To many, it’s not a surprise to find out the privacy dangers associated with some online quizzes, and things of that sort. A recent PCWorld article entitledSecrets of Online Quizzes talks about how some of the quizzes out there are using the data collected to target online ads to the recipient. It also refers to an article that talks about how facebook quiz developers are automatically granted access to your profile when you agree to take their quiz.

I consider both of these to be frightening scenarios. It also got me thinking again about one of the other big privacy and security loopholes I’ve seen out there. The online name quiz. I suspect you’ve seen it… “what’s your Jedi name?” or “your stripper name?”

A quick google search gave me some of the sample questions:

DETECTIVE NAME:(favorite color, favorite animal)
Red Kangaroo

DRAG QUEEN NAME: (first pet + mother’s maiden name)
Margo Webster

MOB NAME (Dad’s name, favorite Italian restaurant)
Bill Regina

MOVIE STAR NAME: (grandfather/grandmother on your Mum’s side, your favorite candy)
Evelyn Reese

MOVIE STAR VAR 1: (grandfather/grandmother on your dad’s side, favorite candy)
Graham Reese

MOVIE STAR VAR 2: (favorite snack food + grandfather’s first name)
Doritos Graham

MOVIE STAR VAR 3: (first pet’s name + Favorite teacher’s name)
Margo Levine

NASCAR NAME:(first name of your mother’s dad, father’s dad)
Sidney Bill

NEWSCASTER NAME (your middle name, moms maiden name)
George Webster

PORN NAME: (1st pet, a street you grew up on)
Duff Veronica

PORN VARIATION: (first pet and current street name)
Duff Verdun

PORN VARIATION 2: (middle name, father’s middle initial, street you grew up on)
George T. Randall

PORN VARIATION 3: (current pet’s name, street you grew up on)
Amber Veronica

SOAP OPERA NAME:(middle name, city where you were born)
George Syracuse

WITNESS PROTECTION NAME:(mother and fathers middle names)
Julie Tracy

WITNESS VARIATION: (grandfather and grandmothers first name
Graham Ruth

(I’ve changed the answers that I’d pulled off the website, so as to not endanger the person who posted it.)

See the problem? These are all questions that banks, financial institutions, and other groups out there might ask you, as ‘questions that you’ll only know the answers to’ to prove your identity. With the current state of the internet, once that data is out there, it’s out there forever.

People really need to understand the implications of what happens when they put their data out there. I still think we’re in for a big problem very soon with all of this. This just makes identity theft that much easier.

I was reading Bruce Schneier’s recent post on his blog and was thinking “hey, I’ve been meaning to write this.”

In general, this bothers me. What bothers me just as much is the blind acceptance that goes along with it. I’ve often heard the argument of “Oh, I’m sure that all of that information is out there anyhow, it’s no longer worth my effort to try and protect it.” More disturbingly, I’ve heard this argument from people who have been entrusted with the data of others.

On the whole, the US has been lulled into a complacent attitude towards their personal information and privacy. With the steady rise in identity theft, and a weak economy, I really have to wonder when we’ll reach the point of personal identity information being worthless, since none of it can be trusted.

I often think of my bank. Banks are built with the image of security involved. What could be physically safer than a big thick vault? In fact, when I hear of a bank being robbed, it is usually a daytime robbery, which involves bypassing the humans, and not cracking the vault.

Compare that to modern life on the internet. You may do your banking on the internet… how do you know that it’s safe? More importantly, how does the bank know that it’s really you? There are basic protections in place, but with the amount of data about people on the internet, it’s getting very hard to be sure that the person on the other end of the wire is really who they say they are.

I’m increasingly convinced that there is going to be a big technology/privacy “incident” sometime soon. I don’t know what it will be, or who it will effect. I hope we all survive it. More so, I hope we all learn from it, finally.

This has bothered me since I first read it.

Let’s look at how this works, step by step:

Florida illegally sells the personal information of all of it’s residents, for $27 million per year, over a 4 year period, bringing in a total of $108 million dollars.

They get sued, and lose.

Their fine is $10.4 million dollars,

Yet they’ve still brought in $108 million, so really, they’re still coming out ahead by $97.6 million dollars.

What exactly is their incentive not to do this? Apparently there is none. Florida has done this before, selling the pictures of all of their licensed drivers back in 1999, for a penny a piece.

To their credit, Florida does have laws
designed to limit this. Note the paragraph that says:

DPPA is designed to limit public access to your social security number, driver license or identification card number, name, address, telephone number, medical or disability information, and emergency contact information contained in your motor vehicle, driver license, and vehicular crash records.

Now go back and read the original article. The information that was sold was:

The personal information that was sold included a driver’s photo, Social Security number, driver ID number, name, address, phone number and medical condition.

I believe that they’re at least in violation of some federal laws by selling the information. It’s even more surprising that they’ve passed a law that prohibits them from doing exactly what they’ve done. The ACLU was involved in the case as far back as 1997, in an incident involving the same firm.

I think it’s appalling that the State of Florida would sell out it’s residents private information. It will be curious to see if incidents of identity theft increase dramatically for Florida residents. The state is, after all, potentially helping that be the case. The initial article claims this was done to make up for a budget shortfall, yet this action goes back over 10 years. This isn’t a budget shortfall, they’ve decided that this is a regular money-making opportunity.

I hope there aren’t other states doing similar things. If you know of one, I’d love to hear about it.

As reported here.

The article reports:

The personal information that was sold included a driver’s photo, Social Security number, driver ID number, name, address, phone number and medical condition.

That’s more than enough information for identity theft to occur, and yet the state is taking the view of:

”No one’s hurt, no one’s injured, and we’re paying $10 million?” said Sen. Larcenia Bullard, D-Miami.

”It’s $10 million or the potential is in the billions,” replied Steven Fielder, lobbyist for the Department of Highway Safety and Motor Vehicles.

So, it’s $10 million in revenue for the state, with the licensed drivers of the state incurring all the risk.
I’m very happy I don’t live in Florida. Given the state of the US economy though, I have to wonder how many other states are (or will be) following suit.

It’s distressing that the article doesn’t even mention if it provided specific data, or aggregate demographics. Similarly, state residents weren’t made aware, or given the option to opt out. This is a very very bad trend.

I’ll be watching this closely.