The post-9/11 marriage of private data and technology companies and government anti-terror initiatives has created something entirely new: a security-industrial complex. In his new book, reviewed in Sunday's Book World, Post reporter Robert O'Harrow shows how the government now depends on burgeoning private reservoirs of information about almost every aspect of our lives to promote homeland security and fight the war on terror.
O'Harrow was online to field questions and comments.
A transcript follows.
Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.
St. Louis, Mo.:
In your opinion, do you think it's possible, or feasible, to develop an electronic "ID card" of sorts for individuals to have on hand, in case they become victims of identity theft and need to readily prove they are who they say they are?
St. Louis Post-Dispatch
Robert O'Harrow: Hi. Thanks for joining me. There are already a lot of interesting and smart questions about this stuff, so here we go...As for the idea of an ID card, they're already well under way. The Defense Department uses "hardened" IDs for many of its employees. There's a bill pending in Congress that would mandate stronger driver licenses. And there's a private identification company rolling out its services. The ID would include a fingerprint and - guess what? - one of the partners is ChoicePoint. There are some tremendous potential benefits from these kinds of IDs, but there are some potential drawbacks that we can get back to...
Dear Mr. O'Harrow:
After reading reviews in The New York Times and the Washington Post, I purchased a copy of your book last weekend. I was so fascinated that I read the entire book on Saturday. I was vaguely aware of companies like ChoicePoint and the chilling effects of data mining. Your book was an eye-opener, to say the least.
I am curious about the political and religious views of ChoicePoint CEO Derek Smith. If information is power, it struck me that Mr. Smith is well on his way to becoming one of the most powerful men in America -- even though he holds no elective office and produces nothing. I was especially troubled by the quote on page 136 where he describes himself as driven by "a higher power" and that data collection is a personal mission, an almost religious quest. Would you describe Mr. Smith as a pro-Republican religious fundamentalist? Are we all doomed to living the sort of buttoned-down life of a Ned Flanders on "The Simpsons" or risk political or economic ruin? It strikes me that America's "big tent" democracy is about to become a lot smaller. While it may be good for business, it will certainly stifle civil liberties and creativity.
Robert O'Harrow: Thanks for reading the book. As for Smith, I don't know his political views. I have never gotten the impression he's a religious fundamentalist, not even close. But he professes to be deeply zealous about using information - his company's main source of income - to make the country a safer place. Not this as well: He has lately said his company and others in the information industry need to operate with more oversight. Is he being crafty? Looking out for the long run interests of ChoicePoint. Maybe. Probably But he seems intent on pressing the issue in Congress. Let's stay tuned on what happens.
What is the general attitude in Congress about such an invasion of privacy by Choice Point, the CRAs, and other bureaus? Are our representatives and senators generally sensitive to privacy concerns or has the wave of anti-terrorism mitigated such concerns? Who are the privacy champions in Congress?
Robert O'Harrow: It's hard to gauge exactly. There are both Republicans and Democrats who have shown interest in the issues here. Among them: senators Shelby,Leahy,Feinstein. But these are complex matters. Folks on Capital Hill who think about this stuff worry about snuffing out the many benefits we get from the free flow of information. Credit, risk assessment, background checks and such. Some also worry about what will happen if we don't think hard about striking the right balances now, before the use of personal information, tracking, profiling and surveillance get out of control.
Why would any outside company need to be given so many peoples information at one time? Usually, when they do a check, it is on one person, or so we thought. Why should a company be able to prosper on my personal information and data? This is not only an invasion of my privacy, my private information is making someone rich at my expense and putting me in harms way thru such fraudulent actions,
Robert O'Harrow: The companies in the information industry argue - in some ways, correctly - that the more details they have the more accurate their services will be. Marketers want to know what you buy, where you live, the kinds of neighbors you have, the car you drive, your estimated income, etc., in order to refine their pitches to you. Police, private investigators and reporters can do a better, more efficient job the more details they have to work with. On the other hand, there's a question about whether the institutions doing so much with our personal details are taking all the needed steps to protect it. In many cases, they're not.
What purpose do these companies serve? Perhaps a purpose they serve is that it is somehow legal for them to collect data gov't agencies can't, but by purchasing the information they circumvent the existing prohibitions on privacy! If we don't want to be tracked and at the same time, not become a Luddite how can we protect ourselves?
Robert O'Harrow: Companies like ChoicePoint, LexisNexis, Acxiom and others you may not have heard about are becoming crucial parts of our Information Economy. Every major federal agency; local, state and federal law enforcement rely on them; some marketers have bet their futures on the use of personal data for targeting; instant access to public records reports is absolutely crucial to good journalism. I'd bet that every reader of this chat takes for granted the consumer benefits they get from these companies and the credit bureaus. The problem? Very, very few of us have any idea about the scope and pace of data collection,how our information is being use and, not least of all, how the government is embracing these services for the war on terror and to protect homeland security. There are regulations govern the use of some information. But there is very little oversight or transparency on this emerging public-private security system.
I'm a little bit confused as to what ChoicePoint does and how people (customers) can hold them accountable. I don't think I've ever used their services, but have no way of knowing.
Robert O'Harrow: Readers may have heard about ChoicePoint for the first time in the last few days or weeks. It's an information service based outside Atlanta. Since it formed in 1997, the company has acquired more than 50 other companies and, I just learned, now has something like 100,000 clients. It maintains about 19 billion records about nearly every adult American, according to the company, and that number is growing rapidly. It sells that information, as you have just read, in electronic reports to police, lawyers, national security, check cashing companies and on and on. It has helped out in many investigations and does background checks on increasing numbers of job applicants, volunteers, would-be tenants and the like.
Is ChoicePoint notifying all people whose information was stolen, or only those people who live in states that require notification?
Robert O'Harrow: A little background: Last week, ChoicePoint acknowledged that it sold reports containing names, addresses, address histories, Social Security numbers, driver license numbers and, in some cases, credit reports, to an apparent identity theft ring posing as legitimate business officials. The company said over the weekend it would notify up to 145,000 people their information was inadvertently sold to the bad guy. The company pledged to give each person access to a free credit report and credit monitoring service to help minimize the damage from the security breach.
Upper Marlboro, Md.:
It's interesting that Rick in Ohio thinks any religious belief immediately makes a person dangerous. In the Christian community, though not as a whole, there is a belief that this sort of centralized information gathering, and the power that comes with it, is highly dangerous and decidedly unholy. Many of us (the religious freaks that scare him so much) are afraid of the abuses of the system that will be so tempting to those who have no moral compass or that are under the control of (wait, here it comes) our spiritual enemy.
Enough huffing: I actually don't think there are enough checks and balances on private concerns who hold this sort of information on us as individuals. Though I enjoy the benefits of data mining and CRM that allow Amazon and Netflix to provide me with meaningful recommendations, I don't want them to sell my preferences or other information to anyone else. The more I learn about computer security (I'm working on a CISSP), the more concerned I am. How is this being regulated? Or can it really be?
Robert O'Harrow: Here's what I conclude in No Place to Hide (please forgive the shameless plug!):
1. We as a society have only the faintest understanding about the "data revolution" and the government's embrace of it since 9/11.
2. While there are an array of law government the use of information, they leave wide gaps in transparency and accountability. The information is often riddled with mistakes. Security is not sufficient.
3. We're only at the beginning of the data revolution. The ability to sift and analyze and derive intelligence - yes, intelligence - is very imperfect. But it's improving fast.
4. Figuring out how to maintain the considerable benefits from all this, while protecting our old fashioned notions of autonomy, privacy and the like is going to be very difficult. But we might as well begin our efforts to take stock of what is changing and figure out how to strike the balances we want.
I will be reading your book! I think you've hit on the main issue: transparency--which is one of the principles on which federal privacy laws rely. However, when these laws were passed no one anticipated the information industry and its ability to aggregate and share large amounts of personal information. What would be your recommendations to policymakers to address the need for additional transparency?
Robert O'Harrow: Thanks for reading the book in advance. As for policy recommendations? I'll pass. That's not for me to decide, except to say this: Don't be fooled into thinking this is simply about geeky stuff like computers and networks and data warehouses. To my mind, a good starting point is to think about these issues in terms of our values, as individuals and as a giant community. Some people argue that individuals don't really care about how we get the many, many Information Age conveniences that we like so much. Is that so? I often think about what president Eisenhower said when he left the White House. He warned we need to "guard against the acquisition of unwarranted influence" by the "military industrial complex." I believe we're witnessing the beginnings of a "security industrial complex." We should probably keep watch in a way that Ike would have approved.
I understand that the trial lawyers are salivating at the prospect of suing Choicepoint into oblivion. What are the chances that any of the owners of Choicepoint will be put into jail for their behavior?
Robert O'Harrow: Jail? For what? While lawsuits seem inevitable, what would merit criminal action? The company took steps to secure the information and relationships with clients that, in retrospect, were clearly inadequate. But jailtime? Probably best not to get too breathless about this stuff.
This may not be the right forum for this question, but what do I do when I get the letter from ChoicePoint telling me that they gave my identifying info to criminals? Monitoring my credit reports for a year hardly seems adequate.
Robert O'Harrow: Good question. Identity theft is a nasty crime, and the most obvious sign of how much information about each of us is sloshing about out there. Monitoring is a good important first step. There are some organizations that can help: The Federal Trade Commission knows a lot about identity theft and they want to help. There's a group call the Privacy Rights Clearinghouse in California that's also focused intently on the issue. The credit bureaus also maintain information about what to do at their Web sites. I suggest you do your homework. And be vigilant. And don't panic.
On the Web: FTC ID Theft Resource Page
It seems that most of the fear re: privacy relates to someone knowing something about us that we don't want revealed. I believe protections of your financial resources and medical information can be solved. But do you think that is only part of the issue? Do you think our fear of revealing more of who we are lurks behind the privacy issue?
Robert O'Harrow: I have been shying away from the word "privacy." As important as the notion is to all human beings at some level, I think of the key issue more as "autonomy." That is, the sense that we need room in life not to be meddled with unnecessarily. I sometimes ask myself: Who gave them the right...? Them being an organization or institution that has taken moves to get to "know" me or sell me or call me or somehow shape my experience without my permission? There's little room in our society for pure "anonymity." I'm not talking about that. It's just that to the greatest degree possible in our increasingly interconnected world, I want to be left alone, unless I choose to engage.
Robert O'Harrow: There are so many smart questions in the hopper. I hate to go. Stay tuned on this very interesting set of subjects. See you next time.