This story appeared on Network World at

http://www.networkworld.com/columnists/2006/112006bradner.html

ChoicePoint: Lipstick on a pig?

'Net Insider

By Scott Bradner, Network World, 11/16/06

ChoicePoint's data breach early last year was the first major such incident we actually heard about. That we heard about it was thanks to a then little-known 2003 California law requiring companies that suffer data breaches to tell the people whose data has been compromised and warn them they might be in danger. ChoicePoint had been sloppy with our data, and the sloppiness bit the company and us.

Now a recent multipage New York Times story would have us believe that ChoicePoint has learned from its experiences and is a model citizen. Maybe.

ChoicePoint was and is in the business of selling people data about you and me. We have no control over the data ChoicePoint gathers or to whom it is sold. ChoicePoint got into trouble for being sloppy about to whom it sold the data, not for selling data. In the past, ChoicePoint basically did not care about to whom it sold data or what data it sold. It sold data to anyone willing to give the company a few dollars and, as detailed in the Times article, basically did not bother to check whether the buyer even existed. ChoicePoint simply did not care about our privacy, safety or financial well-being. To this company, we were just collections of facts, some of which were accurate.

The Times story says ChoicePoint now is performing checks to confirm its customers' legitimacy before selling them data it might have collected about us. That is good news. The story also says ChoicePoint has stopped providing some types of information, such as Social Security numbers, to some types of customers, such as private investigators and small enterprises. The Times story says ChoicePoint lost some customers over this change of policy but went ahead anyway. This policy change also is good news, but not nearly good enough. Why indeed should ChoicePoint sell anyone my Social Security number?

I can understand why ChoicePoint wants to have my number, even if I do not want it to - it can be an all-too useful identifier for me and data about me. I also can understand why ChoicePoint would want to let people enter my number to get information about me, but I do not understand why ChoicePoint should provide my number to someone who does not already have it.

The basic problem is not ChoicePoint, however. The problem is a business' ability to monetize anything, no matter how private. Europe's attitude is different. Article 7 of the European Union directive on data protection puts individuals in charge of most of their personal information; for example, data cannot be collected without an individual's consent. It is hard to imagine that sort of law going into effect here - the data barons have far too much clout in Washington (see "Congress fails to grasp security risk").

ChoicePoint does seem to have turned itself around and is becoming an exemplary data baron. Some other companies are not doing as well - the customers that ChoicePoint turned away were welcomed by some of its competitors. So ChoicePoint may be a shining example, but in a sewer, that does not mean much.

Disclaimer: I'm sure some folk over in the Harvard Biology Department understand the details of life in a sewer, but the university has not, as far as I know, expressed an opinion on this particular sewer.