In the autumn of 2003 I received a telephone call from a collection agency named the Mercantile Adjustment Bureau, which is located in Rochester, New York. It soon became clear that while the man they were interested in had the same last name as mine, our first names were different. Indeed, the man in question, who had an apartment in the building I live in in New York, was not unfamiliar to me. I had received other calls along these lines and was able to discover that he was using his wife’s name in his telephone account and had apparently given out my name and telephone number to a creditor.
The man from the collection agency said that he could find out who was living in any apartment in my building because of a computer program he had, and, indeed, he confirmed my story. When I expressed admiration for his program he noted that he could also tell me my Social Security number. At this point the conversation took a different tone and I insisted on knowing how he had gotten that information. He told me that he had obtained my number from Accurint, a subsidiary of a Boca Raton company called Seisint.
This was worrying. If someone has your Social Security number, you run the risk that he or she may use it for a variety of illegal purposes. For example, since Social Security numbers are now a common form of identification, someone can use your Social Security number and his or her own name to establish credit, with the result that the credit of the legitimate owner of the Social Security number is jeopardized when the fraud is discovered. The company granting credit may then track down your identity and report it to a credit agency. This is one of the reasons why people are advised to verify that there are no unexpected changes in their credit ratings. In June 2004 the Salt Lake Tribune reported:
Making purchases on credit using your own name and someone else’s Social Security number may sound difficult—even impossible—given the level of sophistication of the nation’s financial services industry…. But investigators say it is happening with alarming frequency because businesses granting credit do little to ensure names and Social Security numbers match….
A Web search revealed that Seisint was founded by a former drug smuggler named Hank Asher. In 1982, he flew seven loads of cocaine in his private plane from Colombia to Florida before retiring. He began a new career by inventing a computer program that, given a street address, could locate every vehicle registered to that address. He next created a program called AutoTrack which could take bits of information such as your home address and come up with information on drivers’ licenses.
Some time later he founded Seisint. He remained on the board of the company until 2003, when his drug smuggling past was exposed and he was forced to sell his shares. But Seisint and Accurint are thriving. Indeed, Accurint’s Web site offers to sell you various kinds of information about other people: addresses, Social Security numbers, and business connections, among other things. These can be used for dozens of different purposes, ranging from confirming information that is already on the record to illegally making someone responsible for someone else’s debts. Accurint even offers to make a free trial search if you fill out a form, most of which concerns methods of payment to Accurint. In addition, you are asked to show that you represent some sort of business that has a need for information. Looking at this form one might conclude that it was easy to claim to represent a business, and then use the information from Accurint for one’s own purposes.
I immediately called Accurint and was told that if I had a complaint I should put it in writing, which I did. Then the “privacy officer” of Accurint, Helen G. Foster, replied that they would not remove the information that they had about me from their system. She inquired if the information they had about me was incorrect. I wrote her that I had no idea since I did not know what information they had. I added that this was beside the point. Accurint had no business having any private information. Indeed, I wondered if its activity was legal.
To understand my concern we have to review the history of Social Security numbers.* When these numbers were created in 1936, they were to be used exclusively by the federal government to track earnings in order to assess Social Security taxes. Until 1972, Social Security cards were issued by local Social Security offices. The first three numbers were determined by the state in which the office was located. Since 1972 the cards have been issued from a central location in Baltimore and the first three numbers are related to the zip code supplied by the applicant. Generally speaking, people on the East Coast have the lowest numbers and people on the West Coast the highest. The next two numbers, called the “group number,” are related to their regions within the state. Only the last four numbers are randomly generated. In 1961, the Congress authorized the Internal Revenue Service to use the numbers for tax identification. Until 1992 the Internal Revenue Service was printing Social Security numbers on the envelopes it sent to taxpayers. A case, Ingerman v. United States, was brought against the Internal Revenue Service to put an end to this practice, which the Internal Revenue Service won. But they stopped showing the numbers anyway.
The basis of this case was the so-called Privacy Act of 1974, a law that was primarily intended to stop the practice of a government agency’s demanding Social Security numbers and denying rights or privileges when people refused to give them. But it did not, apparently, make the piracy of Social Security numbers illegal. The law was revised in what is known as the Gramm-Leach-Bliley Financial Modernization Act of 1999, a convoluted measure that seems to have been designed to protect companies like Accurint from being regulated. It applies, among others, to non-bank mortgage lenders, loan brokers, tax preparers, and debt collectors, but not to companies that sell information about private persons.
If I have read the act correctly, what the Mercantile Adjustment Bureau did to obtain my Social Security number was legal. But the man I spoke to acted illegally when he told me my number over the phone without properly identifying me in the first place, since he had no idea who I was, and I had no debts he could want to collect. Still the act gives Accurint the right to sell the data about me to the collection bureau. Some states have taken steps to discourage such sales. For example, Arizona no longer allows its major universities to use Social Security numbers as student identification and New York and West Virginia have similar statutes.
This does not really address the matter of selling information about private persons without their permission. What about Florida? Here the relevant statute seems to be “119.0721 Social Security number exemption.” Paragraph 3 contains the sentence:
An agency shall not deny a commercial entity engaged in the performance of a commercial activity as defined in s.14.203 or its agents, or contractors access to social security numbers provided the social security numbers will be used only in the normal course of business for legitimate business purposes….
I am not a lawyer, but Accurint claims that this law gives it the right to obtain and sell Social Security numbers.
On Saturday, March 5, The New York Times reported that the commercial data broker ChoicePoint had had its data base raided by thieves posing as legitimate businesses. At least 145,000 American consumers had had private information about themselves revealed to people who could use it for a variety of unauthorized purposes. Worse still, ChoicePoint kept this break-in secret for five months. Testifying about Social Security numbers before Congress on March 15, Derek V. Smith, the chief executive of ChoicePoint, said, “There are certain circumstances where the sale of those numbers are, in fact, in the consumer’s best interest.” He did not say which circumstances, or what interest.
And what about Accurint? It has now been sold to LexisNexis, one of the largest providers of information in the US. On March 10, according to The New York Times, it had been broken into, with the result that the private information on about 30,000 people was now in the hands of thieves. LexisNexis has announced that anyone whose information was stolen will be able to obtain free information on their own credit status for one year. Most of us don’t want credit reports; but those who do might more appropriately get free credit reports for a lifetime. What will LexisNexis do if someone’s identity is used illegally because of this break-in?
I grew up in Rochester. For old times’ sake I called the Mercantile Adjustment Center there. I asked the man I spoke to if the company was still using Accurint. “You bet,” he said. I asked if he had heard about the break-in. He seemed genuinely surprised. LexisNexis claims that it is going to send out letters about it, and I wonder if the Mercantile Adjustment Center will get one. I asked if they still had my Social Security number on file. He checked his data base and said no. If he was telling the truth, it still could have been stolen before it was deleted. If you have any hope, under present laws, of keeping your Social Security number and much other personal information private, forget it.
April 28, 2005
A very useful source of information is the Web site for the Electronic Privacy Information Center. ↩