Big Brother's little helper (My edit: Part one, Biometrics mentioned in part 2)
How an Atlanta-based company won millions of federal dollars to mine information on Americans in the name of toppling terrorism
BY MARA SHALHOUP
Even when he is alone he can never be sure that he is alone. Wherever he may be, asleep or awake, working or resting, in his bath or in bed, he can be inspected without warning and without knowing that he is being inspected. ... Not only any actual misdemeanor, but any eccentricity, however small, any change of habits, any nervous mannerism that could possibly be the symptom of an inner struggle, is certain to be detected. He has no freedom of choice in any direction whatever.
-- George Orwell, 1984.
Visit www.ChoicePoint.com and you'll see the company's motto -- "Smarter Decisions, Safer World" -- pasted over the faces of children running across a field, or coasting on a swing set, or cuddling a puppy. You'll find promises about how ChoicePoint Inc. upholds the PATRIOT Act, assists in criminal investigations, and serves the needs of the federal government. And you'll read upbeat descriptions of what ChoicePoint does, such as "harness the positive power of information to make smarter decisions in a world challenged by increased risks."
When ChoicePoint talks about "increased risks," it means an event as horrendous as another 9-11. And when it mentions "the positive power of information," it's referring to expansive dossiers the Alpharetta-based company -- one of the world's largest private data miners -- keeps on just about every American.
Are you a little queasy about unwittingly revealing your life's most minute details to a company that sells them to big business and the government? No worries, says ChoicePoint. Privacy, as we once knew it, is a thing of the past.
"We are beginning to see a shift in the traditional privacy debate from simply focusing on an individual's right to privacy, to also including consideration of society's right to protect itself," says a letter from ChoicePoint CEO Derek Smith in the company's most recent annual report. "ChoicePoint as a company and I as an individual continue to believe, however, that in a free society -- particularly in today's society -- we do not always have the right to anonymity."
Smith has a point. The world we live in is not the world we inhabited before 9-11. In today's world, it's obvious how serious the consequences can be when government intelligence fails.
As a result of that failure, ChoicePoint has assumed a powerful role, doing what even the feds aren't allowed to do -- and at the same time raising fears that corporations are harnessing technology to intrude on our privacy.
ChoicePoint's mission is simple. The company amasses oodles of gigabytes of little pieces of just about every American's existence. Some of the information may be public and obvious, like property records or criminal histories. But one might mistakenly consider other pieces confidential or inconsequential, such as DNA samples turned over in a criminal investigation, or responses to a magazine survey asking where you last bought toothpaste, and what brand you chose.
ChoicePoint then packages the pieces for sale -- to employers, insurance companies, direct marketers, state governments and at least 30 federal agencies. Corporate clients buy access to records to investigate job applicants -- or, in the case of the 90 percent of American insurance carriers who do business with ChoicePoint, to determine if an individual seeking car or homeowner's coverage might be a risk. If ChoicePoint shares your records with companies with whom you're seeking insurance or a job, you must first give ChoicePoint permission.
But that's not the case with the government, whose agencies commonly access ChoicePoint's records to aid in criminal or terrorist investigations.
"They are part of this new multibillion dollar industry to record as much information as they can about as many people as they can," says Jay Stanley, of the ACLU's technology and liberty program. "Most Americans have no business relationship with ChoicePoint, aren't really aware that it exists. I think that they would be quite spooked to discover that this company has many dossiers about their private lives."
Piecing together government-sponsored dossiers, particularly on the lives of Americans who aren't suspected of any wrongdoing, is precisely the type of behavior the Privacy Act of 1974 was written to prohibit. There's just one hitch with the 29-year-old law: It merely forbids the feds themselves from building the database. Back in the '70s, Congress wasn't convinced anyone but the government would be inclined to do such a thing.
Lawmakers didn't count on the advent of the Internet, and they failed to foresee that technology would make it a cinch to build what privacy advocates have long considered their greatest fear: a grand, centralized database. The result? What ChoicePoint and other data miners do is perfectly legal.
Sitting in his second-floor office, overlooking the company parking lot and the restricted-access data center behind it, ChoicePoint Chief Marketing Officer James Lee contends that a company like ChoicePoint does a far better job protecting privacy than the feds could. The real intent of the Privacy Act wasn't to prevent the government from accessing databases, Lee argues, but to keep the feds from carrying out fishing expeditions in their own sea.
Lee says ChoicePoint's data is set up in such a way that the government can't fish -- because the company doesn't actually sell its databases, but rather provides regulated access to them. In the absence of federal laws governing the use of private databases, Lee insists ChoicePoint has taken it upon itself to keep its own actions, as well as the government's, in check.
"It sounds counterintuitive, but we are far more accountable than the federal government or the state government or any other government agency," Lee claims. "We don't believe in violating anybody's privacy. We don't want any information that we shouldn't have. And what information we do have, we don't want to share it in any way it shouldn't be shared."
But with so little outsider access to ChoicePoint's databases, who's to ensure ChoicePoint always stays within its self-imposed guidelines?
For a company built on the idea of collecting information about everyone else, ChoicePoint's practices are surprisingly inscrutable. Even getting a peek at the info ChoicePoint has compiled on you isn't easy. Lee says the company is devising a service to make it simpler to review your own file. But as the self-check process stands, it's discouragingly complicated and mind-numbingly time-consuming for an individual to use ChoicePoint's services. (See "Adventures in Data-Mining," below.)
Digging up the data is a far easier task for ChoicePoint's more privileged customers, such as the Justice Department, the Internal Revenue Service and the Department of Homeland Security. Some federal agencies even have special ChoicePoint sites, where government employees can log on and plug into the company's databases. There's ChoicePoint for the U.S. Drug Enforcement Agency at www.cpdea.com, for example, and ChoicePoint for the U.S. Immigration and Naturalization Service (which has since been absorbed into the Department of Homeland Security) at www.cpins.com.
But the public can't access those sites, which means ChoicePoint and its government clients just might know more about you than you know about yourself.
Not being able to see a ChoicePoint dossier sold to the government means not being able to correct mistakes. Want a really scary example of what can go awry when data collectors hand out bad information? Consider what happened in Florida leading up to the 2000 presidential election.
In 1998, the state hired a company called Database Technologies to scrub its voter rolls of ineligible voters. The scrub list was mandated by Florida legislators after a voting fraud investigation revealed dead people had cast ballots in the 1997 Miami mayoral election.
DBT combed through Florida's rolls and handed over the "ineligible" list to elections officials in May 2000 -- within days of the company's merger with ChoicePoint.
The problem was that DBT'S list purged the voter rolls not just of convicted felons, who are disqualified from voting in Florida, but of eligible voters whose names resembled those of the felons.
While Florida and DBT failed to check a number of criteria that could have distinguished the actual felons from the non-felons, one criterion that DBT did bother cross-referencing was race. BBC reporter Greg Palast and a handful of U.S. journalists reported that the majority of the felons on the list were black, so thousands of legitimate black voters with the same names as black felons were struck from the rolls. Because Florida blacks vote heavily Democratic, a disproportionate number of votes for Al Gore were thrown out.
According to analyses by news organizations, somewhere between 8,000 and 22,000 qualified votes went uncounted. Whatever the number, it towers over 537 -- the margin by which George W. Bush won Florida, and therefore the national election.
The most jarring part, according to Palast, who broke the story, was that DBT knew the list was flawed -- because a Florida official told DBT, in a 1999 e-mail, "Obviously, we want to capture more names that possibly aren't matches and let the county supervisors make a final determination." Palast claims that even though DBT alerted Florida officials to the need to check the list, the fact that the company would even hand over known mistakes shows that it doesn't always do its best -- contrary to its corporate mantra -- to protect the government against itself.
"They warned the state repeatedly, 'We are giving you names of people who are not felons,'" Palast told CL. "And what's frightening about that is that they knew it and they kept silent. ... And until they were caught, they continued to boast, publicly, that these lists were deadly accurate."
No evidence has suggested that the purge of black voters was intentional, although it was a remarkably sloppy endeavor in a state long considered a key battleground in the 2000 election.
ChoicePoint denies responsibility for what happened in Florida. The scrub list was already complete when the company took over DBT, Lee notes. He also argues that ChoicePoint would never have been interested in such a project, because when it comes to anything so precious as voting rights "anything less than 100 percent accuracy is not acceptable." The DBT databases ChoicePoint absorbed will never again be used to purge voting rolls, he says.
On at least one other occasion when its databases became controversial, ChoicePoint again backed away from a project. Earlier this year, Latin American citizens protested ChoicePoint's sale of their personal information, including passport numbers and even blood type, to the U.S. government. "As soon as someone in Mexico said some -- but not all -- of this data may be -- but not definitely is -- confidential, we immediately segregated it and deleted it," according to Lee. "We discontinued the entire market line." He says the government contract for Latin American data expired Sept. 30.
Unfortunately, most of the work ChoicePoint does for the feds isn't open for public review, meaning that oftentimes no controversy can arise -- even if the data is flawed.
The casualty of business opportunities both in purging voter rolls and in Latin America won't exactly maim ChoicePoint. There remain scores of possibilities for the company to wield its knowledge and win government contracts.
Within the burgeoning post-9-11 industry of rooting out terrorists, ChoicePoint is constantly hunting new ways to develop information-gathering technologies. The company's mission is to protect us against immediate threats, perhaps at the expense of protecting age-old ones. That mission aligns nicely with the current goals of government and with the fact that protection at all costs has grown increasingly fashionable.
ChoicePoint has only stepped into the role that the American government and many of its people have created for it. It's a brilliant business. Because as much as we claim to love civil liberties, the bloodshed of 9-11 is centuries fresher than blood spilled for the Constitution. A company like ChoicePoint doesn't thrive because it manipulates our wants. It thrives because it's a product of them.
If ChoicePoint were a library, it might be the largest building on Earth. Its computers will soon hold 200 terabytes of information. Compare that to the Library of Congress, whose 18 million books would constitute a mere 20 terabytes. To manage the 17 billion records in its various databases, ChoicePoint employs 4,200 staffers in 70 offices in 28 states and Washington, D.C. The mountain of data that ChoicePoint amassed is headquartered inside two, 200,000-square-foot glass and brick buildings 30 miles north of Atlanta.
The company began as an insurance-claims division of Equifax, the Atlanta-based credit-reporting agency. In 1997, Equifax spun ChoicePoint off with an initial public stock offering. Over the years, the company has attracted a board manned by some heavy, mostly GOP-leaning hitters, including astronaut Frank Borman (who's since left the board) and Home Depot co-founders Bernie Marcus and Kenneth Langone.
The new entity would gobble 42 competitors and complementary companies, all of them gatherers of different varieties of data. The acquisitions ranged from the leading provider of birth, death, marriage and divorce certificates, VitalChek, to the country's largest private DNA forensics lab, Bode Technologies, to a criminal database more voluminous than the FBI's, the National Criminal File.
In less than a decade, ChoicePoint has become a startling financial success. It pulled in almost $800 million in fiscal 2002 revenue. After six years of trading -- mainly in a bear market -- the company's share price has shot up from less than $10 in 1997 to more than $37 last month.
In October, the magazine Business 2.0 listed ChoicePoint as one of the country's 100 fastest-growing companies. The Atlanta Journal-Constitution ranked it Georgia's 10th best-performing business, one slot above Coca-Cola. The newspaper also reported that ChoicePoint CEO Smith was Georgia's second-highest paid chief executive in 2002, taking home $17.4 million in salary, bonuses, stock options and other compensation. Even the chiefs of BellSouth, Coke and Delta earned less; only Home Depot's Bob Nardelli made more.
One key to ChoicePoint's trajectory has been the government's reaction to 9-11. ChoicePoint is among a handful of companies -- including Acxiom and Seisint -- that have jumped at the awesome opportunity to help the feds decrease the risk of another terrorist attack. Indeed, while the rest of the market plummeted, ChoicePoint's stock was on the rise in the weeks after the Twin Towers fell.
ChoicePoint believes that businesses, armed with as much information as possible, will be better able to protect themselves against fraud. Law enforcement will have an easier time solving crimes. And government will be better equipped to fight terrorism. This is the Information Age, after all. What's the point of having so much data if you can't use it?
The company's various databases have come in handy in several high-profile tasks. After 9-11, ChoicePoint's DNA lab, Bode Technologies, received thousands of fragments of human remains -- mostly bone -- and matched the fragments' DNA to DNA lifted from toothbrushes and combs provided by the victims' families. When District of Columbia and Virginia police suspected that a sniper was operating out of a white van, ChoicePoint, using a massive registry of motor vehicle records, was able to provide a list of all white vans registered to residents in the vicinity of the shootings.
ChoicePoint even claims that had the government taken advantage of its airline passenger screening capabilities prior to 9-11, the 19 hijackers might never have boarded four planes.
But ChoicePoint's work also has revealed the inherent trouble posed by collecting massive amounts of personal information. Not only can mistakes be made but basic American rights can be jeopardized -- the right to vote, the right to be free from unreasonable searches, and the right not to be investigated on the government's whim.
The search for the white van, which proved not to be the vehicle used in the sniper attacks, doubles as a good example of how uses of certain information can violate privacy.
In September, ChoicePoint Chief Operating Officer Douglas Curling told a group of investors gathered at the company's headquarters: "We are the largest purchaser of data from the state," adding that he knows of no other company "that spends almost $500 million a year buying motor vehicle records and driver histories from the 50 states."
Four months earlier, however, the company had been slapped with the second of two class action lawsuits alleging violations of the federal Driver's Privacy Protection Act, according to ChoicePoint's filings to the Securities and Exchange Commission. "The complaints allege that the Company has obtained, disclosed and used information obtained from the Florida Department of Highway Safety and Motor Vehicles in violation" of the law, the SEC filings state. A similar lawsuit was filed two months later, in Louisiana.
ChoicePoint denies the allegations in all three complaints.
But the allegations sound a lot like those recently raised in Georgia against a ChoicePoint competitor. At issue was an interstate crime-fighting database, developed by Florida-based Seisint and called, appropriately enough, MATRIX (the Multistate Anti-Terrorism Information Exchange).
In October, Gov. Sonny Perdue and state Attorney General Thurbert Baker pulled Georgia motor vehicle records out of MATRIX. "I have held serious concerns about the privacy issues involved with this project all along," according to an Oct. 21 press release by Perdue, "and have decided it is in the best interest of the people of Georgia that our state have no further participation."
But what about ChoicePoint? Both it and MATRIX supply motor vehicle records (among other data) to state and federal law enforcement agencies. Why haven't the governor and state attorney general addressed the possibility of privacy breaches by a data collector in their own back yard?
There's a difference between the two companies, according to ChoicePoint's Lee, and it lies in the ways they store and release information.
With Seisint's creation of MATRIX, he says, "there was no actual requirement to have an ongoing police investigation before you could do a query." ChoicePoint, on the other hand, requires that there be a relevant, open investigation before its databases are searched.
And while the MATRIX database is one big pool of motor vehicle records voluntarily turned over by the states and accessible, without restriction, to each state and the feds, ChoicePoint only sells the right to search for what's needed in an investigation, and the company doesn't pool its data.
"Regardless of the source, if [the data] comes in for a specific purpose, that is the only purpose for which it can be used," Lee promises. He says that's true of every type of record ChoicePoint amasses. "It will not be co-mingled with other data. The background check information cannot be loaded in to the law enforcement database. The law enforcement information can't be used for hiring purposes. There are Chinese firewalls between all of these products. There's not even the possibility of an inadvertent cross-sharing of information."
Those safeguards, however, might not appease everyone. It could be that the only reason the state hasn't cracked down on ChoicePoint's use of motor vehicle records is the state doesn't know about its use of the records.
Russ Willard, of the Georgia attorney general's office, and Susan Sports, of the state Department of Motor Vehicle Safety, were surprised to learn that ChoicePoint was selling access to drivers' records to the feds. Willard points to state law, which says businesses can access motor vehicle and drivers' records only for insurance underwriting purposes -- and that "the personal information obtained by a business ... shall not be resold or re-disclosed for any other purpose without the written consent of the individual."
After speaking with Willard, CL contacted Lee again, to clarify ChoicePoint's purchase and uses of the records. He responded in an e-mail: "Some [records] we get directly from government agencies, but separately from our insurance record gathering, and the rest of the data is obtained from other third party providers who obtain the data from government agencies."
Willard says the state is interested in the extent of ChoicePoint's use of motor vehicle records outside the company's insurance division.
"ChoicePoint, as far as DMVS is aware, is an insurance-support organization, where they basically compile records for insurance companies," he says. "If you have any information that they're using information for other than those purposes, please let us know."
This is the part of the story where you're supposed to be learning the details of dozens of contracts ChoicePoint has signed with the feds.
Instead, we're presented with a checks-and-balances breakdown -- and the irony that a company, built on the foundation that information on private citizens should be collected and disseminated at will, is shrouded from scrutiny.
Theoretically at least, the public can view the government's contracts with data-collectors under the federal Freedom of Information Act (FOIA). But in response to FOIA requests CL filed with a half-dozen federal departments, the excuses for withholding information range from the somewhat understandable need to protect "trade secrets" and "national security" (and therefore keep secret a few hundred pages) to the months-long backlogs that force many agencies to put requests on indefinite hold.
After filing requests for copies of contracts with ChoicePoint, CL received the following responses:
- From the U.S. Department of Housing and Urban Development: "Based upon our experience and current inventory, we estimate that it may take 60 days to complete processing ... your request," dated Oct. 2, 2003, 27 days after the agency received the request and a week after the 20-day deadline for answering the request, a deadline set by federal law, had passed. The letter notes the law allows for an extension if "unusual circumstances exist."
- From the U.S. Department of Health and Human Services: "Staff reorganizations and reductions, and an increased number of FOIA requests and appeals contributed to a workload that exceeds the resources necessary to process these matters as quickly as our requesters ... would like," dated Oct. 16, 2003, 42 days after the request was filed. HHS did not cite any right to ignore the 20-day deadline, but the letter did "sincerely apologize for any inconvenience the delay in responding to your request has caused."
- From the Transportation Security Administration (a division of the 18-month-old U.S. Department of Homeland Security): "At the present time, ... based on a preliminary review of your request and our current backlog, we do not expect to be able to respond to your request until four months from the date of this letter," dated Oct. 9, 2003, three days after TSA received CL's request. TSA later sent a letter stating that the agency didn't have the documents anyway, referring CL to the Justice Department.
The Department of Defense did provide a list of 11 contracts between ChoicePoint and the Army. But Suzanne Council, the last in a string of Army employees handling the request, says the contracts could not be released until ChoicePoint commented on whether releasing them might cause the company harm. As of press time, CL was unable to determine whether the Army had received ChoicePoint's comments.
CL did manage to get records from two federal departments -- a pittance considering ChoicePoint has claimed to hold contracts with close to 40 federal agencies.
Although the Internal Revenue Service withheld 179 pages of the records requested by CL, the 80 pages it did hand over describe a renewable, annual contract totaling $5 million and signed in August 2000. The contract grants the IRS online access to as many as 19 distinguishing data sets that ChoicePoint keeps on most Americans, including property records, incorporated businesses, bankruptcies, civil judgments and motor vehicle info.
The other contract CL received, signed by the Justice Department in 2001 and totaling $67 million, describes 141 categories of personal information ChoicePoint provides federal law enforcement, such as Social Security numbers, neighbors' identities, driver's license numbers and a service called "Faces of the Nation."
Another Justice Department document, a memo titled "Guidance Regarding the Use of ChoicePoint" sent from the FBI's legal office to its National Security Division, states that the feds are to gather intelligence using "the least intrusive means." The memo, parts of which are heavily blacked-out in "the interest of national defense or foreign policy" states that "an individual does not have a reasonable expectation of privacy in personal information that is made publicly available by others." |
