copyright notice
link to published version: IEEE Computer, May, 2014


accesses since March 31, 2014

PII, THE FTC, CAR DEALERS, AND YOU

Hal Berghel


Personally identifiable information (PII) is among the most digitally delicate data and deserves maximum government protection. So why isn’t it better protected? Here are some thoughts on the matter.


Science Fiction writer Robert Heinlein is said to have remarked that privacy laws only make the bugs smaller. This remark abounds in pith. At a practical level, the cornucopia of surveillance gadgetry confirms its validity. But most of all, this observation belies the painful truth that there's really no end to the potential abuses to personal privacy by corporations, criminals, and governments.

The most sensitive information about us is labelled personally identifiable information, or PII. While there are many definitions and contexts in which PII may arise, we will consider it to be information that may be used, either independently or collectively, to identify, contact, or locate a unique individual. (cp. http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf ). I'll discuss some historical causes of vulnerability of PII and suggest some tactics for minimizing your PII footprint.

The FTC and Mission Slip

We live in a world where good ideas get so corrupted by politicians that it's often hard to recognize the original intent from the result. Such is the case with the National Do Not Call Registry that was specifically drafted with loopholes to accommodate political robocalls, not-for-profit solicitations, unsolicited contact by surveyors and pollsters, and “follow-up calls,” – all to benefit special interests. The goal of preventing the use of a public communications infrastructure for unwanted, bothersome nuisance communications somehow got lost in the Congressional debate. This process of accommodating political interests at the expense of the public has become so widespread at this point that it's become laughable. The CAN-SPAM Act has come to be known as the “You-Can-Spam Act” in some circles, and the Junk Fax Prevention Act is called the “Junk Fax Protection Act.” Incidentally, these three relevant federal statutes have two things in common: they were products of the George W. Bush presidency, and they never worked as envisioned.

In plain terms, these statutes were a product of a dysfunctional Congress and a Federal Trade Commission (FTC) that has lost much of its consumer and citizen advocacy stamina during the past thirty years of deregulation frenzy. At this point, even the well-intentioned FTC is hamstrung by the business lobbies, anti-regulationists who think of consumer protection as regulatory overreach, and a leadership selection process that is inherently partisan. Like many of you, I have developed a daily routine around separating myself from unwanted faxes, email, text messages, and telemarketing – all of which are explicitly illegal under these federal statutes, and all of which could be trivially prevented with current technology and a pro-active government. And yet, like the Nigerian 419 scam, the intrusions into our privacy won't go away.

And I don't blame the FTC. It is between a regulatory rock and a pro-business hard place. Despite their worthy aspirations, they lack both the manpower and political independence to remain effective beyond the periphery of their mission. I call this “mission slip.” Their notable accomplishments, like suing LifeLock for false advertising ( http://www.ftc.gov/news-events/press-releases/2010/03/lifelock-will-pay-12-million-settle-charges-ftc-35-states ) or security company ADT for failing to disclose that their “expert witnesses” were paid endorsers ( http://www.adweek.com/news/advertising-branding/ftc-busts-adt-failing-disclose-paid-endorsers-156146 ), tend toward the inconsequential , and are noteworthy for minimal penalties to organizations and corporations which can't bite back. Don't expect aggressive prosecution of multi-billion dollar multi-level marketers, financial institutions that are too-large-to-regulate, stakeholder media interests, or energy or communication oligopolies with a strong base of support and endless legal resources. The Sherman and Clayton Antitrust Acts won't be able to rely much on the FTC: trust busting is no longer in the FTC's vocabulary!

One may derive some sense of how the FTC rolls these days from a September 24, 2013 speech by one of the Republican Commissioners ( http://www.ftc.gov/sites/default/files/documents/public_statements/ftc%E2%80%99s-role-shaping-antitrust-doctrine-recent-successes-and-future-targets/130924globalantitrustsymposium.pdf ). Note that the recent antitrust successes mentioned were FTC v. Phobe Putney Health Systems that challenged a Georgia immunity doctrine for a small hospital authority, and FTC v, Actavis that challenged a “reverse payment” settlement between small brand and generic pharmaceutical companies. The health care industry and big pharma won't quiver over these cases.

So, look for the future FTC to weigh in on matters relating to teeth whitening, nutrition, and the most outrageous deceptive advertising. The FTC has done little of late to impede the concentration of ownership in industries from healthcare to food processing to the financial sector to big pharma to big oil. You can see why that is in the FTC's most recent merger and acquisitions guidelines ( http://www.ftc.gov/sites/default/files/attachments/merger-review/100819hmg.pdf ).

BLACK BOXES, ORANGE BOXES, AND CAP'N CRUNCH REVISITED

As an aside, our statutes actually created a cottage industry for lame technologies such as caller-ID and special information tone (SIT) generators that used in-band technology to detect and circumvent telemarketing. These technologies were as ineffective as the statutes they sought to reinforce. Caller-ID was rendered largely ineffective by caller-ID spoofing (which, incidentally, remains in use in the current IRS phone scam - http://money.cnn.com/2014/03/20/pf/taxes/irs-phone-scam/ ), and SIT tone generators were simply ignored by nexgen predictive dialers. Now that the telcos have moved to the newer, packet-based SS6 and SS7 protocol suites, the criminals can be counted on to use modern, packet-based hacking tools. Attempts to use simple technological tricks to thwart telephony scams will never work - criminals will always find a new, son-of-blue box, orange box, or Cap'n Crunch whistle to circumvent telco technology. For a good overview of modern digital telephony and the next wave of vulnerabilities introduced therewith see https://www.blackhat.com/presentations/bh-europe-07/Langlois/Presentation/bh-eu-07-langlois-ppt-apr19.pdf and https://www.youtube.com/watch?v=yK19yXYlFOY .

This game of technology leap frog could be avoided by closing the statutory loopholes demanded by the business lobbies and written into the statutes by a beholding Congress combined, some consumer-friendly telco refinements, and a few rounds of aggressive enforcement. On the telco-side personalized call-blocking by individual source at the handset would be a great start. Complimentary subscription to call-blocking blacklists would serve modern telephony as well as spam and web blacklists serve the Internet. These things are not implemented because they're expensive or complicated, but because they would incur the wrath of special interests.

JUST SAY “NO!”

So that's the federal backdrop against which the vulnerability of our PII must be placed. As a consequence of the feckess legislation and uncooperative telcos, safeguarding is pretty much left to us.

As a starting point, there are online federal ( http://www.consumer.ftc.gov/articles/0272-how-keep-your-personal-information-secure ), and NGO ( http://www.bbb.org/us/storage/0/Shared%20Documents/secure%20your%20id%20day/everyday%20habits.pdf ) resources, but they tend to make fairly obvious and ineffectual recommendations. A better online source is Robert Ellis Smith's Privacy Journal ( http://www.privacyjournal.net/bio.htm ) – a resource that I recommend without reservation. In addition, I offer the following modest embellishments.

When your Social Security number is requested, get in the habit of saying “no.” Don't give it out, period! Your physician, health insurance company, landlord, lawyer, and car dealer have no compelling legal reason to even ask for it – or your mother's maiden name, place of birth, or sexual history for that matter. Federal law only requires the use of Social Security numbers for use by selected federal agencies like the Social Security Administration, the Internal Revenue Service, and Medicare. That said, if your doctorrefuses to serve you without it (they build as complete a profile on you as they can to ensure payment), tell him to put his stethoscope where the sun don't shine and find another physician.

But let's go one step further. For your own protection, don't have your Social Security number (and especially not your card) on your person unless legally required to present it. Social Security cards belong in safe storage with your other important papers. Government agencies move in geological time anyway, so you'll likely have plenty of time to fetch your documents from a safe deposit box. Everyone who needs to know the number either already has access to it or can confirm it through the SSA directly if so authorized.

And while we're at it, don't have anything on your extended person (including mobile technologies, cars, offices, lockers) that has your physical address on it. If criminals separate you from personal property, and like what they got, you don't want to incentivize them to return for more. Progressive states have allowed the use of P.O. Box addresses on auto registrations, driver's licenses, and IDs for many years. The last time I looked into this, only a few states were hold outs. You can find out by which direction your state faces history by calling local law enforcement. Follow this theme, so that criminals can't use your possessions to find you. And it goes without saying that mobile devices should have minimal contact information out of respect for the PII of your contacts.

I continue to be surprised how many people have entered their home address for “home” on their GPS. Use a convenient building or cross street a few miles from your home to return-navigate on long trips. If you can't find your way home from the nearest post office or shopping mall, you may want to consider a designated driver. Needless to say, your contact information in public registries (e.g., telephone books and online directories) should refer to post office boxes and, whenever possible, answering services or machines. I also recommend using email aliases or forwarding services for all public disclosures of your email address together with a munge of your email address to make it more difficult to harvest from online directories with screen scraping software. The munge doesn't have to be terribly fancy – throw in random spaces, corrupt the spelling of “at”, use “period” or “dot” instead of periods, etc. “h lb –a*t*-- com pu ter __dot--org” works fine for me. Screen scrapers harvest the lowest hanging fruit – they typically do not employ computationally expensive parsers to re-construct email addresses from munge. They get enough email addresses using simple algorithms.

Use the onion routing service, TOR, for web access whenever possible, and track the status of anonymizing email services. The more popular email anonymizers (TorMail, Silent Mail, Lavabit) closed during Fall, 2013 after a spate of FBI National Security Letters seeking to force ISPs and mail services to reveal contact information of users. If and when these services return, they're worthy of your consideration. I'll have more to say about this in a future column.

Use a manual “cross tear” for all printed media that has your contact information on it. For junk mail, tear the entire envelope through the address field, put the smaller part in the trash and the larger part in the recycle bin – it's the green thing to do. And don't carry a debit card on your person. If you're into plastic, use credit cards that provide fraud protection capability.

CAR DEALERS AS WEAPONS OF MASS INTRUSION

Finally, One of the most offensive and brutish intrusions into PII-space comes from car dealers. Always a handy source for brutish and rude behavior, the digital age has allowed them to deploy weapons of mass intrusion. It is not unusual for them to (1) ask for information from you for which there is no legal justification, (2) sell private information about you to 3rd parties, (3) request of you actions that are against your economic and legal interests, and if that's not enough, (4) misrepresent their product and the laws that govern the transaction. In the best of cases, we would all have an attorney present when we deal with car dealers. Failing that, my final suggestions may provide you with some information that can at least make you aware of the important issues involved.

An automobile is considered "personal property" under the law. In fact it's considered "tangible" personal property in the same class as your watch, your toaster and your pet hamster (vs. "intangible" personal property like stocks and bonds). Under the law, if you own property you are entitled to control its use, benefit from it, sell it, and recover damages if someone else uses/damages it without your permission. In most cases the owner of a car will have actual possession, meaning that he/she will maintain physical control over it. In the simplest case, when a vehicle is bought and sold, the seller transfers a title or certificate of ownership to the buyer. However, the seller cannot sell a better title than he/she has (i.e., the seller can only pass on the right, title and interest that he/she has - which may be nil - so caveat emptor applies.)

In the United States, property rights are determined by the states. Issues like who may own personal property, how different classes of personal property are distinguished, how personal property is taxed, how personal property is secured, how transactions are recorded, and so forth are resolved at the state level. This is important because automobile transactions are regulated by state law. Some car dealers are “creative" with regard to their interpretation to the law, and may seek to impose this creativity on the un-suspecting public.

To give one such example, even if there are no age requirements with respect to the legal age of ownership of personal property, some dealers claim that under law the dealer must retain a copy of the driver's license from all co-owners whose names appear on the bill of sale. You may list your 14-year old as a co-owner of a new car for estate. How could a State reasonably expect that he/she has a driver's license at 14? They may want this information for their records, or to derive income by selling it to third parties, or for some other reason they aren't disclosing to the buyer -- - but no dealer has ever been able to produce a statutory reference for me. Of course, may want to assure themselves that anyone who drives the vehicle away from their lot is of has a valid driver's license for liability reasons, but this a separate issue.

Here's another example. Some car dealers may require the customer to sign a privacy notice that waives their customer's rights to privacy or a loan application form – even for cash sales. There's no legal justification for this, and the car dealer has no reason to expect the customer to agree to it. Industry insiders have suggested to me that there are two main reasons for the use of this form: (1) the dealership is under investigation of has been the subject of complaints regarding their business practices, and they require this signed form so that the customers cannot later sue them for unauthorized use of personal information, and (2) the dealership relies on the income from the sale of personal information to 3rd parties. In either case, this works against the interest of the customer. I would go so far as to recommend that you avoid doing business with any dealership that uses general privacy waivers like this. There are plenty of car dealers.

THE HOUSE OF CAVEATS

I first expressed my concerns about digital invasions of privacy in Computer in January, 2001 ( http://www.berghel.net/publications/c_priv/c_privacy.pdf ). From then to now, things have gone from bad to worse. Unfortunately, when it comes to PII, all of the legal caveats (emptor, venditor, lector, utilitor, …) still apply. The only escape from merchant abuse is eternal vigilance.