The Federal Trade Commission charged social network MySpace LLC with falsely representing the protection of its millions of users’ personal information. On May 8, 2012, the FTC made public its press release noting the conditions of the agreed settlement between the FTC and MySpace LLC.

So, what did MySpace do? According to the FTC, MySpace LLC led millions of users in the wrong direction about how the social network shared and protected their personal information that was collected via their personal profiles. The FTC said that MySpace provided its advertisers with its users’ Friend IDs; the unique identifier for each profile created on MySpace. The problem was not only that advertisers were able to use the Friend ID to find a user’s profile, but they were also able obtain the personal information that was made public by the user on his or her profile (age, gender, display name, user’s full name, profile picture – if provided, hobbies, list of user’s friends, and possible interests). This information was used to link web-browsing activity to the user.

MySpace LLC provides their privacy policy statements, which have not been revised since December 7th, 2010. Per their site, MySpace’s privacy policy is divided into different sections: Privacy Policy, Collection and Submission of PII and non-PII on MySpace, Notice: MySpace will provide you with notice about its PII collection practices, Choice: MySpace will provide you with choices about the use of your PII, Use: MySpace’s use of PII, Security: MySpace protects the security of PII, and Safe Harbor. These sections, in essence, advised its users that MySpace LLC would not share information for purposes other than those noted under each section, and that prior to use a user would be notified. Furthermore, another section promised that individual users would not be personally identified to third-parties, especially when it came to sharing web-browsing activity that was not anonymous. The privacy page further explains that MySpace is in compliance with the U.S. – EU Safe Harbor Framework and the U.S. – Swiss Safe Harbor Framework – framework which is set forth by the U.S. Department of Commerce. However, the FTC noted that MySpace’s privacy statements were deceptive in addition to violating federal law. In other words, MySpace was not practicing what they preached.

In the end, the social network agreed to settle. The FTC’s proposed settlement comes with several requests:

  1. Requires that MySpace LLC establish a “comprehensive” privacy program specifically designed to protect consumer information.
  2. MySpace is to engage and be subject to continued privacy assessments for the next 20 years by independent, third-party auditors. \
  3. The agreement “bars MySpace from misrepresenting the extent to which it protects the privacy of users’ personal information or the extent to which it belongs to or complies with any privacy, security, or other compliance program, including the U.S. – EU Safe Harbor Framework.”

In a 4-0-1 decision, the Federal Trade Commission accepted the consent agreement. However, this agreement is now open for public comment – closing June 8th, 2012. Then, the FTC will come to an accord whether it will make the consent order final.

“Shame on you MySpace” was written by Gabby Beltran. Gabby is the Public Information Officer and a Bilingual Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog.

A year ago in May, the ITRC posted ITRC Fact Sheet FS 143, which provided an overview of what the IRS was doing to combat identity theft, and help those victims who specifically had IRS issues because of tax problems created by the identity theft. The content of Fact Sheet 143 was provided by the IRS Office of Identity Protection, and this document is definitely a necessary starting point for anyone who has encountered issues with the IRS caused by returns being filed with your SSN, or reports of a work history that do not belong to you.

The IRS established internal procedures in 2009 to give IRS employees guidance on identity theft issues, and provided the IRS business units methods for handling the unique aspects of identity theft cases. Since 2008, the IRS has also provided a specialized identity theft unit as a service to taxpayers who have been victims of identity theft, and wanted to notify the IRS. This unit has a toll free number (1-800-908-4490) and will work with victims to review their taxpayer accounts and history, and provide guidance on what steps to take to mitigate their identity theft case. This unit has handles hundreds of thousands of consumer calls in English and Spanish. Using these methods, the IRS has been able to mark taxpayer accounts when identity theft has been indicated, establish communications with the affected taxpayer, and proactively investigate returns tied to marked accounts to prevent additional fraud on these accounts. In addition, those identified as identity theft victims may now receive an Identity Protection PIN to ensure that only their verified return is processed, and without delay.

So, what’s new?

In a hearing of the Congressional House Committee on Ways and Means on 5/8/2012, the IRS gave testimony that directly answers the question posed by this blog:

“Over the past few years, the IRS has seen a significant increase in refund fraud schemes in general and schemes involving identity theft in particular. Identity theft and the harm that it inflicts on innocent taxpayers is a problem that we take very seriously. The IRS has a comprehensive identity theft strategy comprised of a two-pronged effort, focusing both on fraud prevention and victim assistance.”

In the area of fraud prevention, the IRS noted that in 2011 identity theft screening filters were put in place to detect fraudulent returns before processing. This is a huge task given 100 million returns to process, and the fact that 10 million taxpayers move and 46 million change jobs each year. IRS has now instituted a correspondence with the sender of a flagged return before that return is processed, and is issuing Identity Protection PIN’s to those who are known to be identity theft victims. For the 2012 tax filing season, over 250,000 “IP PINs” were issued.

Prevention of tax fraud using the identity of deceased taxpayers is also being addressed. The IRS is coding deceased accounts that have been used fraudulently to prevent further future misuse, and marking the accounts of recently deceased taxpayers so that future attempt to use the account will be prevented. The IRS is also working with the SSA to shorten the time required to update Death Master File information into IRS records. They are also working with SSA on a potential legislative change which could help reduce the use of the Death Master File as a source for identity theft SSN’s. And, the IRS has developed methods to us information from law enforcement agencies to flag high risk accounts and help block returns that are filed by identity thieves. Altogether, it is apparent that the IRS is putting serious effort into identity theft prevention methods.

The IRS also testified about their efforts to ease the plight of identity theft victims. By the end of this fiscal year, they will have almost 2500 employees dedicated to identity theft work. In addition to the IP PIN program, IRS has dedicated significant training to employees and call center assistors in order to improve their response to identity theft victims. Coupled with a healthy taxpayer outreach and education effort, it appears to ITRC that the IRS is engaging in a serious campaign to reduce identity theft related fraud and provide needed support to victims.

The full testimony can be found here: http://waysandmeans.house.gov/Calendar/EventSingle.aspx?EventID=293593

‘What the IRS is Doing About Tax Fraud’ was written by Rex Davis. Rex is the Director of Operations at the Identity Theft Resource Center.

Last August, Facebook released their Facebook Messenger app for smart phones. This app is great for communicating with large groups of people (like party planning) so that everybody is involved, and also for allowing a friend to locate you in case you are lost or are meeting up at an unfamiliar location. In many ways, this app is a great convenience to many people and does make communication easier, but like with all social networking, users need to know about the privacy concerns and what they need to keep in mind to protect themselves.

The number one thing that consumers have shown concern for is the GPS tracking. When messaging somebody you can have it show everybody in the conversation your location via GPS. They all can see where you are messaging from and use GPS to get directions to you. Though is very useful in some situations, it is important to only use this function when necessary. You might not know everybody who is participating on messenger, nor do the people viewing your conversation have to be on your friends list to see your texts. Be sure you know who you are giving your location to and turn the function off if you aren’t sure.

This situation dovetails into another concern many consumers have. This new app does show everybody invited to the conversation. However, until they make their first post, it only shows their first name. This means, if you know 3 people named “Dave” you don’t know which one could be invited to chat until they say something. This can cause some awkward and embarrassing moments to those who aren’t careful. It also means that people you don’t know could be invited to the conversation and you might think it was actually a friend. Be careful with what you post. Make sure you know everybody before stating things or giving away your location.

The last item that has consumers concerned is that you can tell if a message you have sent has been read or not. For general purposes this is useful, but somebody could use this information to spy on you. It is also a way for spammers to know if your Facebook profile is active and if you have connected your phone to it. By knowing if you have read a message, they could then send you more messages in an attempt to trick you and steal your identity. You cannot turn this function off. The best thing you can do is delete anything that looks suspicious.

“Is Facebook’s New Messenger App a Privacy Risk?” was written by Kat Rocha. Kat is a Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog.

Victims of Identity theft are confronted with a problem that is unique among victims of crime in the US. Unlike more traditional crimes, a victim of identity theft is forced to prove his or her innocence; not to one group or entity but to many. With identity theft, it will be assumed the victim is really the perpetrator until proven otherwise. As one tries to sort through the damage and clear their name, it is imperative that a victim knows the rights they have under the law, and where to go for legal resources and assistance in their efforts to get past this problem.

 

In the US, most consumer protection for financially related identity theft and fraud will fall under one of three major pieces of federal legislation. These are the FCRA (Fair Credit Reporting Act), FACTA (Fair and Accurate Credit Transactions Act), and FDCPA (Fair Debt Collection Practices Act). It is imperative that a victim of financial identity theft familiarize themselves with all three of these laws, in order to have a better understanding of just what their rights and protections as consumers and as potential victims are.

For financial or criminal identity theft it is also important to review the state laws and statutes directly related to identity theft, both in the state of the victim’s residence and the state where any portion of the theft or fraudulent use of the information occurred. A good place to start for any victim at the state level is to contact the state’s attorney general’s office, or review the state AG’s website. This will give the victim a far more thorough understanding of what their legal rights are, and the means of mitigation provided to victims in that particular state. In addition, for victims who may need to seek an attorney for any necessary litigation that may result from the theft, but who lack the necessary means to hire their own attorney; contacting the state’s associated Legal Aid Society will often provide insight into where pro-bono or discounted legal services may be found.
In many cases simple knowledge and understanding of the laws already in place will be sufficient for a victim of identity theft or financial fraud to successfully mitigate their case without the assistance of an attorney.

However if the determination is made that the only way to mitigate the fraud is to go to court, having an attorney is a really good idea. In that eventuality, the victim should ensure that whoever they enlist to be their legal counsel, has a clear understanding of identity theft related crimes, and understands that the victim’s legal defense rests solely on the fact that they are a victim of financial crime. Traditional legal education often doesn’t specifically address this niche area of the law, and any attorney who lacks at least a basic understanding of identity theft issues can often make things worse for their clients, despite the best intentions. A victim who has taken the time and effort to educate themselves will be able to determine who will be a good fit in any pre-hire legal consultation.

Above all, a victim needs to become their own legal advocate. Do a little research and come to an understanding of what protections are provided them under the law. A thoroughly educated victim is a hard one to take advantage of.

“What Are My Rights?” was written by Matt Davis. Matt is a Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog

Last spring, it was revealed that iPhones and Android mobile phones send individual’s “user location data” back to their respective companies, Apple and Google. Initially the news was met by an angry uproar from citizens concerned that their right to privacy was being collectively violated. It didn’t slow down sales of either iPhones or Androids however, both of which posted significant gains last year. While Google is quick to point out that the information is stored anonymously, consumer concern has prompted Reps. Ed Markey (D-Mass) and Joe Barton (T-Texas) to call on the Federal Trade Commission to investigate whether Google’s privacy policies violate a previous settlement reached with the FTC last year.

This is in addition to the ongoing FTC antitrust probe into Google and Google+. Last June Google was answering questions about apparent manipulation of search results to accommodate its own products. The more recent probe includes Google +, and questions whether Google + has been given preferential treatment in Google’s vast network of online products and services. “The FTC is examining whether the company unfairly increases advertising rates for competitors and ranks search results to favor its own business, such as its networking site Google. According to the latest report, the FTC wants to find out “whether the company is using its control of the Android mobile operating system to harm competition.”

Google’s opponents have called for an investigation into Google’s search protocols for some time. Responding to reports of an imminent investigation, which originally surfaced in June of last year, FairSearch.org applauded the news. FairSearch.org represents companies such as Expedia, Travelocity, Kayak and Microsoft; all entities that have objected to Google’s actions.

“Google engages in anticompetitive behavior across many vertical categories of search that harms consumers,” the organization said in a statement. “The result of Google’s anticompetitive practices is to curb innovation and investment in new technologies by other companies.”

As of May 2011, Google had a 65.5 percent share of the U.S. search market, compared to 16 percent for Yahoo and 14 percent for Microsoft’s Bing. The European Commission began a similar antitrust investigation into Google’s search practices last year after numerous complaints from small businesses. That case is still pending. The gist of the FTC probe, prompted by the Senate, is that 1) since Google is a dominant gatekeeper to access competitive commercial opportunity online, and 2) if it deceptively represents that it is an equal opportunity search engine, 3) then favors the search results with Google products and services, then 4) Google is effectively using deceptive practices to steal the competitive opportunity of competitors and depriving Internet users’ of free choice to choose competing products and services.

While it is so far unclear what the long-term ramifications are for Google, the fact that this call to investigate has widespread bi-partisan support in Washington could lead to more trouble for the information conglomerate before all is said and done. Most recently Apple was subpoenaed regarding the Apple iOS use of Google products on their smartphones. Should Google be found to have violated the terms of their 2011 settlement, serious punitive action from the federal government may be in Google’s future.

“FTC and Google’s Ongoing Battle and its Implications:” was written by Matt Davis. Matt is a Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog.

Late last week we launched a new survey here at the ITRC. This survey is intended to measure how well parents monitor their children’s social media and mobile device usage. There have been many stories in the news lately addressing serious problems with children on the internet. Issues such as bullying, sexting and identity theft have become a daily staple in the media. Questions are once again being asked as to the appropriate age for children to begin using social media and mobile devices. Another important factor being studied in this survey is what role do parents play in their child’s usage of social networks and mobile devices.

Parent surveyWe are trying to analyze these issues in order to find the best answers for parents and children. Parents are seeking knowledgeable advice on how to ensure the safety of their children. Our latest survey aims to do just that. We are hoping to better understand the practices of parents and children in the social media / mobile devices sphere, so that we may develop a set of best practices to recommend to parents and children alike. A successful completion of the survey will give us the data we need to move forward with creating those best practices based on the reality of today’s parenting.

Of course we wanted to give survey takers some incentive for taking the time out of their day to complete our survey. In conjunction with the survey we launched a contest to win one of five $100.00 gift cards. To enter the contest just visit the ITRC’s website and click on the Do You Have Children Who Use Social Media? link or click here to take the survey directly. The contest will run from May 1, 2012 through May 31, 2012. Five $100 prize winners will be announced and contacted on June 1, 2012. The survey results will be released on the ITRC website shortly thereafter.

The long awaited 2012 Child Identity Theft Report by AllClear ID was recently released, and it revealed alarming information regarding children and identity theft. AllClear ID’s conclusive investigation revealed that 10.7% of children were victims of identity theft in 2011 – a .5% increase from the 2011 Child Identity Theft Report. This report is based upon an extensive database scan of actual accounts rather than a survey, and it concluded that 2875 out of 27,000 American children were victims of identity theft.

The analysis of records revealed that 6,273 records or 59% of cases involved the credit bureaus – showing credit problems. The next category revealed 6, 273 records or 22% of cases involved utility accounts, followed by 1,459 records or 14% of cases involving either property assessments, mortgages, foreclosures, or deeds. The next two categories presented 345 records or 3% of cases involved vehicle registrations, and 214 records or 2% of cases involved Driver’s Licenses. Interestingly, one may wonder why the number of records may be higher than the actual number of confirmed child identity theft cases in the report. According to AllClear ID, many of these records involved cases that faced more than one type of identity theft, which drove the number of records up. In addition, many of these child identities were used for what appeared to be multiple different cases of identity theft.

In recent years, the ITRC has seen an increase in cases that involve more than one type of identity theft. These cases become more complex and difficult for the victims to mitigate. Child identity theft is a serious issue because a child’s identity provides the opportunity for different exploits – financial, governmental, criminal, and medical. Although the ITRC tracks child identity theft cases, we do not recognize child identity theft as a standalone type of identity theft because a case of child identity theft will involve one or more of the types of identity theft mentioned above.

In addition, the AllClear ID report states that children under the age of 5 are being heavily targeted. The percentage of victims in this age range is said to have more than doubled compared to that of last year’s study. The logic behind these findings clearly show that criminals are targeting children of this age because they recognize the value of a younger child’s identity – they are likely to get much more time using the identity before discovery. A child’s identity is recognized as a ‘blank slate’ – posing opportunity, potential and long term options. Children’s Social Security numbers are valuable to thieves because the crime can go undetected for years. A child does not begin to use his or her own identity until he or she has reached the age of 18 – the age a young adult applies for his/her first credit card, purchases his first auto, applies for student loans, applies for a job, or gets ready to do all the things adults do. Younger children pose an opportunity for a thief to enjoy the exploits for longer periods of times, all the while creating a devastating impact on the child’s identity and future.

Just how is it that companies always seem to know just how to advertise to us? Ever get a chill up your spine when Target sends you a coupon for the exact type of jacket you’d been thinking of purchasing for the last week? If it feels like internet marketers know what products you’re likely to be interested in, it’s because they do. It is well known that internet activity can be tracked by marketers and used to more effectively reach the consumers who are likely to be interested in the product or service they offer. What is less widely understood is how different websites track your information, and how they use it. Simply changing your privacy settings in your browser can limit the information that you share across the entire spectrum of internet advertising. But what if you want to go deeper?

 

In order to truly understand how each site you interact with tracks your information, and just who they share it with, would require the consumer to read each individual privacy policy for every single website they frequent. By law the terms of use and related privacy policy must outline exactly what information they harvest from you, exactly how they use it, and with whom they are sharing it. There is no law however, against making your terms of service long, using lots of tiny print, or against writing it in legalese jargon that makes it very difficult for the average consumer to understand.

There is a company with a new product that seeks to address this particular issue. PrivacyChoice has developed a digital service that indexes and disseminates privacy policies from a multitude of various websites, and has developed a scale designed to rate these sites based on how they collect and use your personal data. Their idea is to provide a one-stop easy tool that will allow consumers, site publishers, and administrators to compare various privacy policies across a given field at a glance. The hope is that not only will this spur more careful web shopping and browsing by the consumer, but will also provide greater exposure to how companies act with your information, making it advantageous from a public relations perspective for companies to create stronger privacy policies, and to encourage more responsible handling of consumer data.

Specifically, PrivacyChoice measures whether a website shares personal user data with other sites, how long the site retains that data, and whether there is a confirmation process to confirm eventual deletion of that data. Users who visit privacyscore.com can search for Web sites they wish to have scored. Users also can download a plug-in app for their web browsers that, when activated, will show a privacy score at the top of each Web site they visit. There is also a downloadable plug-in that will function like an additional tool-bar in your browser that will show you the privacy score of various sites as you surf the web.

“What Is PrivacyScore and What Does It Do?” was written by Matt Davis. Matt is a Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the ITRC Blog.

So you’ve discovered that you’re a victim of identity theft, and you need to file a criminal complaint with law enforcement. Having a clear understanding of what your expectations should be in dealing with law enforcement, and what their role is and should be in mitigating the damage to your identity will give you the best chance of successfully cleaning up your good name.

The first thing a victim of identity theft should understand is that law enforcement probably won’t be able to catch your identity thief. It’s not that they’re not law enforcementcompetent, or that they don’t care. As any regular reader of ITRC blogs is likely already aware, the problem is that identity theft is a very 21st century crime and our jurisdictional system was designed in the late 19th – early 20th century to effectively police crimes that existed at that time. Identity theft as we think of it today did not truly become a major issue until the last few years of the 20th century.

Many cases of identity theft transcend traditional jurisdictional boundaries. A police officer in Arizona may or may not have the time and resources, let alone the authority, to help catch an identity thief in Florida. While there

are some exceptions to this general trend (as when the victim and the thief live in the same area, or the thief is known to the victim), generally the victim’s focus should be on cleaning up the damage and preventing future incidence of fraud, and not on catching the bad guy. Deliver what information you have to the police when you file your report, and let them determine the likelihood of bringing the thief to justice.

The good news is you don’t need to catch the thief to mitigate the damage from past identity theft, and protect your identity from future harm. The principle value of contacting the police for identity theft is simply to get the incident report. The existence of a police report gives your status as victim credibility. In order to mitigate the damage done from identity theft you may need to contact creditors, collection agencies, government offices, or anyone else who may have been affected by the illegal use of your personally identifying information.

The ability to provide a complaint made to law enforcement shows that you’re not just someone trying to cleverly skate on paying a bill. Having a police report is also a critical component to invoking your protections under federal laws such as FACTA, FCRA, and FDCPA. Understanding that in most cases of identity theft the report itself is a greater asset in your fight to restore your good name than seeing the criminal brought to justice is paramount when you seek the assistance of law enforcement.

“Helping Law Enforcement Help You” was written by Matt Davis. Matt is a Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the original article.

A company called OneID is developing some innovative and interesting solutions to identity and password security. Vinod Khosla, Founder of Khosla Ventures, one of the principle groups that invested heavily in bringing OneID to market, briefly outlined why his company was willing to infuse 7 figures of capital into this relatively unknown company in the information security space.

“We believe OneID will attract the most forward-thinking businesses to offer a more secure alternative to the way we sign in to sites and share personal information.”

Information security is an issue for every consumer today. In attempting to make their personal information as secure as it can be, consumers are routinely expected to handle a multitude of different usernames and passwords across various internet portals to manage each of their virtual profiles or identities. This obviously can be problematic, forcing the account user to choose between remembering literally dozens of different username/password combinations, or using the same username/password (or close derivatives) for multiple account credentials. Sadly, there is a great deal of potential damage which can occur if through cyber hacking or phishing, any one of these online identities is exposed. A hacker will understand that the email address and password for your Facebook account that they just harvested will likely be very similar to credentials used for your financial accounts.

When the hacker successfully opens a user account, it can often place the account owner in a “guilty until proven innocent” scenario, where they must actively prove they are not responsible for a certain online action or transaction credited to their identity. Businesses that rely on online transactions must invest more and more in password security, fraud mitigation processes, and consumer compensation issues. And, this problem is definitely not going away. As the prevalence of online commerce continues to grow, so too will the issues surrounding digital security.

The idea behind the OneID approach is to allow both consumers and online businesses to benefit from a highly secure digital identity system without sacrificing convenience. For consumers, the advantage will be that they will no longer need to remember multiple usernames and passwords; allowing for greater control of their personal, financial and credit card information. For online businesses, OneID hopes to provide a one-stop convenient, secure, and relatively thrifty solution to the digital authentication problem. It remains to be seen whether or not this will significantly reduce the costs and headaches associated with digital identity verification, but what is clear is this is an innovative, elegant new solution in the battle against digital fraud and identity theft. Now, which version of “GreenElephantTusks” did I use for my Yahoo password…..

“Introduction to the “OneID” System” was written by Matt Davis. Matt is a Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog.