The Data Racket

Recent identity thefts highlight loopholes in the Privacy Act.

There's a certain sting that comes from being beaten at your own game, and no doubt ChoicePoint, the nation's biggest collector of personal information, is smarting from it right now. In February, the company acknowledged that a ring of Nigerian identity thieves had gained access to about 145,000 personal records in its vast data stores by posing as small business owners interested in market research. For a company that built its reputation-and a profitable business-on rooting out fraudsters from job applicant pools and alerting insurance companies to scam artists, the irony is all too painful.

Federal agencies have never been ChoicePoint's most lucrative clients-government business reportedly accounts for about 10 percent of annual revenues-but they're certainly among its most important. The FBI, the Homeland Security Department and a number of undisclosed intelligence agencies rely on ChoicePoint's data-and its analytic methods-to track down criminal suspects, discover hidden assets and find out whether individuals deemed a threat to national security have actually taken up residence in the United States. ChoicePoint can answer questions like this because it owns about 19 billion records on just about every adult in the country. That's about 65 times as many pieces of information as there are people living in the United States.

"While others merely sell data, ChoicePoint creates solutions that unite information with the most sophisticated technology available," one of the company's public sector marketing brochures attests. ChoicePoint proved its sleuthing prowess in 2002, when it used public records to help investigators capture the deadly Washington-area snipers. It was proof positive of ChoicePoint's best selling point-it knows more about people than the government does.

Uncle Sam relies heavily on the company's services-and those of other data aggregators, such as LexisNexis and Acxiom-because federal agencies are legally barred from doing what ChoicePoint does. The FBI can only keep tabs on individuals suspected of a crime or connected to an investigation. Intelligence agencies can't monitor people in the United States without clearance from federal judges. ChoicePoint has fewer restrictions. It mines public tax filings, property records, car registrations, insurance claims, criminal records and marriage licenses-to name a few sources-and builds personal profiles.

The government has a ravenous appetite for those profiles and other data analysis that it can't legally perform, and ChoicePoint has zealously marketed its strengths. A series of documents obtained by the Electronic Privacy Information Center, a watchdog group, shows that the company prepared exhaustive lists of the kinds of information it could access on the government's behalf, including Internet and e-mail accounts, drug test results and known addresses. An internal FBI memo, which EPIC also obtained, says that the bureau was "thrilled" to have secured the services of ChoicePoint and two of its competitors, LexisNexis and Westlaw, as part of its Public Source Information Program, launched more than five years ago.

Under the heading "What is ChoicePoint," the memo's author (whose name is redacted), writes, "Want to find anyone fast? This is your database. . . . You can locate addresses, companies, properties, vehicles, associates, phone numbers, relatives and more." The author notes that "over 5,000" FBI officials already are using ChoicePoint.

This enthusiasm for ChoicePoint and others' data reflects just how badly the FBI wants, needs and appreciates access to information. And to be sure, even ChoicePoint's critics say that the company provides a necessary service. "There's a place for ChoicePoint and contracts with them," says Chris Hoofnagle, EPIC's resident expert on the firm. But he fears that by using ChoicePoint, the FBI has found a loophole in the privacy laws and that there are few, if any, means to ensure that government agencies aren't misusing the personal information they buy.

And therein lies the troubling question that ChoicePoint's recent security breach raises: If the company couldn't monitor a small group of supposed businesspeople using its products, what confidence can the public have that ChoicePoint is scrutinizing how the government uses its data? Privacy laws limiting government's collection capabilities are built on a foundation of mistrust. If you let agencies collect citizen information unchecked, the logic goes, then they will abuse the power such knowledge accrues. Indeed, it was a series of illegal investigations by the FBI that prompted the 1974 Privacy Act. But that law never envisioned that a corporation would assume official-like powers. Indeed, the law was enacted to prevent personal information from falling into nefarious hands, which is precisely what happened with the ChoicePoint records theft.

"The Privacy Act was meant to prevent a federal citizen data center," Hoofnagle says. "And now ChoicePoint has created that data center and the government simply buys information from it. . . . I don't think that's the outcome [lawmakers] had in mind in 1974."

ChoicePoint wants the public, and investors, to take its commitment to privacy seriously. So, in March, it hired Carol DiBattiste, the deputy administrator of the Transportation Security Administration, as its new chief credentialing, compliance and privacy officer. DiBattiste will lead an independent office in Washington, overseeing "improvements in customer credentialing processes," ChoicePoint said in a statement, which means keeping a closer eye on who's buying the company's information.

But putting stronger controls to work could require some fundamental changes to ChoicePoint's corporate ethos, which has been built on pleasing, and trusting, its customers. Company officials declined a request to comment on their work for the government. But in an interview with Government Executive a year ago, Jim Zimbardi, ChoicePoint's vice president of strategic sales, considered this hypothetical scenario. Say a U.S. intelligence official presented a list of 5,000 names and said, "We can't tell you why we need to know about these people, but we need to know everything you have." Would ChoicePoint comply and take the government's word that the search was warranted? Without hesitating, Zimbardi said, "Yes."