Introduction and Background
ChoicePoint is an Alpharetta, Georgia-based company that sells information in three markets–insurance, business and government, and marketing. According to a recent quarterly statement filed at the Security and Exchange Commission, ChoicePoint sells: “claims history data, motor vehicle records, police records, credit information and modeling services…employment background screenings and drug testing administration services, public record searches, vital record services, credential verification, due diligence information, Uniform Commercial Code searches and filings, DNA identification services, authentication services and people and shareholder locator information searches…print fulfillment, teleservices, database and campaign management services…”
ChoicePoint has managed to attain a large share of the commercial data broker (CDB) market with strategic purchases of other businesses. Since its spinoff from Equifax in 1997, ChoicePoint has acquired a number of information collection and processing companies. These include:
National Data Retrieval, Inc., a provider of public records information; List Source, Inc., d/b/a Kramer Lead Marketing Group, a marketing company in the life and health insurance and financial services markets; Mortgage Asset Research Institute, Inc., a mortgage fraud monitoring company; Identico Systems, LLC, a customer identity verification company; Templar Corporation; insuranceDecisions, Inc., an insurance industry claims administration company; Bridger Systems, Inc., a USA PATRIOT Act compliance company; CITI NETWORK, Inc. d/b/a Applicant Screening and Processing, a tenant screening company; TML Information Services, Inc., a provider of motor vehicle reports; Drug Free, Inc., a drug testing company; National Drug Testing, Inc., a drug testing company; Application Profiles, Inc., a background check company; Informus Corporation; a company enabling ChoicePoint to offer products online; Tyler-McLennon, Inc., a background screening company; ChoicePoint Direct Inc., formerly known as Customer Development Corporation, a database marketing company; EquiSearch Services, Inc.; DATEQ Information Network, Inc., an insurance underwriting services company; Washington Document Service, Inc., a court record retrieval service; DataTracks Technology, Inc., a public record information company; DataMart, Inc., a database software company; Statewide Data Services, Inc; NSA Resources, Inc., a drug testing company; DBT Online, Inc., a public record services provider; RRS Police Records Management, Inc., a provider of police reports and related services; VIS’N Service Corporation; Cat Data Group, LLC; Drug Free Consortium, a drug testing company; BTi Employee Screening Services, Inc., an employee pre-screening services company; ABI Consulting Inc., a drug screening company; Insurity Solutions, Inc., an insurance rating company; National Medical Review Offices, Inc.; Bode Technology Group, Inc., a DNA identification company; Marketing Information & Technology, Inc., a direct marketing company; Pinkerton’s, Inc., a preemployment screening company; Total eData Corporation, an e-mail database company; L&S Report Service, Inc., a provider of police records; Resident Data, Inc., a residential screening services provider; Vital Chek Network, Inc., a provider of vital records; Accident Report Services, Inc., a provider of police records; Programming Resources Company, insurance software company; Professional Test Administrators, Inc., a drug testing company; CDB Infotek, a seller of public records; Medical Information Network, LLC, an online physician verification service; and Rapsheets.com, an online provider of criminal records data.
An April 13, 2001 article in the Wall Street Journal reported that profiling company ChoicePoint provided personal information to at least thirty-five government agencies. EPIC has filed a series of Freedom of Information Act requests to determine the nature and amount of information sold to government. To date, EPIC has determined that ChoicePoint has several multi-million dollar contracts with law enforcement agencies to sell personal data.
ChoicePoint sells a wide array of information to the government, including:
- Credit headers, a list of identifying information that appears at the top of a credit report. This information includes name, spouse’s name, address, previous address, phone number, Social Security number, and employer.
- “Workplace Solutions Pre-Employment Screening,” which includes financial reports, education verification, reference verification, felony check, motor vehicle record, SSN verification, and professional credential verification.
- Asset Location Services.
- The ability to engage in “wildcard searches,” which allows law enforcement to “obtain a comprehensive personal profile in a matter of minutes” with only a first name or partial address.
- The use of “Soundex” queries, which allow searches on personal information based on how names sound, rather than how they are spelled.
- Information on neighbors and family members of a suspect.
ChoicePoint’s AutoTrackXP is one of the most favored CDB products. It provides an interface for additional data points, including:
- Linkage services, which draw graphical relationships between suspects and other addresses, neighbors, and Social Security Numbers.
- Public records, including Social Security Death Master Filings, bookings and arrests, liens, judgments, and bankruptcies.
- Licenses, including drivers, pilots, and professional credentials.
- Lists of residents of Georgia, New York, and Ohio.
- National real-time phone directories and reverse look up services.
- Business information, compiled nationwide from Secretaries of State.
- “SmartSeach,” a tool that allows broad wildcard searches: “There may be thousands of Jane Does, but there’s probably only one Jane Doe who’s between 25 and 30 and lives on the upper west side of Manhattan. SmartSearch makes it possible to find that one.”
- U.S. Military Personnel.
- Boat owners.
At Privacy International’s Big Brother Award ceremony held in Cambridge, MA on March 7, 2001, ChoicePoint received the “Greatest Corporate Invader” award “for massive selling of records, accurate and inaccurate to cops, direct marketers and election officials.” At Privacy International’s Big Brother Award ceremony held in Seattle, Washington in April 2005, ChoicePoint received the “Lifetime Menace Award” for its continued efforts to build dossiers on individuals.
- ChoicePoint, a profiling company. ChoicePoint operates a number of websites devoted to law enforcement access to personal information, including ChoicePoint Online for the FBI, ChoicePoint Online for the INS, ChoicePoint Online for HUD, and ChoicePoint Online for the Government.
- Security and Exchange Commission Information on ChoicePoint.
- ChoicePoint’s Big Brother Award, Privacy International, 2001.
- FBI’s Reliance on the Private Sector Has Raised Some Privacy Concerns, Wall Street Journal, April 13, 2001 (subscription required).
- FBI turns to private sector for data, MSNBC.com (WSJ), April 13, 2001.
- How ChoicePoint serves up your personal info to the FBI, Declan McCullagh’s politechbot.com, April 13, 2001.
FTC Investigation of Choicepoint
The Federal Trade Commission (FTC) is conducting an investigation of Choicepoint and other commercial data brokers, in part based on a complaint that EPIC filed at the agency in December 2004. In that complaint, Chris Jay Hoofnagle and Daniel J. Solove urged the agency to investigate the compilation and sale of personal dossiers by data brokers such as ChoicePoint. EPIC argued that the dossiers may constitute “consumer reports” for purposes of the Fair Credit Reporting Act, thus subjecting both the information seller and the buyer to regulation under the Act. Furthermore, EPIC argued that it is incumbent upon the Commission to analyze whether the sale of these dossiers circumvents the Act, giving businesses, private investigators, and law enforcement access to data that previously had been subjected to Fair Information Practices.
Some dossier products, such as the company’s AutoTrackXP report, are sold without complying with the substantive and procedural protections in the Fair Credit Reporting Act, a 1970 law that broadly regulates the compilation, use, and dissemination of “consumer reports.”
AutoTrackXP reports contain Social Security Numbers; driver license numbers; address history; phone numbers; property ownership and transfer records; vehicle, boat, and plane registrations; Uniform Commercial Code filings; financial information such as bankruptcies, liens, and judgments; professional licenses; business affiliations; “other people who have used the same address of the subject,” “possible licensed drivers at the subject’s address,” and information about the data subject’s relatives and neighbors. They are similar in scope and in use to standard credit reports normally protected by the Act. By selling them without the Act’s protections, ChoicePoint is subverting the policy goals of federal information privacy law.
EPIC argued that companies like ChoicePoint are returning people to a pre-Fair Credit Reporting Act era, one marked by “unaccountable data companies that reported inaccurate, falsified, and irrelevant information on Americans, sometimes deliberately to drive up the prices of insurance or credit.
Later in December 2004, Choicepoint answered the EPIC letter, disputed charges, and called for a national debate. EPIC responded by challenging the company to a public debate.
In February 2005, EPIC supplemented the Choicepoint complaint. The supplemental letter raises three additional issues relevant to the rise of commercial data brokers. First, an article written by Robert O’Harrow Jr. of the Washington Post quoted Choicepoint representatives saying that the company acts like an “intelligence agency” and that the data industry should be subject to new regulations because of how personal information is being used. O’Harrow’s article demonstrated the reliance on commercial data brokers for decision-making, and the growing importance that the brokers’ data be accurate and their
practices accountable to the public.
Second, the letter included a dialogue from Declan McCullagh’s Politechbot.com mailing list concerning the December 2004 complaint. A list message from a private investigator who uses Choicepoint noted that the company maintains an audit trail of clients who access personal information. The EPIC letter points out that law enforcement users are not subject to the audit trails, and that EPIC is unaware of a single case where a commercial data broker has turned in a user for prosecution as a result of an audit showing prohibited use of the service.
Last, the letter included a transcript of a recent television broadcast, “Someone’s Watching,” that aired on Dec. 18, 2004, on the Discovery Times Channel. The broadcast shows two private investigators using a commercial data broker to access a stranger’s Social Security Number, employment details, and other information without any legal justification.
Also in February 2005, Choicepoint announced that the company sold personal information on at least 145,000 Americans to a criminal ring engaged in identity theft. EPIC urged the company to make available to those whose personal information was negligently disclosed the same information made available to the crooks. “It is not only a matter of fairness, but also a critical public safety concern that these individuals have in their possession the same information about them that you gave to criminals,” said the February 18 letter from EPIC.
California police have reported that the criminals used the ChoicePoint data to make unauthorized address changes on at least 750 people, and investigators believe that personal information of up to 400,000 people nationwide may have been compromised.
- Initial Complaint to the Federal Trade Commission, December 16, 2004.
- Choicepoint Letter Disputing EPIC’s Claims, December 29, 2004.
- EPIC update to the complaint to the Federal Trade Commission, February 1, 2005.
- EPIC letter calling upon Choicepoint to give victim access to their dossiers, February 18, 2005.
In an article forthcoming in the University of Illinois Law Review, Daniel Solove and Chris Hoofnagle argue that Choicepoint’s response to security problems is inadequate:
In light of Choicepoint’s sale of personal information to criminals, the company has announced that it, “will discontinue the sale of information products that contain sensitive consumer data, including Social Security and driver’s license numbers, except where there is a specific consumer-driven transaction or benefit, or where the products support federal, state or local government and criminal justice purposes.”
We think ChoicePoint’s reforms are inadequate to address the privacy implications of the commercial data broker industry. First, ChoicePoint’s reforms do not bind the company’s competitors, and so other commercial data brokers can continue to sell SSNs and other personal information. Jonathan Krim reported recently that, “So far, neither those moves nor revelations of a series of breaches at major banks and universities has curbed a multi-tiered and sometimes shadowy marketplace of selling and re-selling personal data that is vulnerable to similar fraud.”
Second, Choicepoint is still going to sell its unregulated “public records” reports to small businesses, albeit with the SSN or driver license “truncated.” Large businesses and law enforcement will still be able to obtain the full report with sensitive information. It is not clear how the SSN will be truncated. Some companies obscure the first five digits, while others block the last four. Without a full redaction of the SSN, small businesses it may be able possible to “reverse-engineer” the system, and obtain the full identifier. Why not completely eliminate the SSN from the report, rather than truncate it and risk that the user can piece the SSN together from several sources?”
Third, these public records reports sold by Choicepoint have been shown to be highly inaccurate. According to a report by Pam Dixon of the World Privacy Forum, Choicepoint’s public information reports have a very high error rate. In her sample, 90% of the reports obtained contained errors; frequently these errors were serious, such as individuals being identified by the wrong sex. Dixon’s initial findings are supported by anecdotal stories of other individuals who have obtained their unregulated ChoicePoint reports. Elizabeth Rosen, a victim of the Choicepoint privacy breach, found that five of the six pages of her report contained errors. Rosen’s report erroneously indicated that she was the officer of businesses in Texas, that she maintained a private mail box at “Mailboxes Etc.,” and that she owned businesses, including a “Zach’s Cheese and Deli.” Privacy researcher Richard Smith obtained his Choicepoint report and wrote that his report “contain[ed] more misinformation than correct information.” Deborah Pierce’s National Comprehensive Report from ChoicePoint falsely indicated a “possible Texas criminal history.”
Fourth, individuals will have access, but not correction rights with respect to Choicepoint’s unregulated public information reports. Choicepoint claims that they can’t cannot correct these reports because they are generated from public records. However, this claim is deceptive–the problem is that Choicepoint is mixing up public record information between individuals. The public records are correct, but they are attached to people to whom they do not pertain. As mentioned earlier, Deborah Pierce’s Choicepoint report indicated that she might have a criminal record in Texas. The criminal record itself may be accurate, but the record does not pertain to Deborah Pierce.
Fifth, nothing binds Choicepoint to its promise to maintain its reformed policies. In recent years, many large companies including eBay.com, Amazon.com, drkoop.com, and yahoo.com changed users’ privacy settings or altered privacy policies to the detriment of users. Choicepoint is legally in a better position to renege on its promises, as it does not acknowledge a direct relationship with consumers that could be the basis of a legal action. Choicepoint’s “consumers” are the businesses that buy data from the company.
Sixth, Choicepoint still is reserving the right to sell “sensitive” personal information to businesses in a large number of contexts. Choicepoint’s release states that sensitive information will be sold to “[s]upport consumer-driven transactions where the data is needed to complete or maintain relationships . . .[p]rovide authentication or fraud prevention tools to large, accredited corporate customers where consumers have existing relationships . . . [a]ssist federal, state and local government and criminal justice agencies in their important missions.” These categories articulated by Choicepoint are broad and ill-defined. What specifically falls under “consumer-driven transactions”? When is data “needed to complete or maintain relationships?” Under this standard, Choicepoint can decide what a consumer benefit is. In the past, Choicepoint has broadly defined (pdf) “consumer benefit,” explaining that the company would not let people opt-out of information sale because, “[w]e feel that removing information from these products would render them less useful for important business purposes, many of which ultimately benefit consumers.” Simply put, Choicepoint’s idea of what benefits consumers differs from what consumers and consumers advocates think benefits them.
Seventh, the Choicepoint policy allows the company to sell full reports for anti-fraud purposes. While in theory this exception seems appropriate, almost any transaction can have some fraud risk. If a broad fraud exemption is maintained, it will allow the sale of reports even when the fraud risk is minimal or a proxy for wishing to collect information for some other purpose.
Finally, Choicepoint’s proposal does not at all limit sale of personal information to law enforcement. The company continues to sell personal information to 7,000 federal, state, and local law enforcement agencies.
Commercial Data Brokers Grilled at California Hearing
California State Senator Jackie Speier put Choicepoint, LexisNexis, and Acxiom in the hot seat in a hearing before the State’s Senate Banking Committee on Wednesday, March 30, 2005. Speier, who chairs the committee, asked a series of hard-hitting questions, probing why the company did not disclose their data breach sooner and how Choicepoint’s systems could be fooled by relatively unsophisticated criminals. For some time, Choicepoint’s has used fear to promote its business model, saying that the company prevents predators from harming children and that many missing children have been found with the company’s database. But Speier wasn’t fooled by the company’s public relations strategy–she asked Choicepoint what percentage of their actual business comprised finding lost children. Choicepoint could not immediately answer the question.
Speier also expressed skepticism concerning the data brokers’ definition of “sensitive” information, which means Social Security Numbers and drivers license numbers. However, when these same identifiers appear in public records, LexisNexis not consider them sensitive, and sells them without restriction. Speier remarked that the identifiers were “indeed sensitive to most people in this nation…[the commercial data brokers’ definition of “sensitive”]…doesn’t reflect reality.”
The hearing began with testimony from Elizabeth Rosen, a California nurse whose information was sold to criminals by Choicepoint. Rosen explained in detail her frustration with Choicepoint, because the company would not provide her with her full profile. A portion of her file that she did receive had errors on almost every page, including multiple incorrect addresses; that she owned companies, including a deli; and that she maintained a box at Mailboxes Etc. Senator Lowenthal asked Choicepoint why the company wouldn’t give Rosen the same information the company sold to criminals, but the Choicepoint representative wouldn’t directly answer the question.
EPIC’s testimony before the committee focused on three issues. First, EPIC emphasized that the legislature should approach the commercial data broker issue primarily as a privacy problem rather than a security issue. Even if Choicepoint and other sold personal information in a secure way, the base problem is that the company continues to sell personal information to a wide variety of businesses without providing individuals with substantive rights.
Second, EPIC highlighted the difference between Choicepoint’s regulated information services, such as employment and tenant screening services, and the company’s non-regulated “public records” reports. It is the unregulated reports that are being abused, and legislative attention should be focused on these information products. EPIC warned legislators that Choicepoint plays a “shell game” with their products–Choicepoint doesn’t always specify in policy debates whether they are discussing their regulated or unregulated reports, thus confusing the public and lawmakers.
Finally, EPIC suggested that California legislators take swift action to address databrokers following a scheme authored by George Washington University Law School Professor Daniel Solove and EPIC’s Chris Hoofnagle.
At the hearing, ChoicePoint Vice President for Data Acquisition and Strategy, Don McGuffey, testified that:
“Approximately 60 percent of ChoicePoint’s business is driven by consumer initiated transactions, most of which are regulated by the FCRA. Consumer driven transactions include not only pre-employment screening and insurance underwriting services, but also include tenant screening services, facilitating the delivery of vital records to consumers and the delivery of public filings for Title Insurance. These transactions are conducted as a result of a transaction initiated by the consumer.
“Nearly nine percent of ChoicePoint’s business is related to Marketing Services, none of which include the distribution of personally identifiable information, but even so, are regulated by state and federal “do not mail” and “do not call” legislation.
“About five percent of ChoicePoint’s business is the distribution of data to support local and federal law enforcement agencies in pursuit of their mission.
“Nearly six percent of our business supports law firms, financial institutions and general business to help mitigate risk through data and authentication solutions including litigation support and providing information needed to collect lawful debts.
“The final 20 percent of our business sells software and technology services that do not include the distribution of personally identifiable information.
Choicepoint apologized for selling personal information to criminals, and announced a series of reforms. The company is no longer going to sell “sensitive” personal information to small businesses. The company will still sell its full reports to big businesses and federal, state, and local law enforcement agencies (Choicepoint estimates that it has 100,000 clients, including contracts with 7,000 law enforcement agencies). Small businesses will still be able to buy Choicepoint reports, but it appears that Social Security Numbers will be truncated in some fashion. The company also announced that they are working on a system to provide access to all if its information products. However, individuals will not be able to correct their “public records” reports. Choicepoint also announced that the company could automatically redact SSNs that appear in public records.
Pam Dixon of the World Privacy Forum gave a preview of a report on commercial data brokers that reveals a very high error rate in personal information reports. In her sample, 90% of the reports obtained contained errors; frequently these errors were serious, such as individuals being identified by the wrong sex. Dixon also warned legislators that companies are using “anti-fraud” loopholes in privacy law to justify expansive information use.
ChoicePoint Sells Personal Information on Latin Americans to the American Government
In April 2002, EPIC obtained documents under FOIA that indicated that the Immigration and Naturalization Service (INS) had purchased personal information from the national ID databases of several Latin American countries. ChoicePoint, a data brokerage company, has a contract with INS to provide citizen registry, motor vehicle, and other information for Brazil, Argentina, Mexico, Columbia, and Costa Rica.
In April 2003, Jim Krane of the Associated Press wrote an article about the sale of this information that ran in newspapers internationally. From there, the documents sparked inquiries in Mexico and other Central and South American countries regarding the sale of foreign citizens’ personal information to the US government by information broker ChoicePoint.
Latin American privacy experts claim that the acquisition of the information by ChoicePoint may have been illegal, and that the sale infringes on national sovereignty. Costa Rican, Nicaraguan, and Mexican authorities have decided to investigate the matter, and the Mexican Federal Electoral Institute filed a criminal complaint against persons who have sold voter data to ChoicePoint.
One group of documents obtained from the Immigration and Naturalization Service (INS) shows that ChoicePoint offered a contract for unlimited direct access to international databases for a $1 million fee. Other documents obtained from the Department of Justice Management Division show that the agency entered into an $11 million contract with ChoicePoint for fiscal year 2002.
- Mexico claims ChoicePoint stepped across the line, Atlanta Journal Constitution, April 27, 2003.
ChoicePoint’s Subsidiary, DBT, Scrubbed Many Eligible Voters from the Florida Election Rolls in 2000
Investigative reporter Greg Palast has extensively covered the sale of personal information by ChoicePoint’s subsidiary, DBT Online, to the Florida government. The information was used to scrub voter rolls of ineligible voters–individuals who had committed felonies. Palast found that DBT’s records contained numerous errors, resulting in the exclusion of many voters. Most of the excluded voters were poor or minorities.
- Adam C. Smith, No telling if voter rolls are ready for 2004: In 2000, some people were mistakenly labeled felons and denied voting rights. Despite three years of reform efforts, inconsistencies and obstacles remain, December 21, 2003.
- Botched Name Purge Denied Some the Right to Vote, Washington Post, May 31, 2001.
- Greg Palast, Ex-Con Game, How Florida’s “Felon” Voter-Purge Was Itself Felonious, Harper’s Magazine, March 2002, p. 48-49.
- Greg Palast, The Best Democracy Money Can Buy, Pluto Press (2002).
- Florida’s flawed “voter-cleansing” program, Salon.com, December 4, 2000.
In May 2003, Rabbi Joel Levine brought suit in the U.S. District Court for the Southern District of Florida against ChoicePoint for violation of the Driver’s Privacy Protection Act (DPPA). (Levine v. ChoicePoint, No. 03-80491.) That law requires that a state obtain express consent from an individual before motor vehicle department records can be sold for direct marketing or other purposes. Levine alleged that ChoicePoint knowingly obtained personal information from the Florida department of motor vehicles for resale to others, in violation of the DPPA. A similar suit was brought against Lexis-Nexis. (Levine v. Reed Elsevier, No. 03-80490). Levine voluntary dismissed both suits, and the cases were closed in 2003.
A similar action was filed on May 29, 2003 titled Brooks, et al v. Auto Data Direct, et al, No. 03-61063. That action alleges violations of the DPPA against ChoicePoint, company’s subsidiaries, and a number of other private-sector data sellers, including Experian, Polk, Seisint, Acxiom, and Reed Elsevier.
Documents filed in a federal lawsuit in March 2003 in the Northern District of Georgia indicate that ChoicePoint is constructing a “Central Biometric Authority.” According to the complaint filed by International Biometric Group and ChoicePoint’s answer, the central biometric authority is intended to perform “secure and standardized acquisition, matching, and indexing of biometric data.” This biometrics database appears to be in development for ChoicePoint’s expanding employee and volunteer background check services.
Senator Ron Wyden (D-OR) has introduced 108 S. 1484, the Citizens’ Protection in Federal Databases Act. The bill would require the Departments of Justice, Defense, Homeland Security, Treasury, Central Intelligence Agency, and the Federal Bureau of Investigation to submit a report to Congress on use of private-sector databases, or lose funding for purchasing personal information from companies such as ChoicePoint and Lexis-Nexis.
- Dan Christensen, Major Information Brokers Face Class Action for Invasion of Privacy, Miami Daily Business Review, June 24, 2003.
- Complaint in Levine v. ChoicePoint, No. 03-80491 (S.D. Fla. 2003).
- Complaint in International Biometric Group v. ChoicePoint, 03-0831 (N.D. Ga. 2003).
- Answer in International Biometric Group v. ChoicePoint, 03-0831 (N.D. Ga. 2003).
- 108 S. 1484, Citizens’ Protection in Federal Databases Act, THOMAS Database.
On June 22, 2001, EPIC submitted Freedom of Information Act requests to the Department of Justice, Federal Bureau of Investigation, United States Marshals Service, Drug Enforcement Agency, Immigration and Naturalization Service, Internal Revenue Service, and to the Bureau of Alcohol, Tobacco, and Firearms for agency records relating to “transactions, communications, and contracts concerning businesses that sell individuals’ personal information.” Months later, many of the agencies had not responded. Accordingly, on January 14, 2002 EPIC brought suit in the U.S. District Court for the District of Columbia against the Department of Justice and the Department of the Treasury. This case is still being litigated. It is currently styled Electronic Privacy Information Center v. Dep’t of Justice et al., No. 1:02cv0063 (CKK)(D.D.C.).
- EPIC Complaint in EPIC v. Dept. of Justice et. al.
- Press release in EPIC v. Dept. of Justice et. al., January 15, 2002.
- FBI’s Reliance on the Private Sector Has Raised Some Privacy Concerns, Wall Street Journal, April 13, 2001 (subscription required).
- FBI turns to private sector for data, MSNBC.com (WSJ), April 13, 2001.
EPIC has obtained FOIA documents from nine different agencies concerning ChoicePoint. All of the documents provided by the government are scanned in PDF format below.
Bureau of Alcohol, Tobacco, and Firearms
- Release 1 of 1, April 9, 2002. This material is largely contracting documents between the agency and DBT Online and Lexis Nexis.
Drug Enforcement Agency
- Release 1 of 1, July 3, 2002. This material is largely contracting documents between the agency and ChoicePoint. It contains one document where the DEA agrees to comply with the Gramm-Leach-Bliley Act.
- Part A (2.3 MB).
Department of Justice
- Release 1 of 3, August 14, 2002. These documents contain detailed information on what information is available to the government through ChoicePoint.
- Part A (1.5 MB).
- Release 2 of 3, December 13, 2002. This is a memo discussing a “Report of Investigation into Misconduct Allegations…Concerning Unauthorized Disclosure of Information.”
- Part A (1.5 MB).
- Release 3 of 3, October 8, 2003. These highly redacted documents discuss a memorandum regarding ChoicePoint.
- Part A (575 KB).
Department of State
- Release 1 of 3, November 3, 2003. A series of news articles that were collected by the agency to track outrage in Mexico and other countries over the sale of personal information by ChoicePoint.
- Part A (1.8 MB).
- Release 2 of 3, December 3, 2003. These documents contain a cable from the American Embassy in Mexico to several different government agencies warning that a “potential firestorm may be brewing” as a result of sale of personal information by ChoicePoint.
- Part A (218 KB).
- Release 3 of 3, February 2, 2004. These documents discuss public relations strategies for the American Embassy to counter public anger surrounding the release of personal information of Latin Americans to ChoicePoint.
- Part A (1.3 MB).
Federal Bureau of Investigation
- Release 1 of 4, January 31, 2002.
- Part A (3.3 MB). These documents reference a secret, sole-source contract between ChoicePoint and the Federal Bureau of Investigation’s Criminal Investigative Division.
- Part B (2.4 MB). These contracting documents contain discussions of the definition of “public source information,” and negotiations regarding a non-disclosure agreement between the agency and ChoicePoint.
- Part C (2.7 MB). These contracting documents specify that ChoicePoint employees who have access to a developing FBI facility be cleared to receive “secret” level information.
- Part D (2.7 MB). These contracting documents discuss a FBI facility used with ChoicePoint located somewhere in Northern Virginia.
- Part E (2.3 MB). Handwritten notes and other documents describing the non-disclosure agreement.
- Release 2 of 4, April 30, 2002.
- Part A (4 MB). These documents contain a memo titled: “Guidance Regarding the Use of ChoicePoint for Foreign Intelligence Collection or Foreign Counterterrorism Investigations.” It analyzes law enforcement use of ChoicePoint in the context of federal privacy laws and the Attorney General’s Guidelines. The memorandum rationalizes use of private-sector databases as the “least intrusive means” of collecting personal information and concludes that ChoicePoint can be used for foreign intelligence and counterintelligence investigations. A presentation titled “The FBI’s Public-Source Information Program Fact Versus Fiction” highlights the agency’s access to property records, professional licenses, news articles, driver and DMV records, census records, and credit headers. It lists ChoicePoint, Westlaw, Lexis Nexis, Dun and Bradstreet, and credit reporting agencies as sources for this information. Reliance on these databases has increased by 9600 percent since 1992, according to the presentation. However, one unnamed credit reporting agency is no longer selling credit header information to law enforcement.
- Part B (473 KB). These documents are heavily redacted.
- Part C (2.8 MB). These documents are heavily redacted.
- Release 3 of 4, March, 2005.
- Part A (2.29 MB). These documents include: 1) a 34-slide Choicepoint powerpoint presentation titled, “A Partnership for the New Millennium.” The entire presentation, except for slides that only have a Choicepoint logo, have been redacted by the FBI. 2) A brochure discussing Choicepoint’s ability to detect fraudulent businesses. 3) A Choicepoint report discussing information collection, including e-mail account information, employment screening, driver records, drug testing, military documents, voter registration information, and marketing information. 4) A Choicepoint report discussing Social Security Numbers.
- Part B (1.5 MB). A 34-page memo discussing the types of business information that may be available to Choicepoint.
- Part C (1.3 MB). A 24-page memo on “The Information Industry,” entirely redacted; a memo discussing international data; a memo discussing drug testing in detail; and an announcement of the FBI’s access to Choicepoint.
- Release 4 of 4, February 2006.
- Part A (1.1 MB). This is a “Vaughn Index,” that explains the context and reasons for withholding information from documents in Part B and C below.
- Part B (2.3 MB). This disclosure contains interesting analysis concerning use of Choicepoint for counterintelligence purposes. It also has a memo evaluating Choicepoint as a provider for information.
- Part C (5.1 MB). This disclosure mainly contains contracting information from the FBI.
Immigration and Naturalization Service
- Release 1 of 1, March 25, 2002. These documents discuss contracts between the agency and ChoicePoint and Dun & Bradstreet. They contain detailed information on what personal information the government can obtain on Latin and Central Americans. There is a discussion of “cloaking,” a security measure that protects law enforcement queries from tracking by ChoicePoint.
Internal Revenue Service
- Release 1 of 1, September 10, 2001. These are among the most interesting documents obtained under this FOIA request. The documents discuss the use of ChoicePoint for asset location, and Experian for credit checks on suspected tax evaders. The documents contain a “vision” for 2003 where the IRS would mirror huge amounts of personal information on agency computers in order to perform investigations.
Office of National Drug Control Policy
- Release 1 of 1, February 5, 2002. These documents discuss the agency’s suspension of use of a CDB system because the company’s found was suspected of having ties to drug smugglers.
- Part A (228 KB).
United States Marshals Service
- Release 1 of 1, July 30, 2002
- Part A (3.5 MB). These documents contain information on Lexis Nexis and ChoicePoint, including contractor evaluations, and marketing materials from DBT Online to the agency.
- Part B (4.6 MB). These documents contain contracting information.
- Part C (3.2 MB). These documents contain contracting information.
- Part D (3.8 MB). These documents describe an interactive pager service that allows Marshals to obtain ChoicePoint information wirelessly. It contains marketing materials, including newsletters written for law enforcement access to ChoicePoint.
- Part E (5.3 MB). These documents contain marketing materials for ChoicePoint services that show that the company designed the databases for law enforcement. It also contains a document showing that the Marshals service runs 20,000 searches a month.
- Part F (6.6 MB). These documents contain a memorandum of understanding between the Marshals Service and the Department of Justice’s Management Division.
- Part G (5 MB). These documents contain contracting information.
- Part H (3 MB). These documents contain invoice summaries, showing that the agency ran between 14,000 and 40,000 ChoicePoint searches a month.
- Part I (2.6 MB). These documents describe ChoicePoint’s “linkit” feature that produces graphical representations of relationships in data.
- Part J (61 KB). This document contains a “sole-source” justification for ChoicePoint.
- Brian Bergstein, In this data-mining society, privacy advocates shudder, Seattle Times (AP), January 2, 2004.
- Jim Porter, Law Review: How much information is too much with former employee referrals?, California Sierra Sun, December 31, 2003.
- Mary Lou Pickel, Private eyes fight database company, Atlanta Journal-Constitution, December 18, 2003.
- Firms Dig Deep Into Workers’ Pasts Amid Post-Sept. 11 Security Anxiety, Wall Street Journal, March 12, 2002 (subscription required).
- Data Collectors Need Surveillance, Too, Businessweek Magazine, January 24, 2002.
- E-Legal: Uncovering Alleged Government Purchases of Electronic Personal Data, Law.com, January 22, 2002.
- Commercial Database Use Flagged, Federal Computer Week, January 16, 2002.
- My FBI File, Richard Smith Tipsheet, Privacy Foundation, May 11, 2001.
- What They (Don’t) Know About You, Wired, May 11, 2001.
- Putting Identity Theft on Ice: Freezing Credit Reports To Prevent Lending to Impostors, in Chander, Radin, Gelman, Securing Privacy in the Internet Age (Stanford University Press Forthcoming 2005).
- Chris Jay Hoofnagle, Big Brother’s Little Helpers: How ChoicePoint and Other Commercial Data Brokers Collect, Process, and Package Your Data for Law Enforcement, 29 N.C.J. Int’l L. & Com. Reg. 595 (Summer 2004).
- Daniel J. Solove, Access and Aggregation: Public Records, Privacy, and the Constitution, 86 Minnesota Law Review 6 (2002).
- Daniel J. Solove, Privacy and Power: Computer Databases and Metaphors for Information Privacy (MS Word Format), 53 Stanford Law Review 1393 (2001).
- Roger Clarke, Privacy and ‘Public Registers,’ May 11, 1997. In this article, Professor Clarke argues that public records should not be treated differently than other files containing personal information.
- Robert Gellman, Public Records: Access, Privacy, and Public Policy, April 21, 1995.