Data Collectors Need Surveillance, Too

Aggregators that sell info to government agencies aren't liable for its accuracy, nor are guidelines in place about how it's used

By Jane Black

On Jan. 15, the Electronic Privacy Information Center (EPIC), a Washington (D.C.)-based privacy watchdog, filed suit in a federal court seeking disclosure of records regarding the sale of personal information to law-enforcement agencies. The complaint alleges that the Justice and Treasury Depts. violated the law by failing to respond to a series of Freedom of Information Act (FOIA) requests. The latter sought records relating to "transactions, communications, and contracts" between law-enforcement agencies and private companies that sell personal information.

Ever since September 11, government access to personal data has become more controversial. As law enforcement steps up its vigilance against terrorism, lots of personal data are being collected. And it's a business opportunity. Atlanta-based information vendor ChoicePoint, for example, sells personal information to federal law-enforcement agencies, including the FBI, the Drug Enforcement Agency (DEA), the U.S. Marshals Service, and 7,500 local police departments across the country. All told, the company has 35 government contracts worth tens of millions of dollars.

ChoicePoint sells an aggregation of publicly available data, such as birth and marriage, property, and state motor vehicle records. The stuff is innocuous enough. After all, an enterprising FBI investigator would be able to get his hands on it simply by going to a courthouse and digging through old files. But technology's forward march has made it easier to collect information instantaneously on the Net -- and to put it at the feds' fingertips.


All of this deeply worries privacy advocates. "Through the mining of public records and the purchase of credit-reporting data, private-sector companies are amassing troves of personal information on citizens for the government," says EPIC attorney Chris Hoofnagle, who filed the court challenge. "Serious questions exist involving citizen access to profiles, their accuracy, and the potential for misuse of personal information." Justice and Treasury Dept. spokespeople declined to comment, saying they had not yet reviewed the suit.

Hoofnagle has a point. Understanding how data, even public-record data, are used and by whom is important. After the September 11 attacks, Congress opened the gates for law enforcement to protect national security. Attempts to limit government access to information have been all but stopped in their tracks. Though no evidence indicates that law enforcement is misusing the information, now, more than ever, oversight is needed to ensure that information is used responsibly and for legal purposes.

Privacy advocates' concern isn't just paranoia that J. Edgar Hoover will rise again. Witness the admission of former top Chicago detective William Hanhardt. Last October, he confessed in a federal court that for almost 20 years, he had run a sophisticated jewel-theft ring across several states. To target his prey, Hanhardt used law-enforcement computers and other databases to get information, such as itineraries and car-rental information, on traveling jewelry salesmen. From the early 1980s to 1998, Hanhardt's gang stole more than $5 million in jewelry, gems, and watches -- mostly out the back of rental cars, court filings said.


And last January, Emilio Calatayud, a 34-year-old DEA agent, was indicted for selling data from DEA databases to private investigation outfits. In total, Calatayud is charged with receiving more than $22,000 for supplying Los Angeles company Triple Check Investigative Services with information over the course of five years.

Equally worrisome is the quality of the data that ChoicePoint and others supply to law-enforcement agencies. Data aggregators don't check the validity of information; they simply collect it. Problem is, it's often riddled with errors.

Just ask Richard Smith, a respected privacy expert. He requested a copy of his records from ChoicePoint and was surprised to find that the company had collected more than 60 pages of information about him and his wife -- much of it incorrect, he says. In a tongue-in-cheek column about his discoveries, Smith recounted that according to ChoicePoint, he had been previously married to a woman named Mary -- and that he died in 1976.


ChoicePoint's records also had Smith as a real estate agent in his town in Massachusetts as well as a company officer for more than 30 small businesses around the country. Amongst his wife's data, Smith discovered that she had a son named Kyle three years before they met. Who's Kyle, Smith wants to know? He says he's not sure from reading the report just how ChoicePoint made this connection or, he jokes, where Kyle is today.

Ironically, the report failed to account for the couple's two real daughters, though one was listed as a neighbor. (My own ChoicePoint "file" contained no errors but listed dozens of "possible" affiliations that were incorrect.)

ChoicePoint spokesperson James Lee says customers -- especially law-enforcement agencies -- know that all information must be confirmed. He adds that irrelevant information can be linked to a citizen's social security number in any number of ways. "Anyone using our data is told not to accept it at face value. They're advised to verify it," he says.


How can we avoid blunders and misuse of such information? First, federal agencies should be required to keep detailed logs of who has access to information and why. "In this society, we need to exchange information to keep things safe. But let's at least know who's poking around," says expert Smith. Such a system would allow auditors to easily spot abuse or follow up on complaints.

Second, citizens should have legal and easy access to their public-information files, the way they do to credit reports. With so much questionable data, citizens run the risk of coming under suspicion unnecessarily. Imagine the trouble an innocent U.S. citizen of Middle Eastern descent might have if his information became confused with a suspected terrorist of the same name.

The Fair Credit Reporting Act requires credit agencies to make corrections to files. But companies such as ChoicePoint aren't held to the same standard. The reason? According to Lee, only a document's custodian can make a change to a public record. That may be true. But given that ChoicePoint is making money by selling individuals' information, it should be required to facilitate corrections.

These changes would ease concerns that personal data might be used for nefarious purposes. It would also help if federal agencies promptly responded to EPIC's request for information -- before they get sued. The law states that federal agencies must respond to FOIA requests within 20 days. EPIC has been waiting six months. In dangerous times like these, federal agencies should also go out of their way to prove they respect citizens' privacy.

Black covers privacy issues for BusinessWeek Online. Follow her twice-monthly Privacy Matters column, only on BusinessWeek Online.

Edited by Douglas Harbrecht
