Singing the Bite Me Song

« The Dept of Homeland Groping | Main | Drive-Thru Workouts: the new way to go? »

December 10, 2003

ChoicePoint: right in my backyard

Atlanta's Creative Loafing has a story I wished I had researched and written. Wished I had thought of, cuz I love Greg Palast's work on the Florida election, and the removal of felons from the voting roles in both Florida and Texas.

Anyway, look at these links. These stories are great, worth reading in full, worth printing out and reading again. We gotta learn these lessons.


This is no different than the work journalists have done with Open Meetings Law, Government in the Sunshine laws, and the Freedom of Information Act.

The problem here is that journalists are too often technologically inept and woefully technophobic. So I'm here to say to them: "Now cut that out!" Technology isn't hard, so will you just get over this fucking blindspot and resume your watchdog function?!

Adventures in Data-Mining

Big Brothers little helper

How an Atlanta-based company won millions of federal dollars to mine information on Americans in the name of toppling terrorism


Even when he is alone he can never be sure that he is alone. Wherever he may be, asleep or awake, working or resting, in his bath or in bed, he can be inspected without warning and without knowing that he is being inspected. ... Not only any actual misdemeanor, but any eccentricity, however small, any change of habits, any nervous mannerism that could possibly be the symptom of an inner struggle, is certain to be detected. He has no freedom of choice in any direction whatever.
-- George Orwell, 1984.

Visit and you'll see the company's motto -- "Smarter Decisions, Safer World" -- pasted over the faces of children running across a field, or coasting on a swing set, or cuddling a puppy. You'll find promises about how ChoicePoint Inc. upholds the PATRIOT Act, assists in criminal investigations, and serves the needs of the federal government. And you'll read upbeat descriptions of what ChoicePoint does, such as "harness the positive power of information to make smarter decisions in a world challenged by increased risks."

When ChoicePoint talks about "increased risks," it means an event as horrendous as another 9-11. And when it mentions "the positive power of information," it's referring to expansive dossiers the Alpharetta-based company -- one of the world's largest private data miners -- keeps on just about every American.

Are you a little queasy about unwittingly revealing your life's most minute details to a company that sells them to big business and the government? No worries, says ChoicePoint. Privacy, as we once knew it, is a thing of the past.


ChoicePoint's mission is simple. The company amasses oodles of gigabytes of little pieces of just about every American's existence. Some of the information may be public and obvious, like property records or criminal histories. But one might mistakenly consider other pieces confidential or inconsequential, such as DNA samples turned over in a criminal investigation, or responses to a magazine survey asking where you last bought toothpaste, and what brand you chose.

ChoicePoint then packages the pieces for sale -- to employers, insurance companies, direct marketers, state governments and at least 30 federal agencies. Corporate clients buy access to records to investigate job applicants -- or, in the case of the 90 percent of American insurance carriers who do business with ChoicePoint, to determine if an individual seeking car or homeowner's coverage might be a risk. If ChoicePoint shares your records with companies with whom you're seeking insurance or a job, you must first give ChoicePoint permission.

But that's not the case with the government, whose agencies commonly access ChoicePoint's records to aid in criminal or terrorist investigations.

"They are part of this new multibillion dollar industry to record as much information as they can about as many people as they can," says Jay Stanley, of the ACLU's technology and liberty program. "Most Americans have no business relationship with ChoicePoint, aren't really aware that it exists. I think that they would be quite spooked to discover that this company has many dossiers about their private lives."

Piecing together government-sponsored dossiers, particularly on the lives of Americans who aren't suspected of any wrongdoing, is precisely the type of behavior the Privacy Act of 1974 was written to prohibit. There's just one hitch with the 29-year-old law: It merely forbids the feds themselves from building the database. Back in the '70s, Congress wasn't convinced anyone but the government would be inclined to do such a thing.

Lawmakers didn't count on the advent of the Internet, and they failed to foresee that technology would make it a cinch to build what privacy advocates have long considered their greatest fear: a grand, centralized database. The result? What ChoicePoint and other data miners do is perfectly legal.


But with so little outsider access to ChoicePoint's databases, who's to ensure ChoicePoint always stays within its self-imposed guidelines?

For a company built on the idea of collecting information about everyone else, ChoicePoint's practices are surprisingly inscrutable. Even getting a peek at the info ChoicePoint has compiled on you isn't easy. Lee says the company is devising a service to make it simpler to review your own file. But as the self-check process stands, it's discouragingly complicated and mind-numbingly time-consuming for an individual to use ChoicePoint's services. (See "Adventures in Data-Mining," below.)

Digging up the data is a far easier task for ChoicePoint's more privileged customers, such as the Justice Department, the Internal Revenue Service and the Department of Homeland Security. Some federal agencies even have special ChoicePoint sites, where government employees can log on and plug into the company's databases. There's ChoicePoint for the U.S. Drug Enforcement Agency at, for example, and ChoicePoint for the U.S. Immigration and Naturalization Service (which has since been absorbed into the Department of Homeland Security) at

But the public can't access those sites, which means ChoicePoint and its government clients just might know more about you than you know about yourself.


If ChoicePoint were a library, it might be the largest building on Earth. Its computers will soon hold 200 terabytes of information. Compare that to the Library of Congress, whose 18 million books would constitute a mere 20 terabytes. To manage the 17 billion records in its various databases, ChoicePoint employs 4,200 staffers in 70 offices in 28 states and Washington, D.C. The mountain of data that ChoicePoint amassed is headquartered inside two, 200,000-square-foot glass and brick buildings 30 miles north of Atlanta.

The company began as an insurance-claims division of Equifax, the Atlanta-based credit-reporting agency. In 1997, Equifax spun ChoicePoint off with an initial public stock offering. Over the years, the company has attracted a board manned by some heavy, mostly GOP-leaning hitters, including astronaut Frank Borman (who's since left the board) and Home Depot co-founders Bernie Marcus and Kenneth Langone.

The new entity would gobble 42 competitors and complementary companies, all of them gatherers of different varieties of data. The acquisitions ranged from the leading provider of birth, death, marriage and divorce certificates, VitalChek, to the country's largest private DNA forensics lab, Bode Technologies, to a criminal database more voluminous than the FBI's, the National Criminal File.

In less than a decade, ChoicePoint has become a startling financial success. It pulled in almost $800 million in fiscal 2002 revenue. After six years of trading -- mainly in a bear market -- the company's share price has shot up from less than $10 in 1997 to more than $37 last month.

In October, the magazine Business 2.0 listed ChoicePoint as one of the country's 100 fastest-growing companies. The Atlanta Journal-Constitution ranked it Georgia's 10th best-performing business, one slot above Coca-Cola. The newspaper also reported that ChoicePoint CEO Smith was Georgia's second-highest paid chief executive in 2002, taking home $17.4 million in salary, bonuses, stock options and other compensation. Even the chiefs of BellSouth, Coke and Delta earned less; only Home Depot's Bob Nardelli made more.

One key to ChoicePoint's trajectory has been the government's reaction to 9-11. ChoicePoint is among a handful of companies -- including Acxiom and Seisint -- that have jumped at the awesome opportunity to help the feds decrease the risk of another terrorist attack. Indeed, while the rest of the market plummeted, ChoicePoint's stock was on the rise in the weeks after the Twin Towers fell.


The company's various databases have come in handy in several high-profile tasks. After 9-11, ChoicePoint's DNA lab, Bode Technologies, received thousands of fragments of human remains -- mostly bone -- and matched the fragments' DNA to DNA lifted from toothbrushes and combs provided by the victims' families. When District of Columbia and Virginia police suspected that a sniper was operating out of a white van, ChoicePoint, using a massive registry of motor vehicle records, was able to provide a list of all white vans registered to residents in the vicinity of the shootings.

ChoicePoint even claims that had the government taken advantage of its airline passenger screening capabilities prior to 9-11, the 19 hijackers might never have boarded four planes.

But ChoicePoint's work also has revealed the inherent trouble posed by collecting massive amounts of personal information. Not only can mistakes be made but basic American rights can be jeopardized -- the right to vote, the right to be free from unreasonable searches, and the right not to be investigated on the government's whim.

The search for the white van, which proved not to be the vehicle used in the sniper attacks, doubles as a good example of how uses of certain information can violate privacy.

In September, ChoicePoint Chief Operating Officer Douglas Curling told a group of investors gathered at the company's headquarters: "We are the largest purchaser of data from the state," adding that he knows of no other company "that spends almost $500 million a year buying motor vehicle records and driver histories from the 50 states."

Four months earlier, however, the company had been slapped with the second of two class action lawsuits alleging violations of the federal Driver's Privacy Protection Act, according to ChoicePoint's filings to the Securities and Exchange Commission. "The complaints allege that the Company has obtained, disclosed and used information obtained from the Florida Department of Highway Safety and Motor Vehicles in violation" of the law, the SEC filings state. A similar lawsuit was filed two months later, in Louisiana.

ChoicePoint denies the allegations in all three complaints.

But the allegations sound a lot like those recently raised in Georgia against a ChoicePoint competitor. At issue was an interstate crime-fighting database, developed by Florida-based Seisint and called, appropriately enough, MATRIX (the Multistate Anti-Terrorism Information Exchange).

In October, Gov. Sonny Perdue and state Attorney General Thurbert Baker pulled Georgia motor vehicle records out of MATRIX. "I have held serious concerns about the privacy issues involved with this project all along," according to an Oct. 21 press release by Perdue, "and have decided it is in the best interest of the people of Georgia that our state have no further participation."

But what about ChoicePoint? Both it and MATRIX supply motor vehicle records (among other data) to state and federal law enforcement agencies. Why haven't the governor and state attorney general addressed the possibility of privacy breaches by a data collector in their own back yard?

There's a difference between the two companies, according to ChoicePoint's Lee, and it lies in the ways they store and release information.

With Seisint's creation of MATRIX, he says, "there was no actual requirement to have an ongoing police investigation before you could do a query." ChoicePoint, on the other hand, requires that there be a relevant, open investigation before its databases are searched.

And while the MATRIX database is one big pool of motor vehicle records voluntarily turned over by the states and accessible, without restriction, to each state and the feds, ChoicePoint only sells the right to search for what's needed in an investigation, and the company doesn't pool its data.

"Regardless of the source, if [the data] comes in for a specific purpose, that is the only purpose for which it can be used," Lee promises. He says that's true of every type of record ChoicePoint amasses. "It will not be co-mingled with other data. The background check information cannot be loaded in to the law enforcement database. The law enforcement information can't be used for hiring purposes. There are Chinese firewalls between all of these products. There's not even the possibility of an inadvertent cross-sharing of information."


Another Justice Department document, a memo titled "Guidance Regarding the Use of ChoicePoint" sent from the FBI's legal office to its National Security Division, states that the feds are to gather intelligence using "the least intrusive means." The memo, parts of which are heavily blacked-out in "the interest of national defense or foreign policy" states that "an individual does not have a reasonable expectation of privacy in personal information that is made publicly available by others."

Privacy advocates argue otherwise. When it comes to the definition of information "made publicly available by others," Chris Hoofnagle, an attorney for the D.C.-based Electronic Privacy Information Center (EPIC), claims public records taken out of their original context and lumped together are no longer "public" at all -- especially if only select customers can pay to see them.

"What [ChoicePoint] does is go out there and collect something that is free and public for good reasons," Hoofnagle says. "And they've twisted these beneficial collections of information into private and more dangerous purposes."

In other words, an individual record on file at the county courthouse showing how much you borrowed to buy your home should be available -- to the tax assessor or a nosy neighbor or whoever else feels like trudging down to the courthouse to dig it up.

But to give that record a new home, alongside the make and model of your car, every lawsuit filed by or against you, all your recent traffic tickets, the names and ages of your children, and any crime with which you've ever been charged, is to morph it from a benign court document into a crucial component of an unauthorized dossier, Hoofnagle claims.

Lee, of course, doesn't see things EPIC's way. "That's their view of the world," he says. "They're certainly welcome to that."


With only ChoicePoint and the FBI privy to who's being searched and under what circumstances, however, who's to control -- or even see -- what the government sees?


In August 2002, at a conference for the military's Defense Advanced Research Projects Agency in Anaheim, Calif., retired Adm. John Poindexter laid out his vision for protecting America against the threat of future terrorist acts. Despite his role in the 1980s Iran-Contra scandal, Poindexter had recently been named director of the government's new Total Information Awareness project.

"I think the solution is largely associated with information technology," Poindexter said. "We must become much more efficient and more clever in the ways we find new sources of data, mine information from the new and old, generate information, make it available for analysis, convert it to knowledge, and create actionable options."

Poindexter's ideas and the project he oversaw were among the most radical of the government's proposals in reaction to pre-9-11 intelligence failures. So it should come as no surprise that both Poindexter and TIA quickly raised some serious questions.

When new technologies develop, will politicians and the public have the gusto to ensure that the technologies' uses won't invade privacy? When emotions are cooked by an event of 9-11 magnitude, can one distinguish between the need to jack up intelligence-gathering skills in order to prevent another calamity, and the temptation to succumb to the kind of paranoia that heralds Big Brother?

In the case of TIA, the answer was a firm yes. Congress quashed funding for TIA before it got off the ground. Even after the name was changed to Terrorism Information Awareness, the program couldn't shake the stigma of an Orwellian police state. Soon after the speech in Anaheim, Poindexter resigned as TIA director.

But not all surveillance experiments are as hyperbolically named as Total Information Awareness, nor is it the norm for a mad admiral in the bowels of the Pentagon to be running the lab. The distinction between too little privacy and too much security is seldom so obvious.

The Constitution doesn't guarantee privacy, per se, but it does guarantee the right to be protected against unreasonable searches. Over the years the Supreme Court has equated that right to a guarantee of privacy.

But the meaning of an unreasonable search is in constant flux. In the 1970s, when the Privacy Act was drafted, there could be no unreasonable search carried out with the aid of the Internet. There was no Internet.


Among ChoicePoint's top officers, the PATRIOT Act is a reverent topic. The law makes it easier to deeply investigate individuals, presumably in the name of terrorism. But not only in the name of terrorism.

"I think that the opportunities that we have, whether they're in ... the PATRIOT Act or other areas are probably clear to us now," COO Curling told investors in September 2003.

Curling went on to say that ChoicePoint had received $10 million in Homeland Security funds in 2003, on top of $20 million the year before. During a conference call two months earlier, he told financial analysts: "Our success has been, and probably will continue to be, in taking the core competencies of ChoicePoint and finding opportunities to apply those in governmental or Homeland Security initiatives."

With that, Curling may have ushered in a new sort of Total Information Awareness: a centralized government database in corporate database clothing -- Poindexter's dream, privatized.


"The question is whether [federal surveillance programs] can be sneaked in," the ACLU's Stanley says, "in the shadows, when nobody's looking."

The list of Florida's erroneously purged voters, for example, almost dodged the light of day -- except that Palast, an American ex-pat working for the British media, broke the story.

Palast says he suspects that what almost went unnoticed in Florida does go unnoticed elsewhere, especially when it involves the federal government. Of course, he has no way of knowing for sure. "Ultimately, I was able to crack the system in Florida and get at the records," Palast says. "I can't with national security."


In July, Sen. Ron Wyden, D-Ore., introduced the Citizens' Protection in Federal Databases Act, which would require federal departments to report to Congress their use of private databases.

"Risks to personal privacy are heightened when personal information from different sources, including public records, is aggregated in a single file and made accessible to thousands of national security, law enforcement and intelligence personnel," says the bill, currently hung up in the Senate Judiciary Committee. "The Federal Government should be required to adhere to clear civil liberties and privacy standards when accessing personal information."

EPIC and the ACLU are backing the legislation, and EPIC's Hoofnagle calls it "one of the better bills out there."


ChoicePoint's hope for the future is to take data collection off the paper trail -- off the electronic paper trail, even -- and into the realm of biometrics.

Loosely defined, biometrics is a way of identifying individuals by their biological features, including fingerprints and DNA, as well as scans of our retinas, our facial bone structure and even the way we walk.

Hints about ChoicePoint's current biometrics experiment have surfaced in a federal lawsuit filed against the company in January. In the complaint, a New York technology consultant firm, International Biometric Group, is suing for breach of contract and violation of trade secrets.

According to court documents filed in U.S. District Court in Atlanta, ChoicePoint allegedly is $660,000 behind in payments for a "programming code for storing and transmitting biometric data ... that would result in the creation of central biometric authority." The complaint also states ChoicePoint has been providing access to technology, developed by IBG, that's "not commonly known to the public."

One privacy advocate says his reading of the lawsuit leads him to believe ChoicePoint might hold a clandestine contract with the FBI.

"It appears as though ChoicePoint has a contract with the criminal investigative division of the FBI that is so secret that they won't even tell us the contract number," says EPIC attorney Hoofnagle. "The FBI contract could deal with the issue of biometrics."

But according to Lee, ChoicePoint's biometrics project is not as cryptic as the complaint makes it seem. He says ChoicePoint's biometrics lab, Bode Technologies, intends to develop technology that will allow businesses to verify employees' identities using fingerprinting or some other biometric in the short term, DNA down the road. It will be a long while before DNA biometrics gets off the ground. "The usage of DNA and the acceptance of DNA," he says, "is one of those far-into-the-future applications."


Already, some U.S. airports have installed face-recognition systems programmed to find fugitives. The ACLU has expressed concern about technology allowing cell phone providers to receive signals tracking their clients' every move. Stanley, at the ACLU, says he's also concerned that private companies may be poised to record and sell buying patterns, or even an individual's every credit and debit card purchase.

"The fact that somebody has on record that you went to the Gap on Oct. 10, 2003, and bought a sweatshirt is not a big deal," Stanley says. "But that's like one pixel. When you start to put together every single purchase you've ever made and everywhere you've traveled and your educational records and your financial records ... it's like putting all those pixels together into a very high-resolution image of how you live your life."

If your exact location could be revealed by your cell phone, would you start thinking twice about where you go? Would you quit carrying the phone? If your purchases were monitored, would you reconsider what you're buying? Would you carry cash instead of plastic?


About his protagonist in 1984, Orwell writes: "He knew in advance what O'Brien would say. That the Party did not seek power for its own ends, but only for the good of the majority. That it sought power because men in the mass were frail cowardly creatures who could not endure liberty or face the truth, and must be ruled over and systematically deceived by others who were stronger than themselves. That the choice for mankind lay between freedom and happiness, and that, for the great bulk of mankind, happiness was better."

December 10, 2003 at 12:54 AM in Privacy & Free Speech | Permalink


TrackBack URL for this entry:

Listed below are links to weblogs that reference ChoicePoint: right in my backyard:


The comments to this entry are closed.