The Implications of ChoicePoint for Those Outside the U.S.
posted by:Marcia Hofmann // 04:16 PM // March 01, 2005 // ID TRAIL MIX
It was reported earlier this month that ChoicePoint -- a U.S.-based company that maintains massive databases of information about individuals -- sold personal information about tens of thousands of Americans to identity thieves posing as legitimate businesses. As more information about the ChoicePoint sale became public, the number of individuals potentially affected climbed to nearly 150,000. ChoicePoint, which first learned of the problem four months ago, responded by characterizing itself in a press release (which has since been removed from its web site) as the victim of "a fraud committed against us." The company noted that "the incident did not involve any of ChoicePoint’s customer information" -- that is, information about the corporations and agencies that purchase consumers' information from ChoicePoint. "Nevertheless," ChoicePoint continued, "this is a serious issue which ChoicePoint is addressing aggressively."
The story has continued to unfurl for two weeks. Just yesterday, a news report said that ChoicePoint has been sued no fewer than eleven times since 2000 for illegally making available personal information protected by law, as well as for selling incorrect personal information to insurers and potential employers.
News of ChoicePoint's actions is certainly troubling to those in the U.S., most of whom are continuously affected by what the company does with their information. But why should anyone outside the U.S. care about this company or what it does? Because ChoicePoint does not maintain information solely on U.S. citizens. Through the U.S. Freedom of Information Act, EPIC learned (pdf) in April 2002 that the former U.S. Immigration and Naturalization Service, now part of the Department of Homeland Security, had purchased personal information from the national ID databases of several Latin American countries. The documents showed that ChoicePoint had a contract with the agency to provide citizen registry, motor vehicle, and other information about residents of Brazil, Argentina, Mexico, Columbia, and Costa Rica. Another set of documents obtained by EPIC from the INS revealed (pdf) that ChoicePoint offered the agency unlimited direct access to international databases for a $1 million fee. It is unclear how extensive ChoicePoint’s international databases are, or which countries' citizens are included in them. However, the ChoicePoint documents obtained by EPIC show that as of 2001 the company had partnerships that extended its reach into Latin America, Europe, and the Pacific Rim.
Those outside the U.S. should also know that ChoicePoint has its figurative fingers in many, many figurative pies. Washington Post journalist Robert O'Harrow reported in January that ChoicePoint currently provides "actionable intelligence”"to more than 50,000 corporate and government clients. On the government side, ChoicePoint provides services to 35 local, state, and federal agencies in the U.S., including the Federal Bureau of Investigation, Central Intelligence Agency, Drug Enforcement Administration, and, of course, the former INS. These are agencies that make critical, life-altering decisions every day about Americans and non-Americans alike -- and they rely on ChoicePoint's data to do it.
ChoicePoint has been mentioned in the press often since the company's debacle became public. The media often omits the important fact, though, that ChoicePoint isn't the only company of its type. There are other mammoth information conglomerates -- including Acxiom and LexisNexis -- that combine to create a full-blown industry of data dealers.
This industry has very little obligation to the people about whom it sells information, regardless of their nationalities. Such companies are generally not covered by the Privacy Act of 1974, which regulates how government agencies collect and maintain personal information about Americans and permanent residents. In the absence of any comparable regulation, data brokerage companies are generally free to use American residents' personal information in ways that the U.S. government legally can't. Non-Americans who aren’t permanent residents strike out altogether -- they have no rights in personal information maintained by the U.S. government or data brokers.
Despite its lack of accountability, the information brokerage industry provides a number of services to the U.S. government, often in high-stakes contexts involving law enforcement or homeland security. In particular, the data industry is becoming increasingly involved in verifying and authenticating individuals' identities, the service ChoicePoint CEO Derek Smith has called his company's "core competency."
When data from information brokerage companies contribute to law enforcement or homeland security decisions, erroneous information is uniquely situated to impact a person's life and liberty. This danger becomes more serious as the government increasingly depends on the data brokerage industry to verify identities and help determine how threatening people are, or how risky it is for the government to trust them.
ChoicePoint has already been sued by a job applicant passed over for a position when his potential employer paid ChoicePoint to conduct a background check and learned that the applicant was a convicted felon when the applicant had, in fact, never been convicted of a felony. This scenario is bad enough.
It will be another matter when a foreign visitor can't enter the United States because inaccurate information from ChoicePoint or another data broker triggers suspicion that the visitor may be dangerous or otherwise untrustworthy. Suppose the visitor loses the privilege to ever enter the U.S. Suppose the visitor tells the U.S. government that a mistake has been made and asks to see the information on which this decision was based. Suppose the government refuses to disclose the information because it contributed to a decision involving homeland security, and because the U.S. government has no legal obligation to allow visitors to see the information it has about them. Suppose the visitor's only recourse is to prove the inaccuracy of information he is not allowed to know. Suppose the visitor must live with the stigma of being branded "suspicious," not just in his dealings with other people, but also in databases that will affect his life for years to come in ways he can’t begin to fathom.
Data brokers face an awesome responsibility to the people whose information they buy, sell, and profit from. The U.S. government also is responsible to people when it makes decisions drastically affecting their freedom. Unfortunately, U.S. law imposes no obligation on data brokers or the U.S. government to assume these responsibilities, particularly as far as non-Americans are concerned.
ChoicePoint's checkered history underscores how important it is for data brokers to be legally responsible for the accuracy of information they provide to the U.S. government. In turn, the government must be legally responsible for verifying the accuracy of information it uses to make important determinations about people. Regardless of nationality, individuals need convenient avenues by which to learn, challenge, and correct information maintained about them by data brokers.
The episode also raises an issue at the core of On the Identity Trail: who controls the disclosure of personal information? Privacy advocates believe that one solution to problems created by companies such as ChoicePoint is to give individuals greater control over the disclosure of their personal information held by others. In the credit reporting context, for example, one reform would allow consumers to "freeze" their credit reports so that their financial information would only be revealed when they choose to do so.
