FBI will tap into personal profiles

San Diego Union Tribune ^ | 8/03/2002 | Bruce V. Bigelow

[dalereed]

FBI will tap into personal profiles

No legal basis for suspicion needed

By Bruce V. Bigelow

STAFF WRITER

September 3, 2002

When direct marketing consultant Mike DeCastro gets hired to plan a campaign pitching vacations in Mazatlan or cell phone service in San Diego, one of his first moves is to consult an online catalog of customer lists.

Such lists are the lubricant that keep the wheels of our consumer society spinning. If you applied for a loan or used a credit card, your name is on a list. They identify almost everyone who has attended school, subscribed to anything, or bought anything from a catalog, direct mail or online merchant.

Ultimately, such lists also provide the raw material used to build sophisticated computerized databases that have become a multibillion-dollar industry.

"Just about anything that you want to know about anybody is available in a commercial database," said DeCastro of San Francisco.

Most people don't have a clue that such databases compile information from a variety of sources, linking their names to their Social Security numbers, credit profiles, employment histories, travel records, court records, personal interests and chronic health conditions.

And now, under changes ordered by Attorney General John Ashcroft, the FBI is moving to use commercial databases in its efforts to prevent acts of terrorism in the United States.

The change was part of a broader decision, announced by the Justice Department May 30, to loosen the internal policies that guide federal terrorist investigations.

Now, even if they don't have a specific suspect or legal basis for suspicion, "FBI agents under the new guidelines are empowered to scour public sources for information on future terrorist threats," Ashcroft said.

The attorney general did not specify how the FBI would use commercial databases, and a Justice Department spokesman did not return calls seeking elaboration.

Experts say the FBI would likely use special software and advanced "data-mining" techniques that can sift through enormous fields of data to identify patterns and characteristics of potential terrorists.

Given the potential threats to American security, some say the changes were long overdue.

"The computer systems that were available to the general public were not available to agents like me," said Darwin Wisdom, a former FBI agent who runs the Baker Street Group, a San Diego investigative firm. "I was always dismayed by our inability to access information that was available on computer just about everywhere else."

'Dragnet-style'

Before Ashcroft changed the guidelines, the FBI could not even use standard Internet search engines such as Google to look for information concerning terrorist activity, said Mitch Dembin, who resigned two years ago as a federal prosecutor specializing in computer crimes. Investigators first had to have suspicion. "The guidelines cannot be so strict that they shut out from law enforcement the very tools that are available to you and me," Wisdom said. "That's preposterous."

Ashcroft's changes have stirred some opposition. The American Civil Liberties Union says the new FBI guidelines reversed many self-imposed restraints the Justice Department adopted in the 1970s after revelations of FBI illegal spying.

"For over a decade, the commercial data collectors have promised Americans they would not turn this data over to law enforcement," said Chris Hoofnagle, a lawyer with the Electronic Privacy Information Center in Washington, D.C. "This was a guarantee that has staved off legislation and allowed this data collection to continue."

The new capabilities of these technologies now allows "suspicionless, dragnet-style investigations of all Americans," Hoofnagle said.

FBI agents could use commercial databases before Ashcroft changed the guidelines, but only after indications of criminal activity were established, Hoofnagle said. A prosecutor would then obtain a warrant that allowed a search, as well as electronic eavesdropping.

"Under the old guidelines, they were not allowed to engage in prospective searches – meaning they could not sit down and say all Protestant men between 20 and 24 are likely terrorists and print out a suspect list," Hoofnagle said.

By using commercial databases, DeCastro said, the FBI could generate lists of potential suspects based on a profile using such criteria as race, religion, travel, bank accounts and even grocery-store purchases.

"It's a disaster," said John Perry Barlow, a fellow at Harvard Law School's Berkman Center and a co-founder of the Electronic Frontier Foundation. "This information has been gathered with an assurance to the consumer that his privacy was being protected, except when warrants were issued for a specific release."

Said Barlow: "We have increasingly what strikes me as the foundation for a police state in the United States."

But Wisdom, who spent 27 years as an FBI agent before retiring in 1995, said it's premature to become alarmed about potential abuses.

"The key is not whether the FBI can access databases," Wisdom said. "The key is what they do with it. You have to trust your law enforcement community that even though they have access to privileged information, that they have the good judgment to use it properly."

Troubling tactics

Privacy advocates and others, like DeCastro, who are knowledgeable about the industry say they are alarmed by the consumer marketing industry's practices. Many people would be horrified if they understood the scope of personal information collected in commercial databases, said Beth Givens, director of the Privacy Rights Clearinghouse in San Diego.

Much of that personal data comes from supermarket loyalty-club programs and credit-card purchases, which can be used to build customer profiles, Givens said. Other data comes from consumer surveys offering giveaway merchandise and from product warranty cards that can mislead consumers into believing they must complete the form to activate the warranty.

Using advanced computing capabilities, many companies then "enhance" their database by combining data from public records and other sources, Givens said.

Acxiom Corp. of Little Rock, Ark., compiles information from many sources, then uses advanced data-mining techniques to produce specialized marketing lists. In this way, Acxiom can identify thousands or millions of people who fit particular profiles: for instance, 18-to 28-year-old men who purchase certain products or drive certain cars.

Such profiles can be highly specific, but Givens said they also can generate misleading and bogus information.

Larry Ponemon of Privacy Council, a Dallas consulting firm, said in an interview in June that one study reportedly done on the 19 airline hijackers involved in the Sept. 11 attacks found a pattern in their orders for pizza.

"Most college kids order pizza all the time," Ponemon said. "But most people pay cash for pizza. These guys paid with a credit card. That was an odd thing. That became one of the correlates for doing a profile."

Other major companies, such as Experian, Equifax and TransUnion, have long used data-mining techniques to assess and score consumers' credit risk, detect fraud and conduct other data-crunching services.

Off-limits data

Another goliath, ChoicePoint of Alpharetta, Ga., has emerged in recent years as the nation's biggest job-screening concern. The FBI and Immigration and Naturalization Service also have used ChoicePoint to find fugitives, illegal immigrants and other subjects of investigations. Prospective employers use ChoicePoint to compare job candidates' names against a database of 14 billion records, including arrest records and credit data.

DeCastro said such databases also can turn up information that employers are legally prohibited from asking job candidates, such as an applicant's age, marital status or HIV diagnosis.

Much of the information collected in databases also is wrong, said Givens, who notes people are not always truthful when they fill out consumer surveys and product warranty cards.

"By trolling through such a large amount of data from disparate sources, the FBI is likely to add one and one and get three," Givens said.

There also are disturbing examples of how information in databases gets misused, such as the personal example that Ponemon described in the April 2000 issue of CIO magazine.

In 1995, when Ponemon was part of PricewaterhouseCooper's compliance risk group, he provided information about his family to a Jewish organization building a database to reunite families who had moved or changed their names after the Holocaust.

While conducting an audit of a direct marketing company's database 21/2 years later, Ponemon discovered the organization to which he had given his information had sold its database to a direct marketing group to raise money. That marketing firm integrated the information with its own data, and the compiled information was bought, added to and sold at least 10 times after it left the marketer's hands.

Ultimately, the database, which by then included enhanced details about Ponemon's family, credit and occupational history – and thousands of others – went to a neo-Nazi group in Idaho.

DeCastro said many organizations sell their membership rosters and enrollment lists. Some even count on income from selling their lists as a regular source of revenue.

-------------------------------------------------------------------------------- Staff writer Kathryn Balint contributed to this report.

Bruce Bigelow: (619) 293-1314; bruce.bigelow@uniontrib.com

Copyright 2002 Union-Tribune Publishing Co.

[dalereed]

Scarry stuff!

[dalereed]

The only thing holding back a total police state now is funding and personel.

[Donald Stone]

Excerpt from New York Times article 8/22/02:

WASHINGTON, Aug. 22 — The nation's secret intelligence court has identified more than 75 cases in which it says it was misled by the Federal Bureau of Investigation in documents in which the bureau attempted to justify its need for wiretaps and other electronic surveillance, according to the first of the court's rulings to be released publicly.

The opinion by the Foreign Intelligence Surveillance Court, which was issued in May but made public today by Congress, is stinging in its criticism of the F.B.I. and the Justice Department, which the court suggested had tried
to defy the will of Congress by allowing intelligence material to be shared freely with criminal investigators.

In its opinion, the court rejected a secret request made by the Justice Department this year to allow broader cooperation and evidence-sharing between counterintelligence investigators and criminal prosecutors. The court found that the request was "not reasonably designed" to safeguard the privacy of Americans. The court generally operates in secret and is responsible for approving warrants to eavesdrop on people suspected of espionage or terrorism.

[Ramius]

The FBI should be denied access to public information?

[j271]

I wonder what kind of support there would be for an anonymity amendment to the constitution, stating that the federal government has no right to collect any information of any kind on citizens without their express written consent.

As public and private databases accumulate, the potential for abuse is only going to increase. Shouldn't the government step in now to protect citizens?

[dalereed]

I'm for stopping data collecting whether it be public or private other than that necessary to complete
a transaction and not be allowed to be stored in a database.

As far as i'm concerned it should be illegal to send direct mail advertising or do telemarketing. Of course I despise all advertising or have a salesman try to sell me anything and I can't think of one thing that i've ever bought because of an advertisment.

[Hostage]

"The key is not whether the FBI can access databases," Wisdom said. "The key is what they do with it. You have to trust your law enforcement community that even though they have access to privileged information, that they have the good judgment to use it properly."

Prior to Clinton, I would have gone along with this agent's sentiment.

Who of us doesn't want to support our government agents, to stand with them in proud patriotic unity?

But those same agents are capable of being manipulated by a vindictive group with a political agenda. And this is precisely why the ideas for the United States of America were framed as they were, to impede these developments.

The time for civil disobedience has arrived. Other than for the purpose of employment, the SSN should be denied to all that request it. This includes medical insurance plans, credit bureaus, supermarket chains, driver licensing bureaus, passport agencies, court dockets, banks and brokerages.

Our governments can proceed to track non-citizens with this scheme, but American citizens enjoy the rights given them by God unless they submit to those that view such rights as granted by government.

[Doctor Stochastic]

We don't need suspicion; we're just going fishin'.

[j271]

Good comments.

Considering how valuable consumer information is for companies, this information must be considered the property of its owner (the private citizen), with all the constitutional and statutory protection that implies.

Any transfer of this information to an entity that stands to profit from using it should be accompanied by a formal licensing agreement consented to by the citizen-owner, including applicable royalty payments to the citizen-owner and a fixed date of expiration for the licensing agreement.

Personal privacy, database use and abuse, and Americans' desire to remain anonymous will become huge issues as we head further into the 21st century.

[stimulate]

Much,much harder to track non-ciizens without use of SSN.It might even be impossible in practical terms.

[Hostage]

There is the alien registration number and there is capability to assign identifiers to non-citizen travelers as part of their visa documents and their passport checks.

It is not difficult to track aliens.

It is more difficult to reverse the mindsets of LEOs who are more than happy to access all of our private matters. They enjoy the thrill in the same manner as a peeping Tom staring through someone's window or a hunter following animal tracks through the forrest. It is a game.

When tracking terrorists, the game is condoned. When spying on anyone and everyone, the game is over.

The real problem is in tracking the terrorist cells that already exist on American soil. They exist because they were not tracked from the outset. But it is not cumbersome to file a request for a wiretap on persons suspected of association with an alleged terrorist cell. Therefore the trend must be reversed.

[Hostage]

At the very least, Congress should audit the performance of law enforcement agencies that use these databases. The audit should include a comparison evaluation with arrest and conviction outcomes against traditional data utility. If there is no clear and substantial improvement attributable to accessing massive commercial databases, the access priviledges must be denied.

The SSN, public commercialization of personal data and privacy is a campaign issue that will see alot of growth in the next few years.

[Hostage]

Good points and proposals. I completely agree. Have you written of this to any legislator offices?

[MileHi]

Anyone have a link to such a website?

[goo goo g'joob]

Do you mean Hillary is going to give them access to her files?

[RightWhale]

Most people don't have a clue that such databases compile information from a variety of sources, linking their names to their Social Security numbers, credit profiles, employment histories, travel records, court records, personal interests and chronic health conditions.

It's as if Vance Packard's 1965 book, "The Naked Society," had never existed. None of this is new.

[schmelvin]

The time for civil disobedience has arrived. Other than for the purpose of employment, the SSN should be denied to all that request it. This includes medical insurance plans, credit bureaus, supermarket chains, driver licensing bureaus, passport agencies, court dockets, banks and brokerages.

My hubby and I have always refused to give our social security numbers out to those who have no right to ask us for this information. We carry a copy of the law with us at all times, which specifies who may legally ask us for this info and more importantly states the severity of the penalties for those insisting on this info when they have no legal right to it. It works like a charm. (Although, I must admit our main concern had always been identity theft rather than the government's ability to track us.)

I'm getting very tired of the government expanding its snooping powers over anyone and everyone, when we all know who poses the real threat. If FBI agents hadn't been so busy chasing every American with a gun & a copy of the US Constitution, they might have been more aware of what Mr. Atta and his pals were up to. This wide spectrum snooping is just more of the same unfocused BS that got us 9-11.

Instead of setting up an elaborate system of database profiling, they need to drop the PC nonsense and do the kind of profiling that will get them real results. Otherwise they're just wasting their time, manpower, and money. (What the government does best, eh?)

I really don't want the government tracking my purchases. My book buying habits alone could give them the wrong idea, since I tend to read up on a wide range of topics from varying viewpoints, sometimes agreeing with the authors, sometimes wanting to throttle them.

Tracking me would be quite an undertaking though, requiring more than one agent for sure, because no matter how hard I try, I can't seem to get anyone to spell my last name right. It drives me batty sometimes. And, the spelling boondoggles keep getting worse as the number of "English as a 2nd language" speakers increases. (sigh)

[schmelvin]

I found a cool site that may be helpful:

"Frequently Asked Questions on SSNs and Privacy"

http://www.cpsr.org/cpsr/privacy/ssn/ssn.faq.html

[Uncle Bill]

"Acxiom Corp. of Little Rock, Ark., compiles information from many sources, then uses advanced data-mining techniques to produce specialized marketing lists. In this way, Acxiom can identify thousands or millions of people who fit particular profiles: for instance, 18-to 28-year-old men who purchase certain products or drive certain cars."

Isn't that special?

I'm sorry, but well, you're a terrorist

Be prepared, plan ahead, the government is

OUT-SOURCING BIG BROTHER - Systematics - Alltel - Acxiom - Jackson Stephens

Stephens Inc. hires Internet team lawyer

Retired Gen. Clark joins Stephens Group Inc.

George W. Bush Inaugural to Lack Stephens Inc. Presence But Not Their Money

The Jackson Stephens Empire - Death, Money Laundering, Spying and the Octopus

[freebilly]

I can't think of one thing that i've ever bought because of an advertisment.

Sure....