Privacy Alert: What the Web Knows About You

Social Security numbers, dates of birth, signatures, children's names, educational backgrounds, blood types, work histories and other personal data: Online state and county records offer a treasure trove for data aggregators, brokers and criminals.

1 2 3 Page 2
Page 2 of 3

With iSearch, users can search for social network content by name or by screen name. A name search on "Robert L. Mitchell" produced the same people search results I had seen before, and searches on all my screen names produced no results. A spokesperson stated that iSearch, a service launched by Intelius last September, was still building up the database for the service.

Delver, another social network search engine, indexes content and ranks its relevance based on what your social network of "friends" have to say about it. It indexes content from MySpace, Blogger, LinkedIn , YouTube, Hi5, FriendFeed, Digg and Delicious, as well as profile data from Facebook. A search on "Robert L. Mitchell" brought up 47,755 Web links. I found no personally identifying information but did find links to stories I have written.

I concluded by searching individual social networking sites. I didn't get much here, but private investigator Steve Rambam, who runs the Pallorium investigative agency in Brooklyn, N.Y., says the amount of self-contributed data available on many individuals is enormous.

"If you have a MySpace page, and Friendster, LinkedIn, Plaxo, Yahoo 360 and Monster.com, and you use Twitter and Flickr, in 90 seconds I'll have your photo, your likes and dislikes, where you live, what you do and so on -- all contributed by you," says Rambam. That search, he says, provides as much information as he used to gather during a 12-month investigation in pre-Web days.

If that sounds scary, the technology also has its limits. "You have the best defense against a casual investigation: a common name," says Rambam. To find people like me on social networking sites requires logging onto each one individually and using advanced search features to try to narrow down the field.

"Even then there are dozens of records that would have to be manually examined," Rambam says. But that just slows him down. "It would probably take a full day to compile a decent dossier on you," he says, while a unique name takes just a few minutes.

Source: Paid searches

Information discovered: Address history to 1985; real estate purchase dates, assessed values and mortgagors; 2004 property tax bill; nonprofit affiliations; Flickr account details; published stories; parents' names, address, phone number and first five digits of Social Security numbers; current and past neighbors' names, addresses, phone numbers, dates of birth and first six digits of Social Security numbers

At this point, I decided to invest a little money to see what premium searches would buy me.

Since no one had come up with my cell phone number, I decided to start small, with a US Search reverse phone lookup -- which means you provide the number and the company traces its owner. US Search indicated that the information was available on my number -- for a fee of $14.95.

I pulled out my credit card and purchased the report. US Search could not find any data initially. The next day it sent an e-mail that attributed the phone to "Josh (last name unavailable)." Address information was limited to a town name, which was incorrect. US Search refunded my money.

I tried other sites, also without success. One possible reason why: I never provide my cell phone number online or use it for business transactions.

Things did not go so well with USATrace.com , which claimed to offer an "SSN Search" background report on any Social Security number for $37.99. I had picked the company at random from a long list of businesses that came up after I ran a Google search on "Social Security number trace."

The company processed my transaction, but I received no report. Over the next few days, several phone calls and e-mails went unanswered. I ended up challenging the charge on my credit card bill -- a process that eventually resulted in a refund from American Express. Caveat emptor.

I then approached Intelius , a bigger name that also provides data to business partners such as ZabaSearch . Intelius waived its $49.95 background search charge for the purpose of this story. I requested a few extra bells and whistles, which would have brought the total cost to $77.

Among other things, the report included searches of criminal records, civil judgments, sex offender records, address history, real estate property records and death certificates. Intelius gets its information from public records, marketing databases and information that is scraped off the Web, says Ed Petersen, co-founder and executive vice president at Intelius. Much of the information is purchased from other data providers.

Inaccuracies in the data and the abundance of data on people who were not me made combing through the 67 pages of results a bit of a chore. After removing the irrelevant content, I was disappointed to find that the report contained just one piece of data that I had not found through my previous, free searches: a June 2004 property tax bill in the amount of $1,857.

Despite the fact that I'd entered my address and Social Security number, the bulk of the report consisted of state and federal criminal records of 156 Robert Mitchells from all over the country, none of which were me. It included incorrect names of "relatives" as well as records with my correct phone number attached to the wrong address and vice versa. It did not find my primary legal residence address or phone number at all. (We moved one year ago.) The business records section of the report did not turn up my position at Computerworld or my business phone number.

Intelius did aggregate a lot of data about me that I had already discovered, and might have saved some research time. However, I would still have had to do additional work to resolve the inconsistencies and other errors.

Next I tried a service called ReputationDefender , which tracks both what is being said about you (the MyReputation service; $9.95 per month) and personal information available about you on the Web (MyPrivacy; $4.95 per month). After a few days, the service uncovered my residential phone numbers, information about my work with a nonprofit organization, details of my Flickr account and a couple of Web sites I set up.

Finally, I tried searching public records through LexisNexis. Computerworld 's subscription includes a search function that combines data from public records databases ranging from motor vehicle records to court documents to hunting and fishing licenses. While much of the information LexisNexis returned was the same as what I'd found previously, it produced more information overall, and data accuracy was somewhat better.

I came away with a listing of past and present neighbors' addresses, phone numbers and partial Social Security numbers and a historical list of my real estate property transactions that included the amount paid, date of purchase and mortgage lender name. I found the assessed value for my residence for the year 1997. Also available: my mother's and father's names, ages, address, phone number and partial Social Security numbers.

While LexisNexis allows voter registration list searches, no information appeared for my name in New Hampshire. Voter registration lists have been consolidated into a central database to meet federal requirements. Currently, that database is exempted from New Hampshire's Right-to-Know Law , but legislators have given the Democratic and Republican parties exclusive access to it, says New Hampshire State Representative and privacy advocate Neal Kurk, a Republican.

"The parties take this information and sell it to candidates, and you can be sure that a disc containing all of this information goes to various marketers or charities or whoever," he says. So far, though, it wasn't accessible to me.

I also could have searched for other, more sensitive data, such as driver's license and motor vehicle registrations, on LexisNexis. Access to that data is controlled by government regulations, but to see it I simply had to pick a "permissible" use (litigation, debt recovery, insurer, etc.) from a drop-down list. While LexisNexis' terms and conditions do state that it keeps track of who has accessed regulated data, as far as I could tell, anyone can conduct a search without any verification of a permissible use claim.

At other sites, permissible use is simply a generic checkbox item under Terms and Conditions. At US Search, for example, the terms of use state that "By purchasing US Search services you agree that ... You will use the Service only for appropriate, legal purposes, and in compliance with all applicable federal, state and local laws and regulations." Not too reassuring.

What else is out there?

Did I find everything that was out there? Private investigator Rambam says the information I gathered in a few days of work was just the tip of the iceberg of what is available about individuals online. Rambam runs PallTech , an investigative database service for law enforcement and security professionals. Its 25 billion records on individuals and businesses include aggregated public records, telephone listings, marketing data, and more sensitive, regulated data such as vehicle registrations.

A single query performs 62 different searches and produces an average of 230 pages of results in 90 seconds, Rambam says. He quickly found my Social Security number, driver's license number, vehicle registrations, date of birth, e-mail address and other information.

PallTech's database isn't open to the public, but Rambam says much of the same information is out there for anyone who's determined to find it. For example, I didn't find my medical records or banking records online; both types of information are regulated. But, says Rambam, "Any competent social engineer can get that information. There's just too many places where it's available."

For instance, Rambam says he once tracked down a subject by calling pharmacies near the person's address, posing as the subject and asking if his prescription was ready. He quickly learned both the name of the prescription and the doctor who prescribed it. By calling the doctor's office, he was then able to get the time and date of the subject's next appointment. While all this is illegal (he did it with the subject's permission, as part of a friendly bet) and he says most professional investigators don't do that today, he's certain that scammers use the technique.

I also didn't find my state of birth or mother's maiden name online, but Rambam says that I could have found the information with a little more work. (For example, I didn't think to look on genealogy Web sites.) "The downside to all of this publicly available information is that it's now a lot easier to social engineer somebody," he says. If someone has access to a profile of personal information about you as well as your network of friends, that makes it easier for someone to pose as you to gain access to more sensitive data.

And much more personal information is tucked away in marketing databases, says Rambam. Data aggregators such as ChoicePoint and Acxiom , he says, maintain giant databases of information about individuals for risk management and marketing purposes.

To find out more, I spoke with Jennifer Barrett, global privacy officer at Acxiom , a large data aggregator and marketing services provider in Little Rock, Ark. Acxiom specializes in helping businesses build complete demographic profiles of their customers. It builds large, proprietary data warehouses that match up the client's marketing data on its customers (what they bought) with "intelligence" on those customers (who they are) that includes demographic data, interests, what types of products the subjects like to buy and so on. (For details, see "How much do marketers really know about you?" )

Acxiom and some other data aggregators do allow consumers to request, for a fee, a report summarizing the basic identifying and background screening information that the company has about them in its databases. (Acxiom does not release this information without a signed form and a personal check for $5 with name and address information printed on it that matches the name and address of the subject of the request.) I wanted to find out what details Acxiom had on me, so I made the request (the company waived the fee for the purposes of this story); however, the report I received did not include the full search results.

Interestingly, Barrett cites privacy as the reason Acxiom didn't reveal more of the data it owns about me. Search results often return information on other people who are linked to the subject's data in some way, such as through a common address or phone number. "It divulges details on other individuals and would invade their privacy," she says. But Acxiom does allow consumers to opt out of its marketing databases .

Assessing the risks

Perhaps the biggest risk that accompanies the proliferation of personal information on the Web is the increased danger that the information will be used for identity fraud. Although overall identity fraud has trended down somewhat, 8.4 million people were victims of identity fraud last year, according to Javelin Strategy & Research , which publishes an annual survey report on the subject.

Of the information available about me on the Internet, the most troubling was my Social Security number, blatantly posted online by my own county government, for the convenience of lawyers, insurance agents -- and petty criminals interested in identity theft. Today, you need more than just a Social Security number to commit identity fraud, but a criminal who has that number is off to a great start.

"Various arrest records released by law enforcement have included criminals' confessions of using bulk scans of both paper and electronic records access," says Javelin president James Van Dyke.

Related:
1 2 3 Page 2
Page 2 of 3
6 digital transformation success stories