FBI will tap into personal profiles

When direct marketing consultant Mike DeCastro gets hired to plan a campaign pitching vacations in Mazatlan or cell phone service in San Diego, one of his first moves is to consult an online catalog of customer lists.

Such lists are the lubricant that keep the wheels of our consumer society spinning. If you applied for a loan or used a credit card, your name is on a list. They identify almost everyone who has attended school, subscribed to anything, or bought anything from a catalog, direct mail or online merchant.

Ultimately, such lists also provide the raw material used to build sophisticated computerized databases that have become a multibillion-dollar industry.

"Just about anything that you want to know about anybody is available in a commercial database," said DeCastro of San Francisco.

Most people don't have a clue that such databases compile information from a variety of sources, linking their names to their Social Security numbers, credit profiles, employment histories, travel records, court records, personal interests and chronic health conditions.

And now, under changes ordered by Attorney General John Ashcroft, the FBI is moving to use commercial databases in its efforts to prevent acts of terrorism in the United States.

The change was part of a broader decision, announced by the Justice Department May 30, to loosen the internal policies that guide federal terrorist investigations.

Now, even if they don't have a specific suspect or legal basis for suspicion, "FBI agents under the new guidelines are empowered to scour public sources for information on future terrorist threats," Ashcroft said.

The attorney general did not specify how the FBI would use commercial databases, and a Justice Department spokesman did not return calls seeking elaboration.

Experts say the FBI would likely use special software and advanced "data-mining" techniques that can sift through enormous fields of data to identify patterns and characteristics of potential terrorists.

Given the potential threats to American security, some say the changes were long overdue.

"The computer systems that were available to the general public were not available to agents like me," said Darwin Wisdom, a former FBI agent who runs the Baker Street Group, a San Diego investigative firm. "I was always dismayed by our inability to access information that was available on computer just about everywhere else."

Before Ashcroft changed the guidelines, the FBI could not even use standard Internet search engines such as Google to look for information concerning terrorist activity, said Mitch Dembin, who resigned two years ago as a federal prosecutor specializing in computer crimes. Investigators first had to have suspicion. "The guidelines cannot be so strict that they shut out from law enforcement the very tools that are available to you and me," Wisdom said. "That's preposterous."

Ashcroft's changes have stirred some opposition. The American Civil Liberties Union says the new FBI guidelines reversed many self-imposed restraints the Justice Department adopted in the 1970s after revelations of FBI illegal spying.

"For over a decade, the commercial data collectors have promised Americans they would not turn this data over to law enforcement," said Chris Hoofnagle, a lawyer with the Electronic Privacy Information Center in Washington, D.C. "This was a guarantee that has staved off legislation and allowed this data collection to continue."

The new capabilities of these technologies now allows "suspicionless, dragnet-style investigations of all Americans," Hoofnagle said.

FBI agents could use commercial databases before Ashcroft changed the guidelines, but only after indications of criminal activity were established, Hoofnagle said. A prosecutor would then obtain a warrant that allowed a search, as well as electronic eavesdropping.

"Under the old guidelines, they were not allowed to engage in prospective searches – meaning they could not sit down and say all Protestant men between 20 and 24 are likely terrorists and print out a suspect list," Hoofnagle said.

By using commercial databases, DeCastro said, the FBI could generate lists of potential suspects based on a profile using such criteria as race, religion, travel, bank accounts and even grocery-store purchases.

"It's a disaster," said John Perry Barlow, a fellow at Harvard Law School's Berkman Center and a co-founder of the Electronic Frontier Foundation. "This information has been gathered with an assurance to the consumer that his privacy was being protected, except when warrants were issued for a specific release."

Said Barlow: "We have increasingly what strikes me as the foundation for a police state in the United States."

But Wisdom, who spent 27 years as an FBI agent before retiring in 1995, said it's premature to become alarmed about potential abuses.

"The key is not whether the FBI can access databases," Wisdom said. "The key is what they do with it. You have to trust your law enforcement community that even though they have access to privileged information, that they have the good judgment to use it properly."

Privacy advocates and others, like DeCastro, who are knowledgeable about the industry say they are alarmed by the consumer marketing industry's practices. Many people would be horrified if they understood the scope of personal information collected in commercial databases, said Beth Givens, director of the Privacy Rights Clearinghouse in San Diego.

Much of that personal data comes from supermarket loyalty-club programs and credit-card purchases, which can be used to build customer profiles, Givens said. Other data comes from consumer surveys offering giveaway merchandise and from product warranty cards that can mislead consumers into believing they must complete the form to activate the warranty.

Using advanced computing capabilities, many companies then "enhance" their database by combining data from public records and other sources, Givens said.

Acxiom Corp. of Little Rock, Ark., compiles information from many sources, then uses advanced data-mining techniques to produce specialized marketing lists. In this way, Acxiom can identify thousands or millions of people who fit particular profiles: for instance, 18-to 28-year-old men who purchase certain products or drive certain cars.

Such profiles can be highly specific, but Givens said they also can generate misleading and bogus information.

Larry Ponemon of Privacy Council, a Dallas consulting firm, said in an interview in June that one study reportedly done on the 19 airline hijackers involved in the Sept. 11 attacks found a pattern in their orders for pizza.

"Most college kids order pizza all the time," Ponemon said. "But most people pay cash for pizza. These guys paid with a credit card. That was an odd thing. That became one of the correlates for doing a profile."

Other major companies, such as Experian, Equifax and TransUnion, have long used data-mining techniques to assess and score consumers' credit risk, detect fraud and conduct other data-crunching services.

Another goliath, ChoicePoint of Alpharetta, Ga., has emerged in recent years as the nation's biggest job-screening concern. The FBI and Immigration and Naturalization Service also have used ChoicePoint to find fugitives, illegal immigrants and other subjects of investigations. Prospective employers use ChoicePoint to compare job candidates' names against a database of 14 billion records, including arrest records and credit data.

DeCastro said such databases also can turn up information that employers are legally prohibited from asking job candidates, such as an applicant's age, marital status or HIV diagnosis.

Much of the information collected in databases also is wrong, said Givens, who notes people are not always truthful when they fill out consumer surveys and product warranty cards.

"By trolling through such a large amount of data from disparate sources, the FBI is likely to add one and one and get three," Givens said.

There also are disturbing examples of how information in databases gets misused, such as the personal example that Ponemon described in the April 2000 issue of CIO magazine.

In 1995, when Ponemon was part of PricewaterhouseCooper's compliance risk group, he provided information about his family to a Jewish organization building a database to reunite families who had moved or changed their names after the Holocaust.

While conducting an audit of a direct marketing company's database 21/2 years later, Ponemon discovered the organization to which he had given his information had sold its database to a direct marketing group to raise money. That marketing firm integrated the information with its own data, and the compiled information was bought, added to and sold at least 10 times after it left the marketer's hands.

Ultimately, the database, which by then included enhanced details about Ponemon's family, credit and occupational history – and thousands of others – went to a neo-Nazi group in Idaho.

DeCastro said many organizations sell their membership rosters and enrollment lists. Some even count on income from selling their lists as a regular source of revenue.

-------------------------------------------------------------------------------- Staff writer Kathryn Balint contributed to this report.

there's a big difference between that (with which I have no problem) and what they're proposing: hunting through data for people who might meet a specific profile. That puts us at risk of an investigation because we subscribe to certain magazines, or buy certain products, or spend cash instead of using credit cards. Things like that -- that are essentially an unwarranted investigation into the lives of private citizens -- is what has me nervous.

If they suspect someone, then they should have access to whatever information they need. However, they shouldn't go searching through the universe of data out there, hoping to find someone to suspect.

Presented as a public service.
(Done in reggae style)

Hey everybody, gather 'round. It's the privacy song!

"Well I don't have no privacy, neither do you.
The government is watching us, and Wal-Mart's watching too.
Your doctor keeps your urine for to clone your DNA.
Those albums that you bought last night, well now they know your'e gay.
The Interpol has got a file on you, so does the FBI.
McDonald's scans your face and there's a chip in your french fry.
You're scanned, recorded, sold and sorted to a database in the sky.
So whatever you do, when they're talking to you,
For God's sakes, LIE!
Lie, lie, lie lie lie.
Lie about your income, your age, gender and race.
Spell your name incorrectly, so it's harder to trace.
We can beat them back with bullsh!t, we can rub it in their face.
We can stick a big ol' monkey wrench right up their data base.
Lie lie lie lie, lie lie lie lie.
You see now Wal-Mart thinks I'm a seventy-five year old pensioner.
And Sony thinks I'm a single mother of ten.
The airline company thinks I make make seven hundred grand a year.
And Visa thinks I'm an Iniuit woman named "Ben".
Lie lie lie lie, lie lie lie lie.
You can lie to the man, you can lie right through your tooth.
They can take away our privacy but they can't have the truth.
Lie about your favorite drink, your viewing habits and the color of your sink.
Make up a phone number, make up a postal code,
if we all lie together the computer might explode!
So lie, lie lie. Lie lie lie lie lie.

Some come on everybody, let's beat those privacy invading bastards. Let's beat them with disinformation and organized chaos. Let's crash that computer, lets skew those statistics! Because let's face it, there's only one magical person who knows all our secrets.

And if Santa ever does sell his database, we're all screwed."

"The Privacy song" by Three Dead Trolls in a Baggie. Found on MP3.com. Presented as a public service by Billy_bob_bob.

Thank you. I have seen that website before. The comments there are general. The real danger is the evolution towards more and more subservient behavior.

Case in point (true story): A person with perfect credit applies for a mortgage in 2002. Here, perfect credit means all loans are current, all credit cards have zero balances, no bankruptcies and so on.

A credit report shows a parking ticket from 1994 against an automobile owned by the mortgage applicant. The auto was purchased by the applicant in 1996. The banker evaluating the mortgage application notes the parking ticket and approves the loan contingent on the parking ticket being paid off.

The applicant refuses to pay the parking ticket. The bank evaluating the applicant sees otherwise perfect credit in addition to a large savings balance. The bank removes the parking ticket condition and approves the loan.

Still the threat is there that any individual, business or government can enter derogatory information on anyone in a variety of databases.

I am personally not against a bank accessing all and any information that is necessary to minimize risk. However, the access should have permission of the applicant. The applicant must be aware beforehand what information is to be disclosed. In other words, access must be controlled by the person whose information is requested. Transfer of information must likewise have the permission of the person whose information is to be transferred. Each person with the exception of convicted felons should "own" their personal information.

Personal information includes:

SSN
addresses
telephone numbers
account numbers
credit card numbers
past lawsuits and judgements
vehicle driving records
medical records
past divorces
family members
business partnerships
board memberships
employer records
Personal IRS returns
tenant records
personal assets
insurance histories
annuity accounts
purchases

Others can think of more items to define personal information. Such information will always have some exposure. The key point is that such information be restricted from massive public databases.

The SSN ties all this information together. Name, SSN, DOB opens all the databases to virtually anyone. Personal IRS returns are accessible for bribe through legislators. Still the SSN is necessary. It facilitates the dissemination of personal information to anyone with a computer. Someone far away, say in Pakistan, can get a complete dossier on any American with simple point and click actions. Worse yet, a demented neighbor or rabid lawyer can profile their targets easily.

Ownership of personal information will never be obtained unless it is declared against the law for anyone to access it without permission from the "owner".

As Americans we always wait until disaster strikes before taking action. The recent new access powers given to the government will lead to personal disasters. When there are enough Americans feeling "naked", the new powers will be curtailed. The cycle will repeat itself.

Yes I am aware that often it requires force.

As a young man, I saw 700,000 people protesting the Vietnam War on the mall in Washington D.C.

There was some rioting, many arrests. There was some violence, throwing of bottles, trash cans into the street and so on.

There were some symbolic gestures that went much futher than violence such as throwing of silver star medals by veteran soldiers.

It took an outraged nation to make a difference.

It did not take very much money. People from all over the country got into their vans and buses and headed for the Mall where many of them camped out.

And they kept coming, again and again.

But it took several years.

Finally the political leadership in Washington changed their positions.

And Gerald Ford abandoned the War.

The war on privacy will be folded in with other issues of repressed Americans: repressive taxes, lack of due process, fourth amendment violations and so on.

But these issues are too obfuscatory to grab and internalize in comparison to the primitive horror of war savagery.

What it may take is an economic cataclysm.

But there may be an alternative in "a good idea" that may be used easily in a civil disobedience setting.

Perhaps from your perspective.

I saw Ronald Reagan conquer inflation and the Soviet Union.

I saw Newt Gingrich lead his party to control of the House of Representatives for the first time in forty years.

I do not see a conservative agenda at present. I pray conservatives in Congress will add privacy protections to their agenda.

I pray George W. Bush will not preside over an economic disaster which his opponents wish upon his party.

I pray that Republicans take back the Senate affording George W. the opportunity to follow up on his promise to appoint strict constructionists to the courts.

Strict constructionists in the highest courts would do more for privacy than any violent revolution, symbolic protest or economic disaster.

"Much,much harder to track non-ciizens without use of SSN.It might even be impossible in practical terms."

Not at all. I don't use SSN at all, and I have terabytes of data on 20 million americans. Actually, I don't have it, my client does, but I do much of the data mining for them. And this information is all public, if you are willing to invest the time and money to compile it.

That being said, I treat everyone like a number, for reasons related both to efficiency, and ethics. And my client goes to great pains to only market products to those who show an interest in their product, again for reasons relating to both efficiency (economic efficiency) and ethics.

But such information would be ideal for tracking criminal activity. It is already used by unethical and even criminal organizations. Ecofreaks are now putting together these types of databases, as are anti-RKBA groups. Such information could also be used by pedophiles, burglars, Scam artists, you name it.

Am I for changing the laws? I am on the fence; I don't really think it would do much good. Even if there were penalties for abuse (which there are to an extent), it would be difficult to prove, difficult to prosecute, and virtually impossible to undo. Not to mention that much of this data comes from the government itself, and still more is used by the government. And just like gun-control laws, it would be a burdon for ethical businesses and organizations, and ignored by others. Some of the telemarketing crap skirts the laws by basing operations in Canada, for instance.

"The key is what they do with it. You have to trust your law enforcement community that even though they have access to privileged information, that they have the good judgment to use it properly."

YOU HAVE TO TRUST YOUR LAW ENFORCEMENT COMMUNITY will do their best to completely destroy your home, possessions, and reputations when they knock on your door in the middle of the night, middle of the day, middle of your bath time.

JUST ASK HATFILL's girlfriend what they did to her abode when they came knocking. My 78 year old mother in CT was SHOCKED when the media showed what they did in her home.

The scarey part is this goes on all the time across America.

Some RAIDS are done on the WRONG house.

Some RAIDS end with innocent occupants STONE COLD DEAD.

ARE YOU NEXT?

Remember this, too. They can use the excuse that you're a terrorist because you have guns, you have gun magazines, you read Soldier of Fortune, you have a photo album of your kid taking a bath posed too provcatively and take you away and you won't see a lawyer, your family, or sunshine until they decide you will.

THINK ABOUT IT.

It's UNAMERICAN.

(/rant off)

I don't have quite that many records at my fingertips, maybe a couple of million businesess over the course of several years, but I share your concerns about this data. When I refuse to give out personal data to retailers and they question me about my hesitation, I simply tell them that I am protecting myself from people like myself with the capability to abuse data. I don't, but I could, and I fear the feds are getting ready to start abusing public-domain data - because, after all, what says more about you than what you buy?

OK... not having gotten any bites, I'll try again.

The problem here as I see it, is not that the FBI is wanting access to what is otherwise public information. If Joe Marketer at somecompany.com has access to this stuff then why should the FBI be left out?

The real question developing here, however, and wisely so, is about what should in fact be the definition of "public" and "private" information.

I think a common sense law that could be drafted and enforced is this: ** Anyone keeping information traceable to a person must report to that person, at least annually, the contents of that information **. What's wrong with that?

It would be a good start. It would apply to credit agencies, banks, employers, markets... whomever. If you have information on someone, you tell them what you have.

What do you think? pinging hair...

Hi Ramius.... Sorry I missed your ping earlier... I was over defending bachelorette parties against the fuddy duddies!

I think your proposal: ** Anyone keeping information traceable to a person must report to that person, at least annually, the contents of that information ** sounds like a big burden to a lot of businesses and agencies alike. Even I have information that fits that category in my work, and finding and sending that information to them every year would be a burdon.

Does this include my Outlook files of contacts I have made too? - I keep info on everyone I talk to, including names and addresses and phone numbers.

I should go read the article now, and see what it was about.... was just responding to your post.

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.