Showing posts with label california. Show all posts

Friday, January 04, 2008

CALPIRG does consumer study revealing that privacy laws are being ignored in California

Many believe that the reason behind the identity theft crisis is the irresponsible data mining and selling of people's personal and financial information. This information then gets stored in places where it is obtained (bought or stolen) by people who have more than a "marketing" interest in it.

The buying and selling of people's personal information is a multi-billion dollar business.

Given this, a lot of people and consumer groups are now questioning how this is done and how the information is protected.

CALPIRG, the California Public Interest Research Group, has just released an "interesting" report on this subject and is making some recommendations to the California legislature to make the practice of buying and selling people's personal information more transparent.

From the press release on the CALPIRG site:

California’s consumers are “Still in the Dark” when it comes to who has access to their personal information according to a privacy report released today by the California Public Interest Research Group (CALPIRG).

“This holiday shopping season millions of consumers surrendered their personal information to retailers across the country with no idea how or with whom that information is shared” said Pedro Morillas, CALPIRG Consumer Advocate. “Fortunately there is light at the end of the tunnel. California already has some good policies regarding this issue. A few additions to the existing policies will give consumers the tools they need to safeguard their personal information.”

Currently, California law requires that if a consumer requests to find out where their information went, a company must reveal where the information went for the past calendar year, or provide a no cost "opt-out" opportunity.

The report -- which includes a survey of customers trying to discover where their information went -- revealed that over one-third of the requests were ignored.

Even worse, in addition to not getting a response, many of the customers were given the run around by being sent to other places within an organization or getting responses that had nothing to do with their original request.

CALPIRG is now calling on the California Legislature to make the laws stronger with additional measures. They say the following additions should be made to existing laws:

Companies that do business with California consumers to respond to privacy requests, regardless of whether they share information with third parties.

Companies to both disclose the personal information shared, and the third parties with which it is shared, and provide consumers with an opportunity to opt out of future sharing.

Companies to place a box on their Web sites’ privacy pages allowing consumers to opt out of information sharing.

Companies to get an affirmative “opt-in” from consumers before sharing their information with third parties, as opposed to the current practice of requiring consumers to opt out in order to protect their privacy.

The full report from CALPIRG can be read, here.

Opting out and privacy notices with an abundance of fine print have been criticized as not being effective or consumer friendly for a while now. Here are two other posts I've written on this subject:

How does a telemarketer get your unlisted number?

Not answering a Privacy Notice gives the sender permission to sell your personal/financial information

Monday, October 15, 2007

Schwarzenegger vetoes data breach bill

It appears the data breach bill, which went to Governor Schwarzenegger's desk for signature, has been vetoed.

Cheryl Walker at the OC Register is reporting:

An ID theft protection bill that would have made businesses that take credit cards for purchases more accountable to consumers and card issuers was vetoed Saturday by Gov. Arnold Schwarzenegger.

In a message explaining his veto of AB779, the governor claimed the marketplace already provides the necessary protections for consumers and that the state bill might conflict with private security standards.

He also contended the bill lacked clarity and could increase the cost of compliance for small businesses.

There seems to be little press coverage on this and I couldn't find any comment from Arnold about it on his site.

There has been a lot of coverage about an NRF (National Retail Federation) letter pointing out that businesses that accept credit cards are forced to maintain credit card information for 18 months to protect themselves from fraud (chargebacks).

Here is a post I did on that subject:

Retailers call for a level playing field on data security

Maybe this bill was too unfair towards businesses that accept plastic, and favored the financial services industry a little too much? The bill would have pushed more of the financial responsibility towards businesses versus the card issuers themselves.

The sad thing is that with all the bickering between these two large sectors, it's probably the little person who will lose out in the long run.

Although, with a lot of litigation being raised, data breaches are becoming extremely costly. Maybe both sides of the equation need to get together and come up with something that will work for everyone?

After all, they do share one thing in common, which is their customers!

OC Register story, here.

Sunday, October 07, 2007

The somewhat slow response to the hacking of California.gov

With all the technology that California is famous for, you would think their government websites were state of the art when it comes to security.

Apparently, this is NOT the case. The result has been a lot of misdirection to sites of a pornographic nature.

Alex Eckelberry, CEO of Sunbelt Software, has been blogging on this subject:

Yesterday, we reported on a federal shutdown of “ca.gov” sites to fix a hack.

Well, we have a little more information on this. It was the Marin County government website that started all of this — something we reported back in September 12th.

Does anyone besides me wonder if there wasn't much of a sense of urgency on this issue?

Bezhou Feng at Neowin.net reported that:


The shutdown, initiated by the General Services Administration (GSA), a US agency in charge of all top-level ".gov" domains, began at roughly 4:00PM (PST), quickly turning into such a problem that Gov. Arnold Schwarzenegger even considered calling the President himself.

While the porn aspect is either amusing, or disgusting (depending on your viewpoint) -- this clearly shows that .gov sites should wake up and listen when experts are trying to tell them something is wrong.

After all, this type of activity could have been something far more serious than something that is disgusting, or amusing!

Of note, as of this writing, I ran a search on Google and the Marin site (TAM) is still misdirecting users to a number of pretty nasty porn sites.

As I've written before -- exercise extreme caution when clicking on porn sites; they often make your computer come down with a virus (or worse) -- especially if "safe surfing practices" aren't being used.

Sunbelt blog post, here.

Neowin.net story, here.

Update 10/09/07: Alex Eckelberry (Sunbelt), who has covered this problem for over a month, did (what I consider) an amusing post to follow up on this one, here.

Alex and his team at Sunbelt are my favorite place to learn about computer security issues. They routinely help a lot of people free-of-charge and are experts in what they do.

Wednesday, June 28, 2006

California Issues Alert on eBay Fraud Trend

The California Office of the Attorney General is issuing a consumer alert about fraudsters who pose as sellers on eBay (after assuming a legitimate seller's identity) and lure bidders into paying for something they will never receive.

Account takeovers and identity theft are nothing new on eBay. In most instances, they are accomplished by "phishing" legitimate members of the eBay community, who are tricked into giving up their information as a result of a seemingly legitimate e-mail.

Here is the consumer alert:

Scam Artists Posing As Sellers on eBay

Consumers should be on the alert for scam artists posing as sellers on eBay, the California-based Internet auction site, who victimize bidders through bogus second chance offers. To avoid falling victim to this scam, we offer some tips and precautions below.

In the emerging fraud scheme, scam artists try to lure bidders interested in a product away from the e-Bay web site by using “My Message,” which allows seller and buyers to communicate on the auction site. Through posted messages, legitimate sellers are able to build a positive reputation from customer ratings, product reviews and favorable reports on business transactions.

Manipulating the eBay messaging system, the scam artist posing as the seller contacts bidders to announce the winning bid fell through and offers a second chance to buy the product by wiring the purchase price to the non-eBay email address provided. The scam artist is counting on consumers being tricked into a direct sale and being lured by the positive feedback seen on eBay.

However, the message is actually from a con artist who assumed the identity of the legitimate seller who already sold the item to the winning bidder. The second chance bidder who falls for this scam is left empty handed, paying for a product that will never arrive.

For the full consumer alert, link here.

Here are two resources to seek help, if you become a victim:

Attorney General's Office Complaint Form and Federal Trade Commission Complaint Form.

These resources are only applicable in California and the United States. Here is a list where you can find victim assistance worldwide:

Here are some other tips on how to avoid fraud on eBay:

Here is a post about how accounts are taken over on eBay:

Sunday, April 30, 2006

California Predicts the Top Ten Scams for 2006

Much of the legislation to curb Fraud, Phishing and Financial Misdeeds enacted worldwide can be traced to laws in California. This is probably because of the amount of fraud that the Golden State has suffered in recent times.

Based on this, it would make sense to pay attention to what California predicts when it comes to fraud.

Here is what California predicts for 2006, courtesy of the Department of Corporations:

Senior Investment Fraud. The elderly are targeted for fraud for several reasons, such as older Californians are most likely to have a nest egg, own their own home or have excellent credit-all of which the con artist will try to tap into. As seniors plan for retirement, they may fall victim to such investment schemes as oil and gas, real estate, and annuities. They should be careful when solicited by mailers, telephone, and through free lunch or dinner seminars. In the past year, DOC assisted with a Southern California district attorney's office to bring criminal charges against three perpetrators for selling promissory notes offering a 12 percent annual return and then absconding with seniors' money. The defendants were charged with 850 felony counts of senior fraud.

Mortgage Fraud. Predatory mortgage lending involves a wide array of abusive practices and usually takes place in the subprime market, targeting borrowers with weak or blemished credit records. The most common lending abuses include excessive fees, abusive prepayment penalties, loan flipping, and other shady practices. In addition, foreclosure schemes are on the rise in which the perpetrators mislead the homeowners into believing that they can save their homes in exchange for a transfer of deed and up-front fees. The perpetrator profits from these schemes by remortgaging the property or pocketing fees paid by the homeowner. DOC, as part of a California task force comprised of local district attorneys and the California Attorney General filed a judgment in 2006 against a major subprime lender to resolve predatory lending allegations against the company, which will provide consumers $295 million in restitution and require sweeping reforms of the firm's business practices.

Affinity Fraud. These scams exploit the trust and friendship that exist in groups of people who have something in common, such as religious or ethnic communities, the elderly, military servicemembers, or professional groups. The fraudsters who promote affinity scams frequently are-or pretend to be-members of the group and enlist respected community or religious leaders from within the group to unwittingly spread the word about the scheme. In 2005, DOC brought enforcement actions against perpetrators of investment scams affecting members of the African American and the Korean American communities in Southern California, and a foreign currency scheme targeted at the Chinese American community in the Bay Area.

Identity Theft/Phishing. Identity theft is a trend that is often aided by technology and is the criminal activity of stealing someone's personal information for financial gain. More often than not, it involves "phishing," where Internet users believe that they are receiving e-mail from a specific, trusted source, or that they are securely connected to a trusted Web site, when that is not the case. As more investment and banking accounts, as well as 401(k) plans, are accessible online, thieves may attempt to obtain your access codes and passwords so they can transfer all of the assets out of accounts.

Online Escrow Fraud. In 2005, DOC enforcement actions to crack down on online escrow fraud increased by 16 percent from 2004. Escrow services fraud involves a perpetrator proposing the use of a third-party escrow service to facilitate the exchange of money and merchandise. The buyer sends payment to a phony escrow site that closely resembles a legitimate escrow service. Or, the seller sends merchandise to the bogus buyer, and waits for the payment through the escrow site, which is never received because it is a sham.

Commodities/Foreign Currency. Consumers should take special care to protect themselves from the many types of commodities fraud. They might be selling precious metals, such as silver or gold, or foreign currency, such as Euros, Yen or Deutschmarks. Be wary of any firm that offers to sell commodities or commodity futures or options, particularly if a firm promises high profits and low risks, or claims that they have made profits for all of their customers. The commodities and futures markets are very risky, and investors can lose their entire investment very quickly. In 2005, DOC took enforcement action against a firm and sales representatives in San Diego County who were not registered with the Commodity Futures Trading Commission to sell foreign currency contracts. Investors were not aware that the promoter had been barred from the National Futures Association, the self-regulatory organization for the futures industry, and a principal had been ordered by the NASD to pay damages in two separate incidents.

Oil and Gas Scams. With oil prices at record levels and continued Middle East instability, DOC is concerned about the increase in oil and gas scams that it is experiencing. Perpetrators lure investors into unsuitable or fraudulent oil and gas ventures promising quick profits on a low risk investment. A San Diego scam using five different company names touted a 90 to 95 percent probability of striking oil in oil wells and returning investors' principal investment within a few years, which some customers never received. At least seven California residents invested more than $770,000 in the scam. The perpetrators failed to disclose prior convictions of mail fraud and wire fraud and that at least seven other states had taken administrative action against the sales agents for securities fraud.

Ponzi/Pyramid Schemes. Named for swindler Charles Ponzi, the premise is simple: use money from later investors to pay early investors. Instead of investing customers' funds, the operator pays dividends to initial investors using the principal amounts invested by subsequent investors. The scheme generally falls apart when the operator flees with all of the proceeds, or when a sufficient number of new investors cannot be found to allow the continued payment of dividends. Another very old form of fraud, a pyramid scheme, promises consumers or investors large profits based primarily on recruiting others to join their program, not based on profits from any real investment or real sale of goods to the public. A product may be used to hide the pyramid structure if the company's incentive program forces recruits to buy more products than they could ever sell, or the sales occur only between the people inside the pyramid structure or to new recruits joining the structure, not to consumers out in the general public.

Military Fraud. There has been heightened concern at the federal and state government levels about the financial vulnerabilities of servicemembers and their families, particularly in light of recent deployments to Iraq and Afghanistan. Money woes can be especially difficult for National Guard and Reserve soldiers, who often have to make a rapid switch from civilian to military life when they get called up. DOC created the California Troops Against Predatory Scams (TAPS) program to provide financial education and consumer protection tips, supported by an effective and timely consumer enforcement program.

Disaster and Charity Scams. Scammers will attempt to capitalize on the aftermath of Hurricane Katrina and other disasters. Be careful of investment fraud scams which claim to be trading programs that guarantee high returns, with a portion going to aid relief efforts. Others promote businesses that stand to profit from relief and rebuilding efforts. Be cautious of the influx of Web sites soliciting for charitable donations to avoid phishing and identity theft.

The lack of moral fiber fraudsters have never ceases to amaze me. If California is correct, they will target the elderly, charities, people's homes, their identities, their retirement savings and even the military in time of war.

Besides supporting legislation to put these people away (for a long time), the most effective tool against fraud is awareness. It is a kind thing to share awareness to protect those who might fall into harm's way by an activity that is becoming epidemic in nature.

I would like to thank the State of California for sharing this with us all.

Press Release link, here.