<![CDATA[Consumerist: Privacy]]> http://consumerist.com/tag/privacy <![CDATA[ Your Credit Report Isn't The Only Report You Should Monitor ]]> When an insurer decides whether to offer you a new policy, or whether to raise rates on a current one, it most likely pulls a CLUE report that lists any homeowner or automobile insurance loss claims (or sometimes even just inquiries) you've made over the past 3-7 years. Hopefully you already monitor your consumer credit report for errors, but as you can see, that's not the only one you should keep an eye on.

Consumer Reports has a detailed information page about companies that track and sell your personal information. The data comes in the form of consumer credit reports, insurance credit reports, your health history, your checking and banking account history, your criminal background, your history of retail returns, and your property rental history.

In most cases, you can pull free copies of these reports periodically, which is good because errors can pop up in these reports just like they can in a consumer credit history. But who has time to pull and monitor that many databases of personal information? The website PrivacyRights.org suggests you stick with yearly monitoring of your consumer credit report (the one you can get for free only at www.annualcreditreport.com), and pay attention to the other ones only under certain circumstances:

  • New homeowner's or auto insurance: order your CLUE or A-PLUS reports
  • Victim of check fraud or general checking or savings account problems: order your ChexSystems report
  • Employer (current or potential) asks for permission to run background check: ask for name of the screening company and contact them as soon as they've issued the report
  • Applying for a new job: order Employment Data Report from Work Number if any past employers used that company; also consider ordering a ChoicePoint Full File Disclosure
  • Renting an apartment or home: ask the landlord for the name of the screening company, as there are several
  • Health, life, long-term care, or disability insurance: order your MIB report from Medical Information Bureau
  • General overall check-up on what you look like as data: order a ChoicePoint Full File Disclosure and a LexisNexis Accurint Person Report

There is one time when you may want to go crazy and order everything, and that's if you've been a victim of identity theft.

(Thanks to commenter mac-phisto, whose advice in an earlier post on auto insurance triggered this one.)

"Big Brother is watching" [Consumer Reports]
"What You Should Know about 'Specialty' Reports" [Privacy Rights Clearinghouse]
(Photo: Erik Pitti)

]]>
Consumerist-5402205 Wed, 11 Nov 2009 10:53:24 EST Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5402205&view=rss&microfeed=true
<![CDATA[ iPhone App Developer Sued For Stealing Users' Phone Numbers ]]> For secretly harvesting users' phone numbers by exploiting a backdoor iPhone vulnerability, app developer Storm8 got slapped with a class action lawsuit.

Storm8 makes games like Vampires Live and iMobsters that operate very similarly to the popular Facebook game "Mafia Wars," including letting you spend real money to get better weapons and more energy in the game. Many of Storm8's titles are top iPhone game app downloads, probably because each game says that you can get extra points in it if you download one of their other games.

BoingBoing reports that the number harvesting was hidden until the company noted it in August, chalking it up as a bug. However, the lawsuit says that only "very specific and specialized software code" could do that. Storm8 has not returned BoingBoing's requests for comment.

Lawsuit text (PDF)

iPhone game dev accused of stealing players' phone numbers [BoingBoing] (Photo: Cavin 〄)

]]>
Consumerist-5398915 Fri, 06 Nov 2009 14:08:47 EST Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=5398915&view=rss&microfeed=true
<![CDATA[ Baby Too Boring? Watch The Neighbor's Baby With This Monitor ]]> If you buy the Summer Infant Day and Night Video Monitor, you might want to make sure your neighbors haven't also got one, or else they'll have a secret window into your newborn's room.

That's what a man in Illinois claims, and he's suing the manufacturer for selling him the $100 device without a warning that its video feed is somehow shareable to other devices:

"This gives rise to serious safety and privacy concerns for consumers who have unwittingly purchased and are using the monitors believing that in doing so, their children and household members are safe and in the privacy of their home when, in fact, by virtue of the monitors' capabilities, they are not."

The man says he tried to get a refund from the manufacturer, Summer Infant, but they refused and told him to buy a more expensive model if he wanted security.

"Baby Video Monitor Lets Neighbors Snoop On One Another, Class Claims" [Courthouse News Service]

]]>
Consumerist-5396180 Tue, 03 Nov 2009 14:22:13 EST Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5396180&view=rss&microfeed=true
<![CDATA[ Database Bug At Woot Leaves Reader Wary Of Ordering ]]> Robear wanted to order from shirt.woot, but something strange happened when he went to register. After choosing a username and entering his e-mail address, he noticed that all of the forms were pre-populated with another customer's information...including that user's credit card information. He contacted Woot to try to find out what could have happened, but Woot either hasn't figured it out yet, or just isn't responding. (UPDATE: Response from Woot below.)

On September 28th, 2009 I saw a shirt that I wanted to buy on the famous shirt.woot.com website. I clicked the "I want one" button and created an account by supplying a username and email address. I was then taken to my account information page to fill in my personal information. This is where the problem began. To my surprise, almost all of the fields on this page were already pre-populated with another user's information. This included the following information about that user:

- Their name
- Pieces of credit card information (xxxx-xxxx-xxxx-, expiry date)
- Their shipping address (this user's place of work)
- Their billing address (this user's apartment)

Although this user's credit card number was luckily not revealed in its entirety to me, I am guessing that if I had left it untouched and simply clicked the "this info is correct" button I would have been able to complete my order and have it charged to this user. Upon seeing this user's information, I immediately sent an email to Woot's bug reporting address codeslaves@woot.com, alerting them to what had happened and to what I referred to as a "Massive Security/Privacy Breach". I attached a screenshot of the information that was shown to me and I also asked that they remove the account I had created from their site and disassociate my email address and username from the compromised user's account.

Two weeks passed, and I had still not received a response from Woot. So on October 12th, I then sent them a second email, this time to privacy@woot.com. I found this address in their privacy policy, and it is to be used to request removal of personal information from their database. I told them that I had not heard back from them and included my original email and screenshot. 18 days have since passed, and I have still not received any responses from anyone at Woot. I can also still log on to their site using the account I had created and see the other user's information. I should also probably point out that this user works for what I will call a fairly well known organization in New York City. A simple web search confirmed this, as I was able to find this person's name and email address on this organization's website.

So, in total, it has now been 32 days and I have yet to receive any response from Woot. I personally find this unacceptable, considering the fact that I am trying to bring a problem with their site to their attention. I am wondering how I should proceed from here. Should I try contacting the other user and alerting them to the fact that their personal information has been leaked to me and potentially many other people? I would like this person to know that their information has been compromised, but I don't know how they would react. I would prefer to do this anonymously. Also, should Woot not be obligated to respond to a personal information removal request within a certain time frame? If so, do you know what it is? What do I do if I never hear back from them?

As far as my relationship with Woot is concerned, I think it's clear that I won't be purchasing anything from them anytime in the future.

Any e-commerce experts have any ideas about what could be going on? Have any other readers experienced customer database strangeness at Woot?

UPDATE: Woot has contacted Robear, and the company's founder and CEO showed up in the comments to this post to express his point of view and concerns. Click here to go to the thread.

Unfortunately, this is indeed the first our team has been aware of this report or any similar circumstance. Robear, thank you for identifying the glitch and taking steps to contact us. My apologies for our communication problems after your unsettling experience. Our customer service team's primary email (service@woot.com) should have been in the loop on the privacy address, and we're tracking down what may have occurred, whether it was missed on our end or perhaps a follow-up was lost to you; in either case it is clearly our mistake for this not being elevated to our development team with urgency. I would also like to confirm that we have the screenshot you supplied at this time and that it is of great assistance in the matter.

As to the issue reported, be assured, no credit card information or even the ability to order would have been available with the profile mismatch that is described. We use ASP.net profile management web services from Microsoft that are in widespread secure use, but security of actual transaction information is protected by other features designed at woot. However, the population on your order form of a user's name and address is an unacceptable fault to have occurred and we will take steps to ensure it doesn't occur again.

As privacy geeks ourselves, we are obsessive about these matters and value the trust that others place with us. If anyone has a privacy-related concern, I would like to make sure future communication issues do not occur. My email at woot is mrutledge@woot.com - if you or anyone else has a security issue that needs my awareness, please cc me on any correspondence. (Also, side topic, but if you have a service issue that's not taken care of to your satisfaction, I would enjoy a direct report on that as well - while we set expectations low on service levels, we pride ourselves on responsiveness and take quick corrective action when necessary.)

Thanks to the Consumerist and readers for being there as a resource to bring this to our attention, and thank you again Robear for your time involved. Once this matter is comfortably resolved, I hope we can share a chuckle on the irony of the shirt that it occurred on.

Matt Rutledge
Founder & CEO

(Photo: Brian Jackson Now)

]]>
Consumerist-5394125 Sat, 31 Oct 2009 10:00:21 EDT Laura Northrup http://consumerist.com/index.php?op=postcommentfeed&postId=5394125&view=rss&microfeed=true
<![CDATA[ Dell Gets Nosey When Attempting To Verify Order ]]> Zach ordered a netbook online from Dell, then got a call from a customer service rep who wanted to verify his identity for the order. He was stumped as to why he needed to give the company his birthday and the last four digits of his SSN.

He writes:

I feel good about Dell verifying orders, even as small as $500. Plus, it's good business. I was definitely not prepared, however, to be asked by the Indian call-center rep my birth date and the last four digits of my SSN!

I would guess a verification phone call requires confirmation of addresses, phone numbers, email, and maybe credit card numbers and codes. She asked for the pertinent information, but she didn't ask me to confirm my credit card number.

When she asked for my date of birth, I immediately asked why. She said it was for verification purposes, and of course knowing that I had never given Dell my birth date, I asked her how she planned to verify that information? She said she had that information right there in front of her, and I asked her what it said. Of course she wasn't going to divulge that to me because she was performing a verification!

After a couple more rounds, she finally relented and said I was able to verify my order with the last four digits of my SSN. What?!? Now, I can imagine how Dell might have obtained my birth date. It's possible I put it in when I created my website account (though I usually use the same false birth date on insignificant sites for obvious reasons). But I know darn well that I never gave Dell my SSN for any reason whatsoever. Ever!

I told her I refused to give that information and we went rounds again, finally culminating in my telling her that I've had higher-priced items sent to my office using the same credit card several times before, and nobody ever bothered to question or verify the order, and that I would never agree to divulge that information to Dell for any reason. Once she looked at my previous orders, and after I told her that she could cancel the order if she insisted on my most-personal information, and after nearly 45 minutes of holding and haggling, she verified the order and sent it to production.

What on earth is Dell doing with this information? Why in the world are they asking for birth dates and SSNs? Isn't it technically illegal for Dell to be asking for an SSN, especially considering that Dell is not checking credit reports (I hope), or offering credit (except through Dell Financial Services, which I've never used)?

It never hurts to give everyone here a reminder that just because a business asks for this information, it doesn't mean that they are entitled to it or that you should tell them.

Whatever Dell wants with Zach's birthday, I'm betting it's not to send him a present. If you've got an anecdote about any other corporations asking for TMI, leave it in the comments.

(Photo: yoshiffles)

]]>
Consumerist-5390830 Tue, 27 Oct 2009 11:02:27 EDT Phil Villarreal http://consumerist.com/index.php?op=postcommentfeed&postId=5390830&view=rss&microfeed=true
<![CDATA[ If You Do Not Add A Working Email To Your Profile By Sunday You Will Lose Your Account ]]>
Update: The deadline for adding an email address to your commenter ID is this Sunday, October 18th, at midnight EST. If your account doesn't include an email address by then, you will have to register again when we move the site, and you may not get the same username. If you've already added an email address, thanks! We'll see you on the other side!

We're putting the finishing touches on our shiny new site, and we'll be ready to show it to you in just a few short weeks (if you want a preview, come visit us at the Consumers Union Annual Meeting, this Saturday!). Before we launch the new site, we need to ask you for something, if you want to keep commenting using the same name that you're using now: your email address. Hit "profile" at the top when you're logged in, then click "edit my profile" and add your email there. Here's why.

When we relaunch, we'll be on a new platform, and all current commenters will have to reestablish their accounts. To do this, we'll be sending you a one-time email, with a link to reset your password.

We're doing our best to make this as simple a transition as possible, and we know you have some questions. The FAQ below covers most of the questions we've received so far. If you have other issues, please add them in the comments, and we'll do our best to get the answers to you.

Account Transition FAQ:

Q: Why are you moving to new servers?

A: When Consumerist was acquired by Consumer Media in January, Gawker agreed to continue hosting the site for up to a year. That year's almost over, so we need to move.

Q: Will you be keeping or adding x Gawker feature?

A: Gawker has its own platform, and some features are unique to it. Some features we'll be keeping are threaded comments, user profiles, and the ability to follow your favorite commenters. Oh, we'll also be keeping disemvoweling and banning.

Q: Why do I need to reactivate my commenting account?

A: Right now, your account is a Gawker network account. It will only work on Gawker-hosted sites (and will still work there after we're gone). Consumerist accounts will need to be reactivated when we move to the new platform.

Q: Why do I need to give you my email address?

A: Since we won't be able to transfer your password, the only way you can prove that you're you is by letting us send you an email to allow you to reestablish your account.

Q: What if my email address is already part of my profile?

A: You don't need to do anything, unless you'd like to use a different email address.

Q: How do I add an email address to my profile?

A: If you're not logged into the site, first login with the "Login" button on our menu bar. Once you're logged in, click on the "Profile" link in the menu bar. That will take you to your Profile page. From there, click on the "Edit My Profile" link next to your name. On the next screen, you'll be able to add an email address to your profile.

Q: Why can't you transfer my password?

A: Passwords are encrypted on Gawker's servers, and nobody can read them — not us, not the Gawker technical staff, nobody. So, they can't be transferred over to our new platform. From a privacy standpoint, this is a good thing, even if it means a little extra work to make the transition happen.

Q: What if I don't give you my email address now?

A: Your commenting ID will be deactivated on Consumerist (though your old comments will still be available). You'll be able to open a new account any time, by re-registering, though you may not be able to get the same user name.

That's it! Post any questions we haven't answered in the comments, and we'll do our best to answer them.

(Photo: adam reker)

]]>
Consumerist-5372811 Thu, 15 Oct 2009 14:24:57 EDT Marc Perton http://consumerist.com/index.php?op=postcommentfeed&postId=5372811&view=rss&microfeed=true
<![CDATA[ Citi Gives Self Permission To Sell Your Personal Info If You Get Prepaid Rebate Card ]]> Greg says he inadvertently authorized Citi to share his personal info because he applied for an online rebate. He writes:

I bought a netbook through an internet-based retailer, and got a mail-in rebate. The rebate was issued in the form of a Citi prepaid card, issued by a company owned by Citi called "e-count". After about 4 months went by the rebate finally arrived, and I opened it and everything looked in order, so I set it aside. Tonight I was going through the papers on my desk and found all the various papers that were enclosed with the card. I was throwing them away, when I noticed a very small form with very small text that said something about privacy. I decided to read it on a whim, and discovered that apparently Citi reserves the right to sell all of your information to the highest bidder WITHOUT your consent, unless you mail them an opt-out form or call a phone number. To be more specific, the section of the form in question says:

"We may disclose personal information about you to the following types of nonaffiliated third parties:

-Financial services providers, such as companies engaged in banking, credit cards, consumer finance, securities, and insurance, and

-Non-financial companies, such as companies engaged in DIRECT MARKETING and the selling of consumer products and services."

So my understanding is that since I got this rebate card, my name is probably on mailing lists for tons of junk mail. Since this thing took 4 months to finally arrive, I'm sure my information has been bought and sold several times by now, so my opting out probably won't mean anything. Plus, it says on the form that there's a 30 day waiting period for your "privacy choices" to become effective, should you choose to opt out, so opting out is probably technically impossible anyhow. People really ought to be made aware of Citi doing this, as I almost missed it myself. I am not happy.

Has anyone used a prepaid Citi card and found themselves bombarded by marketers?

(Photo: frankieleon)

]]>
Consumerist-5377023 Thu, 08 Oct 2009 10:48:21 EDT Phil Villarreal http://consumerist.com/index.php?op=postcommentfeed&postId=5377023&view=rss&microfeed=true
<![CDATA[ American Express Wants You To Use Lame Passwords ]]> We're no longer indignant about Amex's weirdly lax security policies; we're just confused. Why would a major credit card company cold call new customers and insist they give up bank and address info over the phone, or email sensitive data to strangers? Or, we just learned, demand that you use a lame password that isn't case sensitive, is only 6 to 8 characters long, and can't contain special characters?

Peter writes:

So I'm contemplating dropping my American Express Blue card, not because of the recent APR increases, but because of their website's password policy.

According to their website:

Your Password should:

  • Contain 6 to 8 characters - at least one letter and one number (not case sensitive)
  • Contain no spaces or special characters (e.g., &, >, *, $, @)
  • Be different from your User ID and your last Password

That last one makes obvious sense, but to restrict a password to between 6-8 characters, and not allow special characters? That is HIGHLY insecure. I know I did my best to make as secure a password as possible with these limitations, but what about people who use common, easily remembered, and highly guessable words as passwords? The limitation of 6-8 characters alone makes brute force a much more simple prospect. This complete disregard for security is quite bothersome.

I've contacted a customer service rep about this in the past, but they of course had no acceptable answer. Any suggestions on how to bump this one up the chain?

Peter, you can try calling or writing using this American Express executive customer service contact info (it worked for another reader as recently as May 2009), but you might just want to look for another card provider altogether. You know, one that will let you create a decent password to protect your account.
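The policy quoted above is concrete enough to put numbers on. The following is an added example, not code from the page or from American Express: it counts the candidate passwords the Amex rules permit, handling the "at least one letter and one number" requirement by inclusion-exclusion, and compares that keyspace with a case-sensitive variant of the same rules and with an assumed longer policy that allows special characters. The guess rate used for the time estimate is an assumption for illustration, not a measurement of any system.

```python
"""Keyspace of a password policy, with the 'at least one letter and at
least one digit' rule handled by inclusion-exclusion.

Added illustration; the policies other than the Amex one quoted in the
post, and the guess rate, are assumptions."""


def keyspace_for_length(n, letters, digits, specials):
    """Number of length-n strings over (letters + digits + specials)
    characters that contain at least one letter AND at least one digit.

    Inclusion-exclusion: all strings, minus those with no letter, minus
    those with no digit, plus those with neither (subtracted twice)."""
    total = letters + digits + specials
    return (total ** n
            - (digits + specials) ** n     # no letter at all
            - (letters + specials) ** n    # no digit at all
            + specials ** n)               # neither letter nor digit


def policy_keyspace(min_len, max_len, letters, digits, specials):
    """Candidates across every length the policy allows."""
    return sum(keyspace_for_length(n, letters, digits, specials)
               for n in range(min_len, max_len + 1))


def seconds_to_exhaust(keyspace, guesses_per_second):
    """Time to try every candidate at a given (assumed) guess rate."""
    return keyspace / guesses_per_second


# The policy quoted in the post: 6-8 characters, not case sensitive (so 26
# distinct letters), at least one letter and one digit, no specials.
AMEX = dict(min_len=6, max_len=8, letters=26, digits=10, specials=0)

# Same rules but case sensitive (assumed variant, for comparison only).
AMEX_CASE_SENSITIVE = dict(min_len=6, max_len=8, letters=52, digits=10, specials=0)

# An assumed longer policy (not Amex's): case-sensitive letters, digits, the
# 33 remaining printable ASCII characters, 12 to 16 characters.
LONGER_WITH_SPECIALS = dict(min_len=12, max_len=16, letters=52, digits=10, specials=33)

# Assumed guess rate for the illustration only; real rates depend entirely
# on how the verifier is implemented and rate-limited.
ASSUMED_GUESSES_PER_SECOND = 10 ** 9


def report(name, policy):
    size = policy_keyspace(**policy)
    secs = seconds_to_exhaust(size, ASSUMED_GUESSES_PER_SECOND)
    return f"{name:<22} {size:>28,d} candidates  ~{secs / 86400:,.3g} days to exhaust"


if __name__ == "__main__":
    for name, policy in [("Amex (quoted)", AMEX),
                         ("Amex, case-sensitive", AMEX_CASE_SENSITIVE),
                         ("12-16 with specials", LONGER_WITH_SPECIALS)]:
        print(report(name, policy))
```

Run directly, the script prints one line per policy. The point the letter makes shows up in the numbers: the quoted rules cap the keyspace at roughly 2.7 trillion candidates, case sensitivity alone multiplies that, and allowing length and specials moves the count out of brute-force range at any plausible guess rate.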

(Photo: subcircle)

]]>
Consumerist-5366403 Thu, 24 Sep 2009 13:32:53 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5366403&view=rss&microfeed=true
<![CDATA[ Bank Sends Sensitive Customer Info To Some Random Gmail User ]]> Here's the problem with Gmail: so many people use it that a mistyped e-mail address probably will not result in a bounced message. It will result in your message going to the wrong person, since nearly every variation of a name is probably a working address.

This is not so problematic when it's the misrouted Girl Scout meeting agendas or kids' poetry I tend to receive. It's horrifyingly problematic when a bank employee accidentally e-mails the personal data of 1,325 customers to a random, unknown Gmail user. Now Rocky Mountain Bank is suing to learn the account holder's identity in order to make sure that they didn't send the account information to Russian gangsters, or my 11-year-old cousin.

The attachment contained confidential information on 1,325 individual and business customers that included their names, addresses, tax identification or Social Security numbers and loan information.

After realizing what he'd done, the employee "tried to recall the e-mail without success."

When that didn't work, the employee sent a second e-mail to the recipient instructing the person to delete the e-mail and attachment "in its entirety" without opening or reviewing it. The employee also asked the recipient to contact the employee to "discuss his or her actions."

Silence ensued.

That's when the bank sued Google to identify the recalcitrant recipient.

The best part is that the customers affected by the breach have not yet been notified. In the meantime, the courts will decide whether the e-mail's recipient should be revealed.

Bank Sends Sensitive E-mail to Wrong Gmail Address, Sues Google [Wired via Walletpop]

]]>
Consumerist-5365526 Thu, 24 Sep 2009 10:35:25 EDT Laura Northrup http://consumerist.com/index.php?op=postcommentfeed&postId=5365526&view=rss&microfeed=true
<![CDATA[ Direct Marketing Association's Opt Out Website Is A Joke ]]> Jonathan wanted to opt out everyone in his family from direct marketing campaigns, something the DMA promises is possible via their website. Surprise! It turns out the DMA doesn't really care so much about whether or not you want to be taken off any mailing lists, and they have a rotten website and poor security protocols to prove it.

Jonathan noted all the ways in which the DMA doesn't do an adequate job of helping people opt out. Among them are:

  • You can't permanently remove yourself from their lists.
  • You aren't notified when your "enrollment" expires.
  • The DMA won't use change-of-address lists to update your information (although they do use such lists for people who haven't opted out, proving that it's a capability).
  • You can only enter five names per account; if you have more than five family members to opt out, you have to create a second, third, etc. account.
  • Sometimes the website "doesn't work" and you get a blank screen. The DMA is aware of this and their response is that you have to mail in your request.

That list is enough evidence for us that the DMA isn't acting in good faith on its opt-out program, but then Jonathan contacted the organization to ask them to investigate his second account (the one where he received a blank screen and no confirmation as to what happened). In response, a DMA rep did this:

The folks at the DMA to whom I complained about the problems on their site decided that the right way to respond was by emailing me my account passwords in plaintext, thus proving that (a) the people who designed the site don't have a clue about secure Web applications (secure Web applications NEVER store passwords in plaintext!), and (b) the people who support the site don't have a clue about Internet security (NEVER email passwords!).

What makes this so egregious is that people tend to use the same passwords everywhere, which means that if someone manages to steal the DMA's user database (and it doesn't have to be hacker — apparently there are people at the DMA who have access to the data), they can use the email addresses and passwords in it to break into OTHER sites that the DMA users are registered at.

It's a bad, bad scene.

Update, September 25, 2009: It turns out the DMA didn't like our post or Jonathan's complaints, and they sent Ben a lengthy, point-by-point rebuttal. As per his instructions, I'm pasting it below.

1. With regards to the statement that "the DMA doesn't really care so much," DMAchoice (www.dmachoice.org) empowers consumers to easily opt out of mailings that they would prefer not to receive. DMAChoice is intended to aid a consumer on an individual basis, and can aid with family members at the same address. DMAchoice gives consumers the flexibility to choose which categories of mail that they do/do not want, while companies can address the wide array of individual preference requests. Also, DMAchoice allows a consumer to enter up to three variations of their name to ensure adequate and accurate suppression of unwanted mail. In addition, DMA provides for an individual caring for a dependent, allowing him/her to fill out the caretaker form, and those with a recently departed loved one who can fill out the deceased form.

2. With regards to whether names are removed permanently: Names are removed for a period of three years, not permanently, due to change of address, name variations or other data updates needed to facilitate name suppression and ensure that it is effective. Unlike other name removal services that simply contact marketers and nothing more, members of the DMA are obligated to accept the requests as a best practice under the DMA's ethical guidelines. If there is a company that is not honoring the request made, an individual can contact DMA by going to http://www.the-dma.org/guidelines/complaintprocedures.shtml. The DMA handles cases against member and nonmember companies, and will contact the company to ensure they honor the request for compliance purposes.

3. With regards to whether you are "notified" when the enrollment expires: Since this is a name removal service, we want to respect that individual's preferences and proceed with caution by limiting the number of email communications sent to the individual. After an individual registers, we do not contact them further except for a service update if they have provided an email address and are allowing us to communicate with them in the future, or if they have a question, concern or comment. Enrollment expiration information for a registered individual is easily obtained by contacting DMA's customer support team via dmachoice.org.

4. With regards to the statement that DMA won't use a "change of address lists" to update your information and that they do for those not opting out, proving that it is a capability: We are not certain what this is referencing since the DMA is not a company, but is instead a nonprofit trade association that represents for-profit and nonprofit organizations that market to consumers (and businesses). The DMA itself does NOT market to consumers and, hence, there is no need for it to utilize suppression lists intended for companies that market to consumers. However, the DMA does maintain and enforce a set of self-regulatory Ethical Guidelines that its members are obliged to follow as a condition of membership. The Guidelines span all media and cover list management, among many other things. To review the Guidelines, please visit http://www.dmaresponsibility.org/Guidelines/. To learn more about DMA's Ethics Committees which enforce the Guidelines, please visit: http://www.dmaresponsibility.org/Committee/. In addition, the DMA's Board of Directors passed an Environmental Resolution in 2007, which laid out the DMA "Green 15," a set of eco-responsible business practices. Among the Green 15 tenets, companies are expected to run their marketing lists through the National Change of Address (NCOA) system of the United States Postal Service. To learn more about DMA's Green 15 tenets and many other environmental initiatives, please visit www.the-dma.org/environment.

5. With regards to the statement that the DMAchoice system runs only 5 names per account: As noted above (#1), DMAchoice is set up to aid a consumer on an individual basis and allow for an individual to provide his/her name variations. Nonetheless, additional accounts may be created. In addition, DMA makes a special exception for an individual caring for a dependent, allowing him/her to fill out the caretaker form, and those with a recently departed loved one who can fill out the deceased form.

6. With regards to the statement that sometimes the "website doesn't work," and there is a blank screen: If an individual is having a technical issue we are happy to assist the consumer, they can email us at dmachoice.org. Just as any other product or service that is offered to consumers, there will be some technical issues that need to be resolved. We are striving to provide an excellent consumer service and such a technical problem should not lead a consumer to believe that the DMA membership "does not care" as was stated. In fact, members of our organization are committed to honoring consumer preferences (see www.dmaccc.org for more information) and are running the DMAchoice name removal file on a monthly basis. This system has reduced unwanted mail for consumers and improves the relevance of the marketing offers to those consumers that are interested in receiving marketing offers that may save them money or provide services they are seeking.

7. With regards to the statement that there was a potential security risk when the individual that ran into a blank screen was provided his account passwords in plain text by a customer service rep: We appreciate the concerns raised and will follow up immediately with our team to verify what happened in the process and ensure that we are following the appropriate security protocols.

"DMA's Mail Preference Service: Once a fraud, always a fraud" [Something better to do]
"DMA site is not only broken, but insecure" [Something better to do]

]]>
Consumerist-5366438 Thu, 24 Sep 2009 10:00:01 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5366438&view=rss&microfeed=true
<![CDATA[ Great, Your Doctor Is Talking About You On Facebook ]]> Apparently the new generation of med students isn't as concerned as you might like them to be about sharing your medical information on Facebook or Twitter, says Time.

Time says:

A new survey of medical-school deans finds that unprofessional conduct on blogs and social-networking sites is common among medical students. Although med students fully understand patient-confidentiality laws and are indoctrinated in the high ethical standards to which their white-coated profession is held, many of them still use Facebook, YouTube, Twitter, Flickr and other sites to depict and discuss lewd behavior and sexual misconduct, make discriminatory statements and discuss patient cases in violation of confidentiality laws, according to the survey, which was published this week in the Journal of the American Medical Association. Of the 80 medical-school deans questioned, 60% reported incidents involving unprofessional postings and 13% admitted to incidents that violated patient privacy. Some offenses led to expulsion from school.

The article went on to explain that in focus groups, younger people were more likely to think that sharing their personal opinions and thoughts was ok, "regardless of their potentially damaging or discriminatory impact on others."

Sharing information about cases with personally identifiable information isn't allowed, but apparently not everyone is aware that "personally identifiable" doesn't just mean "don't say the person's name." Other details and characteristics, taken together, can identify a patient just as well, and sharing them can be a violation of confidentiality.

Are Med-Student Tweets Breaching Patient Privacy? [TIME]
(Photo:RedandJonny)

]]>
Consumerist-5366358 Wed, 23 Sep 2009 19:40:12 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=5366358&view=rss&microfeed=true
<![CDATA[ SoCalGas' Password Policy Makes Passwords Pointless ]]> We're not sure why a company would bother with offering a password feature on their customer accounts if they disable them without warning 3 months later as a matter of policy, but that's how Southern California Gas Company rolls. Does it really matter, you ask? It might if you're a victim of domestic violence.

One of their customers wrote to us:

I am in a domestic violence protection program, and must keep my private information (address, T#, etc.) confidential. One way I do this is by password-protecting my accounts, including my utility bills.

When I called Southern California Gas Company today to find out why it had not changed my mailing address to my protected one, I learned that the Gas Co. had "dropped" my password without notice — meaning anyone with basic information about me could access my account and, with good social engineering, get my street address and T#.

The first rep told me that the Gas Co. drops passwords "after six months," but then she noticed my account was only four months old. She told me that my password, apparently, was dropped after 90 days. She could not tell me why.

A second rep told me that all passwords are dropped after 90 days, but mine "stayed on for a little more than that" (120 days) "for some reason." Her supervisor confirmed that SoCalGas drops all passwords after 90 days, but does not notify consumers of this when they initially place passwords on the account. She said they are expected to notice it missing and request it be reinstated for another 90 days.

I called one more time to ask a third rep about this password policy. I did not give my account number, but said I was moving and wanted to know if I could password protect my account. The rep said "yes, no problem." And when I asked if it would remain intact while my account was active, the rep hesitated, first said "yes," then said "oh, but there's a policy that we drop it off after 90 days because we don't know how long you'll be living there."

This is terrible security procedure, and, in my case, places me in danger. It's unbelievable that a company would drop passwords from its customers' accounts without prior or current notification.

It wouldn't be as bad if Southern California Gas Company actually notified its customers when removing the password, or if their CSRs fully understood the policy and gave out the correct information when customers called in. Maybe they feel that it's sort of unnecessary—but as the customer above demonstrates, there are certain situations where you really might want to keep your account info protected.

(Photo: Preconscious)

]]>
Consumerist-5365771 Wed, 23 Sep 2009 09:34:47 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5365771&view=rss&microfeed=true
<![CDATA[ 16-Year-Old Unwittingly Stars In Homemade Abercrombie & Fitch Dressing Room Video ]]> A teenager is suing Abercrombie & Fitch and one of its former employees after she caught someone filming her in one of the store's dressing rooms.

The defendant, 21-year-old Kenneth Applegate II, denied being the person who slipped a small video camera under the door in a pile of clothes, but co-workers found a video camera they recognized as his a few days later, and on that camera's memory card was footage of the teen.

The teen included A&F in the lawsuit because she says Applegate the Deuce had been banned from the mall one month before the incident, and the store was therefore negligent in hiring him. Clearly he would be better suited for the all-sex-all-the-time branding of American Apparel.

"Teen sues after she was taped in dressing room" [WKRN] (Thanks to Christopher!)
(Photo: woodleywonderworks)

]]>
Consumerist-5356685 Thu, 10 Sep 2009 15:10:34 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5356685&view=rss&microfeed=true
<![CDATA[ Car dealers can use your driver's license ... ]]> Car dealers can use your driver's license to access your credit report
"An auto dealership checking a consumer's credit through TransUnion is not required to have the individual's social security number (SSN) in order to submit the request," says Steven Katz, a TU spokesman. Does the dealer need your permission to do that? "The dealer does not need 'permission'; rather, it needs only certify a permissible purpose (such as extension of credit)," says Katz. [Consumer Reports]

]]>
Consumerist-5355758 Wed, 09 Sep 2009 15:13:59 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=5355758&view=rss&microfeed=true
<![CDATA[ Squash Minimum Purchase Fees With Wallet-Sized Merchant Agreement ]]> Fed up with stores not knowing the rules for credit card purchases, Andy at NonToxicReviews created this handy credit-card-sized PDF of the relevant portions of Visa's and MasterCard's merchant agreements.

We asked Andy if he'd had the occasion to use this pocket smackdown yet, but he said no one has tried to require a minimum purchase since he started carrying it a couple months ago. We hate credit card transaction fees, minimum purchase requirements, requests for ID, and all the other bogus crap that stores try to pull when you try to use a credit card, so we're going to print out a copy for ourselves and see what happens.

If any readers have tried carrying a pocket merchant agreement or tried a similar method to fight these charges, let us know in the comments.

Don't Fall for Minimum Credit Card Purchases Again [NonToxicReviews]

]]>
Consumerist-5354973 Tue, 08 Sep 2009 17:52:49 EDT Alex Chasick http://consumerist.com/index.php?op=postcommentfeed&postId=5354973&view=rss&microfeed=true
<![CDATA[ Quiz Yourself About Facebook Quiz Applications And Privacy ]]> What do Facebook applications know about you and your friends? What do you know about what Facebook applications know about you? If you have Facebook, you can take this handy quiz from the ACLU of Northern California that tests your knowledge of Facebook, privacy, and outside developers.

While some parts of Facebook's privacy policy will change thanks to the Canadian government, some of these changes will take up to a year. So take a few minutes to learn what information someone is learning about you and your friends when you take a silly little quiz to figure out what flavor cupcake or breed of cat you are.

Of course, the ironic part is that you'll have to install the ACLU's Facebook quiz application.

What Do Quizzes Really Know About You? [Facebook] (Thanks, Craig!)

]]>
Consumerist-5352473 Sat, 05 Sep 2009 07:30:00 EDT Laura Northrup http://consumerist.com/index.php?op=postcommentfeed&postId=5352473&view=rss&microfeed=true
<![CDATA[ Retail Return Databases: Fraud Deterrent Or Privacy Nightmare? ]]> No shopper wants higher prices because of excessive return fraud, but many people aren't comfortable having their driver's license scanned when making a return at the store, either. We've covered the reasons for this before, but Retail Customer Experience took a closer look.

Some consumers think that the system used by many popular retailers to track shopper return behavior across chains, Verify-1 by The Retail Equation, is too much. The core of Verify-1 is a massive database of shoppers and their return behavior, and identities are verified against this database by scanning customers' identification.

For retailers, the question becomes whether such a requirement is a good idea, especially in an era of identity theft paranoia.

"I think it is a huge invasion of privacy and I personally get very defensive when asked for photo ID," said Lila Delilah, who runs the popular retail blog Madison Avenue Spy. "After a while, however, it becomes less shocking and you know when to expect it. The downside is that I think twice about shopping at a store like Victoria's Secret because I may not want to go through the ID ordeal if I need to make a return."

Would you avoid a store if you knew before shopping there that they use Verify-1 or a similar program?

Driver's license scanning reduces fraud, but may alienate shoppers [Retail Customer Experience]

PREVIOUSLY: Why Is This Store Scanning My Driver's License?

]]>
Consumerist-5351438 Thu, 03 Sep 2009 08:56:37 EDT Laura Northrup http://consumerist.com/index.php?op=postcommentfeed&postId=5351438&view=rss&microfeed=true
<![CDATA[ Complaint From Canada Prompts Facebook Privacy Changes ]]> If you're suspicious of Facebook's use of your personal data, the social networking site has made some recent changes that may make you very happy. And for this, you can thank Canada.

Some of the provisions of Facebook's privacy policy sort of violate current Canadian law, and Facebook has agreed to make changes accordingly. The policies Canada had problems with included:

  • Third-Party Data Mining - Applications will need to explain what personal information they will take from your profile, and get specific consent to do so.
  • Account Deactivation - Users will be given the choice to deactivate or delete their accounts — the latter isn't currently an option.
  • Non-Users' Privacy - This probably involves the contact list import feature, and e-mail addresses obtained through it.
  • Information in Memorial Accounts - Accounts can be either deactivated or put in "memorial" mode when a user dies. The privacy policies will need to better explain what the site does with the profile information of dead users.

Thanks, Canadian government! Facebook users in the rest of the world appreciate it.

Canada wins Facebook fight [Toronto Star]
Thanks, Canada: Facebook's 4 Big Privacy Fixes [PC World]

(Photo: avlxyz)

]]>
Consumerist-5348476 Sun, 30 Aug 2009 11:30:23 EDT Laura Northrup http://consumerist.com/index.php?op=postcommentfeed&postId=5348476&view=rss&microfeed=true
<![CDATA[ Use ID Guard Stamp To (Sort Of) Block Personal Info ]]> We're not sure how effective a stamp would be to truly block out personal info on your mail—cross-cut shredding is always better—but at the very least this would be a fun thing to do while sorting your mail. Maybe it would be good if you're one of those people who hates throwing out old magazines with your address info printed on the covers.

"ID Guard Stamp Obfuscates Your Personal Info" [Oh Gizmo!]

]]>
Consumerist-5347992 Fri, 28 Aug 2009 14:11:17 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5347992&view=rss&microfeed=true
<![CDATA[ Mac Genius Reports Child Porn On Customer's Computer To Police ]]> A man in Connecticut brought his computer to his local Apple Store for repair due to a software issue (likely a—gasp!—virus) but when he returned to pick it up, learned that the Mac Genius had reported him to the police after finding child pornography on the hard drive.

After a technician began looking through the computer, images of naked 10- to 13-year-old girls in suggestive and explicit poses were found, according to court documents.

...

Court documents show Miller came into the store Sunday afternoon because his Power Mac G5, a high-end desktop computer, was pulling photos from its hard drive and using them to overwrite thumbnails of other pictures in his photo libraries.

When an Apple technician told Miller they would need to keep his computer overnight he refused to let them keep it because he needed to pay bills with the computer, court records show.

At least we know that the technician had a valid excuse to see random folders full of image files on the computer, and didn't go randomly looking for porn. Illegal material found during the process of computer repair is admissible in court.

Move over, Chris Hansen. Catching a predator: there's an app for that.

Fairfield man arrested after Stamford Apple store worker allegedly finds child porn on computer [The Advocate]
Apple Genius Finds Child Porn on G5 In Need of Repair [Gizmodo]

RELATED:
Delete Your Porns: Court Says You Have No Right To Privacy When Your Computer Is Repaired

(Photo: Stamford Advocate)

]]>
Consumerist-5345770 Wed, 26 Aug 2009 07:45:32 EDT Laura Northrup http://consumerist.com/index.php?op=postcommentfeed&postId=5345770&view=rss&microfeed=true
<![CDATA[ Watch Out For Pointless Self-Replicating Spam Facebook Application ]]> Watch out for "[A friend] commented on a photo of you" notifications on Facebook. If you click on the notification and it asks you to install an application called "Your Photos," RUN AWAY. Your friend didn't comment on any photos of you, and the application exists to coax people to click on banner ads.

Once you install the application, your friends in turn receive a notice that you commented on a photo of them. Ha ha! Self-replicating!

Here's the actual application screen, once it's installed:



The "Continue" button is part of the banner ad, not a useful part of the application. Not that sending a hideous 3D smiley is something you would want to do, anyway.

"Your Photos" [Application page]

]]>
Consumerist-5342865 Fri, 21 Aug 2009 15:45:31 EDT Laura Northrup http://consumerist.com/index.php?op=postcommentfeed&postId=5342865&view=rss&microfeed=true
<![CDATA[ Hackers Indicted For Stealing 130 Million Credit Card Numbers ]]> 130 million is a large number, but that's how many credit card numbers a group of three hackers are alleged to have stolen from five different companies, including 7-Eleven, Hannaford, and Heartland Payment Systems, says the Department of Justice.

The DOJ says:

As alleged in the Indictment, between October 2006 and May 2008, Albert Gonzalez, 28, of Miami, Fla., acted with two unnamed coconspirators to identify large corporations, often by scanning the list of Fortune 500 companies and exploring corporate websites. Upon identifying a potential victim, Gonzalez and his coconspirators sought to identify vulnerabilities, both by physical observation and by online exploration. For example, according to the Indictment, Gonzalez and an individual identified in the Indictment as "P.T." would go to the retail locations of their potential victims in an attempt to identify the type of point-of-sale ("checkout") machines utilized by the victim companies. After reconnaissance of the computer systems was completed, information would be uploaded to servers which served as hacking platforms. These servers, located in New Jersey and around the world, were used by the coconspirators to store information critical to the hacking schemes and to subsequently launch the hacking attacks.

According to the Indictment, the hacking attacks launched against the corporate victims consisted of what is known as a SQL-injection attack, which is an attack that exploits security vulnerabilities in elements of a computer that receives user input. Gonzalez provided some of the malicious software (malware) to his coconspirators, and they added their own as they sought to identify the location of credit and debit card numbers and other valuable data on the corporate victims' computer systems. The coconspirators often worked together on a real-time basis, contacting each other by instant messaging as they were improperly accessing the corporate victims' computer systems, according to the Indictment. Once the target information was discovered, it would be stolen from the corporate victims' servers and placed onto servers controlled by Gonzalez and the coconspirators.

In addition to searching for credit and debit card data on the victims' computer systems, the Indictment alleges that Gonzalez and the coconspirators installed "sniffers" which conducted real-time interception of credit and debit card data being processed by the corporate victims and subsequently stolen from the corporate victims' computer servers.

The hackers would then sell the credit card information to people who would attempt to use it to make fraudulent purchases or withdraw money.
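As an added illustration of the attack the indictment names (this is example code written for this page, not anything from the indictment or from the breached companies), the following Python script puts a query that splices user input into SQL text beside its parameterized replacement and runs both against a constructed in-memory SQLite table of fake card records. The table, the rows and the attacker string are all constructed here.

```python
"""Added example: a string-built SQL query beside its parameterized fix.

Illustrative code written for this page, not code from the indictment or
from any breached company. The table, column names and rows are constructed
so the script runs offline against an in-memory SQLite database.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a constructed customers table holding a few fake card records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card) VALUES (?, ?)",
        [
            ("alice@example.test", "4111111111111111"),
            ("bob@example.test", "5500000000000004"),
            ("carol@example.test", "340000000000009"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable: the caller's input is concatenated into the SQL text.

    A crafted `email` value changes the structure of the query instead of
    being treated as data, which is exactly what a SQL-injection attack
    exploits.
    """
    sql = f"SELECT email, card FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT email, card FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed attacker input: closes the string literal, ORs in a tautology
# so the WHERE clause matches every row, and comments out the leftover
# closing quote with "--".
INJECTION = "x' OR '1'='1' --"


def demo() -> dict:
    """Row counts returned by each lookup for a normal and an injected input."""
    conn = build_db()
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice@example.test")),
        "vulnerable_injected": len(lookup_vulnerable(conn, INJECTION)),
        "safe_normal": len(lookup_safe(conn, "alice@example.test")),
        "safe_injected": len(lookup_safe(conn, INJECTION)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

Run it and the concatenated version hands back every card for the injected input while the parameterized version returns none. Parameter binding fixes the structural bug; it does nothing against the sniffers the indictment also describes, which read card data after the database has already answered, so it is necessary rather than sufficient.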

The NYT says Gonzalez has been in custody since 2008 — when he was arrested for his involvement in a data theft at Dave & Buster's. He was also indicted in the 2005 TJX data breach.

Erez Liebermann, an assistant United States attorney in the Justice Department's New Jersey office, said Mr. Gonzalez's involvement in so many data breaches suggested that "perhaps the individuals capable of such conduct are a tighter-knit group than may have been previously thought."

Ya think?

The other, unnamed co-conspirators in the case are identified as "Hacker 1" and "Hacker 2," and are disappointingly located in Russia, rather than in a copy of The Cat In The Hat.

Three Men Indicted for Hacking into Five Corporate Entities, including Heartland, 7-Eleven, and Hannaford, With Over 130 Million Credit and Debit Card Numbers Stolen (PDF) [Department of Justice]
3 Indicted in Theft of 130 Million Card Numbers [NYT]
(Photo:taberandrew)

]]>
Consumerist-5339585 Tue, 18 Aug 2009 01:32:22 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=5339585&view=rss&microfeed=true
<![CDATA[ Marriott Drops "It's Your Fault" Claim In Rape Case ]]> After it broke last week that Stamford Marriott Hotel & Spa was claiming it was the fault of the victim and her two toddlers that she was raped in their parking garage, the hotel has decided to withdraw the claim. They also apologized for the rape in a general sort of way—but not for subpoenaing her friends and professional acquaintances who otherwise would not have known about the crime.

"Marriott withdraws claim in rape case" [ConnPost via Negais]


Update: Thanks to our readers who continue to follow up on this story and post links to more detailed articles, we now know a lot more about the situation. We thought, considering how scandalicious the accusation is, the fair thing to do is to repeat Marriott's side of the story—which is that the hotel's lawyers never made the claim directly, and that they tried to get it removed from their defense well before anyone else heard about it.

Here's what Marriott has claimed in this Associated Press article:

  • Marriott says they did not subpoena anyone yet, and have not disclosed the woman's identity:

    Marriott attorney Donald Derrico said the company was trying to determine the effect of the crime on the victim and that subpoenas have not been issued. The hotel will decide whom to subpoena on a case-by-case basis, he said.

    "Her name was never, ever, ever disclosed to anyone," Derrico said.

  • Derrico "said that Marriott officials asked his law firm to withdraw the claim in July, but that his associate had not done so because his mother died."

    In this article from Greenwich Time, Marriott's lawyer says pretty much the same thing:

    "From its inception, the legal case involving this tragic incident has been handled by the insurance company and its lawyers under the terms of the hotel's insurance policy, as is customary where an insurance company bears the risk of loss," said Stamford attorney Marc Kurzman in a statement from the hotel. "Interestingly enough, when we recently learned of this defense we requested that it be withdrawn."


(Photo: vale_blos)

]]>
Consumerist-5339304 Mon, 17 Aug 2009 16:33:00 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5339304&view=rss&microfeed=true
<![CDATA[ Google Invites Privacy-Concerned Users To Move To Remote Village ]]> The Onion reports that Google's new privacy policy requires users who wish to opt out to relocate to a remote ghetto and abandon all contact with the outside world. (Photo: kalle svensson)

]]>
Consumerist-5335970 Wed, 12 Aug 2009 14:35:01 EDT Alex Chasick http://consumerist.com/index.php?op=postcommentfeed&postId=5335970&view=rss&microfeed=true
<![CDATA[ Silly Consumer, Did You Think Your Prescription Info Was Private? ]]> The NYT has the story of a woman who, more than 10 years after she tried and failed to have a baby using in vitro procedures, is still getting marketing information for all sorts of products. First it was Pampers and baby formula — then, as the baby she did not have "grew up," so did the marketing offers. How did they get her information? They bought it.

From the NYT:

Like many other people, Ms. Krinsk thought that her prescription information was private. But in fact, prescriptions, and all the information on them - including not only the name and dosage of the drug and the name and address of the doctor, but also the patient's address and Social Security number - are a commodity bought and sold in a murky marketplace, often without the patients' knowledge or permission.

This could apparently change if a little-noticed portion of the stimulus bill that bans the sale of health information in most cases is enforced. The NYT says the law also prevents your pharmacy from marketing new drugs to you on behalf of the pharmaceutical company, a practice that is already illegal in California.

Still, the law doesn't prevent companies from selling "anonymous" health data — and it's apparently not that difficult to "reidentify" the users — which is probably what happened to the consumer mentioned above.
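To show how little "anonymous" buys when the released fields line up with a public record, here is an added Python example (written for this page, not taken from the NYT story or from any data broker). Both datasets are constructed: a de-identified prescription list that drops names and SSNs but keeps ZIP code, date of birth and sex, and a voter-roll style public record that lists names against those same three fields. The names, ZIP codes and drugs are made up.

```python
"""Added example: re-identifying "anonymous" health records by linkage.

Illustrative code written for this page. Both datasets are constructed:
a de-identified release that keeps ZIP, birth date and sex, and a public
record that lists names against the same fields. Joining on the shared
quasi-identifiers is the whole attack; k-anonymity is the usual measure of
how exposed a release is to it.
"""
from collections import defaultdict

# Constructed "anonymous" prescription records (no name, no SSN).
ANON_RECORDS = [
    {"zip": "02138", "dob": "1971-03-04", "sex": "F", "drug": "clomiphene"},
    {"zip": "02138", "dob": "1971-03-04", "sex": "M", "drug": "atorvastatin"},
    {"zip": "02139", "dob": "1985-11-20", "sex": "F", "drug": "sertraline"},
    {"zip": "02139", "dob": "1985-11-20", "sex": "F", "drug": "metformin"},
]

# Constructed public record (voter-roll style) with names.
PUBLIC_RECORDS = [
    {"name": "Pat Doe", "zip": "02138", "dob": "1971-03-04", "sex": "F"},
    {"name": "Sam Roe", "zip": "02138", "dob": "1971-03-04", "sex": "M"},
    {"name": "Lee Poe", "zip": "02139", "dob": "1985-11-20", "sex": "F"},
    {"name": "Kim Moe", "zip": "02139", "dob": "1985-11-20", "sex": "F"},
]

# Fields present in both datasets: the quasi-identifiers.
QUASI = ("zip", "dob", "sex")


def key(rec: dict, fields=QUASI) -> tuple:
    """The quasi-identifier tuple used to join the two datasets."""
    return tuple(rec[f] for f in fields)


def link(anon: list, public: list) -> dict:
    """Join anonymous records to names on the quasi-identifier tuple.

    Returns {name: [drug, ...]} only where the public record contains a
    single person with that tuple, i.e. where the link is unambiguous.
    """
    names_by_key = defaultdict(list)
    for p in public:
        names_by_key[key(p)].append(p["name"])
    result = defaultdict(list)
    for a in anon:
        names = names_by_key.get(key(a), [])
        if len(names) == 1:
            result[names[0]].append(a["drug"])
    return dict(result)


def k_anonymity(records: list) -> int:
    """Smallest number of records sharing one quasi-identifier tuple.

    A release is k-anonymous when every tuple occurs at least k times; k = 1
    means at least one person is uniquely described by the released fields.
    """
    counts = defaultdict(int)
    for r in records:
        counts[key(r)] += 1
    return min(counts.values())


def generalize(records: list) -> list:
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix, birth year, no sex."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:3] + "**"
        g["dob"] = r["dob"][:4]
        g["sex"] = "*"
        out.append(g)
    return out


if __name__ == "__main__":
    print("raw release: k =", k_anonymity(ANON_RECORDS), link(ANON_RECORDS, PUBLIC_RECORDS))
    gen_anon, gen_pub = generalize(ANON_RECORDS), generalize(PUBLIC_RECORDS)
    print("generalized: k =", k_anonymity(gen_anon), link(gen_anon, gen_pub))
```

Two of the four "anonymous" records link to exactly one name and give away that person's prescription. Coarsening the quasi-identifiers until every combination appears at least twice (k-anonymity with k = 2) makes the same join ambiguous for everyone, which is the trade the seller of "anonymous" data usually has not made.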

So... just make sure not to have any health conditions that you might want to keep to yourself. Ok?

And You Thought a Prescription Was Private [NYT]
(Photo:voteprime)

]]>
Consumerist-5333951 Mon, 10 Aug 2009 11:14:29 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=5333951&view=rss&microfeed=true
<![CDATA[ Facebook Bans Advertisers From Stealing Your Photo To Sell Stuff To Your Friends ]]> Facebook has firmly told app developers that it's not okay for them to steal your wife's photo from her profile page and use it to entice others into a sexy local singles dating service.

According to Facebook, this has never been allowed:

Please remember that developers have never been allowed to send user data received from Facebook to ad networks, and we take firm action against this. If you run code provided by an ad network in the operation of your application, be sure you understand what this code does.

Except of course for the part where it happened and they made money off it.

Jacking people's personal content without their consent to use in ads has never been okay, says Facebook, but now the smack is being laid down, now that the rest of the internet has noticed one month after we posted about it.

A point of clarification: in a previous post about this, we said that there was a way within the settings to opt-out of the ads using your photos in Facebook. That's just for official Facebook ads themselves, not for ads deployed by 3rd-party apps. Apologies.

Good Ads Make for a Good Ecosystem [Facebook Developer's Blog]
Facebook Advertising Guidelines [Facebook]

(Photo: Gauldo)

]]>
Consumerist-5326719 Thu, 30 Jul 2009 17:28:47 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=5326719&view=rss&microfeed=true
<![CDATA[ For Some Reason, People Don't Like Being Fingerprinted At The Bank ]]> If you're not a Bank of America customer, but visit one of their branches to cash a check, you'll need to be fingerprinted. No, check cashing is not a crime, and the bank is trying to protect itself against fraud, but some people still don't like the idea of giving up their prints for cash.

The New Hampshire House of Representatives recently introduced a bill that would ban the practice. The Nashua Telegraph took a look at the origins of and potential problems with the practice.

As part of the program, non-account holders who want to cash a check drawn on Bank of America must provide two pieces of identification, along with a thumbprint on the check. If the person refuses, the bank won't cash the check.

The bank says the practice is a deterrent to would-be fraudsters - proof that the person presenting the check is who he or she claims to be. It's also a resource for law enforcement to identify a person if the check turns out to be fraudulent, the bank said.

Some people have privacy concerns with this practice due to the storage of thumbprints. Storage? Yes, the banks maintain a digital image of checks, which for non-customers includes the thumbprint. They're not building a massive database of thumbprints for use in a massive government biometric ID program, but some people find it troubling that the bank has their thumbprint on record.

RELATED:
BofA Throws Out Customer Who Refuses To Give Thumbprint
Chase Refuses To Cash Check Without Thumbprint

Thumbing their noses: Customers take umbrage over bank policy requiring thumbprints [Nashua Telegraph]

(Photo: stelladiver)

]]>
Consumerist-5325799 Wed, 29 Jul 2009 17:33:52 EDT Laura Northrup http://consumerist.com/index.php?op=postcommentfeed&postId=5325799&view=rss&microfeed=true
<![CDATA[ Bank's Fix For Erroneous Charges: Disclose Personal Information To Other Customers! ]]> Taking outsourcing to an extreme, Bank of New Zealand decided that instead of figuring out why one woman's charges ended up on another customer's account, they would just give the customer the woman's name, home address, work address, email address and cellphone number so they could settle things for themselves.

The Carterton man, who asked to remain anonymous, told the Herald that when he and his wife noticed the Auckland purchase they called BNZ to ask what went wrong.

He said he was "astounded" when a staff member denied the bank was responsible and then gave him Mrs Hansford's home address, work address, mobile phone number and private email address so he could sort the situation out himself.

"We were advising them of a fraudulent transaction and they couldn't care less," he said.

"I was incredulous and surprised and wondering why the bank didn't do basic checks like the person's name and address before the transaction. Their basic response was 'tough - if you don't like it - tough'. Which was when we cancelled the account."

Bank of New Zealand offered the woman $2,000 to apologize for sharing her personal information. She turned it down and canceled her account.

Customers' anger as bank passes on personal details [New Zealand Herald]

]]>
Consumerist-5323385 Sun, 26 Jul 2009 22:00:52 EDT Carey Alexander http://consumerist.com/index.php?op=postcommentfeed&postId=5323385&view=rss&microfeed=true
<![CDATA[ Facebook Lets Ads Steal Your Profile Photos To Sell Crap To Your Friends ]]>

The internet has woken up to the fact that Facebook can steal photos from your profile page and use them in ads targeted at your friends.

We first reported on this on June 24th in the case of reader Rob who was invited on Facebook to meet hot singles who were waiting for him. The Facebook ad used a picture of his wife in the picture. Now a front-page Reddit story and people on Facebook itself are spreading the news about the privacy concern and making a stink.

To opt out, you can just go here and select "no one." Or to do it from within Facebook, click settings -> privacy -> news feeds and wall -> facebook ads. If you have Ad-block, you have to disable it to do the opt out, as ad-block considers it also an ad.

The ads themselves are not served by Facebook but by third-party companies exploiting a part of the application platform which lets app developers see all the friends of a user who has added the app, even if that user's friends haven't themselves added the app.

In the description, Facebook says, "Facebook Ads make advertisements more interesting and more tailored to you and your friends," but what it should really say is "Facebook Ads slap your picture on stupid IQ test and dating site ripoffs."

When endofweb.co.uk noticed this issue and asked Facebook for a response, Facebook said they were in the process of investigating the deceptive ads and getting them shut down. David Swain, of the Product and Platform Communications department at Facebook, said, "It's an important issue, and one we take seriously."

[Reddit]
PREVIOUSLY: Facebook Encourages Open Marriages-Just Ask Dan's Wife

]]>
Consumerist-5322173 Fri, 24 Jul 2009 13:24:36 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=5322173&view=rss&microfeed=true
<![CDATA[ Bezos Apologizes For Kindle's Orwellian Moment ]]> Nearly a week after Amazon remotely deleted 1984 and Animal Farm from customers' Kindles because they weren't licensed, head Kindle-cheerleader Jeff Bezos posted this statement on the Kindle Community discussion board on Amazon.com.

This is an apology for the way we previously handled illegally sold copies of 1984 and other novels on Kindle. Our "solution" to the problem was stupid, thoughtless, and painfully out of line with our principles. It is wholly self-inflicted, and we deserve the criticism we've received. We will use the scar tissue from this painful mistake to help make better decisions going forward, ones that match our mission.

With deep apology to our customers,

Jeff Bezos
Founder & CEO
Amazon.com

Meh. We're not mocking it, and he's probably sincere, but still... meh. When we see a clarification to the licensing terms, then we'll take real interest.

"An Apology from Amazon" [Amazon's Kindle Discussion Forum]
(Photo: spud murphy)

]]>
Consumerist-5322049 Fri, 24 Jul 2009 11:08:14 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5322049&view=rss&microfeed=true
<![CDATA[ Customer Visits Verizon CEO's Home, Gives Him A Taste Of No Privacy ]]> John Hargrave of comedy site Zug.com tracked down the personal info of Verizon's CEO, then showed up with a bullhorn to illustrate what a lack of privacy feels like. "Ivan Seidenberg! I'm here on behalf of Verizon customers. PLEASE DO A BETTER JOB PROTECTING YOUR CUSTOMERS' CELL PHONE RECORDS! Everyone has the right to privacy, including you Ivan! When we don't have privacy, then freaks with bullhorns start showing up on our front lawn."


Read the details of the prank over at Zug.com. (That's right, if you're one of those readers who can't watch the video, you can read a full description of the prank there.)

"How Easy Is It To Get the Private Cell Phone Records and Address of Verizon's CEO?" [Zug via IntoMobile]

]]>
Consumerist-5320389 Wed, 22 Jul 2009 12:45:01 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5320389&view=rss&microfeed=true
<![CDATA[ Warning, iDrive Lite Spams All Your Gmail Contacts Without Your Permission ]]> Don't install the iPhone app iDrive Lite if you value the privacy of your contact list. Avi Muchnick, one of the developers behind the free, consumer-friendly online graphics suite Aviary, used iDrive to back up his Gmail contact list when switching to a new phone. The next day, he awoke to discover that iDrive's parent company, Pro Softnet Corp, had spammed every single entry in his contact list without his permission.

In his blog post about the event, he describes how Pro Softnet Corp brushed him off when he called to complain:

called iDrive's parent company Pro Softnet Corp and their operator kept pushing me to voicemail when I asked to be transferred to a supervisor. I have a feeling I'm not the first to call in and complain.

After SkokieGuy's comment below, we headed to the iDrive Lite website (the company provides a link on the iTunes App Store info page) to look for any information about contact scraping. We found none. We checked out their privacy policy and it doesn't address this practice at all. Here's their Terms of Usage for all iDrive products, but again we couldn't find any assertion of their right to access your contacts and spam them.

"iDrive spammed my Gmail contacts" [Aviary.com]

]]>
Consumerist-5310141 Thu, 09 Jul 2009 13:46:26 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5310141&view=rss&microfeed=true
<![CDATA[ Some SSNs Can Be Guessed Using Birthdate And Location, Say Researchers ]]> It turns out our Social Security numbering system, which launched in 1936, isn't exactly foolproof against some types of hacking. The New York Times reports that researchers at Carnegie Mellon University "used statistical techniques to predict Social Security numbers solely from an individual's date and location of birth."

From the researchers' sample, it was possible to identify in a single try the first five digits for 44 percent of deceased individuals who were born after 1988 and for 7 percent of those born from 1973 to 1988. It was possible to identify all nine digits for 8.5 percent of those born after 1988 in fewer than 1,000 attempts.

The accuracy of the prediction system increased for smaller states and for people born after 1988. The accuracy was higher for those born in the late 1980s and after because of rules that led increasingly to the assignment of Social Security numbers at birth. The researchers, for example, reported that they needed 10 or fewer tries to predict all nine digits for 1 out of 20 Social Security numbers assigned in Delaware in 1996.

The study points out that although it's technically possible for criminals to repeat the results of the study, it's currently unlikely. Still, it underscores that SSNs are an "aging technology," in the words of one law professor quoted in the article. Or as one of the co-authors of the study says,

"My hope is that publishing these results may open a window of opportunity, so to say, to finally take action," Mr. Acquisti said. "That S.S.N.'s are bad passwords has been the secret that everybody knows, yet one that so far we have not been able to truly address."

"Social Security Numbering System Vulnerable to Fraud, Experts Say" [New York Times]
(Photo: TheLawleys)

]]>
Consumerist-5308927 Tue, 07 Jul 2009 10:13:03 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5308927&view=rss&microfeed=true
<![CDATA[ Marketers Announce They Will Bring More Transparency To Personal Data Collection By 2010 ]]> Several major advertising trade groups announced yesterday that starting in 2010, they will implement a new set of self-imposed guidelines on how they collect and use your personal info, in an attempt to prevent the government from handing down federal regulations.

According to Forbes, the collected trade groups represent 5,000 Internet and advertising companies, "including Yahoo, Microsoft and Google."

So what do the new guidelines address? Transparency mostly, says Forbes:

They call for third-party and service providers to include a notice on their Web sites that describes the types of data being collected, and how it is used, as well as a way for consumers to block the collection and use of data for behavioral advertising purposes, or selling that data to a third party.

We think there's already an excellent example of this sort of full disclosure on a mainstream website—All Things Digital by the Wall Street Journal. On your first visit to the site, this is what you see:

It's simple and clear. It's visually appealing so it won't be ignored or treated as dreaded legalese (we like the subtle touch of making it float behind Mossberg's head, so that it feels like an organic part of the site). And it appears above any content to grab your attention immediately. Start with that, ad trade groups, and you'll have taken a good first step.

"Ad Groups Aim To Inform Consumers About How Their Data Is Used" [Forbes]
(Photo: blakespot)

]]>
Consumerist-5307057 Fri, 03 Jul 2009 14:32:18 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5307057&view=rss&microfeed=true
<![CDATA[ Psht, Bank Of America Doesn't Need Your Consent To Give You A Credit Card ]]> Hector didn't know whether or not he was going to accept Bank of America's offer of a new credit card with a $3,500 limit, so the bank made his decision easy by issuing the card without his permission. When Hector discovered the surprise credit line, he called Bank of America with two requests: explain how they could open a new account without his consent, and keep the account open until he could figure out the new line's impact on his credit score. Of course, without a peep, Bank of America immediately canceled the new credit card, leaving Hector wondering what might happen to his credit score...

Hector writes:

On Tuesday June 23 I went down to my local bank to deposit some money. Things started out weird right away with the teller I got, as she didn't seem to have a working computer, and so she had to go into the back to place the money. She also ended up putting my funds into my checking account instead of a savings account, but hey, no biggie. When she came back with my deposit slip she informed me I was approved for a 3,500 credit line. The interest she quoted me was actually lower than the one I had on one of my credit cards, so I was kinda interested. I asked her how long the interest held up for and what the interest would be after the initial offer. She couldn't give me that answer, so she waved a personal banker over to answer that.

The personal banker gave me the information I needed, and I told her I would think about it and would come back if I decided to take up the offer. Please keep in mind that at no point did I agree to anything, nor did I sign any paper or such. The total time I spent discussing this credit line was about five minutes.

I didn't think about BOA and their offer until Thursday evening when I logged into their website to check my funds. This is when I found a powermaster Visa card now under my name, with a 3,500 credit limit. To say I was surprised was an understatement.

I instantly called up BOA customer support, who told me that the card was opened by the bank location on June 23. I then asked about filing a complaint, wanting to find out how exactly this happened. The woman on the phone was more than happy to take my complaint, but told me that the only answer I would receive would be through mail two to three weeks from now. I asked if I could have anyone phone me or email me, as I didn't want to get some sort of form letter, and she told me that there was no way to do that.

On Friday morning I headed to the bank and asked to speak to a manager. I ended up speaking with a Tony, who sat me down on the personal banker side of the location. I gave him all my information and he once again verified that yes, a credit line was opened under my name. I told Tony not to do anything with the account yet, as I needed to find out whether this would affect my credit. I also told him that I wanted someone from their location to contact me to provide me with some answers.

I have not heard from anyone yet, but I just logged into my BOA website and see that the card is no longer there. I'm slightly bothered by the fact that they just closed the card even though I told them I first wanted to be contacted and find out whether this would affect my credit.

]]>
Consumerist-5303824 Mon, 29 Jun 2009 16:15:18 EDT Carey Alexander http://consumerist.com/index.php?op=postcommentfeed&postId=5303824&view=rss&microfeed=true
<![CDATA[ Yahoo! Still Exists, Says Internets Are Safer Than They Used To Be ]]> A Congressional panel is looking into drafting new online privacy laws, but Yahoo says such legislation isn't necessary because the e-industry has done such a bang-up job of regulating itself.

A Business Mirror story on the matter goes:

"Most advances in online privacy protection have come as a result of industry initiatives and self-regulation," Anne Toth, Yahoo!'s head of privacy, said in written testimony submitted to a joint House hearing. "Market forces drive companies like Yahoo! to bring privacy innovations to our customers quickly."

The hearing on industry practices and consumer expectations was held before the House Subcommittee on Communications, Technology and the Internet and the Subcommittee on Commerce, Trade and Consumer Protection.

The hearing concerned a debate over how companies use customers' personal information. Charter Communications Inc. halted a plan to track customers' Internet use for a targeted-ad campaign after lawmakers objected last year.

In February the Federal Trade Commission urged providers of Internet advertisements, such as Mountain View, California-based Google Inc., to gain consent before collecting personal data.

Closely held Facebook Inc., operator of the world's largest social networking site, revised privacy principles in February after users complained about a policy change that let the company keep customers' photos and content, even if users closed their accounts.

Representative Joe Barton, a Texas Republican, called loss of personal privacy "a big deal for most Americans, and it's a very big deal to me."

"People should have the option to prevent any kind of data collection in the first place," Barton told the hearing. "The public calls for action have reached a deafening pitch."

So that's why we're going deaf. It wasn't that rock and roll music (that Big Brother didn't realize we downloaded because our internet privacy is so secure) we've been listening to and playing too loud.

Yahoo! says consumer online privacy has improved [Business Mirror]
(Photo: Therrol)

]]>
Consumerist-5302768 Fri, 26 Jun 2009 10:55:21 EDT Phil Villarreal http://consumerist.com/index.php?op=postcommentfeed&postId=5302768&view=rss&microfeed=true
<![CDATA[ Facebook, Where Are You Getting These Crazy Friend Suggestions From? ]]> This morning, I woke up to find an inbox full of readers freaked out about Facebook friend suggestions. What's the big deal about that? Privacy-minded Facebook users can't figure out where these suggestions are coming from, and aren't happy with the possibilities.

Dawn gave us some examples of friends that Facebook is suggesting for her:

A couple of examples of people Facebook has suggested to me (again, none of the addresses were imported to Facebook) - a client (work email stored in my Outlook contacts, but that is it, no mutual friends or common networks), the current wife of an ex-boyfriend, a former co-worker from 10+ years ago (again no current email anywhere), my now deceased mother-in-law (this one puzzles me less, but she died two years ago, why is she coming up now??)

Freaky. So what's going on here? Reader Megan turned up this blog post, where Tony Ruscoe formulated a theory about why this is happening, then tested it with his own Gmail contacts list, Facebook account, and some accomplices. What did they discover? Well, when you import your e-mail contacts and choose to skip over and not add certain people to your friends list, Facebook doesn't forget. Facebook also forms relationships based on other people's imported contact lists, meaning that even if you've never imported your own lists, Facebook sees your address in other people's contact lists and figures out relationships based on that.

How can you get Facebook to cut it out? You can start by removing any stored contact lists that Facebook has for you. If you're logged in to Facebook, do that at this link. If you want to take it a step further, change your privacy settings so you're not visible in search results.

How Facebook Uses Your "Skipped" Webmail Contacts [Blogoscoped]
Remove Contacts Imported using the Friend Finder [Facebook]

(Photo: avlxyz)

]]>
Consumerist-5301425 Tue, 23 Jun 2009 15:21:57 EDT Laura Northrup http://consumerist.com/index.php?op=postcommentfeed&postId=5301425&view=rss&microfeed=true
<![CDATA[ The New York Times takes a look at "contact ... ]]> The New York Times takes a look at "contact scraping," which is when a website tricks you into providing access to your address book and then spams all of your friends by saying you asked them to join. Some of the offenders include Tagged.com, MyLife.com (formerly Reunion.com), and desktopdating.net. [New York Times]

]]>
Consumerist-5300439 Mon, 22 Jun 2009 23:12:03 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5300439&view=rss&microfeed=true
<![CDATA[ Applying For A Job? Great, Give Us Your Google And Facebook Passwords ]]> ReadWriteWeb has a scary article about the city of Bozeman, Montana. It doesn't sound like a scary place, but if you want to, say, work for the City, you'll need to give them all your social networking usernames and passwords.

ReadWriteWeb says:

The form (PDF) is a standard waiver that allows the city to perform a background check, which is obviously a routine procedure, but in addition, the city asks prospective employees to "please list any and all, current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook, Google, Yahoo, YouTube.com, MySpace, etc." The form provides three lines for entering this information.

Handing over your password, of course, allows the City to poke around in all of your business — including search history and email archive.

The local TV station picked up the story. According to city attorney Greg Sullivan, the City doesn't look at "the things that the federal constitution lists as protected things," and he maintains that no one has removed their name from consideration because of the requirement.

So why do they even need your passwords? Mr. Sullivan says the City has "positions ranging from fire and police, which require people of high integrity for those positions, all the way down to the lifeguards and the folks that work in city hall here. So we do those types of investigations to make sure the people that we hire have the highest moral character and are a good fit for the City."

My moral character says it's wrong to poke around in an applicant's personal life, but what do I know.

"Want to Work for the City of Bozeman, MT? Hand Over Your Social Network Logins and Passwords" [ReadWriteWeb] (Thanks, David!)

]]>
Consumerist-5296940 Fri, 19 Jun 2009 12:59:55 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=5296940&view=rss&microfeed=true
<![CDATA[ Tagged.com Will Spam Your Friends And Family ]]> Tagged.com has been around for a few years now, but it's spread across the Internet with a vengeance in the last few weeks. The service promotes itself by getting inside the address book or e-mail contacts of people who sign up and e-mailing everyone they know. It's disingenuous, since the e-mail looks like an invitation from your friend or family member...but they didn't initiate it at all.

Let this serve as a warning: don't sign up with tagged.com, and warn anyone in your life who you think may be susceptible to this kind of scam.

The text of the message looks like this:

[Name redacted] has added you as a friend
Is [Name] your friend?

Click Yes if [Name] is your friend, otherwise click No.
But you have to click!

Please respond or [Name] may think you said no :(

Guilt-tripping me with a frowny face? That's low. Now, the e-mail claims that either your friend wants to share pictures with you or has added you as a friend, but neither is true. The site has simply harvested your entire address book.

This behavior is item F under their Terms of Service:

E) Notice Regarding Commercial Email

MEMBERS CONSENT TO RECEIVE COMMERCIAL E-MAIL MESSAGES FROM TAGGED, AND ACKNOWLEDGE AND AGREE THAT THEIR EMAIL ADDRESSES AND OTHER PERSONAL INFORMATION MAY BE USED BY TAGGED FOR THE PURPOSE OF INITIATING COMMERCIAL E-MAIL MESSAGES.

It's the only item in all caps, so you know it's important. Caps lock: cruise control for importance.

The e-mails asking you to sign up for Tagged include a URL to block all future e-mails from the service. That address is http://www.tagged.com/no_more_conf.html?blckd=youremail@here.net.

Tagged.com [McAfee Site Advisor] (The company considers the site "safe," but look at the user complaints)
Tagged [Snopes.com]

]]>
Consumerist-5283453 Tue, 09 Jun 2009 07:01:27 EDT Laura Northrup http://consumerist.com/index.php?op=postcommentfeed&postId=5283453&view=rss&microfeed=true