Consumerist: Privacy
http://consumerist.com/tag/privacy

Curves Leaves Working Computer Full Of Personal Information In An Office Dumpster

Reader Adam writes in to let us know his relative found a working Dell computer in the dumpster at his office complex. It appeared to be in functional condition, so he took it home. Sure enough, it took only a bit of tweaking before it was back to working order—as a Curves Fitness employee and customer information smorgasbord.

Adam dug around a little bit on the computer and found employee phone numbers, customer addresses, and credit card info. The Curves in question is located on 134th Street in Vancouver, WA. Adam called to let them know what happened; here was their response:

Before I posted this I tried twice to talk to the manager of the offending Curves… both times I called they were “busy” or “out”. No one offered to take a message so I never left one.

I’m not sure if it’s that they are not used to men calling (Curves is a women’s club) or if their customer service is just as crappy as their data destruction policy. In any case, as I said in the post, I contacted the corporate office. After I made this post I did call again and got voice mail; so I left a message inviting the manager to [read this post].

Adam also contacted Curves corporate before contacting the local franchise. They told him that, although each franchise is responsible for its own IT and privacy policies, they agreed that this franchise's actions were inappropriate and they'd get in touch with the franchise.

Dear Curves, Respect Your Client and Employee

Thu, 03 Jul 2008 22:25:07 EDT Alex Chasick

Judge Orders Google To Turn Over All YouTube User Data To Viacom

Wired's Threat Level blog says that the judge in the Viacom/Google lawsuit has made a ruling forcing Google to turn over "every record of every video watched by YouTube users, including users' names and IP addresses," to Viacom.

Viacom is arguing that it needs the data to prove that its copyrighted material is more popular than user created videos.

Wired says:

Although Google argued that turning over the data would invade its users' privacy, the judge's ruling (.pdf) described that argument as "speculative" and ordered Google to turn over the logs on a set of four tera-byte hard drives.

The judge also turned Google's own defense of its data retention policies — that IP addresses of computers aren't personally revealing in and of themselves, against it to justify the log dump.

The EFF has responded to the ruling, calling it "a set-back to privacy rights," that "will allow Viacom to see what you are watching on YouTube."

Judge Orders YouTube to Give All User Histories to Viacom [Wired] (Thanks, Everyone!)
Court ruling will expose viewing habits [YouTube]

Thu, 03 Jul 2008 15:10:36 EDT Meg Marco

Montgomery Ward's Hacked 6 Months Ago, But Victims Weren't Told

Somewhere between 51,000 and 200,000 records were stolen from Montgomery Ward's servers last December—the company says it's the smaller number, but CardCops, the group that spotted the hack in the first place, "spotted hackers touting the sale of 200,000 payment cards belonging to one merchant" in June, which is how the story became public. Montgomery Wards knew about the breach when it happened, and although they reported the crime to federal investigators, they didn't tell any of the victims. The CEO of Direct Marketing Services, which owns the Montgomery Ward name, told the Associated Press that after he alerted investigators he felt his company "had met its obligations."

In case you needed more evidence that Direct Marketing Services isn't exactly a top-of-the-line company when it comes to data security, management, or customer relations, the breach wasn't even discovered internally:

Direct Marketing Services' CEO, David Milgrom, said the financial company Citigroup detected the computer invasion in December. By going through HomeVisions.com, another Direct Marketing Services site, hackers had plundered the database that holds account information for all the company's retail properties.

After the story broke last week, the company announced plans to contact the victims of the breach.

Direct Marketing Services says it now plans to contact the victims of the breach, but of course that's only to avoid further bad press now that the story has broken. Fortunately, they contacted credit card companies when they were first notified of the breach, so the industry has been monitoring suspect accounts and/or issuing new cards as needed. If you shopped at the Montgomery Wards website and found your Discover, for example, you may have been a victim. Congrats.

So why wasn't it reported? Because it's financially more rewarding to flout the regulations that require it if you're dealing with online transactions:

Such silence was the norm in the industry for years. But in response to fears of identity theft, 44 states have passed laws that generally require organizations holding consumer data to tell people when their information has leaked, according to the National Conference of State Legislatures.

Clements and other security analysts say that despite those laws, many breaches still are kept quiet, judging by the data being hawked in online black markets. Avivah Litan, an analyst at Gartner Inc., believes unreported data breaches might still outnumber the ones that do get publicized.

Litan says it especially is the case with online merchants. She believes it happens because of a lack of pressure from credit card companies, which are not responsible for fraudulent charges in "card not present" transactions over the Web and mail order. Until fraud actually appears on the card, they'd rather avoid the cost of voiding compromised cards and giving consumers new ones, she said.

"What it reveals is the convoluted banking system," she said. "If this had taken place at a grocery store, we all would have heard about it."

You know what would make for some good PR? If an online company stepped forth and made a commitment to reveal data breaches in a timely manner, and hired an outside auditing firm to enforce said pledge. Instead, we'll start the countdown to a class action lawsuit against Direct Marketing Services.

"Wards didn't tell consumers about credit card hack" [Associated Press]

Mon, 30 Jun 2008 12:23:58 EDT Chris Walters

AT&T Turns That Whole Warrantless Wiretapping Thing Into A Hilarious Marketing Joke

Meet Ms. Suspicious, a member of the "Online Liberation Movement." According to AT&T, Ms. Suspicious "has nothing to hide," so she certainly won't mind when AT&T and their traitorous telecom buddies trash the Constitution and violate her right to privacy!

Maybe her friend, Mr. Moneybags, can shower Congress with cash and buy some of that tasty warrantless wiretapping immunity! Whoops, too real!

So who are the other members of the Online Liberation Movement, you ask? The ironically-named Ms. Proof and Ms. Forgetful, obviously.

Isn't this so !@$% fun? It's like we're living in a book!

AT&T's Latest Ad a Sick Joke [Reading For Dummies via Boing Boing]

Sat, 28 Jun 2008 19:30:39 EDT Carey

Charter Announces It Will Abandon User Tracking

Last month we reported on Charter Communications' plan to start tracking its users' internet activity in order to serve more targeted ads. Charter claimed customers could opt-out of the service, but a reader reviewed Charter's opt-out method and discovered that even if you said no, you would still be tracked. Yesterday Charter announced it was abandoning the program and will not track its customers' activities after all—at least for the immediate future.

Charter had planned to begin the program as early as this month in the test markets: Fort Worth; San Luis Obispo, Calif.; Oxford, Mass.; and Newtown, Conn.

Earlier Tuesday, Connecticut’s attorney general, Richard Blumenthal, released a letter calling on Charter to drop the plan. A Charter spokeswoman, Anita Lamont, said the decision to do so was unrelated to Mr. Blumenthal’s letter.

Update: On the New York Times' "Bits" blog, Charter admits they're not ending the program—just postponing it until the heat's off:

Anita Lamont, a spokeswoman for Charter, said the company wanted to take stock of “customer concerns about privacy.” Its executives, she said, were “just wanting to make sure everybody was comfortable.” Ms. Lamont said that Charter hopes to proceed with the system at some point in the future, but she wouldn’t say when.

“This is something we would move forward with when we think it’s time,” she said.

"Charter Won’t Track Customers’ Web Use" [New York Times]
"Charter Suspends Plan To Sell Customer Data to Advertisers" [Bits - New York Times]
(Photo: Getty)

Wed, 25 Jun 2008 08:34:28 EDT Chris Walters

Privacy: What It's Like To Fly With No ID Under The TSA's New Regulations

David becomes our first reader to fly under the TSA's new ID policy. Formerly, if you refused or were unable to show ID you could still fly — but were required to undergo secondary screening by the TSA. Now they've altered their position slightly— fliers who willingly refuse to show ID are now barred from flying. The new rule went into effect over the weekend, and David says that in order to board the plane after forgetting his driver's license he had to answer questions about his political party affiliation and previous addresses.

The new regulation doesn't apply to those passengers who claim to have forgotten their ID— so essentially you are barred from claiming that you have a constitutional right to refuse to show ID to get on a plane. Here's how the TSA explains it:

Beginning Saturday, June 21, 2008 passengers that willfully refuse to provide identification at security checkpoint will be denied access to the secure area of airports. This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining their identity.

This new procedure will not affect passengers that may have misplaced, lost or otherwise do not have ID but are cooperative with officers. Cooperative passengers without ID may be subjected to additional screening protocols, including enhanced physical screening, enhanced carry-on and/or checked baggage screening, interviews with behavior detection or law enforcement officers and other measures.

It turns out that "and other measures" include questions about political party affiliation and other questionable invasions of privacy, according to David:

So you know how the new TSA regulations went into effect yesterday, where you can only fly without ID if you "cooperate" with the TSA? Well, it turns out you also have to take a test about your personal life. They call up a service to administer it, and the last question they asked was which political party am I registered under (I correctly answered "democrat" and they still let me on board).

Anyway the full story is that I had to go to Florida for a funeral, and accidentally left my driver's license in my apartment in Manhattan. I made it through LaGuardia on Thursday the 19th in about 3 minutes, but when I tried to fly back through Fort Lauderdale Airport yesterday, it took about 45.

When I first approached security, I told the initial guard screening all passengers for ID that I had none. Instead of immediately calling the supervisor over like at LaGuardia, he paused and asked if I was sure I didn't have any ID on me, like a social security card or something. I said I only had a credit card, so he then radioed for the area supervisor. She arrived in just a few seconds. Her name was Brenda, and she very politely and apologetically informed me that things had changed, and that the TSA supervisor for the whole airport needed to handle this situation because of the new regulations.

Luckily I had arrived an hour early so had plenty of time. I chatted with Brenda while we waited for the main supervisor to arrive. I started to get a little nervous that I wouldn't be allowed on board, and Brenda repeatedly assured me it wouldn't be a problem — they just had a few additional steps to go through.

After about 15 minutes, the main supervisor, Laurie, arrived. Again, Laurie was exceedingly nice and professional, but seemed a little more concerned than Brenda. She asked if I was sure I didn't have photo ID, like a credit card with my picture on it, or even a CostCo card. I wound up going through my wallet in front of her to show that I didn't, and she pointed to various cards and receipts in it to ask if they were IDs. I wound up showing her everything to prove I was telling the truth. She repeatedly said they had no way of "verifying" that I was who I said I was, and that someone could have stolen my credit card and traveled under my name. I didn't want to mention that they shouldn't need to verify who I am, because I was afraid they could then say I wasn't cooperating and deny travel on that ground. In fact, I even mentioned several times that I wanted to fully cooperate with them because I was aware that was a component of the new regulation, and they assured me that I was.

Finally satisfied that I didn't have ID, Laurie took my boarding pass and went away. She came back a few minutes later having photocopied it, and also had an affidavit that she requested I sign. It asked for my name and address, and stated in small print at the bottom that I did not have to fill it out, but if I didn't I couldn't fly. It also said that if I choose to fill it out and then provided false info, I would be in violation of federal law.

After filling out the affidavit, Laurie called a service to verify my address. The service needed me to then correctly answer three questions about myself, which Laurie relayed to me. The first was my date of birth, the second was a previous address (which I only got right on my second try), and the third was "You are registered to vote. Which political party have you registered with?" I got all three right, and only then did Laurie clear me to go through security.

Of course, I still had to submit to secondary screening, including a full-body pat-down and total luggage search. Brenda and Laurie stayed with me to make sure the process went as quickly as possible, and were again incredibly helpful and nice. They kept explaining over and over how necessary it was to "verify" who I was, and how times have changed, and how these new regulations must have been as a result of someone trying to get away with something, because there's always a reason for these things but they don't always know what those reasons are. They were so nice and considerate that I waited until the very end before I finally said that I do not agree with the new regulations, but that I was thankful that the two of them acted so professionally and considerately to me. Laurie actually seemed a little dejected when I said this, because I had been playing along the entire time out of fear that I would not appear cooperative otherwise.

But I made it onboard my flight, and am back in Manhattan. I have flown without ID in the past, a couple years ago, and it was no problem. I almost preferred it because I got to skip the line. This time around though, it was incredibly burdensome, and involved the full attention of two high-level local TSA employees for a considerable period of time. I kept wondering if Laurie and Brenda were so busy with me for so long, what if someone really bad was doing something in another terminal or area? So even though I cannot say enough good things about how these particular TSA employees handled it, I still feel the new regulation is entirely inappropriate and unnecessary. Why do you need to provide a home address to fly? And what if I refused to answer the question about my political party allegiances? Luckily I kept my cool and even befriended the screeners just so they couldn't resort to the subjective lack-of-cooperation carve-out, but 45 minutes of standing at security not knowing if you'll make your flight seems specifically designed to test people's mettle and upset them. The TSA has turned flying without ID into an overly cumbersome and almost unmanageable chore.

We agree with CNet's Chris Soghoian when he says that this new rule is just more security theater— at the cost of your privacy.

While TSA's announcement stated that the goal of the change was to "increase safety," this blogger disagrees. The change of rules seems to be a pretty obvious case of security theater. Real terrorists do not refuse to show ID. They claim to have lost their ID, or they use a fake.

TSA's new rules only protect us from a non-existent breed of terrorists who are unable to lie.


Your papers please: TSA bans ID-less flight [CNet]
(Photo: Kevin Dean )

Mon, 23 Jun 2008 12:36:33 EDT Meg Marco

Use Your Credit Card At A Marriage Counselor, See Your Limit Get Reduced

Forget boring old FICO—the new world of credit scoring wants to know what you buy and where. The FTC filed a suit last week against subprime credit card company CompuCredit, alleging that it engages in deceptive marketing practices. CompuCredit says customers can use their credit card anywhere, but that's not entirely true:

The FTC claims that CompuCredit didn’t properly disclose that it monitored spending and cut credit lines if consumers used their cards at certain places. Among them: tire and retreading shops, massage parlors, bars, billiard halls, and marriage counseling offices. "What they didn’t say was that you could be punished for specific kinds of purchases."

The FTC has a problem with CompuCredit not disclosing its usage-monitoring policy, but not with how it determines creditworthiness—and this is where it gets a bit creepy.

With competition increasing, databases improving, and technology advancing, companies can include more factors than ever in their models. And industry experts say financial firms increasingly are looking at consumer behavior, as CompuCredit did.

BusinessWeek says the worry is that companies may use race, gender, or sexual orientation to rank borrowers, and since companies never disclose their formulas for determining creditworthiness, consumers will be in the dark on what's being collected about them and how it's used.

"Your Lifestyle May Hurt Your Credit" [BusinessWeek]
(Photo: Getty)

Thu, 19 Jun 2008 15:48:15 EDT Chris Walters

Mastercard Says Merchants Can't Require Additional ID, Except In Specific Circumstances

A MasterCard spokesperson has confirmed, just like we've been telling you all along, that a store cannot refuse to sell you something solely because you refuse to provide additional identification along with your MasterCard. The only time it's ok is if it's required for shipping, or when you're at a gas pump or making orders via internet, phone, or mail, in which case they can use the MasterCard Address Verification System (AVS). But if you're in a store, right in front of them, in the flesh, it violates their MasterCard merchant agreement. Consumers experiencing this can fill out a Merchant Violation form found in the FAQ/Contact US part of Mastercard.com. Full statement, inside...

As provided in Rule 5.6.3, Additional Cardholder Identification, of the MasterCard Rules manual, a MasterCard merchant must not refuse to complete a transaction solely because a customer who has presented a valid MasterCard card refuses to provide additional identification information, such as a personal ID, except as MasterCard specifically permits or requires.

A merchant may require additional identification if the information is needed to complete the transaction, such as for shipping purposes. For transactions at unattended terminals such as card-activated gas pumps or transactions conducted on the Internet, by phone, or by mail, a merchant may request address information in order to use the MasterCard Address Verification System (AVS). By using AVS, the merchant can confirm that the address information provided matches the information that the card issuer has on file. Additionally, if the MasterCard card is unsigned, a merchant must request personal identification (but not record it) and require the cardholder to sign the card before completing the transaction.

If a cardholder encounters a MasterCard merchant that refuses to honor a MasterCard card without additional identification information, the cardholder may complete the Merchant Violation form found in the FAQs/Contact Us section of www.mastercard.com. The MasterCard Rules manual is also available at www.mastercard.com (click on “MasterCard Worldwide Rules”).

Regards,

Daniel F. Balistierri
MasterCard WorldWide

(Photo: Sam Wilkinson)

Fri, 13 Jun 2008 16:23:15 EDT Ben Popken

Another article about Facebook applications ...

Another article about Facebook applications and their scary privacy implications. Why does a Sudoku puzzle need to know that you have two kids? [Washington Post]

Thu, 12 Jun 2008 11:20:03 EDT Meg Marco

Do You Have Any Naked Pictures Of Your Mother? The TSA Does

The TSA recently announced that airport security scanners which can see under clothing are being installed at 10 U.S. airports, according to the AFP. Travelers will enter glass booths while a 3-dimensional full-body image is rendered using "millimeter waves." Because the image gives a clear representation of travelers' bodies and genitalia, it has some people concerned about their privacy. More, inside...

The article says,

While it allows the security screeners — looking at the images in a separate room — to clearly see the passenger's sexual organs as well as other details of their bodies, the passenger's face is blurred, TSA said in a statement on its website.

The scan only takes seconds and is to replace the physical pat-downs of people that is currently widespread in airports.

TSA began introducing the body scanners in airports in April, first in the Phoenix, Arizona terminal.

The installation is picking up this month, with machines in place or planned for airports in Washington (Reagan National and Baltimore-Washington International), Dallas, Las Vegas, Albuquerque, Miami and Detroit.

But the new machines have provoked worries among passengers and rights activists.

"People have no idea how graphic the images are," Barry Steinhardt, director of the technology and liberty program at the American Civil Liberties Union, told AFP.

The ACLU said in a statement that passengers expecting privacy underneath their clothing "should not be required to display highly personal details of their bodies such as evidence of mastectomies, colostomy appliances, penile implants, catheter tubes and the size of their breasts or genitals as a pre-requisite to boarding a plane."

Besides masking their faces, the TSA says on its website, the images made "will not be printed stored or transmitted."

"Once the transportation security officer has viewed the image and resolved anomalies, the image is erased from the screen permanently. The officer is unable to print, export, store or transmit the image."

Lara Uselding, a TSA spokeswoman, added that passengers are not obliged to accept the new machines.

"The passengers can choose between the body imaging and the pat-down," she told AFP.

Even if we trust the TSA to blur the faces of travelers and properly dispose of the naked images, and we don't, we believe the TSA has reached yet another milestone in violating our privacy. We appreciate the fact that the TSA is allowing us to choose between the full-body-scan and a pat-down, as if giving us some choice absolves them from any criticism. So which would you prefer, being groped by the TSA or letting them take your naked picture?

Scanners that see through clothing installed in US airports [AFP] (Thanks to Bladefist!)
(Photo: Getty)

Wed, 11 Jun 2008 09:02:15 EDT Jay Slatkin

Lawsuit: Comcast Leaked Customer's Banking Info After She Sent Check For "My Right Arm"

A woman who sent a sarcastic payment to the "Comcast Vampires" for "My Right Arm" is suing because she says Comcast employees posted a copy of her unredacted check on the internet. She says she was alerted to the security breach by a stranger from Colorado who received the check in an email that said: "This is too funny not to pass on. This is an actual payment we received via yesterday's mail."

The woman says "attached was a copy of my personal check with my name, my address, my phone number, my account numbers, my signature... nothing was blacked out... Nothing! And a copy of my Comcast statement."

Here's her story as she tells it, from the Comcast Must Die website:

My gripe with Comcast started when I received my first bill after signing up for the Comcast Triple Play. $99 a month, right? No... It was an additional $30 on top of that because I was already a Comcast customer. If you have cable in my area, yes, you have to be a Comcast customer.

So my first bill was for $228. When I paid my bill I paid $200. Leaving a $28 balance to be tacked on to next month's bill. When I had family visiting, my cable wasn't working for a few days, finally I called and the reason was because my account was past due. In order to get it turned back on I had to pay $169 (not my $28 balance) by phone immediately. So I did, electronically... and before I hung up the phone the TV was on again. That fast. Embarrassing.

So since I paid over the phone I disregarded my next payment and instead sent my check to the "Comcast vampires" and paid in the amount of "My right Arm and zero dollars" memo "Robbing customers blind". Haha, I got my little dig in there, so I thought.

About 2 weeks later, I was out of town visiting family when my husband calls from home telling me that he just received a strange phone call from a woman in Colorado. We live in Pennsylvania. She just received an email that said "This is too funny not to pass on. This is an actual payment we received via yesterday's mail." And attached was a copy of my personal check with my name, my address, my phone number, my account numbers, my signature... nothing was blacked out... Nothing! And a copy of my Comcast statement.

Immediately, I called my bank, then Comcast, then the police. I had to cut my visit short to come home and take care of this situation. That was last August. Since then I have filed complaints with the BBB, Attorney General, and the FTC. I have searched for an attorney to file a case against them. No luck. There are 3 Consumer Rights attorneys in Pittsburgh. I am afraid of the whole identity theft thing. A Comcast employee put all of my personal information out there, it's just a matter of time in my eyes. They have given me so much runaround, I don't even want to go there. I even spoke to a Comcast security agent that couldn't even tell me her last name, she just had an Agent ID B!<. How ridiculous is that. She gave the number for the Comcast legal dept, 1-800-871-6298 and fax, 1-720-267-2794. She claimed that she had reported the incident and it was now out of her hands.

Nothing has been done, I have had to change my bank account, get new checks, and constantly keep an eye on our credit report. They issued me credit for 3 months of services.

A few people got fired, but that doesn't help me any. For all I know, the email could still be circulating. Now I am not sure where to go now. I just know that this incident could haunt me for years to come. And I still write my checks out to the Comcast vampires.

The Associated Press says Comcast has no comment.

Woman sends Comcast check for 'my right arm' [Post-Gazette]
(Photo: cmorran123 )

Fri, 06 Jun 2008 13:02:40 EDT Meg Marco

Oops! Verizon Sells 12,500 Unlisted Phone Numbers And Addresses

Verizon announced last week that they accidentally sold over 12,500 private addresses and phone numbers to a phone book company in West Virginia. "We certainly apologize to those customers whose numbers were published. ... We're taking accountability for that," said a Verizon spokesman. Translation: they're calling customers to let them know what happened, offering to change their phone numbers for free, and offering to pay the fee to have an unlisted number ($1.98 a month) for a year. Since this is the second time Verizon has made this mistake in the past four years, we wonder if "accountability" can also include taking steps to find out how the numbers keep getting offered up for sale.

Julie Kruger, sales manager for Ogden Directories Inc., said the company bought listings for inclusion in the phone book from Verizon without knowing unlisted numbers were involved.

"(Verizon) is never to pass on unlisted numbers," Kruger said. "Verizon is at fault."

The phone books containing the unlisted numbers were delivered across Washington County, according to Kruger, who said she thought the mistake was limited to Washington County.

Ogden asked the postal service to stop delivering the books, but a majority already had been delivered, Kruger said. Phone books that hadn't gone to print will be corrected, she said.

Yvette Singh, a U.S. Postal Service spokeswoman, said post offices stopped distributing the book Friday.

Aside from general privacy issues related to telemarketing and spam, the listings could impact the safety of domestic violence victims, the Herald-Mail points out.

"Phone directory has about 13,000 unlisted numbers" [Herald-Mail.com] (Thanks to Adam!)

RELATED
"Unlisted Verizon Numbers Made Public" [Washington Post]
"Verizon Admits Selling 12,500 Unlisted and Unpublished Numbers in Washington County" [Leo P. Hylan, P.A.]
(Photo: Getty)

Tue, 03 Jun 2008 11:12:54 EDT Chris Walters

Bank of America Calls Your Dad, Asks If He'd Like To Pay Your Bill For You

Reader Dan says Bank of America called his old address and gave out his account details to the person who answered the phone. Luckily, that person turned out to be his father, though Bank of America didn't know that. Once they did know they were speaking to a relative, they asked Dan's dad to pay his bill for him.

Dan writes:

I got an interesting call from my father today. Turns out that when I moved to California and called Bank of America to change my billing info and phone number, they didn’t do it. Instead, they kept my old address and phone number, which is where my parents currently live.

I was a little late making a payment this month (my bad, and I intend to pay immediately). So, Bank of America calls the number they have on record, and the man who picks up tells them I’m not there. They then tell the man my account balance, that I’m overdue to pay, and the amount I’m overdue. Now, mind you, this is before the man they called tells them who he is. Strike one: Giving my account information to a perfect stranger who has already told them that he’s not me.

Then, when he questions the fact that they just gave him my account information, the rep asks who they’re speaking to, and he identifies himself as my father. At that point, they don’t apologize, but instead ask him, “Well, would you be willing to make a payment on his behalf?” He responds with, “No, I wouldn’t like to pay the bill for my 25-year old son.” Strike two: Asking my father, who is not on my account, the father of a 25-year old (not a 16 or 17 year old that he’s responsible for) and has nothing to do with my loan, to pay my bill.

No strike three yet, and I hope there won’t be one. I called to complain, and was forwarded to the voicemail of a call center manager. Since I’m on the west coast and it was already about 6pm my time, I’m cutting them a break and giving the benefit of the doubt that I’ll get a call back first thing tomorrow.

-Dan

That's kind of you, Dan. We wouldn't be so generous. If you do decide you want to rid yourself of Bank of America, here's a tip: Ask them about your interest rate.

(Photo: epicharmus )

]]>
Fri, 23 May 2008 10:24:51 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=5010696&view=rss&microfeed=true
<![CDATA[ UPDATE: Charter Will Track Your Internet Activity Regardless Of Whether You Opt Out ]]> Last week, we wrote about Charter's decision to begin tracking its users' internet activity and inserting targeted ads. One of our readers wrote in to let us know he discovered that Charter's insecure opt-out solution—a cookie that must be downloaded for each user and browser, and downloaded again whenever the cache is cleared—only blocks the ads from showing up; it doesn't block Charter from monitoring users' searches and web activity.

Reader Jesse writes (emphasis added):

I spent a long time last night looking into the way Charter is handling this program, and based on their own explanation it's obvious that the cookie is not a "real" opt-out. Here's why.

When a customer clicks a link, advertisement, or visits a page, Charter will capture the browsing data and send it to the third-party advertising provider. If Charter wanted to offer a functional opt-out, it would be at this deep-packet inspection level. They do not offer a way out of that service, however. The only thing they offer is the cookie-based solution you've previously covered, which merely tells the third-party organization not to match the machine with the DPI-harvested data or deliver the advertising. Customer browsing is still being captured and is still being turned over regardless of anyone's individual opt-out status, but the third party is just blocked from doing anything with it by the cookie.

I might also point out that by doing this Charter is explicitly requesting that their customers choose not to follow safe browsing best practices. Every modern browser available today has an option for clearing cookies when the browser is closed, and many people choose to take advantage of this practice, myself included. Charter is either demanding that I and many others either fill out their form several dozen times per day (every time we open our browser) or specifically switch off browsing features intended to keep customers safe. Neither of these are acceptable, of course.

I am going to contact Charter's executive team again this morning on the matter, as well as an attorney. I have not been notified of Charter's changes through a letter or email, and learned about this program last night via other means. Having read through the Cable Privacy Act, which governs Charter's use of personally identifiable information, I have discovered no fewer than three potential violations. Moreover, Charter is required by law to make any collected data available to its customers, so I would suggest that all Charter customers request their DPI browsing data on a daily basis, and file appropriate complaints when they fail to deliver it as required by law.

They're not going to stop doing this until or unless they lose more money than they make on it. We have vehicles available to us to lose them vast sums of money on this project, if only the word gets out.

Subsection D of the Cable TV Privacy Act states, in part: "A cable subscriber shall be provided access to all personally identifiable information regarding that subscriber which is collected and maintained by a cable operator. Such information shall be made available to the subscriber at reasonable times and at a convenient place designated by such cable operator." It's debatable whether the data Charter is collecting is "personally identifiable information" under this statute, which excludes from the definition "any record of aggregate data which does not identify particular persons." Maybe a subpoena would clear things up.

Cable TV Privacy Act, 47 USC § 551 [Cornell Law]
(Photo: Getty)

]]>
Tue, 20 May 2008 14:04:00 EDT Alex Chasick http://consumerist.com/index.php?op=postcommentfeed&postId=5009976&view=rss&microfeed=true
<![CDATA[ Pop Quiz: Can The Pizza Delivery Place Sell Your Personal Information Without Your Consent? ]]> You need the express written consent of Major League Baseball to do pretty much anything to a baseball game, but does your pizza place need your permission to sell your personal information (name, address and phone number) to the highest bidder? Take a guess. The answer is inside. Cheating is easy, but in poor taste. (For the purposes of this quiz, you live in California.)



The answer, of course, is "false." If you managed to guess correctly, you're smarter than the average Californian. Two researchers at Berkeley conducted a scientific poll in an effort to determine how much Californians knew about their state's privacy laws. It turns out that large numbers of consumers have no idea that it's perfectly legal for lots of different kinds of companies to sell their information without their consent, including pizza delivery places.

From the research paper:

Pizza delivery companies, since they are called so frequently by consumers, are a hub for collecting personal information. A delivery company can collect and aggregate caller identification information (typically name and phone number), ask the customer for their phone number (which may be different than what is displayed by caller identification), and in order to process the order, acquire the delivery address. Pizza delivery information is used by private investigators and by governments to track individuals. In the marketing context, pizza delivery databases have been discussed as source for phone numbers for wireless 411 databases.

When we asked Californians whether they thought pizza delivery companies could not sell personal information without their consent, 54.7% incorrectly answered true and 5.8% said they didn't know.

Other scenarios in which consumers assumed they were protected from sale of their personal information: donating to a charity, registering a product warranty, giving a phone number to a cashier at checkout, registering a product rebate, and ordering from a catalog.


Research Report: What Californians Understand About Privacy Offline
[via CL&P Blog]
(Photo: Tyler Durden's Imaginary Friend )

]]>
Mon, 19 May 2008 11:05:32 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=5009701&view=rss&microfeed=true
<![CDATA[ Charter To Begin Tracking Users' Searches And Inserting Targeted Ads ]]> Charter Communications is sending letters to its customers informing them of an "enhanced online experience" that involves Charter monitoring its users' searches and the websites they visit, and inserting targeted third-party ads based on their web activity. Charter, which serves nearly six million customers, is requiring users who want to keep their activity private to submit their personal information to Charter via an unencrypted form and download a privacy cookie that must be downloaded again each time a user clears his web cache or uses a different browser.

Reader Matt copied us on a letter he sent to Charter's VP of Customer Operations and CEO:

Dear Mr. Stackhouse,

I am a high speed internet subscriber in the Fort Worth, TX area. For the last year or so I have had Charter’s 10 Megabit service and I am a satisfied customer. I am writing, however, because I am concerned by your recent letter discussing the “enhancement” that will be coming soon to my Charter web browsing experience (targeted, in-line advertisement manipulation). I appreciate Charter’s respect for my privacy, but the method that Charter has provided to opt-out of this tracking scheme is insecure and woefully inadequate.

The method that you provide to opt-out is as follows. First, a customer must visit www.charter.com/onlineprivacy. Once at the site, the customer must enter his or her complete name and address. Upon submission of this personal information, the customer must accept a cookie from Charter that indicates his or her opt-out status. While this process sounds simple on face, further consideration reveals that this opt-out method is fraught with privacy concerns and places the burden on your paying customer, rather than Charter.

The most pressing privacy issue with this opt-out method is that the opt-out form presented at the aforementioned URL is not encrypted. As I’m sure you realize, this means that a user submitting his or her address to Charter is doing so in the clear, leaving this personal information open to eavesdropping. It is not difficult to create an SSL-encrypted web form. It is troubling that Charter has not done so in this case.

The fact that this opt-out system relies on a cookie to keep users opted out is also a privacy issue. By telling customers who visit the opt-out page that, “if you delete your cookies or cache files… you will have to opt-out again,” you are encouraging users to keep those files that good privacy practices dictate should be frequently purged. Ironically, the best reason to purge one’s cookies often is to prevent internet marketers from tracking one’s behavior online.

In addition to the critical privacy concerns, the steps required to avoid being tracked by this new advertising system place the burden on your customers, rather than on Charter where it belongs. A customer should be able to opt-out of this advertising tracking system in a manner that will rarely, if ever, require the customer to opt-out again. Instead, because the system uses cookies, a customer must insecurely opt-out of being tracked on each PC in his or her home. Further compounding the work that the customer has to do, if he or she deletes cookies in accordance with safe browsing techniques, it will be necessary to insecurely opt-out on each and every PC again.

I suggest that rather than force your customers through unending iterations of opting out of this advertising system, you should allow customers like me to opt-out at the cable modem level via a secure, encrypted form on your website. I’m glad to hear that Charter has an appreciation for my privacy, but please change your opt-out process to demonstrate that you also have an appreciation for my time and security online.

Matt's letter focuses on the flawed opt-out clause, but the program itself, an implementation of "deep packet inspection," is more worrying to us. Deep packet inspection allows an ISP to monitor not only its users' searches and visited websites, but also the type of activity (e.g., email or peer-to-peer), which could be used for traffic shaping and threatens net neutrality.

Charter to Monitor Surfing, Insert Its Own Targeted Ads [DSLReports]
(Photo: Getty)

]]>
Mon, 12 May 2008 22:35:15 EDT Alex Chasick http://consumerist.com/index.php?op=postcommentfeed&postId=5008801&view=rss&microfeed=true
<![CDATA[ Verizon Won't Help You Filter Out SMS Spam Because It Makes Them Money ]]>

Why can't people set up filters to turn off unwanted spam text messages, especially when they're sent by unknown parties to a phone number that's never been (knowingly) listed by the owner? Maybe it's because Verizon gets to charge you 20 cents per message, suggests this reader who can't figure out why her grandfather's mobile number suddenly became a spam magnet after switching to a new Verizon phone.

Dear Consumerist,

My family and I wanted to relay a recent experience we had with the phone company Verizon. Over the last couple of months my grandfather's phone started receiving e-mail and web-based spam text messages. His phone is part of our family's plan, and he never put his phone number on the internet (for this reason) nor does he know how to send or receive text messages. Mind you this was a brand new phone with the same number, which had not received any sort of messages like these before the new phone. Just for clarification, he did not release his number before the new phone either.

We discovered on our phone bill that we were being charged for these spam text messages at $.20 a text (up from the $.10 price just a few months ago). My mother spent several hours on separate days inquiring on how to turn off just the computer generated text messages. Even as the primary on the account, she was unable to turn them off. The salesmen in a local Verizon store stated that you could only turn off ALL text messages, not just web-based ones, which she knew to be untrue. She contacted the customer service at 611 and spent the many hours with tech support trying to accomplish this task. 611 was only able to help my mother when she had the phone in question on hand after registering an online account (at vtext.com) with Verizon for that specific phone (we had to make a new account for each phone) and provided the last four digits of her social security number. We had to repeat this process for each phone, which meant that phones had to travel from over an hour away so that we could do this for my grandfather's and grandmother's phones.

Our concern here is that Verizon is making big money off spam and this feature is nearly impossible to disable, even on the master account. The customer service has only occasionally reversed these charges. Somebody needs to step in (perhaps the FCC) and force Verizon to make disabling this feature far easier—like offering an uncomplicated, free option to opt out.

Long story short, Verizon should not be allowed to make money off spam.

Sincerely,

A frustrated Verizon customer
(Note: this is the name my mother provided when talking with customer support)

We agree, and we think it would be fairly easy (but less profitable, which is why it won't happen) to implement a policy that allows CSRs to automatically credit, no-questions-asked, any charges for text messages sent by companies, known spam IP addresses, or unlisted numbers. The number of jerks who would game the policy to get a few free text messages each month would be far outweighed by the goodwill earned from customers who will no longer feel Verizon's taking advantage of them with SMS spam.

(Photo: *nomad*)

]]>
Sat, 10 May 2008 21:10:32 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5007795&view=rss&microfeed=true
<![CDATA[ RadioShack Won't Give Refund On Cash Purchase Unless You Show Your Papers ]]> RadioShack's whole collecting-your-personal-data nonsense is old news, but it's not just for purchases anymore. When Pete tried to take back some potentiometers he'd paid for the day before with cash, the clerk refused to give him any sort of refund—even a store credit—without Pete's physical address.

The clerk told Pete it was for loss prevention. Wait, what? Pete had the parts in his hand, and the receipt that showed he'd paid cash for the parts the day before. You mean there's no way RadioShack can track its purchases more precisely than matching up mailing addresses of anyone who walks into the store?
 
Here's Pete's email:

Dear Consumerist,
 
I have been avoiding RadioShack for ages ever since they started asking you for your street address and phone number just to sell you something. Once they stopped that practice, I reluctantly began returning to buy the odd piece for my electronics projects when I ran out of something and didn't want to wait for an order to be shipped from on-line retailers. At any rate, I was out running errands the other weekend and saw a RadioShack, remembering that I needed a couple of potentiometers for an amplifier I was working on, I stopped to make my purchase. Wading through the overly "helpful" employees I found the electronic components area. But, I couldn't remember the exact values of the potentiometers I needed so I grabbed all they had, paid with cash and was on my way.
 
I went back the following day to return the un-opened potentiometers that I did not need - receipt in hand. The process went smoothly until the clerk asked for my street address. I told him that I prefer not to give that information out. They claimed that it was for "loss prevention purposes". I say "they" because another cashier came over, presumably for moral support to his co-worker. I told them to make an address up - no dice, claiming the "system" "will kick you out". I tried to explain that I have the receipt and the un-opened parts and that I paid with cash so they would have no way of knowing that I was the person who originally purchased them anyway, no luck. I tried for store credit, same result.
 
I suppose, I could have made up an address, or even given them my real one but I didn't feel like it. I shouldn't have to be put through a personal information wringer to complete a legitimate transaction that happens every day at normal stores. I felt like I was being accused of theft or had to in some way, justify my actions.
 
I will say that the employees weren't rude and they were just carrying out what they were trained to do. In the end, I took the ~$10 worth of potentiometers home with me, where they sit waiting for a new project.
 
Is this normal business practice, or is it time for RadioShack to get with the times for its data mining?

(Photo: Brave New Films)

]]>
Thu, 08 May 2008 17:14:21 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=388727&view=rss&microfeed=true
<![CDATA[ Court Rules Customs Agents Can Collect Data From Laptops & Cellphones Without Cause ]]> Some visitors and citizens of the United States may be shocked to learn that their computers, cell phones and data devices are now subject to search and data retrieval upon entry into the U.S., even without cause or suspicion. On April 19th, the Ninth Circuit Court of Appeals ruled that all computers and data devices are the same as luggage in that they can be searched without cause, and that all collected data may be stored indefinitely. More, inside...

Until recently, the law said that unwarranted computer searches constituted an "intrusion of the mind", but those days are now over in light of the new rulings. The latest rulings stem from a case where airline passenger Timothy Arnold was pulled aside for secondary questioning upon his arrival into LAX from The Philippines in July, 2005. Customs agents searched his laptop and found images depicting child pornography. Initially, it was ruled that agents didn't have reasonable suspicion to search his laptop; however, that ruling was overturned. Arnold was later charged with possessing and transporting child porn and with traveling to a foreign country with the intention of having sex with children.

U.S. Attorney Thomas O'Brien praised the decision, "The government needs to have the ability to restrict harmful material from entering the country, whether that be weapons used by terrorists, dangerous narcotics or child pornography." However, many disagree.

Travelers now have new concerns about the security of their private and corporate data. Some fear that poorly trained officers could accidentally corrupt or erase data during such searches. Also unknown is where and for how long data will be stored, perhaps making it vulnerable to theft or breaches. As it stands, all retrieved data can be kept indefinitely.

Despite the government's new far-reaching power over your privacy, there are a few things you can do to help secure your data when you travel. CNET offers a handy article that outlines different types of encryption and other techniques that can help keep your data secure.

The added delays and headaches seem almost insignificant when considering how much our personal liberties are being systematically revoked. We can understand the need to search for weapons and contraband, but suspicionless searches of data are a bold new level of privacy invasion. Our laptops and personal information, once considered an extension of the mind, are now considered luggage. We wonder how long it will be until our minds are also considered luggage and subject to search without suspicion.

Border Agents Can Search Laptops Without Cause, Court Rules [Information Week]
9th Circuit OKs Border Guards' Search of Traveler's Laptop [Law.com]
Security guide to customs-proofing your laptop [CNET news]
(Photo: Getty)

]]>
Wed, 07 May 2008 09:08:37 EDT Jay Slatkin http://consumerist.com/index.php?op=postcommentfeed&postId=5008052&view=rss&microfeed=true
<![CDATA[ Visa Officially Says Stores Cannot Deny Purchases If You Don't Show ID ]]>

We've done a bunch of posts on how it's a violation of their credit card merchant agreements to ask for additional ID in order to complete a purchase. An IHOP threatened to call the police on one reader when he wouldn't show additional ID. A Walmart tried to hold a man's ID and credit card hostage. Debate erupted amongst Consumerist commenters. Like a scythe through ripe wheat, here is an official VISA statement on how stores can't do this, unless the credit card itself is unsigned:

Merchants may not refuse to honor a Visa card simply because the cardholder refuses a request for supplementary information. The only exception is when a Visa card is unsigned when presented. However, "See ID" is not considered a valid signature. In these situations, a merchant must obtain authorization, review additional identification, and require the cardholder to sign the card before completing a transaction.

To report any merchant practices that you feel are inappropriate, please notify the disputes area at the financial institution that issued your card account. Your card issuing bank has access to the appropriate Visa rules and regulations as well as to the Notification of Customer Complaint forms which should be used by your bank to document and file merchant complaints.

As an alternative, you may contact the Global Customer Care Services to report merchant practices that you feel are inappropriate. Please contact the Global Customer Care Services at 1-800-VISA-911 (1-800-847-2911). Please advise them that you were referred to file a complaint. The staff will be able to initiate a complaint form over the phone.

(Photo: Getty)

]]>
Tue, 06 May 2008 08:41:49 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=5007910&view=rss&microfeed=true
<![CDATA[ Home Depot Won't Let You Buy Stuff Without Knowing What You Plan To Do With It ]]> Reader Helen went to Home Depot to buy some various and sundry items, but left empty-handed after the self-checkout refused to let her complete her purchase without disclosing what she planned to do with her items. Helen says:

On Sunday, May 4, 2008 I went to the Home Depot on Joppa Rd, Baltimore County Maryland. My purchases included several plants, pots, and tile sealer. I went to the self check-out line because of the speed and scanned my items. Before I could indicate I was paying by cash the machine wanted me to enter a zip code, I entered 11111 because it's really none of their business. The next screen wanted me to key in if my items were for home or business use. I had no ability to bypass this screen even though I did not want to answer this question.

I requested assistance from the employee assigned to the area because again I do not feel I need to report to Home Depot where I plan to use items I purchase. I was told my transaction would not be completed without providing the information requested. I left without my items.

What next? Is "big brother" going to screen my cholesterol levels before allowing me to buy dairy products at the grocery?

I have e-mailed my concern over this interaction to Home Depot and all I have in response is some statement about sending this on to someone else in their system. Clearly, most individuals who utilize the self-checkout want to get out quickly and do not stop to question the invasion of privacy issue. If this is an attempt by the Home Depot to collect information as a survey, I would hope they would have the sense to request an individual's cooperation.

Thank you for the forum where I can at least vent to a group who seems to care.

Sincerely:

Helen

Yuck. You already emailed the store, but if you're really concerned about letting Home Depot know that this stupid survey cost them your business, feel free to launch an EECB (executive email carpet bomb). The CEO's email address is Frank_Blake@homedepot.com. For more information about launching an EECB, click here.

What do you think about "surveys" like this one? Do they affect where you choose to shop?

(Photo: cmorran123 )

]]>
Mon, 05 May 2008 12:35:52 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=5007843&view=rss&microfeed=true
<![CDATA[ $50k Porn-Pilfering Lawsuit Opens With Geek Squad Employee Confession ]]> The Star Tribune reports a woman is suing Best Buy for $50,000 after the Best Buy/Geek Squad repair service stole her naked photos from her computer, shared them with other Geek Squad agents, and even copied them onto the hard drives of other customers (this is hardly the first time Geek Squad has been caught stealing porn from customers' computers). William E. Giffels admitted in a written statement that he copied Kaylee Hall's nude photos from her computer onto his personal flash drive. On this drive, he also kept the most up-to-date version of the Geek Squad diagnostic tools and told other agents to copy from it. Then other Geek Squad agents made CD copies of the drive and installed the tools, along with Kaylee's photos, onto other customers' computers in the Traverse City, Michigan area. Inside, Giffels's written confession...

Once again, the lesson is to keep a separate hard drive just for stuff you don't want people in the repair shop to see.

Geek Squad: A matter of trust [Star Tribune]

Statements + Lawsuit (PDF)

]]>
Mon, 05 May 2008 10:44:48 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=5007686&view=rss&microfeed=true
<![CDATA[ Kohls Violates Visa's Merchant Agreement, Refuses To Accept Credit Card Without ID ]]> Inelegy writes:

This afternoon I visited the Kohl's store in Moline, Illinois. When I was checking out I elected to pay with my Visa card. After sliding my card through the card reader I signed the screen when prompted. My cashier asked to see the card, which I handed over to her. She handed my card back to me and then asked to see my identification, to which I respectfully declined. She said I had to show my ID or I could not leave the store with my purchases...

I explained to her that customers using Visa credit cards do not have to show identification as a condition of purchase as long as the back of the card is signed (mine is) and to compel them to do so is a violation of the store's agreement with the credit card company.

She flatly denied that this was true and again asked for my ID. It was at this point I realized I was dealing with someone who through her persistent need to argue with me has no interest in customer service and told her I was not going to show her my ID and demanded she void the transaction. I told her I did not need to give Kohl's my money if they were going to argue with me about something which I know to be fact.

I found her request especially odd since she took my Visa card, handed it back, and then asked for my ID. What was she going to do with the information on my ID?

I thought I would bring this matter to your attention. Perhaps the management team at the Moline store need to be brought up to speed on merchant's agreements with credit card companies.

If there are questions about this matter, I direct you and the Moline store's management to please see page 29 "Rules For VISA Merchants."

Therein you will find:

"Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures. Laws in several states also make it illegal for merchants to write a cardholder’s personal information, such as an address or phone number, on a sales receipt."

Afterwards, I went to the Target store next door and made a similar purchase with my Visa card and did not have to surrender my personal identification to do so. After that I visited Best Buy, a local grocer, and another department store and not one of them batted an eye at my Visa card or asked for my ID.

So, please, enlighten me: what is going on at Kohl's where a customer is treated in such a manner?

In these days of rampant identity theft I find it unreasonable beyond belief that a small, simple purchase in a department store warrants me handing over my "government papers" to a retail cashier when it clearly is not necessary.

Your former customer.

Asking for identification is a one-way street, and you are the traffic cop. Let's review:

  • Good: Stores accepting your credit card without requesting identification.
  • Good: Writing "Ask for ID" on the back of your credit card, allowing merchants to request identification.
  • BAD: Stores demanding identification as a condition of using your credit card.

See the difference? You have the power. If you don't want to show identification, don't. Nothing a store says or does can make you provide identification.

Straighten out ill-trained merchants by reporting them. Here's how to contact Visa:

Visa
Phone Number: 1-800-VISA-911 (International: 1-410-581-9994). Or call the number on the back of your card
Mailing Address:
Visa U.S.A. Inc.
P.O. Box 194607
San Francisco, California 94119-4607
Online: Your card issuer's website may let you send them complaints about merchant violations and start a dispute if you were charged a fee to use your card.

Visa will fire off a stern letter to the store in question, and your next shopping experience should be hassle-free.

PREVIOUSLY: Writing "Ask For ID" On Your Credit Card Won't Stop Fraud, But It's Still A Good Idea
How To Report Merchants For Requiring A Minimum Purchase Or Making You Show ID
(Photo: Getty)

]]>
Sun, 04 May 2008 10:42:22 EDT Carey http://consumerist.com/index.php?op=postcommentfeed&postId=5007752&view=rss&microfeed=true
<![CDATA[ It's Easy To Access Random Customer Info With Best Buy URLs ]]> Cole discovered that by simply incrementing a numerical string by one in a URL Best Buy sent out, he could pull up screen after screen of random customer info. Fortunately, all he could see were customer names, their home addresses, and their order numbers. It's still surprising that Best Buy—or more specifically, Postpublisher.net, the email company they outsourced this to—wasn't more careful with customer security.

Here's Cole's email. We're going to pull out the actual URLs so we don't encourage more snooping, but we tried Cole's method and were able to pull up customer info screens on our own:

My friend pre-ordered GTA4 from BestBuy.com and since he doesn't have a printer he forwarded me the confirmation email of his purchase so I could print it out. The confirmation email contained a link to print out the page if you were having trouble viewing the email from within your email client. I was (since the message was forwarded to me the styles and images were all messed up), so I clicked the link which took me to [redacted]. I was curious how random the &e parameter was so I decided to play around with it and discovered it isn't really random at all and by incrementing a certain part of it I was able to find home addresses of other users of BestBuy.com who had packages shipped to them.
 
This seems like a pretty serious privacy issue as I am now able to find full names and addresses of people that have bought something from BestBuy.com and had it shipped to them.
 
Cole

]]>
Fri, 02 May 2008 11:45:27 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5007550&view=rss&microfeed=true
<![CDATA[ The BBC Writes Application That Steals Personal Info From Facebook ]]> Feel wary about giving applications access to your Facebook page? Worried one of those quizzes or games might be maliciously harvesting your data? You were right to worry. The BBC had the same idea, so they decided to write a program to do just that. And it worked. Not only did it steal the data of Facebook users who installed the application, it also victimized all of their "friends."

From the BBC:

We wrote an evil data mining application called Miner, which, if we wanted, could masquerade as a game, a test, or a joke of the day. It took us less than three hours.

But whatever it looks like, in the background, it is collecting personal details, and those of the users' friends, and e-mailing them out of Facebook, to our inbox.

When you add an application, unless you say otherwise, it is given access to most of the information in your profile. That includes information you have on your friends even if they think they have tight security settings.

Did you know that you were responsible for other people's security?

Facebook responded by saying that they remove applications that violate their terms of use.

'Identity' at risk on Facebook [BBC]

(Thanks, T.J.!)

]]>
Fri, 02 May 2008 09:45:57 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=5007626&view=rss&microfeed=true
<![CDATA[ AOL User 927, The Theatrical Production ]]> A new play called "User 927," inspired by the thousands of AOL users whose personal search histories were posted online for all to see and dissect, opens on June 6th at the St. Stephen's Theatre in Philadelphia. Hardcore Consumerist readers will recall User 927's fondness for mold, testicle festivals, slow-dancing steps, and pedophilic imagery (full search history here). The theater's site says it's "a thriller about cyberstalking, search engines, and the way information is obtained, manipulated, and released in our wired world." We have high hopes for the production, judging by how awesome the group's rendition of "A Very Merry Unauthorized Children's Scientology Pageant" turned out (video inside...)

Bratproductions [Official Site] ]]>
Tue, 29 Apr 2008 11:25:44 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=5007240&view=rss&microfeed=true
<![CDATA[ Job.com Refuses To Delete Your Private Information ]]> Dan is pissed because Job.com won't remove his name, email address, phone number, and home address from their servers. For reasons unknown, someone else set up a profile with his personal info on Job.com. When Dan contacted Job.com, they said that because they "must account for all transactions and account histories" they couldn't delete the info. They also assured him that since he didn't have a resume posted, recruiters can't search or view his information. Dan feels Job.com's internal "requirements" shouldn't have any bearing on his right to privacy. What do you think? Correspondence between the two, after the jump.

----------

Topic: I have feedback to give to Job.com
Preferred Method of Contact: E-Mail
Best Time to Contact: Early Morning

----------

Message:

Please delete my account and information completely from Job.com and any affiliated sites/services. Please update me when this is done.

Thank you,
Dan

On Mon, Apr 21, 2008 at 4:48 PM, wrote:

Thank you for using Job.com!

We are unable to delete your profile from our system because we must keep the account information in our database. Our company must account for all transactions and account histories. However, per your request, I have reviewed your account and see that you do not have a resume posted. Therefore, your account with us is inactive, since it cannot be searched or viewed by Recruiters. If you are concerned about outside parties being able to view your information, you need not worry because only you have access to this secured account. We have unsubscribed you from our email subscription list.

If you have any other questions or concerns, please feel free to call our office at (877) 756-2266.

Thank You
Kristy
Customer Service

----------

Thank you Kristy for the quick response.

Please advise as to the clause in your privacy policy, and your membership policy which states that my account cannot be deleted. The reason why this is important to me is that about 3 weeks ago an account with my information was set up on a website I never even heard of. The information listed there was identical to the info posted on your site. I want all information pertaining to me removed from your servers.

Thank you.
Dan

----------

It's been a week since Dan sent the last email and there's been no response.

(Photo: Getty)

]]>
Mon, 28 Apr 2008 09:47:57 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=5007080&view=rss&microfeed=true
<![CDATA[ Writing "Ask For ID" On Your Credit Card Won't Stop Fraud, But It's Still A Good Idea ]]> Writing "Ask For ID" on the back of your credit card isn't an unimpeachable guarantee of security, but it could be the last line of defense between you and a fraudulent charge. Invoking perilously flawed logic, the Boston Globe argues: "the cardholder gains nothing by not signing the card or writing in 'See ID' on the signature panel." Let's dismantle this nonsense piece by piece.

First up:

I believe all credit card companies print "not valid unless signed" on the back of the cards they issue. The credit agreement is with the credit card company, so why would someone think they can circumvent this requirement? Many say they are protecting themselves against fraud.

[...]

Technically, cards must be signed with the holders' names, according to both Visa Inc. and MasterCard International Inc., the two largest payment networks, and cards with "See ID" or "Ask for ID" written on the back are not a valid substitute.

First flaw: though your cardholder agreement requires you to sign your card, there is nothing to stop you from signing your name and writing "Ask for ID."

Next up:

Some customers may think writing the terms on the panel on the back of the cards would deter fraud or forgery. But Visa's rules for merchants say that "In reality, criminals don't take the time to practice signatures: They use cards as quickly as possible after a theft and prior to the accounts being blocked. They are actually counting on you not to look at the back of the card and compare signatures - they may even have access to counterfeit identification with a signature in their own handwriting."

Second flaw: the deterrence factor doesn't need to apply to criminals. "Ask for ID" is a command to the cashier that, if followed, prevents fraud.

Some readers don't like showing identification, which is fine. Nothing in the cardholder agreement forces you to take out your driver's license.

"Ask for ID" appears on our card next to our signature. Few people ask for ID. The ones that do, though, almost always ask when we're making a large purchase, the kind we don't want surprising us on our credit card statement.

It doesn't relieve us from protecting our card from misuse, but those three simple words make an excellent last line of defense.

What do you think? Annoying invasion of privacy, pointless distraction, or essential safeguard? Duke it out in the comments.

'See ID' phrase on back of credit cards doesn't deter fraud [Boston Globe]
(Photo: Getty)

]]>
Sun, 27 Apr 2008 10:55:10 EDT Carey http://consumerist.com/index.php?op=postcommentfeed&postId=384442&view=rss&microfeed=true
<![CDATA[ FreeCreditReport.com Doesn't Practice Good Security Hygiene ]]> You'd think a credit monitoring service—even one as skeevy as freecreditreport.com—would take great pains to keep up the appearance of security and confidentiality. You'd be wrong. When Brian called to cancel their service he was asked to call out his social security number and his mother's maiden name, even though it turned out they could easily access his account and cancel his service with only his phone number and birthday. Oh, and the first CSR hung up on him, but (sadly) that's not really very newsworthy anymore.

I too, like other readers, had signed up for this service. After a few months (and a few $14.95 charges), I decided their service wasn't worth it. I have no issue with the money spent, that is my fault.

However, when I went to cancel my monthly subscription, the first thing the operator asked for was my SSN... not the last 4, but the full SSN. Why in the world would a company whose job it is to alert you to credit issues ask for something like that? I mean, one of their services they offer is related to identity theft.

But it gets worse...

After the CSR was able to (through some sort of magic or wizardry) pull up my account via my phone number, in order to "verify" who I was, she wanted my mother's maiden name!!!! After being on-hold for 20 minutes while she escalated to a manager, the call was disconnected.

Can you imagine the audacity of a company whose job it is to "protect" your credit report and help with identity theft asking for full SSN and mother's maiden name? Keep in mind, all I was trying to do was cancel a subscription to a credit monitoring agency I was able to register on-line with...

I then called back in, and this CSR was able to cancel my account with my phone number and birthday (yes, he too asked for my SSN and mother's maiden name, but again, through some magic he pulled my account using other info). I will say, while he tried to up-sell me (Sir, I realize you think this service is ineffective, but for only 29.95 a month you can add this service and get more info) and then tried to convince me that I still had some time left on my account, and I should call back closer to my billing date to make sure I got full utilization, I stood strong and insisted on canceling my account.
 
I think I will be checking my credit card to make sure they canceled it...
]]>
Fri, 25 Apr 2008 18:16:54 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=384287&view=rss&microfeed=true
<![CDATA[ IHOP Threatens To Call The Police Because You Refuse To Show ID With Credit Card ]]> Reader Jered says that IHOP refused to accept his credit card without seeing ID and threatened to call the police and report him for dine-and-dashing if he didn't show it to them. Here's his story:

I went to IHOP (INTERNATIONAL HOUSE OF PANCAKES) on March 30th with my wife to eat. After our meal I went to the counter to pay and presented my Visa as payment. I was asked for photo ID, and kindly declined. I was then told that they were not going to be able to accept my card without photo ID.
I then offered my MasterCard (so that I could later fill out a complaint) and was also told a photo ID would be required. I then explained that I had no other form of payment, that it was against both Visa & MasterCard's merchant rules. I was then directed to the manager, who I politely explained to that if he expected to be paid for the meal he offered me, he had the choice of accepting and honoring my card, or not getting paid.

At this point the manager called the police and was attempting to have me arrested for Dine-and-Dash, even though I was the one trying in good faith to present payment, and they were the ones refusing, based on a 'store policy' that was in a direct breach of contract, their merchant agreement. My wife then showed her Visa (same account number) and her ID, and was fully embarrassed and outraged that they were trying to have me arrested because THEY refused to accept payment. I found this completely unacceptable, I called their Corporate Headquarters in Glendale, California, as did my wife, and filed complaints. We were told a Field Rep for the area would call us, but none ever did. I'd plan on going back there with just my card and no ID and let the police come, but as a matter of principle I can simply not go back there after something like that.

— Jered,

We think you're right in not going back. Why give your money to bullies? It is indeed a violation of IHOP's merchant agreement with MasterCard to refuse payment without photo ID, except in the case that they need to ship something to you and have to verify your address. Did you plan on having your partially digested waffles FedExed?


MasterCard Merchant Manual (PDF) [MC]

]]>
Wed, 23 Apr 2008 10:59:34 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=383083&view=rss&microfeed=true
<![CDATA[ LendingTree Data Breach: Former Employees Were Sharing Passwords With Unapproved Lenders ]]> LendingTree announced today that several former employees are suspected of sharing passwords with lenders that were not approved by LendingTree, and that this may have exposed customer data including: name, address, e-mail address, phone number, Social Security number, income and employment information.

The Charlotte Observer says that the lender has increased its security and filed a civil lawsuit in Orange County, CA. The lawsuit names "three California-based mortgage lenders, eight individuals and two other businesses as co-defendants."

LendingTree did not say how many customers' accounts were exposed, but the article did say that the company was notifying consumers who they believe were affected.

LendingTree tells clients of breach [Charlotte Observer] (Thanks, Sarah!)

UPDATE: Reader Chris forwarded the letter that LendingTree is sending out:

April 21, 2008

Dear LendingTree Customer:

We want you to know that some loan request forms our customers sent to LendingTree may have been seen by lenders without our consent. These lenders then used the forms to market their own mortgage loans to our customers. While we don't believe that the forms were used for any other purpose, we want you to know what happened and what we did to correct this situation, as well as what you can do to monitor your credit records.

What Happened and What We Did

Recently, LendingTree learned that several former employees may have helped a handful of mortgage lenders gain access to LendingTree's customer information by sharing confidential passwords with the lenders. When we learned of this situation, we quickly contacted the authorities, and LendingTree is helping with their investigation. We promptly made several system security changes. We also brought lawsuits against those involved.

Based on our investigation, we understand that these mortgage lenders used the passwords to access LendingTree's customer loan request forms, normally available only to LendingTree-approved lenders, to market loans to those customers. The loan request forms contained data such as name, address, email address, telephone number, Social Security number, income and employment information. We believe these lenders accessed LendingTree's loan request forms between October 2006 and early 2008.

What You Can Do

Again, we don't believe any identity theft or fraudulent financial activity resulted from this situation. However, we suggest you get a free credit report. Look for any accounts you didn't open and/or inquiries from creditors that you didn't initiate. If you see anything you don't understand, contact the credit bureau. If you see anything suspicious, you may want to file a fraud alert with the bureaus. For more information on how to do this, please refer to LendingTree's Guide to Protecting Your Credit and Identity.

Where to Get More Information

We regret any inconvenience and apologize for any unwanted mortgage calls you may have received. For more information about this situation, and for more information on what you can do, please refer to the attached Questions & Answers.

Sincerely,

R.L. Harris

]]>
Tue, 22 Apr 2008 11:09:16 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=382558&view=rss&microfeed=true
<![CDATA[ Should The Government Set Up A "Do-Not-Track" List? ]]> One of the most popular sentiments expressed by readers on our blog is "be a smart consumer." Now two privacy advocacy organizations are calling for the creation of a "do-not-track" list that would protect registered users from online data collection. They argue that a list is needed because too many consumers won't or can't understand the methods behind online tracking. To illustrate, one of the organizations "pointed to a 2005 University of Pennsylvania survey in which only 25 percent of respondents knew that a Web site having a privacy policy doesn't guarantee that the site refrains from sharing customers' information with companies." But a do-not-track list is overkill, and a fearful reaction against emerging technologies.

If such a list became popular, would it reduce the ad model of the web to the blind shotgun blasts of TV advertising? That would suck—personally, if I'm going to see an ad, I want it to be about something that interests me. I don't like the idea of a third-party harvesting my data and packaging it with other users' data to profit from it, but I do think targeted advertising is an improvement over traditional advertising. Besides, how would