http://www.washingtonpost.com/wp-dyn/articles/A51929-2005Feb24.html
By Jonathan Krim
Washington Post Staff Writer
The Social Security numbers of millions of Americans, including Vice
President Cheney and celebrity heiress Paris Hilton, are available to
many subscribers of a widely used information database company,
U.S. Sen. Charles E. Schumer (D-N.Y.) charged yesterday.
Schumer called one feature offered by Westlaw an "egregious"
invitation to identity theft. The "People-Find" feature lets some
Westlaw users type in any name and receive personal data about that
individual, culled from public records, including addresses and Social
Security numbers.
Westlaw's subscribers include government and law-enforcement agencies,
law firms, corporations and news-gathering organizations. Westlaw, a
division of Thomson Corp., said Social Security information is
restricted to government agencies and a small number of corporations
that need it, such as insurance companies investigating fraud.
"Fewer than 10 non-government customers have access to this type of
information," the company said in a written statement. "Furthermore,
our terms of use restricting access go beyond federal law and current
industry standards."
But Schumer said the information is too easily available to any level
of employee, adding that his investigation was prompted by complaints
from consumers. He said the company has ignored his requests to
restrict access to only those individuals who demonstrate they need
the information, such as law-enforcement officers.
Schumer's concerns add to a controversy over companies that buy and
sell such data with little oversight to protect personal information.
Yesterday, Senate Judiciary Committee Chairman Arlen Specter (R-Pa.)
said the panel would hold a hearing in response to the recent theft of
Social Security numbers and other financial data of more than 100,000
people from ChoicePoint Inc., a Georgia-based database firm.
After setting up accounts with the company, identity thieves were able
to gather information on at least 145,000 individuals.
"It's time to turn some sunshine on these developments so the public
can understand how and why their personal information is being used,"
said Sen. Patrick J. Leahy (D-Vt.) in requesting hearings.
In the House, Rep. Joe Barton (R-Tex.), head of the Energy and
Commerce Committee, has directed his staff to investigate the storage
and security practices of database companies.
Schumer said comprehensive legislation is needed in an area that is
largely unregulated at the federal level and governed by a patchwork
of sometimes-conflicting state laws.
California, for example, requires companies to report breaches of
their systems that result in exposure of personal data, a law that
prompted disclosure of the theft at ChoicePoint.
Sen. Dianne Feinstein (D-Calif.) has proposed a similar federal law,
which has been opposed by many technology and database companies.
In a news conference, at which were shown reproductions of Web pages
displaying personal data of famous people, Schumer detailed how his
staff was able to quickly retrieve Social Security numbers and
addresses of former attorney general John D. Ashcroft, former homeland
security secretary Tom Ridge, executives of Westlaw and others.
They tried President Bush, Schumer said, but his address came up as
1400 Pennsylvania Ave., instead of the White House's address of 1600
Pennsylvania Ave.
"Westlaw's service could be entitled 'Identity Theft for Dummies,'"
Schumer said. "To my mind, what bank robbery was to the Depression
era, identity theft is to the information age. Everyone's
susceptible."
In a written statement, Thomson West, the firm that operates Westlaw,
said it shares Schumer's concerns about privacy and identity
theft. But the company denied the senator's claims that it has been
unresponsive to his inquiries.
Researchers at The Washington Post, a Westlaw subscriber, sought to
replicate Schumer's exercise and found that only the first five digits
of an individual's Social Security number were displayed.
But a Schumer spokesman said that a researcher at a major corporation
not involved in credit checks or other investigations was able to get
the complete numbers.
A spokesman for LexisNexis, a Westlaw competitor, said law-enforcement
agencies, insurance and financial institutions can also get full
Social Security data through LexisNexis's service. But even if a
potential customer is in the right industry, he said, they are
screened to ensure they are legitimate.
Privacy experts say that in addition to raising questions about how
well personal information is protected, the disclosures indicate an
extreme overuse of Social Security numbers for identification.
"It has become the default identifier" for many commercial businesses,
banks and Web sites, said Ari Schwartz, associate director of the
Center for Democracy and Technology, a Washington group that studies
digital rights and privacy issues.
When personal information is compromised, a Social Security number can
be used as a tool for identity theft.
Many privacy advocates have urged businesses to create unique
identification numbers for customers to use.
"The reliance on the Social Security number has created a false sense
of security for businesses and a source of vulnerability for
consumers," Schwartz said.
Copyright 2005 The Washington Post Company
NOTE: For more telecom/internet/networking/computer news from the daily
media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra . New articles daily.
*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance Washington Post Company.
For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml
Marcus Didius Falco (falco_marcus_didius@yahoo.co.uk)