The End of Privacy

Adam L. Penenberg
Forbes (cover story), 11.29.99

THE PHONE RANG AND A STRANGER CRACKED SING-SONGY at the other end of the line: “Happy Birthday.” That was spooky – the next day I would turn 37.
“Your full name is Adam Landis Penenberg,” the caller continued. “Landis?”

My mother’s maiden name.

“I’m touched,” he said. Then Daniel Cohn, Web detective, reeled off the rest of my “base identifiers” – my birth date, address in New York, Social Security number. Just two days earlier I had issued Cohn a challenge: Starting with my byline, dig up as much information about me as you can.

“That didn’t take long,” I said.

“It took about five minutes,” Cohn said, cackling back in Boca Raton, Fla. “I’ll have the rest within a week.” And the line went dead.

In all of six days Dan Cohn and his Web detective agency, Docusearch.com, shattered every notion I had about privacy in this country (or whatever remains of it). Using only a keyboard and the phone, he was able to uncover the innermost details of my life – whom I call late at night; how much money I have in the bank; my salary and rent. He even got my unlisted phone numbers, both of them. Okay, so you’ve heard it before: America, the country that made “right to privacy” a credo, has lost its privacy to the computer. But it’s far worse than you think. Advances in smart data-sifting techniques and the rise of massive databases have conspired to strip you naked. The spread of the Web is the final step. It will make most of the secrets you have more instantly available than ever before, ready to reveal themselves in a few taps on the keyboard.

For decades this information rested in remote mainframes that were difficult to access, even for the techies who put it there. The move to desktop PCs and local servers in the 1990s has distributed these data far and wide. Computers now hold half a billion bank accounts, half a billion credit card accounts, hundreds of millions of mortgages and retirement funds and medical claims and more. The Web seamlessly links it all together. As e-commerce grows, marketers and busybodies will crack open a cache of new consumer data more revealing than ever before. It will be a salesman’s dream – and a paranoid’s nightmare. Adding to the paranoia: Hundreds of data sleuths like Dan Cohn of Docusearch have opened up shop on the Web to sell precious pieces of these data. Some are ethical; some aren’t. They mine celebrity secrets, spy on business rivals and track down hidden assets, secret lovers and deadbeat dads. They include Strategic Data Service (at datahawk.com) and Infoseekers.com and Dig Dirt Inc. (both at the PI Mall).

Cohn’s firm will get a client your unlisted number for $49, your Social Security number for $49 and your bank balances for $45. Your driving record goes for $35; tracing a cell phone number costs $84. Cohn will even tell someone what stocks, bonds and securities you own (for $209). As with computers, the price of information has plunged.

You may well ask: What’s the big deal? We consumers are as much to blame as marketers for all these loose data. At every turn we have willingly given up a layer of privacy in exchange for convenience; it is why we use a credit card to shop, enduring a barrage of junk mail. Why should we care if our personal information isn’t so personal anymore?

Well, take this test: Next time you are at a party, tell a stranger your salary, checking account balance, mortgage payment and Social Security number. If this makes you uneasy, you have your answer.

“If the post office said we have to use transparent envelopes, people would go crazy, because the fact is we all have something to hide,” says Edward Wade, a privacy advocate who wrote Identity Theft: The Cybercrime of the Millennium (Loompanics Unlimited, 1999) under the pseudonym John Q. Newman.

You can do a few things about it. Give your business to the companies that take extra steps to safeguard your data and will guarantee it. Refuse to reveal your Social Security number – the key for decrypting your privacy – to all but the financial institutions required by law to record it.

Do something, because many banks, brokerages, credit card issuers and others are lax, even careless, about locking away your records. They take varied steps in trying to protect your privacy. Some sell information to other marketers, and many let hundreds of employees access your data. Some workers, aiming to please, blithely hand out your account number, balance and more whenever someone calls and asks for it. That’s how Cohn pierced my privacy.

“You call up a company and make it seem like you’re a spy on a covert mission, and only they can help you,” he says. “It works every time. All day long I deal with spy wannabes.”

I’m not the paranoid type; I don’t see a huddle on TV and think that 11 football players are talking about me. But things have gone too far. A stalker would kill for the wealth of information Cohn was able to dig up. A crook could parlay the data into credit card scams and “identity theft,” pilfering my good credit rating and using it to pull more ripoffs.

Cohn operates in this netherworld of private eyes, ex-spooks and ex-cops, retired military men, accountants and research librarians. Now 39, he grew up in the Philadelphia suburb of Bryn Mawr, attended Penn State and joined the Navy in 1980 for a three-year stint. In 1987 Cohn formed his own agency to investigate insurance fraud and set up shop in Florida. “There was no shortage of work,” he says. He invented a “video periscope” that could rise up through the roof of a van to record a target’s scam.

In 1995 he founded Docusearch with childhood pal Kenneth Zeiss. They fill up to 100 orders a day on the Web, and expect $1 million in business this year. Their clients include lawyers, insurers, private eyes; the Los Angeles Pension Union is a customer, and Citibank’s legal recovery department uses Docusearch to find debtors on the run.

Cohn, Zeiss and 13 researchers (6 of them licensed P.I.s) work out of the top floor of a dull, five-story office building in Boca Raton, Fla., sitting in cubicles under a fluorescent glare and taking orders from 9 a.m. to 4 p.m. Their Web site is open 24 hours a day, 365 days a year. You click through it and load up an on-line shopping cart as casually as if you were at Amazon.com.

The researchers use sharp sifting methods, but Cohn also admits to misrepresenting who he is and what he is after. He says the law lets licensed investigators use such tricks as “pretext calling,” fooling company employees into divulging customer data over the phone (legal in all but a few states). He even claims to have a government source who provides unpublished numbers for a fee, “and you’ll never figure out how he is paid because there’s no paper trail.”

Yet Cohn claims to be more scrupulous than rivals. “Unlike an information broker, I won’t break the law. I turn down jobs, like if a jealous boyfriend wants to find out where his ex is living.” He also says he won’t resell the information to anyone else.

Let’s hope not. Cohn’s first step into my digital domain was to plug my name into the credit bureaus – Transunion, Equifax, Experian. In minutes he had my Social Security number, address and birth date. Credit agencies are supposed to ensure that their subscribers (retailers, auto dealers, banks, mortgage companies) have a legitimate need to check credit.

“We physically visit applicants to make sure they live up to our service agreement,” says David Mooney of Equifax, which keeps records on 200 million Americans and shares them with 114,000 clients. He says resellers of the data must do the same. “It’s rare that anyone abuses the system.” But Cohn says he gets his data from a reseller, and no one has ever checked up on him.

Armed with my credit header, Dan Cohn tapped other sites. A week after my birthday, true to his word, he faxed me a three-page summary of my life. He had pulled up my utility bills, my two unlisted phone numbers and my finances.

This gave him the ability to map my routines, if he had chosen to do so: how much cash I burn in a week ($400), how much I deposit twice a month ($3,061), my favorite neighborhood bistro (the Flea Market Cafe), the $720 monthly checks I write out to one Judith Pekowsky: my psychotherapist. (When you live in New York, you see a shrink; it’s the law.) If I had an incurable disease, Cohn could probably find that out, too.

He had my latest phone bill ($108) and a list of long distance calls made from home – including late-night fiber-optic dalliances (which soon ended) with a woman who traveled a lot. Cohn also divined the phone numbers of a few of my sources, underground computer hackers who aren’t wanted by the police – but probably should be.

Knowing my Social Security number and other personal details helped Cohn get access to a Federal Reserve database that told him where I had deposits. Cohn found accounts I had forgotten long ago: $503 at Apple Bank for Savings in an account held by a long-ago landlord as a security deposit; $7 in a dormant savings account at Chase Manhattan Bank; $1,000 in another Chase account.

A few days later Cohn struck the mother lode. He located my cash management account, opened a few months earlier at Merrill Lynch & Co. That gave him a peek at my balance, direct deposits from work, withdrawals, ATM visits, check numbers with dates and amounts, and the name of my broker.

That’s too much for some privacy hawks. “If someone can call your bank and get them to release account information without your consent, it means you have no privacy,” says Russell Smith, director of Consumer.net in Alexandria, Va., who has won more than $40,000 suing telemarketers for bothering him. “The two issues are knowledge and control: You should know what information about you is out there, and you should be able to control who gets it.”

How did Cohn get hold of my Merrill Lynch secrets? Directly from the source. Cohn says he phoned Merrill Lynch and talked to one of 500 employees who can tap into my data. “Hi, I’m Dan Cohn, a licensed state investigator conducting an investigation of an Adam Penenberg,” he told the staffer, knowing the words “licensed” and “state” make it sound like he works for law enforcement.

Then he recited my Social Security, birth date and address, “and before I could get out anything more he spat out your account number.” Cohn told the helpful worker: “I talked to Penenberg’s broker, um, I can’t remember his name….”

“Dan Dunn?” the Merrill Lynch guy asked. “Yeah, Dan Dunn,” Cohn said. The staffer then read Cohn my complete history-balance, deposits, withdrawals, check numbers and amounts. “You have to talk in the lingo the bank people talk so they don’t even know they are being taken,” he says.

Merrill’s response: It couldn’t have happened this way – and if it did, it’s partly my fault. Merrill staff answers phoned-in questions only when the caller provides the full account number or personal details, Merrill spokesperson Bobbie Collins says. She adds that I could have insisted on an “additional telephonic security code” the caller would have to punch in before getting information, and that this option was disclosed when I opened my CMA. Guess I didn’t read the fine print, not that it mattered: Cohn says he got my account number from the Merrill rep.

Sprint, my long distance carrier, investigated how my account was breached and found that a Mr. Penenberg had called to inquire about my most recent bill. Cohn says only that he called his government contact. Whoever made the call, “he posed as you and had enough information to convince our customer service representative that he was you,” says Russ R. Robinson, a Sprint spokesman. “We want to make it easy for our customers to do business with us over the phone, so you are darned if you do and darned if you don’t.”

Bell Atlantic, my local phone company, told me a similar tale, only it was a Mrs. Penenberg who called in on behalf of her husband. I recently attended a conference in Las Vegas but don’t remember having tied the knot.

For the most part Cohn’s methods fly below the radar of the law. “There is no general law that protects consumers’ privacy in the U.S.,” says David Banisar, a Washington lawyer who helped found the Electronic Privacy Information Center (www.epic.org). In Europe companies classified as “data controllers” can’t hand out your personal details without your permission, but the U.S. has as little protection as China, he contends.

The “credit header” – name, address, birth date, Social Security – used to be kept confidential under the Fair Credit Reporting Act. But in 1989 the Federal Trade Commission exempted it from such protection, bowing to the credit bureaus, bail bondsmen and private eyes.

Some piecemeal protections are in place: a 1984 act protecting cable TV bills; the 1988 Video Privacy Protection Act, passed after a newspaper published the video rental records of Supreme Court nominee Robert Bork. “It’s crazy, but your movie rental history is more protected under the law than your credit history is,” says Wade, the author.

Colorado is one of the few states that prohibit “pretext calling” by someone pretending to be someone else. In July James Rapp, 39, and wife Regana, 29, who ran info-broker Touch Tone Information out of a strip mall in Aurora, Colo., were charged with impersonating the Ramseys – of the JonBenet child murder case – to get hold of banking records that might be related to the case.

Congress may get into the act with bills to outlaw pretext calling. But lawyer Banisar says more than 100 privacy bills filed in the past two years have gone nowhere. He blames “an unholy alliance between marketers and government agencies that want access” to their data.

Indeed, government agencies are some of the worst offenders in selling your data. In many states the Department of Motor Vehicles was a major peddler of personal data until Congress passed the Driver’s Privacy Protection Act of 1994, pushing states to enact laws that let drivers block distribution of their names and addresses. Some states, such as Georgia, take it seriously, but South Carolina has challenged it all the way up to the U.S. Supreme Court. Oral arguments are scheduled for this month.

As originally conceived, Social Security numbers weren’t to be used for identification purposes. But nowadays you are compelled by law to give an accurate number to a bank or other institution that pays you interest or dividends; thank you, Internal Revenue Service. The bank, in turn, just might trade that number away to a credit bureau – even if you aren’t applying for credit. That’s how snoops can tap so many databases.

Here’s a theoretical way to stop this linking process without compromising the IRS’ ability to track unreported income: Suppose that, instead of issuing you a single 9-digit number, the IRS gave you a dozen 11-digit numbers and let you report income under any of them. You could release one to your employer, another to your broker, a third to your health insurer, a fourth to the firms that need to know your credit history. It would be hard for a sleuth to know that William H. Smith 001-24-7829-33 was the same as 350-68-4561-49. Your digital personas would converge at only one point in cyberspace, inside the extremely well guarded computers of the IRS.
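The per-recipient numbering idea above can be sketched in a few lines. This is an added illustration, not part of the original article: it assumes the issuer derives each 11-digit number with HMAC-SHA256 under a key only it holds, and the function names, key, party labels and taxpayer ids are all hypothetical.

```python
import hashlib
import hmac

# Constructed demo key; in the article's scheme only the issuer (the IRS) holds it.
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"
# Constructed sample data: two master records and the parties a person deals with.
REGISTRY = ["constructed-taxpayer-0001", "constructed-taxpayer-0002"]
PARTIES = ["employer", "broker", "health-insurer", "credit-bureau"]


def derive_number(master_id: str, party: str, key: bytes = ISSUER_KEY) -> str:
    """Derive the 11-digit number a person hands to one specific party."""
    msg = f"{master_id}|{party}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # Reduce to 11 decimal digits and print in the article's 3-2-4-2 grouping.
    # A real issuer would also check uniqueness before issuing a number.
    digits = f"{int.from_bytes(digest[:8], 'big') % 10**11:011d}"
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:9]}-{digits[9:]}"


def issue_numbers(master_id: str, parties=PARTIES, key: bytes = ISSUER_KEY) -> dict:
    """One unrelated-looking number per party for the same person."""
    return {party: derive_number(master_id, party, key) for party in parties}


def resolve(number: str, registry=REGISTRY, parties=PARTIES,
            key: bytes = ISSUER_KEY):
    """Issuer-side lookup: map a reported number back to its master record.

    Without the issuer's key the derivation cannot be repeated, so two
    numbers held by different parties cannot be tied to one person.
    """
    for master_id in registry:
        for party in parties:
            candidate = derive_number(master_id, party, key)
            if hmac.compare_digest(candidate, number):
                return master_id
    return None


if __name__ == "__main__":
    numbers = issue_numbers(REGISTRY[0])
    for party, number in numbers.items():
        print(f"{party:15s} {number}")
    print("issuer resolves broker number to:", resolve(numbers["broker"]))
    print("outsider with wrong key gets:",
          resolve(numbers["broker"], key=b"outsider-guess"))
```

The records converge only where the key lives, which is the single point the article says must be well guarded.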

But for now, you have to fend for yourself by being picky about which firms you do business with and how much you tell them. If you are opening a bank account with no credit attached to it, ask the bank to withhold your Social Security number from credit bureaus. Make sure your broker gives you, as Merrill Lynch does, the option of restricting telephone access to your account, and use it. If a business without a legitimate need for the Social Security number asks for it, leave the space blank – or fill it with an incorrect number. (Hint: To make it look legitimate, use an even number between 10 and 90 for the middle two digits.)

Daniel Cohn makes no apologies for how he earns a living. He sees himself as a data-robbing Robin Hood. “The problem isn’t the amount of information available, it’s the fact that until recently only the wealthy could afford it. That’s where we come in.”

In the meantime, until a better solution emerges, I’m starting over: I will change all of my bank, utility and credit-card account numbers and apply for new unlisted phone numbers. That should keep the info-brokers at bay for a while – at least for the next week or two.

Copyright 1999 Adam L. Penenberg (penenberg.com)