Commercial website operators should be reviewing their online privacy policies to ensure they are in compliance with California’s new “do not track” law.  On September 27, 2013, California Governor Jerry Brown signed into law AB 370 which amends the California Online Privacy Protection Act of 2003 (CalOPPA). AB370, introduced by Asm. Al Muratsuchi, amends Section 22575 of the California Business and Professions Code to require commercial website operators to openly disclose how they will respond to a “do not track” signal from an internet browser.

A “do not track” signal is a mechanism by which an Internet user can click an option within their browser that will automatically tell every website (they) visit that the internet browser used does not wish to have their activity tracked. Despite much attention and effort devoted to the topic, the term “track” still does not have a widely accepted definition.  (However, it is most frequently assumed to mean that the user does not wish to have their personal internet browsing seen by third party websites). 

The W3C’s Tracking Protection Working Group (TPWG) was tasked with defining the term and establishing a self-regulatory system with rules dictating how a website should respond to a “do not track” signal from an Internet user’s browser. The TPWG was created more than two years ago and has made little to no progress on their goals. Due to the lack of progress, the Digital Advertising Alliance (DDA), a “consortium of the leading national advertising and marketing trade groups,” withdrew from the TPWG with DAA CEO stating, “the TPWG had yet to reach agreement on the most elementary and material issues facing the group.” The TPWG continues to function despite the departure of the DAA; however, some have lost faith in the group’s ability to effectively dictate policy.

With the passage of AB 370, California is giving the advertising industry a gentle prod because the bill does not attempt to define or regulate “do not track”, but does increase the transparency of which information is collected and how it is used. What the new lawdoes regulate is commercial websites’ privacy policies, thereby requiring that the commercial website operator explicitly state whether they will honor a “do not track” signal from a user’s browser. Although this is a California law, any commercial website that collects personal information from California residents should be aware of this new law and determine whether their privacy policies need to be updated.

AB 370 went into effect on January 1, 2014, so privacy policies should be updated already; however, a cursory review of several well-known commercial websites shows that many organizations have not yet updated their privacy policies. Website operators covered by CalOPPA have 30 days to comply with the new amendments after being notified or noncompliance or they can face fines of up to $2,500 per violation of CalOPPA.

“Happy New Year, Happy Updated Privacy Policy” was written by Sam Imandoust, Esq., CIPP, CIPA. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

These days more and more people are beginning to use their smart phone as their main tool for browsing the web, transferring documents, sharing and storing personal pictures, and managing financial accounts.

There is also an increasing use in the workplace. A smart phone can be a treasure trove of personal information and proprietary work information that can be exploited for financial or personal gain. Sensitive data can be found in a multitude of places on your iPhone:

  • Private emails containing passwords to other accounts, financial account information and attachments containing sensitive information such as a tax return.
  • Work emails containing confidential business communications, intellectual property or protected customer information.
  • Should your iPhone passcode be bypassed or left unlocked, a thief can use apps installed on your phone to manage bank or financial accounts and other sensitive transactions.
  •  Pictures in the iPhone camera roll may be of a private personal nature or contain scans of sensitive documents for personal or professional use.

Unfortunately, many people don’t realize just how much personal information is accessible via their iPhone and don’t take necessary steps to protect it. Sometimes people go beyond failing to take protective measures and actually take proactive measures to reduce the security of their iPhone. For example, many people opt to “jailbreak” their device which entails the owner making unauthorized modifications to the operating system of the phone.  These modifications allow users to download apps or perform other tasks normally not allowed by the iOS. This can result in severely reduced security measures that come with the iOS in order to protect your personal information and ward off malware targeted at your iPhone.  (Yes, there is malware designed to attack iPhones).

The latest iPhone has a fingerprint scanner that can be used to unlock your iPhone in lieu of entering a four digit passcode, but was successfully hacked about two days after the iPhone 5s was released.

New hacks and tricks are discovered every day by white hat hackers looking to expose iPhone’s vulnerabilities so that Apple can resolve them. Many of these hacks are short lived as Apple is good at providing updates to close security loopholes when they are discovered, but they continually surface  and this requires vigilance on the part of the iPhone owner to stay up to date on iOS updates. These hacks often include methods to bypass the unlock passcode to access limited capabilities of the iPhone via Siri or the control panel.

While there is no surefire way to avoid having your iPhone hacked, there are many ways to reduce your chances of unauthorized access:

  • Keep your iOS updated and be quick to install the updates as soon as they become available.
  • Disable access to Siri and Passbook while the phone is locked by navigating to Settings -> General -> Passcode Lock and switching Siri and Passbook to off.
  • Disable access to the Control Center while the phone is locked by navigating to Settings -> Control Center and turning off the “Access on Lock Screen” option.
  • Should you decide to use the fingerprint scan option to unlock your phone, use it in conjunction with a four digit passcode to increase security.
  • Whenever browsing the web using free WiFi in a public place, use a VPN service to prevent thieves from monitoring your Internet activity.
  • Always have your iPhone passcode lock activated and consider using the auto-lock feature to avoid accidentally leaving your phone unlocked in a public place.

“Protect Your Privacy on Your iPhone” was written by Sam Imandoust, Esq., CIPP, CIPA. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

Critics of privacy practices argue that your personal information is so commonly disseminated, to so many various persons and entities, that any effort to mitigate the spread of your information is wasted effort.  But as ITRC CEO Eva Velasquez is often quoted saying, “Just because a rock will easily go through my window doesn’t mean I leave home with the front door unlocked.”

One of the ways that can be shown to statistically reduce your likelihood of becoming a victim of identity theft or financial fraud is to limit the number of times you allow your personally identifying information (PII) to be shared over any given period of time.  The first step then, is understanding when there is a legitimate need for a person or organization to request your information, and when you’d be better served to politely refuse to give out your social security number, bank account, or identification information.  Below are some examples of common scenarios and locations where you may be requested to share your PII and an analysis of whether the information is really necessary.

The Doctor’s Office:  The idea that you have to share your social security number or driver’s license number at your medical professional’s office is one of the most common misconceptions amongst the public today.  After all, there it is right at the top of their very professional looking sign in document; A block of space requesting your Social Security Number.

Here’s the thing: in the vast majority of cases, a social security number is not necessary for your Dr.’s office to have on file.  If you have medical insurance the insurance number and group number combined with your name and contact information is sufficient for them to process your method of payment and establish a medical record.  Usually if you inform them you’re uncomfortable giving out your PII or you simply leave the applicable spaces blank they will simply say “OK” and process your paperwork without it.  If they insist upon collecting your SSN, ask them what specific purpose they need it for? Additionally, it’s wise to inquire as to their procedures for storing sensitive information. Will your info be stored on a computer or in a hard file? Who has access to the information? What sort of e-security do they have if they will be storing your information on a computer?  These are all important things to understand before you leave your personal information in the hands of a stranger.  If they are unable to answer your questions to a satisfactory level you can always inform them that by law they cannot require you to give out your PII.

Job Interviews:   This one can be a bit tricky because at some point an employer will need a new employee’s PII, including but not limited to your Social Security Number.  So when is the appropriate time to share that information? Especially in today’s digital world this question is an important one.

As a general rule of thumb you should never give out any PII to someone you haven’t actually met face to face and shook hands with.  The job interview process in 2013 often starts online, but eventually it should progress to phone conversation and then a face to face meeting.  PII is appropriately requested by an employer when you are approaching the end of the hiring process.  That is: you’ve had several interviews, both parties clearly have some level of interest moving forward and hiring at some level seems imminent.  To process your paychecks and taxes and related HR issues, an actual employee will need to produce his or her PII.

It is not appropriate for the employer to send you an application form via email after your first correspondence asking you for PII before you’ve even identified who it is you’re actually talking to.  PII is not necessary to conduct any part of the interview process prior to background checks and credit scores, and again, the appropriate time for that conversation is after several communications and at least one face to face meeting with your potential employer.  Be wary of jobs posted online that seem too good to be true. Making 5,000 dollars a month just for receiving and shipping packages, for example is likely a re-shipping scam.  No legitimate employer will pay you just to cash checks either.

The Department Store:  Those of us who like to shop can be somewhat easily enticed by offers of significant discounts through signing up for a store credit card.  While a store clerk is completely on the straight when they ask you to fill out the application for credit to become a member, it’s important to consider the risk before providing them the PII they require to open a line of store credit.  Much in the same line of thinking as at the Dr.’s office you want to get a feel for how seriously they take security before you give them your information.  Ask them how and where that information is stored, and who has access to it.  Only after you’re satisfied they give due consideration to the safety of your PII should you consider filling out their application for credit. Weigh that risk against the convenience or amount of savings you’d miss out on by paying for your purchases with a non-store credit method.

You must remember that it is impossible to completely prevent identity theft.  You have to give out your PII for some purposes and often once you do that, you are no longer in control of how that information is protected.  However, using these tips will help you minimize the places you have to trust with your PII.

“Do They Really Need Your Information? was written by Matt Davis.  Matt is Director of Business Alliances at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

The geo tagging feature on your smart phone can be a very cool way of allowing people to know where you took a beautiful scenery picture, attended an interesting event, or even serve you as a digital road map to locations associated with fun experiences you’ve had over the years in just a few clicks of the mouse or touches of the screen on your phone. Geo tagging makes it easier for you to arrange photos and let friends know where they might be able to replicate some enjoyable experience you had.

As with most modern technological conveniences, there is also risk to consider when using your Geo tag capabilities.  Primary amongst these is the risk of “social surveillance.”   Most of us who use social media regularly are familiar with social stalkers.  These modern creepers make use of the information you publish on social media pages in order to track your movement, your habits, and your associations.  Stalkers can make use of public geo tagging information to pinpoint your present location, find out where you live, and even how and where you spend your time with very little effort. This very fun feature of modern smart phones can also potentially put your safety and security at risk, depending on who you are, and the value to anyone who might want to track your movements.

The point is not to scare you, but to note the risks and be wary.  It pays to know the risks, and have an air of caution when using this feature.   Avoiding the risks of geo tagging is definitely something consumers need to be wary of as privacy continues to erode in our ever more electronically connected society.  What follows are a few best practices to keep you safe while geo tagging.

  1. Take the time to note your default privacy settings: This applies both to your smart phone or mobile device and the social media networks you access through your device.  To geo tag something is simply attaching GPS grid coordinates to a picture, video, website or text message.  Sometimes tagging a location maybe a default setting on your phone or on the social network you’re using.  It is important to be aware of these settings so you can consciously decide when and where you geo tag, and who the information will be available to.
  2. Understand the Risk:  Realize that geo tagging information gives anyone who views it the opportunity to know your exact whereabouts, particularly in instances where you’ve posted your location to multiple sites (e.g. Twitter, Facebook, and Instagram).  A check-in at the airport with the message “vacation for the next week!” for example lets anyone who might care to look know that you’ll be out of town for a week.  If you’ve also been geo-located at your place of residence in the past this information could be very valuable to a thief looking for an opportune time to break in.  Additionally, if you use the geo tag feature regularly, it can also give others an understanding of your movement patterns, which will give anyone with an interest in stalking you a picture of your routine, allowing them to predict where you will be and when.  Be aware of who in your network will have access to this information, as it’s possible that not all of them are really your “friends.”
  3. Know How to Disable the Geo Tagging Feature: Every smartphone has a geo tag feature, and many of them will be automatically set up to function without you consciously choosing to have it do so.  You need to take the time to figure out how to prevent it from doing this.  It’s a much better idea to consciously decide to geo tag each time you post rather than having to remember to opt out of geo tagging each time you post.  Leaving the default setting as geo tag operational will likely mean there will be times when you inadvertently post your location to the world when it is risky or unnecessary to do so.

For iPhones: Go to the “settings” page of the geo-tagging program.  Go to “settings” then “general” and then “location services.”  Disable those applications that automatically make use of your GPS tracking data.

For Android Platforms:  Start the camera application.  Open the menu and go to “settings.”  Turn off “geo tagging” or “location storage” (depending on the type of Android).

For digital cameras, be sure to consult the user manual.  Not all digital cameras come with a geo tagging feature, but it’s important you know how your particular camera operates in relation to location tracking.

“Geo Tagging and Do Not Track” was written by Matt Davis.  Matt is Director of Business Alliances at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

Privacy is becoming an ever more important issue garnering increased public discussion. Increased fear of misuse of personal information is slowly showing up in a multitude of consumer surveys. Facebook along with many other global powerhouses have at times been criticized for their perceived failure to adequately address the various infringements on individual privacy that can sometimes result from their services. In an effort to address these concerns, Facebook recently put a privacy tutorial in place for all new users.


Facebook created customizable privacy settings several years ago, but many users expressed unfamiliarity with how to effectively make use of these settings. Other users simply were unaware of or else never took the time to understand privacy implications. In an effort to generate greater awareness of privacy risks, as well as greater understanding of how to best make use of Facebook’s privacy settings, a tutorial for all new users has now become a part of the set-up process for any new Facebook account. In the tutorial, users are made to understand how their information is shared with others, what information is shared, and what options Facebook makes available in order that the individual may control what they share, how they share, and with whom.

For current users who wish to learn more about privacy settings, simply go to your account settings and find the tab labeled “privacy” and do a little perusing. If the Facebook tutorial specifically is something you want to help walk through the process of understanding the privacy settings, simply generate a new account (using a new email) and go through the start-up process. The tutorial will be one step in getting your new Facebook account fully set up and completed. Any questions about privacy issues can be directed to Facebook staff via message through the sites “contact us” listing.

“Facebook’s New Privacy Tutorial” was written by Matt Davis. Matt is a Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the original article.

Recently at the ITRC, there have been several curious consumers who’ve contacted us asking how they can be more proactive protecting their privacy when they surf the web. Well, we like to give the consumers what they want, so here are a few tips on how you can control your privacy while you use your Google Chrome Web Browser:

privacyFirst, in order to set your privacy settings, you must find the privacy settings. When you open your Google browser, find the button at the far top right of the screen,  just beyond the URL/address bar; the one that has three horizontal lines. Click that button and a drop down menu will show. Select the 4th option from the bottom that says “settings.”

This will open your settings within the webpage space itself. Find the blue hot link all the way at the bottom that says “show advanced settings.” This will prompt a longer menu to drop down, where you will see some basic privacy preferences like “enable phishing and malware protection” or “offer to save passwords I enter on the web.” These settings are preset by Google and generally speaking the default settings are appropriate for most users.

The most important area to focus on is a button immediately below the “Privacy” headline that says “content settings.” This button takes you to the meat of web browser privacy. In this subsection you’ll find the setting tables for things like internet cookies, pop-ups, location, plug- ins, and handlers. Examine this section carefully and select the settings that most conform to your level of concern.

Some people don’t mind having their web activity tracked by advertisers for the purposes of customized marketing, others do. The Google Chrome browser is highly customizable and easily adaptable in this way. Take a few minutes to examine your privacy settings, and have peace of mind next time you go online.

“How Can I Secure My Privacy on Google Chrome?” was written by Matt Davis. Matt is a Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the ITRC Blog.

Identity theft is a term now common in the American vernacular. Though the term is familiar, what it represents is often misunderstood by large segments of the consumer population. Many people commonly associate the term with someone making illegal use of a credit card number. By most current definitions however, that type of crime is more properly referred to as credit card fraud and is no longer considered a true example of identity theft. So what exactly does the term “identity theft” mean?

The best working definition of true identity theft is simple: The improper or illegal use of someone’s personal identifying Information (PII). It’s that simple. PII is defined as any information that uniquely identifies you as you. More specifically, your social security number, passport, birth certificate, driver’s license or state ID card, and similar documents that alone, or in combination, are unique to you as a person. ITRC considers that your PII can be used to commit several different types of identity theft. We classify these as five (5) basic types of identity theft: financial, criminal, medical, governmental, and cyber/reputational. There is also child identity theft, but other than the age of the victim, these are always one or more of the 5 types above.

  • Financial: Financial Identity theft is simply when someone uses another’s PII for financial gain. This can include using a SSN to open a new line of credit, a utility bill, a student loan, etc. Unlike the unlawful use of an existing, and legitimate credit card, these new fraudulent accounts may exist for extended periods of time before the victim becomes aware of them. Checking your credit reports or getting a call from a collection agency are two of the most common ways financial identity theft is discovered. Victims should file a police report and then dispute any fraudulent charges with the various affected merchants and creditors.
  • Criminal: Criminal Identity Theft occurs when someone has successfully impersonated the victim when dealing with law enforcement. This can be accomplished a multitude of ways. The most common is when a thief uses a victim’s SSN, Name, and perhaps date of birth to acquire a driver’s license. In the event this thief is cited or arrested by a member of law enforcement, the thief will pretend to be the victim thereby creating a fraudulent criminal history for the victim. Victims of this form of ID theft should have their local police fingerprint and mug shot them, and when appropriate send that information to whatever the arresting or citing law enforcement might be, so they can get issued a letter of clearance from the court, clearing them of responsibility.
  • Medical: This form of identity fraud occurs when a criminal makes use of the victim’s PII (such as an SSN or Medical insurance card/number/Medicare card etc.) to receive medical treatments and benefits and then leaves it to the victim and their insurance carrier to pay the bills. These events may also leave mixed medical records, which can be a significant problem to the victim. There is also a growing trend used by illegal pharmaceutical sellers as well as prescription pill addicts to use someone’s identity to steal prescription drugs without leaving a paper trail back to them for anyone to follow. Victims of medical identity theft need to get in touch with their insurance provider as well as the place where the procedures were performed, or where the medical supplies/drugs were purchased, and inform them of the fraud. This should include showing proof of that this misuse was brought to the attention of law enforcement.
  • Governmental: This is when the victim’s PII is used to acquire government benefits that the thief would not otherwise be entitled to. Things like government grants and loans, welfare assistance, even a large tax return a victim might be owed from the IRS are all strong motivators for criminals. Often those in this country illegally will have reasons to engage in governmental Identity theft in order to find gainful employment, or avoid detection. In addition to previously listed steps, victims should request an “earnings history report” at their local branch of the Social Security Administration. This report will show where someone has been working, and can be useful in mitigating the fraud.

Cyber/Reputational identity theft is the newest emerging form of identity theft. This involves the use of one’s name, likeness, online passwords or other associations in order to exploit or damage one’s reputation, or perhaps to gain access to their contacts or emails, or just to spam someone’s online relationships with advertisements or Trojans. Mitigation for this type of theft is best done through contacting the site administrator. (i.e. for a fraudulent Facebook profile, the only way to resolve the issue is through dealing with Facebook staff directly).

For additional questions or concerns, please contact the ITRC. ITRC provides no-cost toll-free assistance to consumers and victim at (888) 400-5530, or

“Classification to Mitigation: What You Need to Know about the Multiple Faces of Identity Theft” was written by Matt Davis. Matt is a Victim Advisor at the Identity Theft Resource Center. We welcome you to repost the above article, as written, giving credit to and linking back to the ITRC Blog.

Do you love a discount? You’re not alone. Most people do. And that’s just what Facebook is banking on with their new “Facedeals” project, which sends coupons and discount offers directly to your phone. The only catch: when you use your coupon they snap your picture.

Facebook dealThe program essentially functions as follows: a camera is installed in a business. The camera scans your face as you enter, checks you in on Facebook and sends your phone a text message offering you a targeted discount. A “targeted” discount or deal is a coupon for an item or service that’s viewed as within your range of interests, based on your Facebook “like” history. Merchants use this data to selectively advertise to you, making it more likely you’ll be interested and less likely that they will waste time and resources sending you a coupon for a product you’d never use.

Of course, in order for this program to take effect you must choose to sign up for it, and let Facebook scan and store facial recognition data about you based on your tagged Facebook photos. As more pictures are approved, the app gets more precise in its ability to identify you based on what you look like. Once you sign up for this program you will be automatically identified and tagged at any store or shop you frequent that has a Facebook Camera installed.

No doubt this is another impressive new development in our ever more rapidly advancing technological society. What’s the harm in offering you targeted deals seamlessly and easily right? Well, perhaps none, but certainly there is a potential for misuse and dangerous privacy implications. Mum’s been the word on how this data will be stored, what will be permissible uses for the data, and what if any third parties could request access to such data? Could the government access it under the right circumstances? What about retailers, marketers, or various merchants? You can see that without defined rules, the line could easily be blurred to a dangerous point.

Now everywhere you go, you could potentially be checked in without your knowledge. Every store you visit, every time you leave your house. Once you’ve signed up for this technology there isn’t a way yet to select where you do and don’t want to be checked in, or under what circumstances you feel comfortable broadcasting your whereabouts and purchasing habits to the general public. Once you sign up, it’s entirely plausible that your friends, family, and yes those ultra-aggressive creepy Facebook stalkers can track your daily movement and purchasing habits with a click of a mouse. It’s a spooky thought.

No doubt many will disregard the near certainty of significantly diminished privacy in favor of 50% off a sweet new smart phone cover. But when that creepy ex that you’ve been avoiding since high school just “happens” to bump into you at the mall, don’t say we didn’t warn you.

“Facebook Facedeals Raise Serious New Privacy Concerns” was written by Matt Davis. Matt is a Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC_Blog.

When surfing the internet in the privacy of your own home, one might think they are safe from prying eyes, and free to surf the internet without anyone knowing what they’re doing. Unfortunately, this couldn’t be further from the truth. What you do on the internet is information that every retailer and marketing firm wants to know. Why? It’s because these companies use that information to create targeted advertising, which increases sales and thus profits. Targeted advertising simply means that when a company pays for an advertisement they want that advertisement to go to people who will be most likely to purchase whatever the advertisement is selling. For example, sending an advertisement for an expensive boat to someone who is unemployed would most likely be a waste of money.

being watchedCompanies pay for information about your online habits to companies called data brokerage firms or information aggregators. These companies set up thousands of servers specifically to monitor people’s activity on the internet, organize the information to fit a retailer or marketing firm’s needs, and then sell it to the highest bidder. This type of information gathering has set off alarms within the privacy advocacy community as the information collected can at the very least have personal information about you, including age, race, sex, weight, height, marital status, educational level, politics, buying habits, household health worries, vacation dreams and more.

So far, the retail industry has for the most part been self-regulating when it comes to what is right or wrong when tracking you online. According to the World Wide Web Consortium (W3C), an international community where Member organizations, a full-time staff, and the public work together to develop Web standards, privacy advocates and retailers have come to a cautious agreement that an option called “Do Not Track” on web browsers should be available to consumers. When a consumer clicks the “Do Not Track” option, retailers would honor their request and stop their websites from tracking everything that a consumer does on their website. The problem is that all of this is voluntarily and the W3C has no power to enforce any of the standards they promulgate.

Microsoft has added to the controversy over this issue by declaring that their next web browser, Internet Explorer 10, will have the “Do Not Track” option activated as the default setting for their new browser. Retailers and marketers rebuked this idea, threatening not to comply because they believed the standard of complying with the do not track request is only valid if the consumer actively selects it themselves. This latest battle in the protracted war between privacy advocates and the retailing industry has many calling for legislation so that there is some method of enforcing companies to respect the “Do Not Track” option. Surprisingly, several bills have been introduced in both the Senate and the House regarding tracking online consumers. Not surprisingly, all of these bills have been languishing in Congressional committees since 2011. With the attention Microsoft’s move has garnered, the possibility of these bills gaining traction in Congress is becoming more likely.

A bill submitted by Rep. Jackie Speier, the Do Not Track Me Online Act of 2011, requires the Federal Trade Commission (FTC) to create new rules that establish standards for the required use of online opt-out mechanism to let a consumer choose to prohibit anyone from tracking them online. The standards must include a rule requiring covered companies to disclose to the consumer how they collect information and what they do with it, as well as a rule obligating companies to not track consumers if they elect to not be tracked. The FTC would also be given the authority to conduct random audits of covered companies to ensure that they are in compliance with the established standards. For companies not in compliance with these standards, any state attorney general would be permitted to bring a civil action imposing fines up to $11,000 per day with a $5,000,000 maximum cap.

The Do-Not-Track Online Act of 2011, submitted by Sen. John Rockefeller, largely mirrors Rep. Jackie Speier’s legislation; however, his bill lacks any language giving the FTC authority to conduct random audits of companies. While it lacks audit authority for the FTC, Sen. Rockefeller’s bill calls for fines up to $16,000 per day with a $15,000,000 maximum cap.

Lastly, Rep. Edward Markey has put forth the Do Not Track Kids Act of 2011 putting extra emphasis on the protection of children from being tracked online. This bill provides for the same kind of enforceable standards as above, but adds extra standards for minors. This bill would require covered companies to not track children unless receiving parental permission, stop companies from requiring children’s personal information in exchange for allowing the child to play a free online game, and to create an “eraser button” allowing users of a website to erase any current or past information already collected on a minor. While providing a multitude of protections for minors on online, this bill does not provide any recommendations on fines or damages to be paid by companies in violation of its rules.

While it is unlikely that any of these bills will be signed into law in the near future, it is a good idea to keep them in mind as the discord surrounding privacy on the web escalates. For now, the war between retailers and privacy advocates will continue as the struggle for meaningful self-regulation of online tracking makes slow progress. In the meantime, click that “Do Not Track” option if you feel uncomfortable having your online activity monitored and hope that companies are courteous enough to oblige.

“You Are Being Tracked” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog.

Most people would think that the person or people who know them best are family members, close friends, or significant others. Unfortunately, one more category must be added to that list and it may be one that knows you better than anyone else: an information aggregator. Information aggregators, or data brokers, collect information regarding individuals and look to sell this information to marketers seeking to advertise their products to the best targeted audience possible.

watchingThis sounds fairly innocuous until one looks at the actual breadth and scope of information these aggregators are collecting. Reps. Edward J. Markey and Joe Barton along with six other congressman sent letters to nine major information aggregation companies citing an article in the New York Times (“A Data Giant is Mapping, and Sharing, the Consumer Genome”) which explains what exactly these companies do. The article focuses on a company called Acxiom which collects information on nearly “500 million active consumers worldwide, with about 1,500 data points per person. That includes a majority of adults in the United States.” Among these data points include “your age, race, sex, weight, height, marital status, educational level, politics, buying habits, household health worries, vacation dreams – and on and on.” The article goes on to state that Acxiom has 23,000 computer servers processing more than 50 trillion data transactions a year.

Just the data points mentioned are disturbing enough, but to think that these companies have up to approximately 1500 is downright problematic. The Congressmen writing the letters to these companies express their concern that, in addition, to the privacy concerns involved with this so called “data mining”, how companies use this information may lead to another process called “weblining.”

Weblining is a process by which companies will grade each individual and base decisions about them solely in regard to the information they buy from companies like Acxiom. Privacy advocates warn that this way of profiling consumers can lead to different classes of individuals which will receive different offers and attention from different companies. Health insurance, higher education, employment, and financing could all be decided before you ever get in contact with an insurance agency, school, potential employer or lender, all based upon the information gathered and collated by information aggregators. The Congressmen behind these letters are especially concerned with what and how these aggregators are collecting information on children and minors, as this method of profiling could impact them the most.

The lack of transparency and the volume of legally collected information on consumers is not the only concern as these data brokerage firms are extremely attractive to criminal hackers. While it is unsettling to know that a corporation has such intimate details about you and your habits, they are at least following the law (as lacking as it may be) regarding privacy. They take measures to encrypt and protect your data to minimize any information reaching any unintended parties. A criminal hacker who successfully hacks one of these data brokerage firms would potentially have personal information on hundreds of millions of people.

With Congress struggling to pass any meaningful cybersecurity laws regarding protecting or collecting personal information from online consumers, it seems that, for now, the individual consumer can only hope his or her information profile doesn’t exclude them from opportunities in life or end up in the hands of a criminal.

“What is Information Aggregation and Why Should You Care?” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog.