PRC's Privacy Update No. 4, Iss. 1

In this issue . . .

  1. Privacy Tips for Tax Season
  2. The Sale of Cell Phone Records Shines Spotlight on the Lack of Regulation of Online Data Brokers
  3. Google Desktop Search: Better Safe than Speedy
  4. Our Newest Fact Sheet ñ Dealing with Security Breaches


[1] Privacy Tips for Tax Season

You may be resigned to giving the government your money this tax season, but watch out for fraudsters looking for a piece of the action. Your tax forms contain sensitive information, including your Social Security Number.

This tax season offers consumers a number of methods for completing their returns. Taxpayers have a choice of filing by mail or electronically. Consumers may use personal software, professional services, or old-fashioned pencil and paper. Either way you can bet there is a fraudster ready with a scam.

Heed these privacy safety tips:

- If you are filing electronically, check your computer for spyware.

- If filing by postal mail, send the mail from a secure location.

- If you use a professional tax service, check out its privacy policy and security practices.

- When throwing out old records that are no longer needed (after the IRS record retention period expires), shred anything containing personal information.

The PRC offers more tax season privacy tips at

Not only should you be smart about how you file your return, you should also be aware of refund scams. The IRS has warned consumers about fraudulent emails requesting personal information to process refunds. The IRS cautions taxpayers that it does not send unsolicited email asking for personal information. For more on this scam see the PRC alert available at: m #3

For more information on avoiding tax scams, see the IRS listing of its ìDirty Dozenî scams available at:,,id=136337,00.html

The IRS also offers specific tips for Identity Theft victims available at,,id=136324,00.html


[2] The Sale of Cell Phone Records Shines Spotlight on the Lack of Regulation of Online Data Brokers

Recent revelations that our cell phone records are for sale on the Internet has led to outrage and most importantly proposed legislation in Congress and several states.

Online data vendors offer complete details of cell phone calls for as little as $110. It is suspected that the phone records are obtained through a method called ìpretexting.î For example, phone records can be obtained by pretending to be the customer and asking that the phone statement be faxed or emailed.

For tips on protecting your cell phone records see the PRC alert at:

Unfortunately cell phone records are just the tip of the iceberg. The Internet is a haven for disreputable companies that offer to sell Social Security numbers and virtually every sensitive piece of information you can imagine. One even claims it can create lists of all medical clinics, dentists, or specialized doctors a person has visited.

The Federal Trade Commission explains that pretexting comes in a variety of forms. For example, a pretexter may call, claim he's from a survey firm, and ask you a few questions. When the pretexter has the information he wants, he uses it to call your financial or medical institution pretending to be you or someone with authorized access to your account. He might claim that he's on a business trip and has forgotten his checkbook and that he needs information about his account faxed to him at the hotel.

To help prevent these companies from accessing and potentially selling your personal information, especially if you are a stalking or domestic violence victim, a prominent public figure, or you are going through a contentious legal battle such as a divorce or child custody case, put passwords on your various financial, phone, wireless, and medical accounts. To further protect yourself eliminate hints or ìreminder questionsî as a prompt if you forget your password. Instead require in-person verification of your identity before your password is revealed. Often the reminder questions are too easy for a thief to guess.

In addition follow these tips on avoiding pretexting.

- Don't give out personal information on the phone, through the mail or over the Internet unless you've initiated the contact or know who you're dealing with.

- When creating passwords avoid using easily available information like your mother's maiden name, your birth date, the last four digits of your SSN or your phone number, or a series of consecutive numbers.

- Ask your financial and medical institutions for their policies about sharing your information. Ask them specifically about their policies to prevent pretexting.

To take control of this problem, write to your Congressional and state legislative representatives. Companies offering to sell your information are unregulated. The online broker industry has been allowed to develop and grow with virtually NO government oversight. You can find the contact information of your state and Congressional representatives at

Consumers Union has a sample letter to send to your representatives about cell phone records.

The FTC has more information on pretexting at

For tips on protecting your cell phone records see the PRC alert at:

[3] Google Desktop Search: Better Safe than Speedy

The ability to quickly search the hard drives among your several computers might cost more than you think. The latest version of Google Desktop has a feature called Search Across Computers. It allows you to access files created on one computer, your laptop for example, from a second computer, such as your home or work desktop computer.

But this convenience comes at a price. By necessity, personal data you share between computers will be temporarily stored on Google's servers. Although Google encrypts and removes the data after 30 days, your privacy protection is greatly diminished once the information is turned over to a third party.

The Electronic Communication Privacy Act of 1986, or ECPA, gives specified reasons, including compliance with a subpoena, which enable third parties to access the information you store on their servers. Google, the most popular search engine, represents a particularly acute concern because of the potential to retrieve a vast amount of information from a single source.

In addition, medical offices and educational institutions may be implicitly required by law not to use Google Desktop Search. Federal laws including the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) regulate the sharing of personal information. At least one university has already banned the use of Google Desktop Search out of concerns that it will be too difficult to control the information once it is released to Google.

Until the law is amended to increase your privacy during third party transfers, other methods of transferring personal data, such as storing files on CDs and DVDs, memory sticks, portable hard drives, and even floppy disks, are a slower but safer option.

To read more about the privacy implications of using Google Desktop Search, see the Electronic Frontier Foundation's press release:

[4] Our Newest Fact Sheet ñ Dealing with Security Breaches

A day doesn't go by, it seems, that we don't learn of a new security breach ñ a lost or stolen laptop, a hacking incident involving sensitive personal information, a web site that inadvertently exposes personal data.

The PRC's latest Fact Sheet explores what to do if you receive a letter informing you that your personal information has been compromised by a data breach. First and foremost ñ don't panic. You are protected from financial loss by federal law. And you can take some identity theft prevention steps. Check out our Fact Sheet 17b at

We are collecting security breach letters. If you have received a notice about a security breach, feel free to fax or mail it to us. Our contact information is below.

And don't forget to check our Chronology of Security Breaches at



  To subscribe to our free email newsletter, go to