly redacted documents discuss a memorandum regarding ChoicePoint.
- Part A (575 KB).
Department of State
- Release 1 of 3, November 3, 2003. A series of news articles that were collected by the agency to track outrage in Mexico and other countries over the sale of personal information by ChoicePoint.
- Part A (1.8 MB).
- Release 2 of 3, December 3, 2003. These documents contain a cable from the American Embassy in Mexico to several different government agencies warning that a "potential firestorm may be brewing" as a result of sale of personal information by ChoicePoint.
- Part A (218 KB).
- Release 3 of 3, February 2, 2004. These documents discuss public relations strategies for the American Embassy to counter public anger surrounding the release of personal information of Latin Americans to ChoicePoint.
- Part A (1.3 MB).
Federal Bureau of Investigation
- Release 1 of 4, January 31, 2002.
- Part A (3.3 MB). These documents reference a secret, sole-source contract between ChoicePoint and the Federal Bureau of Investigation's Criminal Investigative Division.
- Part B (2.4 MB). These contracting documents contain discussions of the definition of "public source information," and negotiations regarding a non-disclosure agreement between the agency and ChoicePoint.
- Part C (2.7 MB). These contracting documents specify that ChoicePoint employees who have access to a developing FBI facility be cleared to receive "secret" level information.
- Part D (2.7 MB). These contracting documents discuss a FBI facility used with ChoicePoint located somewhere in Northern Virginia.
- Part E (2.3 MB). Handwritten notes and other documents describing the non-disclosure agreement.
- Release 2 of 4, April 30, 2002.
- Part A (4 MB). These documents contain a memo titled: "Guidance Regarding the Use of ChoicePoint for Foreign Intelligence Collection or Foreign Counterterrorism Investigations." It analyzes law enforcement use of ChoicePoint in the context of federal privacy laws and the Attorney General's Guidelines. The memorandum rationalizes use of private-sector databases as the "least intrusive means" of collecting personal information and concludes that ChoicePoint can be used for foreign intelligence and counterintelligence investigations. A presentation titled "The FBI's Public-Source Information Program Fact Versus Fiction" highlights the agency's access to property records, professional licenses, news articles, driver and DMV records, census records, and credit headers. It lists ChoicePoint, Westlaw, Lexis Nexis, Dun and Bradstreet, and credit reporting agencies as sources for this information. Reliance on these databases has increased by 9600 percent since 1992, according to the presentation. However, one unnamed credit reporting agency is no longer selling credit header information to law enforcement.
- Part B (473 KB). These documents are heavily redacted.
- Part C (2.8 MB). These documents are heavily redacted.
- Release 3 of 4, March, 2005.
- Part A (2.29 MB). These documents include: 1) a 34-slide Choicepoint PowerPoint presentation titled, "A Partnership for the New Millennium." The entire presentation, except for slides that only have a Choicepoint logo, has been redacted by the FBI. 2) A brochure discussing Choicepoint's ability to detect fraudulent businesses. 3) A Choicepoint report discussing information collection, including e-mail account information, employment screening, driver records, drug testing, military documents, voter registration information, and marketing information. 4) A Choicepoint report discussing Social Security Numbers.
- Part B (1.5 MB). A 34-page memo discussing the types of business information that may be available to Choicepoint.
- Part C (1.3 MB). A 24-page memo on "The Information Industry," entirely redacted; a memo discussing international data; a memo discussing drug testing in detail; and an announcement of the FBI's access to Choicepoint.
- Release 4 of 4, February 2006.
- Part A (1.1 MB). This is a "Vaughn Index" that explains the context and reasons for withholding information from documents in Parts B and C below.
- Part B (2.3 MB). This disclosure contains interesting analysis concerning use of Choicepoint for counterintelligence purposes. It also has a memo evaluating Choicepoint as a provider for information.
- Part C (5.1 MB). This disclosure mainly contains contracting information from the FBI.
Immigration and Naturalization Service
- Release 1 of 1, March 25, 2002. These documents discuss contracts between the agency and ChoicePoint and Dun & Bradstreet. They contain detailed information on what personal information the government can obtain on Latin and Central Americans. There is a discussion of "cloaking," a security measure that protects law enforcement queries from tracking by ChoicePoint.
Internal Revenue Service
- Release 1 of 1, September 10, 2001. These are among the most interesting documents obtained under this FOIA request. The documents discuss the use of ChoicePoint for asset location, and Experian for credit checks on suspected tax evaders. The documents contain a "vision" for 2003 where the IRS would mirror huge amounts of personal information on agency computers in order to perform investigations.
Office of National Drug Control Policy
- Release 1 of 1, February 5, 2002. These documents discuss the agency's suspension of use of a CDB system because the company's founder was suspected of having ties to drug smugglers.
- Part A (228 KB).
United States Marshals Service
- Release 1 of 1, July 30, 2002
- Part A (3.5 MB). These documents contain information on Lexis Nexis and ChoicePoint, including contractor evaluations, and marketing materials from DBT Online to the agency.
- Part B (4.6 MB). These documents contain contracting information.
- Part C (3.2 MB). These documents contain contracting information.
- Part D (3.8 MB). These documents describe an interactive pager service that allows Marshals to obtain ChoicePoint information wirelessly. It contains marketing materials, including newsletters written for law enforcement access to ChoicePoint.
- Part E (5.3 MB). These documents contain marketing materials for ChoicePoint services that show that the company designed the databases for law enforcement. It also contains a document showing that the Marshals service runs 20,000 searches a month.
- Part F (6.6 MB). These documents contain a memorandum of understanding between the Marshals Service and the Department of Justice's Management Division.
- Part G (5 MB). These documents contain contracting information.
- Part H (3 MB). These documents contain invoice summaries, showing that the agency ran between 14,000 and 40,000 ChoicePoint searches a month.
- Part I (2.6 MB). These documents describe ChoicePoint's "linkit" feature that produces graphical representations of relationships in data.
- Part J (61 KB). This document contains a "sole-source" justification for ChoicePoint.
- Brian Bergstein, In this data-mining society, privacy advocates shudder, Seattle Times (AP), January 2, 2004.
- Jim Porter, Law Review: How much information is too much with former employee referrals?, California Sierra Sun, December 31, 2003.
- Mary Lou Pickel, Private eyes fight database company, Atlanta Journal-Constitution, December 18, 2003.
- Firms Dig Deep Into Workers' Pasts Amid Post-Sept. 11 Security Anxiety, Wall Street Journal, March 12, 2002 (subscription required).
- Data Collectors Need Surveillance, Too, Businessweek Magazine, January 24, 2002.
- E-Legal: Uncovering Alleged Government Purchases of Electronic Personal Data, Law.com, January 22, 2002.
- Commercial Database Use Flagged, Federal Computer Week, January 16, 2002.
- My FBI File, Richard Smith Tipsheet, Privacy Foundation, May 11, 2001.
- What They (Don't) Know About You, Wired, May 11, 2001.
- Putting Identity Theft on Ice: Freezing Credit Reports To Prevent Lending to Impostors, in Chander, Radin, Gelman, Securing Privacy in the Internet Age (Stanford University Press Forthcoming 2005).
- Chris Jay Hoofnagle, Big Brother's Little Helpers: How ChoicePoint and Other Commercial Data Brokers Collect, Process, and Package Your Data for Law Enforcement, 29 N.C.J. Int'l L. & Com. Reg. 595 (Summer 2004).
- Daniel J. Solove, Access and Aggregation: Public Records, Privacy, and the Constitution, 86 Minnesota Law Review 6 (2002).
- Daniel J. Solove, Privacy and Power: Computer Databases and Metaphors for Information Privacy (MS Word Format), 53 Stanford Law Review 1393 (2001).
- Roger Clarke, Privacy and 'Public Registers,' May 11, 1997. In this article, Professor Clarke argues that public records should not be treated differently than other files containing personal information.
- Robert Gellman, Public Records: Access, Privacy, and Public Policy, April 21, 1995.
Previous Top News
- LexisNexis Breach Compromises Data on 310,000 Americans. Data broker LexisNexis said today that personal information on 310,000 U.S. citizens may have been stolen in a security breach announced last month. At the time, LexisNexis said the breach only affected 32,000 people. LexisNexis said its databases had been fraudulently breached 59 times using stolen passwords, allowing access to addresses, Social Security numbers, and other sensitive information. This is the latest in a recent string of data breach scandals (pdf) that have affected hundreds of thousands in the U.S. In testimony before Congress (pdf) and the California Senate, EPIC has called for the regulation of data brokers because there is too much secrecy and too little accountability in their business practices. (Apr. 12, 2005)
- EPIC Testifies in California Senate on Choicepoint, Commercial Data Brokers. In testimony to the California Senate Banking Committee, EPIC West director Chris Hoofnagle argued that the Choicepoint affair is a problem of privacy, not security. Even if commercial data brokers could securely sell personal information, that would not address the underlying issue of whether the information should be sold in the first place. EPIC urged California lawmakers to act quickly to limit commercial data brokers' collection and sale of personal information. Choicepoint's testimony (2 MB PDF) detailed the company's business practices and efforts to remedy the sale of information to criminals. (Mar. 30, 2005)
- Model Regime for Commercial Data Brokers a Top Ten Download. The Solove/Hoofnagle approach for addressing commercial data brokers is a top ten download on the Social Science Research Network. The authors have invited and continue to welcome comment on the document. (Mar. 28, 2005)
- Why Choicepoint's Response to Fraud is Inadequate. In light of Choicepoint's sale of personal information to criminals, the company has announced that it "will discontinue the sale of information products that contain sensitive consumer data, including Social Security and driver's license numbers, except where there is a specific consumer-driven transaction or benefit, or where the products support federal, state or local government and criminal justice purposes." This response is inadequate. We explain why in detail below. (Mar. 28, 2005)
- Choicepoint Plays a Shell Game With its Products, Debate Must Focus on Non-FCRA Information Products. The information industry is confusing, and its complexity is allowing Choicepoint wiggle room in debates concerning its products. When asked questions regarding privacy rights, such as access to the profile and correction of errors, the company will describe its products regulated under the Fair Credit Reporting Act (FCRA), such as Choicepoint's employment screening, tenant screening, and insurance reports. But the privacy debate surrounds the company's non-FCRA products, like AutotrackXP and other "public records" reports that Choicepoint sells to law enforcement, businesses, and private investigators. It was these non-FCRA products that probably were sold to criminals who then used them for identity theft purposes. The distinction is crucial, because individuals have very few rights to address unfair practices with the company's non-FCRA products. Accordingly, in December 2004, EPIC urged the FTC to investigate Choicepoint and declare their non-FCRA products to be "consumer reports" under the FCRA. If AutotrackXP were treated as a consumer report, individuals could exercise a series of rights currently unavailable to them. (March 28, 2005)
- Groups Urge FTC to Reevaluate FTC's Position on Choicepoint. EPIC and a coalition of privacy and consumer groups urged (pdf) Federal Trade Commission Chair Majoras to reevaluate the agency's position on commercial data brokers, as it was "very much in line with the views of the companies testifying before Congress, which had leaked or sold data to criminals, but was very far from the views expressed by consumer and privacy groups." The groups noted that the FTC itself contributed to current information privacy problems by approving self-regulatory principles authored by companies like Choicepoint and by allowing the sale of "credit headers" without privacy protections. The groups have called upon the FTC to "correct these extraordinary policy blunders and urge the application and enforcement of Fair Information Practices (FIPs) to the commercial data broker industry..." (Mar. 17, 2005)
- EPIC Introduces EPIC FOIA Notes, 2005 FOIA Gallery. In celebration of Freedom of Information Day, EPIC has launched EPIC FOIA Notes, a newsletter that will deliver the latest revelations EPIC obtains through the FOIA. You can view the first EPIC FOIA Note--which reports formerly classified documents showing that ChoicePoint assured the FBI it could verify legitimate businesses--and subscribe to the newsletter here. EPIC is also proud to introduce its 2005 FOIA Gallery, which contains highlights and scanned images of some of EPIC's FOIA disclosures from the past year. (Mar. 16, 2005)
- EPIC Testifies in Congress, Calls for Regulation of ChoicePoint. EPIC Executive Director Marc Rotenberg urged (pdf) lawmakers to regulate ChoicePoint and other data brokers in testimony today before a House subcommittee on consumer protection. Rotenberg testified that there is too much secrecy and too little accountability in the business dealings of data brokers, and the ChoicePoint debacle underscores the need for federal regulation of the information broker industry. ChoicePoint recently admitted (pdf) that it had sold personal information on 145,000 people to a criminal ring involved in identity theft. (Mar. 15, 2005)
- ChoicePoint Self-Regulation Fails; Proposal Made to Provide Privacy, Accountability. Years ago, ChoicePoint agreed to a set of self-regulatory principles to avoid privacy regulation created by the industry-supported Individual References Services Group (IRSG). The principles offered little real privacy (pdf) as ChoicePoint opted out from giving people the right to control their data. Professor Dan Solove and Chris Hoofnagle have proposed a framework for addressing commercial data brokers as the Senate Banking Committee begins hearings to discuss ChoicePoint. (Mar. 9, 2005)
- 32,000 Americans at Risk After Data Broker's Security Breach. Data broker LexisNexis announced today that its subsidiary, Seisint, may have allowed criminals to access sensitive information on 32,000 U.S. citizens, including names, addresses, Social Security and driver's license numbers. Seisint is also responsible for the Multistate Anti-Terrorism Information Exchange Program (MATRIX), a controversial law enforcement data mining program that has floundered in recent months due in part to privacy concerns. Seisint's security breach comes just weeks after it was revealed (pdf) that data broker ChoicePoint sold data on 145,000 people to a criminal ring engaged in identity theft, and Bank of America announced that data tapes containing personal information on 1.2 million federal employees were either stolen or lost in late December. For more information, see EPIC's Financial Privacy page. (Mar. 9, 2005)
- ChoicePoint Also Sold Personal Data to Identity Thieves in 2002. The Los Angeles Times reported that ChoicePoint, which recently admitted it had sold personal information on 145,000 Americans to identity thieves, also sold such information on at least 7,000 people to identity thieves in 2002. Last week, EPIC urged the data broker to make available to the recent victims the information that was sold to the crime ring. ChoicePoint has not yet disclosed this information. In its latest letter (pdf) to the victims, ChoicePoint merely states that information such as "name, address or Social Security number" may have been accessed by the criminals. (Mar. 3, 2005)
- UPDATE - EPIC Urges Choicepoint to Give Victims Access to Records, Turn Over Profits From Bogus Sales. In a letter to the Choicepoint CEO, EPIC today urged the company to "make available to the 145,000 people the information that was sold by your company last fall to the crime ring." EPIC also urged Choicepoint to "disgorge the funds that you obtained from the sale of the data and make these funds available to the individuals who will suffer from identity theft as a result of this disclosure." EPIC concluded that "your recent security breach demonstrates the profound importance of having the Choicepoint AutoTrackXP and Customer Identification Programs databases regulated by the Fair Credit Reporting Act." (Feb. 19, 2005)
- Choicepoint Snafu Widens. Commercial data broker Choicepoint has wrongfully disclosed information on more than 145,000 Americans. The warning letters sent by the company to California residents indicate that individuals are subject to a heightened risk of identity theft. In December 2004, EPIC urged the Federal Trade Commission to initiate an investigation of Choicepoint and the data broker industry under the Fair Credit Reporting Act. News of the breach has sparked calls to extend the California notice law to all states and for credit freeze legislation. (Feb. 16, 2005)
- Criminals Gain Access to Choicepoint Databases. Bob Sullivan has reported that commercial data broker Choicepoint issued notices to over 30,000 California residents that their personal information may have been accessed by criminals with access to Choicepoint's information products. Individuals outside California may have been affected too, but the company is not obligated to disclose security breaches to residents of other states. As recently as two weeks ago, EPIC again warned the Federal Trade Commission about unjustified access to commercial databases and questioned the adequacy of Choicepoint's auditing procedures. For more information, see EPIC's Choicepoint Page. (Feb. 15, 2005)
- EPIC Supplements Data Broker Filings. In a follow up letter to the Federal Trade Commission, EPIC supplemented earlier filings that requested that the agency investigate commercial data brokers for compliance with the Fair Credit Reporting Act. The letter points to recent news reporting that characterizes commercial data broker Choicepoint as a "private intelligence service," and a recent television broadcast showing private investigators using a commercial data broker without legal justification. (Feb. 1, 2005)
- EPIC Challenges Choicepoint to Public Hearings on Consumer Privacy. EPIC has called for hearings in Congress and before the Federal Trade Commission on the need for new privacy protections for American consumers. In a December 16, 2004 complaint to the Federal Trade Commission, EPIC urged the Commission to determine whether Choicepoint, a large information broker, complies with federal privacy law and also whether it will be necessary to update the laws. Choicepoint disputed EPIC's charges but said it favored a national debate. Let the debate begin. (Jan. 5, 2005)
- EPIC Seeks Investigation of ChoicePoint, Data Brokers. In a letter to the Federal Trade Commission, EPIC has urged the agency to investigate ChoicePoint and other data brokers for compliance with the federal Fair Credit Reporting Act. The letter argues that Choicepoint and its clients have performed an end-run around the FCRA, and sell personal information to law enforcement, private investigators, and businesses without substantive or procedural privacy protections. (Dec. 16, 2004)
- Court Rules Secret Contract Subject to FOIA. A federal court has held (pdf) that a classified contract between the Federal Bureau of Investigation and ChoicePoint, a commercial data broker, is subject to the Freedom of Information Act. The court also rejected the FBI's request for a two-year delay for review of the contract. EPIC has obtained over 1,500 documents about ChoicePoint under FOIA, and Associate Director Chris Hoofnagle recently published a law journal article analyzing the documents. (Aug. 24, 2004)
- Staff Publication: Big Brother's Little Helpers. EPIC Associate Director Chris Hoofnagle has published Big Brother's Little Helpers: How ChoicePoint and Other Commercial Data Brokers Collect, Process, and Package Your Data for Law Enforcement (PDF), in the University of North Carolina Journal of International Law and Commercial Regulation. The article summarizes over 1,500 documents obtained by EPIC on ChoicePoint and commercial databrokers, and concludes that companies that routinely sell personal information to the government should be subject to the Privacy Act. (Aug. 2004)