< Return To Hearing
Testimony of Robert Douglas
My name is Robert Douglas and I am the CEO and founder of PrivacyToday.com located in Steamboat Springs, Colorado. I provide consultation to the private and public sectors on issues involving all aspects of identity theft, identity fraud, and personal information security. During the past eight years my work has centered on assisting the financial services industry, the general business community, government, and law enforcement agencies to better understand the scope and methodology of identity crimes through educational materials, presentations, auditing, and consultation.
I have provided consultation and expert testimony for civil and criminal investigations brought by private parties and state and federal law enforcement agencies. Most relevant to today's hearing, I served as a consultant and expert witness for the Federal Trade Commission in the design and execution of Operation Detect Pretext, a sting operation to catch and civilly prosecute individual and corporate offenders participating in the illegal "information broker" industry. I served as an expert witness to the Florida Statewide Grand Jury on Identity Theft. I served as an expert witness and consultant for the plaintiffs in a federal civil action brought by the parents of Amy Boyer, a young woman slain in a murder committed by a man who purchased Ms. Boyer's social security number, date of birth, and place of employment from a web-based information broker. I have lectured before local, state, federal and international law enforcement associations on the topic of identity crimes. I have been a private investigator and security consultant for the past twenty-two years. This is my fifth appearance before the United States Congress to discuss personal information security.
The Murder of Amy Boyer
Far too often as we grapple with the issue of balancing the privacy of Americans with the necessary and legitimate uses of Americans' personal information the debate centers on discussions of "data", but not the lives behind the "data". In order to illustrate what I've learned over the course of more than twenty years using and investigating the good and harm of database information, I'd like to begin by focusing on one life behind one set of data. The untimely and violent end to that life encapsulates all the issues that surround securing personal information while balancing privacy with legitimate uses of information. Further, investigating this one act of violence led me to a more complete understanding of how personal information is being used and abused in the United States today. This case also demonstrates that the problem is much larger than the recent ChoicePoint breach and other instances that have recently been in the headlines. The problems of securing personal information and balancing privacy with legitimate use are intertwined and impact every business and government sector.
On a quiet fall afternoon in October of 1999 Amy Boyer, a young Nashua, New Hampshire woman, was leaving work with two co-workers. The small group was discussing plans for that weekend as they walked to their cars parked on a side street less than a block from the office. As Amy said good-bye and closed her door, a car driven by Liam Youens sped up the street and stopped driver's door to driver's door with Amy's car. Youens yelled out Amy's name as he fired 11 bullets into the head and upper body of his unsuspecting 20 year-old victim. Youens then fired one last shot into his head, instantly killing himself as Amy lay just feet away mortally wounded.
Liam Youens was a demented young man. He glorified the Columbine killers and toyed with the idea of doing the same at Nashua High School. He openly planned Amy's murder and the intended murder of others for more than a year. The reason we know so much about Youens is that he documented his plans to murder Amy on a web site he created to publish his sick desires.
But that web site contained far more than just the perversity of Liam Youens. It contained the starting point for a trail of evidence that proves how personal information of all Americans stored with good intent in myriad databases across this country can be easily obtained and used for incalculable harm. The trail that began on a quiet Nashua street led to the shadowy world where a small but persistent number of illegitimate information brokers and private investigators, in addition to a growing number of identity thieves and other criminals, access databases holding our most important personal information and use that data for criminal purposes.
In Amy's murder the evidence showed that Youens decided to ambush Amy as she left work. But Youens had a problem. He didn't know where Amy worked. So he started using information brokers and private investigators that run Internet based operations that specialize in obtaining and selling personal information on Americans. In separate Internet transactions Youens purchased Amy's date of birth, social security number, home address, and finally her place of employment.
Youens himself was struck by how easily he was able to purchase Amy's personal information while concealing his evil intent. Here is a small sampling of Youens own words from his web site where he was documenting his step-by-step activities to locate and kill Amy:
When I finished finding [street name redacted] residents in the phone book I thought my best bet was apt. number 7 so I entered the information. It wasn't 7, but who cares I got a HIT! I fell to the floor and let the endorphines fly. Her address was [residential address redacted] she didn't move from home yet, no other information was provided in the background check.
I found an internet site to do that, and to my surprize everything else under the Sun. Most importantly: her current employment. It's accually obsene what you can find out about a person on the internet. I'm waiting for the results.
The Internet site Youens found to get Amy's "current employment" and "everything else under the Sun" was Docusearch.com. To obtain Amy's "current employment" Docusearch provided Amy's social security number, date of birth, and home address to Michele Gambino, another private investigator/information broker operating as Gambino Information Services out of New York City. Gambino has at times described her specialty as "proper pretext", "subterfuge phone calls", or "informative telephone conversations". Those are nice titles for deceit, fraud, and lying. In short, Gambino uses lies to deceive people out of personal information.
At the time of Amy's murder, Gambino and others who worked as subcontractors for Docusearch specialized in defeating the information security systems of financial institutions (including many of the nation's largest banks and brokerage houses), telecommunications companies (obtaining non-published phone numbers and records of phone numbers dialed from any phone in the country), utility companies (power/cable/gas/water/satellite firms all maintain databases of personal information), and unsuspecting private citizens with information about loved ones.
In this case, Gambino conducted a "pretext" to obtain Amy's work address by impersonating an insurance company representative and falsely stating that she had a refund for Amy. By having Amy's social security number, date of birth, and home address, Gambino was able to sound authoritative as most Americans wrongly believe that only someone with legitimate access and authority would have their social security number and other personal information. Gambino was able to deceive Amy and/or Amy's mother out of Amy's work address on the pretext that the work address was needed to process the insurance refund.
The reality is, as far as Docusearch and Gambino were concerned, obtaining Amy's work address by fraud was just another transaction to put money in their pockets. And a lucrative business it is. With just two employees and a handful of independent contractors like Gambino, Docusearch was grossed over $1 Million per year selling and re-selling Americans' personal information.
Outrageously, while Docusearch was in the business of accessing and stealing Americans' personal information and continues to this day to brag about how they can find anything about anybody, neither Gambino nor Docusearch took any constructive steps to determine who Youens was, much less why he needed the employment address of Amy. Had Docusearch or Gambino simply typed Amy's name into any free search engine they would have found Youens' web site documenting his intent to kill Amy.
Docusearch was on notice that their Internet site was being used by potential stalkers with intent to do harm. Just days before Gambino used a "pretext" to obtain Amy's work address, Docusearch learned that another "client" was attempting to obtain an address on a young woman in Texas for potential harm. In the Texas case, Docusearch was once again using a pretext to learn the address of the young woman from the woman's mother. Fortunately, the mother was savvy enough to realize they were trying to deceive her out of her daughter's address and told the Docusearch "investigator" that her daughter had a restraining order against Docusearch's client.
While Docusearch, Gambino, and others in the information brokerage and investigative fields often argue that they shouldn't be held responsible for the unforeseen consequences of selling "data", those defenses ring hollow. Not only is there ample evidence in the files of Docusearch and Gambino of potential harm caused by the personal information they are selling on demand, the information brokerage/private investigative industries have been aware since at least the early 1980s of criminals using their services to carry out violent and non-violent crimes.
Congress Passed the DPPA and Other Statutes to Protect Americans
In March of 1982 the information broker/private investigative professions and all who maintain databases with personal information learned first-hand that personal information in the wrong hands can lead to severe physical harm or murder. In a scenario frighteningly similar to what happened to Amy, actress Theresa Saldana was repeatedly stabbed and slashed by a stalker at the front door of her home. To find Saldana, the stalker hired a private investigator to obtain Saldana's mother's non-published phone number. The stalker then called Saldana's mother and tricked her into providing Saldana's home address by using the "pretext" that he was Martin Scorcese's assistant and needed Saldana's home address in order to reach Saldana for a movie role.
Following the Saldana attack, came the 1989 murder of actress Rebecca Schaeffer. In that case, a private investigator obtained Schaeffer's home address through the California motor vehicle database and sold the address to a stalker. The stalker used the address information to stalk and kill Schaeffer. The attack of Saldana and the murder of Schaeffer, combined with a growing body of evidence that personal information contained in state motor vehicle records (at that time routinely provided to anyone requesting it) was being used for criminal purposes, led to passage of the Drivers Privacy Protection Act (DPPA). A federal law that I would argue is violated thousands of times each day.
But the trail of evidence in Amy's murder does not end with an obsessed killer and a couple of greedy private investigators operating Internet information brokerages. Quite simply, the evidence in Amy's murder leads to thousands of documents demonstrating in real time how databases maintained in a wide range of American businesses and entire industries that contain our most personal information are breached everyday.
Commercial/Government Information Security Systems Are Breached Every Day
On a daily basis Docusearch, Gambino, and other associates of Docusearch were penetrating the information security systems of this nation's financial services industry, postal service, telecommunication and other utility companies, and selling that personal information to just about anyone. Contained within the files of Docusearch, Gambino, and hundreds of other similar companies is evidence that not only can any piece of information about anybody or any company be obtained by anyone willing to pay for it, but clear and convincing evidence that when it comes to being guardians of critical personal information both government and commercial entities deserve a failing grade.
Unfortunately, Docusearch and Gambino are not rare examples that limit the scope of the problem to a finite few. The reality is there are hundreds of "Docusearchs" combined with thousands of identity thieves conducting arguably tens of thousands of breaches of information security systems across all business and government sectors each day in this country. You don't get ten million identity theft victims and fifty-plus billion dollars in losses to identity theft related financial fraud from dumpster divers.
To further illustrate the scope of the problem, consider what we already know when it comes to the black market of personal information provided by unscrupulous information brokers and private investigators. Remember, these unscrupulous companies are a window into the very same methods used by criminals, identity thieves, and potentially terrorists.
Following my second of two appearance before the House Banking Committee , in which I assisted the Committee with a surreptitious survey of online Internet information brokers and their offerings that confirmed financial information of Americans was for sale, I worked with the Federal Trade Commission to design a sting operation to civilly prosecute Internet based information brokers selling financial account information (including specific account numbers and balances) in violation of the Gramm-Leach-Bliley Act. Operation Detect Pretext, as it was named, revealed that there were hundreds of Internet based information brokers and private investigators advertising the sale of Americans' most personal information in violation of any of a number of federal statutes including but not limited to Gramm-Leach-Bliley, the FCRA, the DPPA, and the Unfair and Deceptive Trade Practices Act. There was also evidence in the files of at least one of the FTC targeted information brokers of the broker selling personal information (perhaps unknowingly) to identity thieves.
The reality of how the Docusearchs, Gambinos, and identity thieves (as we know from the recent ChoicePoint case) defeat the information security systems of so many companies is that they often begin by acquiring the personal information of the victim of the intended crime. Using this personal information the criminal or unscrupulous information broker can impersonate the victim in order to obtain further personal information or carryout a criminal act by convincing the rightful custodian of personal information to reveal it to the criminal posing as the victim.
As an information broker once explained the process to me:
Illegitimate Subscriber Access - The Resale Market
Unfortunately, many of the illicit information brokers who will steal and sell any information about anybody have subscriber access (through a variety of legitimate and illegitimate means) to the legitimate information brokerage companies. They need the biographical information contained in the databases of the legitimate information brokers in order to carry out their pretexts like Gambino did to Amy. Specifically, to carry out the 5 steps outlined above, the unscrupulous information broker, private investigator or identity fraud criminal will purchase the biographical data needed (from either a legitimate information broker via a fraudulent subscriber agreement as in the instant ChoicePoint case, or via a reseller who obtains the information from a legitimate broker and willingly violates the no resale contract) in order to impersonate an individual that desired information will be released to.
There are a number of information brokerage companies, in addition to ChoicePoint, that have maintained relationships with information brokers and private investigators that I classify as resellers. While ChoicePoint and several other brokers have announced they will further restrict access to full social security numbers, dates of birth, and other personal identifiers to some clients of certain size and business lines, there is no doubt that absent legislation other companies will step in to fill the void--even if the ChoicePoint-styled self-remedy is effective. The hottest topic in the private investigative and information brokerage fields right now is where can you obtain full social security numbers and from what companies. The information resellers and investigative markets will flock from ChoicePoint to other mainstream information brokers willing to accept the revenue until Congress acts.
Indeed, for many years information resellers have easily deceived the major information brokers in the application process or violated the no resale clauses of their contracts. This is the worst kept secret in the information broker/investigative world.
Information Security in the U.S. is Laughable at Best
But even if all legitimate information brokers were to appropriately and effectively secure the data in their electronic warehouses, the flow of information would continue. Criminals and others will just access, and in many cases continue to access, databases from the government and private sector to find the personal information they need for their crimes.
When it comes to the overwhelming majority of databases in this country from government maintained military, postal, education, tax, welfare, and child support records to commercially maintained financial account, telecommunications, utility, medical, and business records, the information can almost always be obtained by an individual named in the records. Often this is the actual account holder. For the unscrupulous information broker or criminal, it is merely a matter of piecing together enough personal information about the targeted victim to impersonate the victim to the custodian of the information. And with far too much frequency, the key to unlocking most personal information is the social security number.
As I demonstrated a week ago in a story by Jonathan Krim of the Washington Post, it is a simple matter to go on the Internet and purchase from any one of a number of information brokers the social security number of any American. But even if social security numbers were not easily obtained from information brokers through direct or indirect (the illicit resale market), the indisputable fact is social security numbers have been compromised in this country in many ways for such a long period that it is laughable that either government or commercial enterprises use the number as a personal identifier for maintaining security of databases.
Yet this is the method chosen by more than 50% of the nation's banks, telecommunication companies, hospitals, doctor's offices, universities, utility providers, government programs, and almost any government or commercial entity one can name. I can inform this Committee and easily prove to this Committee based upon my experience investigating and studying information security practices and criminal methods for defeating those practices, and from the documents available in the Boyer murder case (that I would gladly share with this Committee in a closed setting), that any information security system using personal biographical information as the primary security identifier to allow access to the information is a fatally flawed system.
Congress Should Outlaw the Use of
Let me blunt. If this Committee and this Congress want to take a giant step down the road to securing Americans' data stored across all government and commercial entities, that step should be to prohibit the use of social security numbers, dates of birth, addresses, phone numbers, mothers maiden name, and any other personal biographical identifiers as information access security protocols. The reason for prohibiting the use of personal biographical information as security protocols for access to information maintained in databases is simple. Anyone can find them for free or buy them in hundreds of locations and databases across the country and on the Internet.
Why is it critical that we maintain the security of these databases? Because the vast majority of personal information contained in databases across this country is used for purposes that benefit Americans every day. Those benefits include commercial applications that assist citizens in transactions that weren't possible even ten years ago, but that we now take for granted. Additionally, the personal and biographical data maintained in a wide range of storage methods can be of critical value for government in fulfilling constitutionally mandated societal welfare, law enforcement, military, and national security functions. In the commercial sector personal information databases can assist in expediting transactions resulting in lower costs in addition to fraud prevention, detection, and prosecution.
The challenge is to determine a way to maintain this information which can be used for good and harm in a secure way that guarantees it is available for good, but not harm. As with any challenge, we must first understand the scope of the problem.
As I've tried to demonstrate through the evidence uncovered in the Boyer murder case, the scope of the problem far exceeds the ChoicePoints of the world. I am not here to make excuses for ChoicePoint or the other "legitimate" information brokers who after all do provide critical information to government and the private sector as discussed above.
In fact, I think the most recent breach that was the catalyst for this hearing is inexcusable given ChoicePoint's prior knowledge of attempts to fraudulently obtain subscriber access.
Legislation Must Address All Commercial and Government Entities
Yet to limit any proposed legislation to the information broker industry would be short-sighted in my opinion. After all, information brokers are nothing but aggregators of data contained in a wide variety of storage media. From courthouses; state, local, and federal offices; and, the military to marketing lists; phone directories; credit bureaus; insurance companies; and, dozens of commercial industries, information brokers gather "data" that is re-packaged and sold for a wide variety of uses.
If Congress takes action that only affects the commercial information broker industry while ignoring the government and the private business sector databases where information brokers obtain their raw data, there will be little accomplished. This is because criminals and others who would use information for illegal purposes will turn to the original sources of that raw information.
To place the question as to scope of the problem and how to curb it in the framework of the recent ChoicePoint breach, ask the following question: What good is to mandate that ChoicePoint have adequate security protocols to protect our personal information if the banks, telecommunication companies, universities, hospitals, doctors offices, insurance companies, utility providers, car dealers, and governmental agencies don't have adequate security protocols and are as porous when it comes to information security as ChoicePoint was?
If the ChoicePoint debacle causes this Committee and Congress to begin to seriously re-think how we protect all forms of data in this country, particularly at a time of war when our enemies have proven adept at understanding and using to their advantage information systems (such as deficiencies in driver's license cross-reference verification systems that allowed issuance of multiple driver's licenses from multiple jurisdictions to the 19 September 11th hijackers) then a complete understanding will be needed of how information too easily accessed and used for harm can be secured across the board and used for the benefit of individuals and the security of the nation.
But it must be a holistic approach. There are far too many sources of personal information in this country to either believe we can put the genie back in the bottle when it comes to social security numbers and other personal biographical identifiers or that we can solve the problem of securing information by addressing industries on a piecemeal basis.
In fact, Congress has tried the piecemeal approach for years with different issues, governmental agencies, and commercial industries. From the Privacy Act (restrictions on government use of personal information) to the Fair Credit Reporting Act (restrictions on consumer reporting agencies use of personal information) to the Driver's Privacy Protection Act (restrictions on state motor vehicle agencies handling of personal information) to most recently Gramm-Leach-Bliley (restrictions on financial institutions use and handling of personal information) Congress has addressed issues of privacy, data protection and data access on a case by case basis.
I would urge this body to recognize and accept as fact that many of the same challenges when it comes to securing personal data while balancing the legitimate privacy of Americans with the legitimate needs of government and beneficial commercial practices permeate all aspects of American government and private business. It is time to mandate that all government entities and the business community develop practical and effective information security programs that address 1) appropriate use questions (who gets access) and 2) authentication issues (how access is granted in a secure method).
If we don't take this approach across all sectors, criminals and this nation's enemies will do just as the unscrupulous and illegitimate information brokers I've discussed throughout this testimony do should they be effectively cut off from access in one database. They'll just turn to the next database in the next industry that has not been protected.
Need For A GAO Investigation
I have seen a number of investigations done by the GAO which provide a blueprint for an investigation this Committee might find beneficial as it grapples with the issues at hand. The two most relevant investigations were: 1) An investigation as to how easily undercover GAO investigators using movie prop badges and fake law enforcement IDs created with off the shelf software were able to access secure government facilities and secured areas of airports; and, 2) An investigation as to how easily undercover GAO investigators were able to obtain state issued driver's licenses by submitting obviously fraudulent identity documents to counter clerks.
Perhaps this Committee would consider requesting the GAO to perform an investigation of how easily they can access telecommunication company databases; financial services companies databases; utility companies databases; hospital databases; university databases; and, state and federal government agency databases, all by means of social engineering/pretext. I think the results would be enlightening.
Oversight and Enforcement Are Critical
Additionally, Congress needs to exercise oversight on the agencies already charged with enforcing the FCRA, GLBA, DPPA, and other applicable privacy and data security laws. From credit reports, to financial account information, to driver's records and beyond--it is all for sale by hundreds of companies routinely laughing in the face of Congress and the laws that are not enforced.
Those laws were passed with reasons that were important at the time, but are even more important in the age of terrorism that has been visited upon our shores. Our porous information systems in this country are a terrorists dream and a potential terrorist tool. It is time we get serious about protecting information of all forms in this nation.
In addition to the dangers of criminals, terrorists, identity thieves, and illicit information brokers who violate Americans' privacy there is an equally compelling reason to take action to protect personal information. The very same information that is too often abused is the life blood of this country and all Americans. If Americans don't have faith that the information they provide is secure it will harm commerce, and more fundamentally, the trust we all place in those that we share our most important and private data with.
In closing, I'd like to make an offer to this Committee, any other Committee of the Congress, any individual Senator of Representative, or any agency of the United States government. I will gladly volunteer my time and resources, including the information and evidence I've gathered over the last 8 years, to provide as much assistance as I can to securing the personal information of Americans.
I have testified before the United States Congress on four previous occasions. The July 28, 1998 Hearing on "The Use of Deceptive Practices To Gain Access To Personal Financial Information" (U.S. House of Representatives Committee on Banking and Financial Services); the April 12, 2000 Hearing on "Establishing a Commission For the Comprehensive Study of Privacy Protection" (U.S. House of Representatives Committee on Government Reform, Subcommittee on Government Management, Information and Technology); the September 13, 2000 Hearing on "Identity Theft and Related Financial Privacy Issues" (U.S. House of Representatives Committee on Banking and Financial Services); and, the September 9, 2003 Hearing on "Homeland Security Threats Posed By Document Fraud, Identity Theft, and Social Security Number Misuse" (U.S. Senate Committee on Finance).
In addition to my previous testimonies before Congress, I served as a consultant and expert witness for the Federal Trade Commission in the preparation and execution of Operation Detect Pretext, a sting operation designed to catch and prosecute individual and corporate offenders participating in the illegal "information broker" industry. I also served as an expert witness to the Florida Statewide Grand Jury on Identity Theft. I continue to serve as an expert witness and consultant for the plaintiffs in a federal civil action brought in New Hampshire by the parents of Amy Boyer, a young woman slain in a murder/suicide committed by a man who purchased Ms. Boyer's social security number, date of birth, and place of employment from a web-based information broker. I have lectured before local, state, federal and international law enforcement associations on the topic of identity crimes.
To assist the private sector and the financial services industry in its efforts to detect and combat financial crimes involving identity theft, I have authored a number of training guides including: "Privacy and Customer Information Security - An Employee Awareness Guide" (2001); and, "Spotting and Avoiding Pretext Calls" (2000). I have served as a keynote speaker for the FDIC and I have been a frequent lecturer at state and national banking association conferences.
Finally, prior to founding American Privacy Consultants, Inc., I was a Washington, D.C. private detective specializing in criminal defense investigation. I have worked cases involving murder, international terrorism (including conspiracy to murder U.S. nationals and hijacking), political corruption, and government fraud. I have twice been appointed by the U.S. District Court for Washington, D.C. to serve as criminal defense investigator in matters involving international terrorism by members of known Islamic terrorist organizations.
For a complete curriculum vitae see http://www.privacytoday.com/douglas.htm
Statement by Robert Douglas