• We are all being tracked now. What should we do about that?

    Apple took its turn in the privacy hot seat this week, but it was a short stay.  Before the company could press-release its way out of trouble over its location-tracking iPhones, Sony grabbed that spotlight with a far more serious data transgression.

    When Sony's PlayStation disaster distracted us from Apple's geolocation fiasco, we lost much more than 77 million accounts' worth of data.  We lost a tremendous learning opportunity, a chance to focus on the greatest privacy question of our time, or perhaps any time:

    Should we let corporations and governments know where we are all the time?

    When researchers discovered last week that there was enough information in a file on most iPhones to determine the owner’s whereabouts dating back several months, disturbing location maps began appearing all over the Internet. But really, they were just visual representations of something most of us already knew deep inside: Cell phone companies know where we are all the time.  We also know grocery stores track what we eat and that governments know when we drive through toll booths.

    The problem is this: We've never talked about whether this is a good or a bad idea.  We are all being tracked now, and our whereabouts logged.  But what should we do about it?

    Complex discussions about privacy are one thing. Allowing the world to know where you are, and to keep that information indefinitely, is another. Most of us shove these spooky thoughts out of our mind, until there's a news incident with just the right elements -- a big company that is cavalier with our data, secretly surveils us, misleads us or falls prey to a dramatic hack --  that we sit up and notice.  Visualizations, like the Apple tracking maps we saw, help too.


    The concern usually only lasts for a day or so, but the issue remains: What rules should govern the capture and retention of location information? The maps generated through Apple's secret location file are no different than the map I generated recently using an app called Cree.py, which scours the Internet grabbing as much location data as it can from Targets.

     If that's not enough to unnerve you, it should at least be enough to convince you that now is the time for this discussion.  Geolocation-enabled software like Twitter, Facebook and Foursquare is all the rage. Computers can tell you lots of interesting things when they know where you are -- like where your friends are, or where there's a good deal on pizza. That's great. 

    The real problem is the retention of location information over time. Even if you completely trust individual companies like Apple not to abuse such information, you can't assume the culture of that firm will never change.  More important, by now we should all know that no business can be trusted 100 percent to keep information out of hackers' prying hands. Meanwhile, cell phone providers basically admitted to Congress this week that they have no control over third-party software developers and what they do with location information. Maybe it doesn't bug you that a cell phone company and its partners know where you've been for the past six months, but what about a random hacker?

    There are serious political concerns with storage of this level of information. If a company has data on its computers, it can share it with another company; a law enforcement agency can get it; a lawyer with a court order can get it. Meanwhile, if a hacker can get it, so can a foreign government.  It’s not hard to imagine a scenario in which the Chinese government could learn the physical location of millions of Americans over time.

    Msnbc.com's Rosa Golijan constructed this map from her iPhone's location data file.

    Apple was hit with a lot of flak this week for its relatively slow response to the crisis. The explanation that it didn't collect cell phone locations, but rather the location of nearby towers and hot spots (at this point, I'll repeat again for them -- some “more than 100 miles away") was meaningless. Obviously, anyone with access to the file on the iPhone could figure out where you were for months, and that's terrible. The firm says long-term storage of the information was essentially a bug that will be fixed. Sure, but when might a similar bug occur?

    On the other hand, if you sensed from Apple -- and Apple sympathizers -- a bit of, "everyone does this, why is this such a big deal?” that's because they're right.  It's true that location information greatly helps their network function. Anyone who's ever turned on a GPS and waited five minutes for the gadget to get a "fix" can appreciate the enhancement Apple was implementing.  Plenty of other companies do collect and use detailed location information about us.  Many will tell you they “anonymize” the information, they have strict policies about how it is used and stored,  that they always get users’ permission before collecting it, that  they secure it, yadda, yadda, yadda. The Apple incident shows that location information is toxic, and the consequences of its collection can be very hard to control.

    Here's the problem.  Consumer data -- particularly location data -- is the nuclear waste of the digital age.  Companies collect as much of it as they possibly can, and keep it as long as they can. They can't help themselves.  But the half-life of personal information is infinity. Long after the data is useful, it hangs around like so many spent fuel rods, waiting for hackers to steal it or someone to accidentally load it onto a USB stick. There are hundreds of examples of this every year. 

    Apple may now be shrinking the time it stores location data from months to seven days, but it's doing so out of the goodness of its heart. It could reverse this decision – or another bug could appear that causes longer-term storage again.  The only consequence would be another embarrassing news story.

    A location data map created by msnbc.com with Cree.py.

    That’s lunacy.  Laws – not promises -- are needed to codify what location information can be used for, and how long it can be stored. 

    The law governing health care personal information, HIPAA, has many flaws, but it served one important purpose. HIPAA created a mystique around health care information, a culture of very conservative information sharing among health care workers.  The seriousness with which doctors, nurses, dentists, etc., take HIPAA's secrecy policy is striking. I have several friends who volunteer at hospitals and are deathly afraid of talking about patients in even the most general terms.

    Those who collect location information should be forced into a culture at least that sober. Apple should know, for example, that if it ever stores a year of location information anywhere again, there will be consequences that will immediately impact the company’s bottom line, and its stock price.

    I know many people really believe they have nothing to hide. Clearly, millions of Internet users are comfortable broadcasting their location to the world, and can't imagine any serious consequences coming from it.  They might be right. It's certainly their right to take advantage of the fun things location-enabled software can do, and no one wants to take that away from them.

    I would respectfully argue that this is unsophisticated thinking, however.  Today's neat location perk is a scant trade-off for unknown consequences that might come 5, 10, even 25 years from now. I think most people, confronted with the reality that a foreign government might build a case against them someday based on detailed information about their whereabouts, would come to more moderate conclusions about what they have to hide. How easy would it be to determine your religion, your employer, perhaps even your political views, from an intelligent search of your location information?  Why should that ever be possible?

    It's crazy that we're walking into a world where companies and governments know where we are, and where we’ve been, without guiding principles to save us from ourselves.  Location information should be deleted immediately after it is not needed for the exact purpose it was collected for.

    We need a law of the land before we permanently lose the idea that where we are, and where we've been, is a sacred secret.

                               COMMENTS BEGIN BELOW

    NOTE: Red Tape comments are aggressively moderated. Readers desire a thoughtful discussion of the issues, and that's what we aim for.  Comments that include inappropriate language, personal attacks on others, or are off-topic will be hidden, and writers risk a ban.

    TO COMMENT ANONYMOUSLY: E-mail BobSullivan@feedback.msnbc.com.  Your comment will be reviewed and posted by msnbc.com, noting the anonymity request.

    TO COMMENT WITHOUT A FACEBOOK LOGIN: E-mail BobSullivan@feedback.msnbc.com.  Your comment will be reviewed and posted by msnbc.com, attributed to you.

    Follow Bob Sullivan on Facebook by clicking here. 

  • Advocates: Consumers 'betrayed' by high court ruling on class-action suits

    Fine print in everyday consumer contracts can include provisions that require Americans to surrender their rights to file class-action lawsuits, the U.S. Supreme Court ruled Wednesday, overturning a lower court ruling.

    The ruling could have immediate impact on consumers' ability to fight against companies when they feel their rights have been violated. It also raises questions about the future of class-action cases.

    Consumer advocates roundly criticized the decision.  

    "(The ruling) is a devastating and far-reaching betrayal of the most fundamental principles of American justice," said Nan Aron, president of the Alliance for Justice, a civil rights advocacy organization. "(The court) has effectively removed any incentive for corporations to behave within the law."


    When consumers sign up for everything from cell phone service to rental cars, terms of the contracts signed often compel them to forgo traditional legal mechanisms when a dispute arises, forcing them to mandatory binding arbitration instead.  Such provisions have been struck down in many state cases as "unconscionable," with various courts deciding consumers could not be compelled to surrender basic legal rights granted by the state. That is especially true in what are known as "contracts of adhesion" -- standard form contracts offered on a "take it or leave it" basis, where consumers have little bargaining power, the courts have said.

    Last year the U.S. Supreme Court agreed to review a case filed in a California federal court in which AT&T's arbitration clause had been voided, a decision that was later upheld by a federal appeals court.

    By a 5-4 margin, the Supreme Court overturned the appeals court ruling on Wednesday, with the majority essentially saying that federal law encouraging use of arbitration trumps state laws aimed at preserving consumer rights.

    “Because it stands as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress ... the judgment of the Ninth Circuit is reversed," wrote Justice Antonin Scalia in his opinion.

    Justice Stephen Breyer wrote the dissent for the divided court.

    "California courts believe that the terms of consumer contracts can be manipulated to insulate an agreement’s author from liability for its own frauds by ‘deliberately cheat(ing) large numbers of consumers out of individually small sums of money,’ " he wrote. "Why is this kind of decision — weighing the pros and cons of all class proceedings alike — not California’s to make?"

    Class-action lawsuit advocates say that grouping consumers together is often the only way to force a misbehaving company to clean up its act. Most consumers can't or won't complain about small transgressions, such as erroneous $30 fees -- and many companies ignore such complaints. But pooled together, the voices of a million complaining consumers have much more power, and the ability to attract professional legal help.

    Detractors say that victims in class-action cases often receive minimal compensation – sometimes, only a coupon -- while lawyers earn millions in legal fees.  Binding arbitration, they say, can result in larger awards for consumers and dramatically reduce their legal fees.

    Tort reform advocate Ted Frank, writing before the Supreme Court decision was issued, argued that class-action lawyers would benefit most from a decision against AT&T.

    “In every single one of my cases, my clients would have been better off … with the  AT&T Mobility arbitration provision than with what class-action attorneys negotiated for them,” he wrote. “The media is uniformly describing this case as one of consumers vs. businesses, when it's really one of consumers vs. lawyers trying to protect their monopoly on dispute resolution procedures.”

    But some studies have called into question the fairness of arbitration boards, and their composition. In 34,000 California arbitration cases filed with the National Arbitration Forum between 2003 and 2007 and studied by Public Citizen, consumers prevailed only 4 percent of the time.

    Harvey Rosenfield, founder of California-based organization Consumer Watchdog, said the Supreme Court ruling "effectively eliminates" protections against unfair small print.

    "This decision means it will be open season on consumers,” Rosenfield said. “It slams the courtroom doors shut on Americans who are nickeled and dimed by big corporations. Knowing they can never be held accountable, American corporations will be emboldened to fleece their customers."

    Now, consumer advocates are worried that Americans will have a hard time standing up to large companies when small-dollar issues are involved.

    "Through this ruling, the court’s ultra-conservative majority continues its relentless effort to shift power to corporate interests while hobbling the ability of everyday Americans to band together within the legal system to fight back against corporate misbehavior," said Aron, the Alliance for Justice president. "After today’s ruling, corporations will now be able to decide on their own which civil rights and consumer protections they want to obey, knowing that there will be no effective means available to their victims to find redress."

    The issue of binding arbitration isn't settled, however. The financial reform law passed by Congress last year that created the Consumer Financial Protection Bureau mandated that the agency study the arbitration issue and ban techniques that are deemed "anti-consumer." The law creating the agency gives it the task of conducting a six-month study of arbitration agreements, then grants it the ability to void such agreements in contracts involving consumer financial issues.

    Legislation banning binding mandatory arbitration clauses in consumer contracts also has been introduced in Congress, most recently by former Sen. Russ Feingold, D-Wis., and Rep. Ed Markey, D-Mass., but has stalled several times.


  • Why gas prices go up much faster than they come down

    You might have heard over the weekend that skyrocketing gas prices have finally "plateaued." If gas prices were like gravity, you would anticipate they would start plummeting soon.  Raise your hand if you expect that.

    Me neither.  While the words "skyrocketing" and "gas prices" often end up in the same sentence, "plummeting" and “gas prices” rarely occupy even the same paragraph. In a perfect free market, prices should float up and down with equal speed. But in our market, what goes up doesn't seem to come down, at least not at once.  What gives?

    We've been told for months that instability in the Middle East spooked the traders who set gas prices, which are almost $1 per gallon more at the pump than a year ago. Prices jumped 30 cents from mid-March to mid-April alone, to an average $3.88 a gallon.  What are the odds, do you think, that average prices will return to $3.58 by mid-May?

    The quick rise/slow fall phenomenon will feel familiar to most consumers, who often explain it with this conventional wisdom -- greedy retailers take advantage of temporarily high prices as long as they can to sock away a little extra profit.  

    Economists tend to scoff at conventional consumer wisdom, but basic economic theory holds no explanation for the sharp rise/slow fall price pattern. Twelve years ago, economist Sam Peltzman -- a free market advocate not known for consumer-friendly research -- conducted a vast study of price "shocks," which could have dispelled these complaints as yet another whiny consumer myth. Instead, it fueled the fire. His review of 77 consumer goods that had been subject to abrupt price increases – including gas -- led Peltzman to write a paper called simply "Prices rise faster than they fall."

    "The title summarizes the main result: the person in the street is right and we are wrong," Peltzman wrote. In fact, the results were so vexing he called it “a serious gap in a fundamental area of economic theory."

    Consumers might call it price gouging; economists like Peltzman have settled on a more neutral term: "asymmetric price adjustment." And while economists have conceded this time that whiny consumers happened to be right, they aren't yet ready to sign up for their conspiracy theories.

    For economists interested in the more general problem of pricing, gas prices are a fantastic real-world laboratory.  Nearly all consumers need gas.  Prices fluctuate often, and there is (theoretically) widespread competition, making gas stations a nearly ideal marketplace to study.  And nowadays, thanks to services like GasBuddy.com, it's relatively easy to gather price data across wide geographic regions.

    The first research into what some called gas price “stickiness” was published in 1997 by a research team headed by Severin Borenstein, who found that gas prices fall about twice as slowly as they rise after a price shock. For example, if prices rise 50 cents in four weeks, and the cause of the increase is eliminated, it’ll take about eight weeks for the prices to return to pre-shock levels.

    Matt Lewis, an economist at Ohio State University, has been studying gas prices for more than a decade. He's considered some of the usual allegations, like price fixing and collusion among stations. He doesn't entirely discount those, but he thinks he's found a better explanation for the fast rise/slow fall phenomenon.  Here's his theory in a nutshell: When prices fall, consumers are so relieved that they stop shopping around for the best price. That eliminates the normal downward pressure on gas prices and allows stations to squeeze out a few more cents of profit while prices slowly fall.

    Matt Lewis

    One chart from Lewis' research, showing the inexact relationship between wholesale and retail gas prices during 2003-2005 in the Los Angeles market. Notice the soft, rounded peaks on retail prices, as opposed to the sharp peaks on wholesale prices, showing that prices don't go down as quickly as they could. Also notice that stations' profit margins often shrink as prices rise.

     

    "Consumers shop around more intensely when prices are going up. When they are falling, they don't shop around as much," Lewis said. 

    A key element of his theory is something economists call a "reference price."  Your local car salesman might know it as "framing." Once consumers get a number in their head -- $10,000 for that car, $3.70 for that gallon of gas -- all subsequent choices are impacted by a new price's relation to that reference price.  When the car dealer says, "OK, $9,500," you think you have a good deal. When the nearest gas station drops the price to $3.63, the average consumer impulsively stops searching.

    "If prices are falling, you pull into a station and think 'I have a good deal,'" Lewis said.

    The last big gas price shock -- the speculation price bubble of 2008 -- created a perfect opportunity for Lewis to test his theory.  Consumers can use GasBuddy.com to search for the lowest gas price in their area.  As prices soared in the first half of 2008, Lewis charted a similar spike in GasBuddy.com traffic.  When prices fell that fall, GasBuddy.com Web traffic fell, too -- showing gas shoppers became less interested in shopping around while gas prices waned.

    Lewis' more recent research has added another nuance to his theory that might make consumer conspiracy theorists feel a bit better. Lewis has, for years, observed several Midwestern retail gas markets that don't behave like other U.S. markets. Intense competition in some small towns near his Columbus, Ohio, home has led to regular cyclical price wars. Stations undercut each other on a daily basis, engaging in short-term price wars that might drop prices from $2.50 to $2.38, for example. But after a few weeks, one station will bite the bullet and raise prices back to $2.50.  Other stations follow suit.  Then, the cycle begins again.

    In these areas of cyclical price wars, Lewis has found that the fast rise/slow fall phenomenon doesn't apply.  In other words, stations facing intense competition can't get away with what consumers might call "gouging" and economists call asymmetric price adjustment. 

    Lewis isn't ready to generalize those observations just yet, but conventional wisdom will tell you there's not enough real competition in gas prices. Twelve years ago, Peltzman predicted imperfect competition would be blamed for the sharp rise/slow fall price pattern. He dismissed that explanation as "unlikely to be rewarding."

    But Lee Branstetter, an economist at Carnegie Mellon University, said that local monopolistic behavior is probably the fundamental cause of “downward price rigidity.” When prices go up, retailers who don’t react immediately lose money.  Failing to raise prices in lockstep with higher wholesale prices leads to an obvious, quantifiable loss. But when wholesale prices go down, many gas station owners play the game every retailer does – “How much extra can I get away with charging before I lose consumers?”  And even with competitors’ prices so obviously posted, station owners face little risk in trying to grab a few extra pennies per gallon from drivers.

    “Retail gas sellers in the same neighborhood can function as a kind of local oligopoly,” Branstetter said -- a small group of businesses that collectively operate with monopoly power. And consumers are often loath to change their buying habits.  “If you are lagging behind a little bit --  all your consumers aren't going to desert you immediately. … (Consumers) are willing to be abused a little bit in the short run.”

    Any study of retail gas prices risks ignoring complex factors in a market that is anything but pure: The spot price is controlled by speculators making bets on the whims of the oil producing nations’ cartel, the threat posed by government-subsidized energy alternatives and the likelihood of another environmental disaster, to name a few.  A mysterious wholesaling and distribution system adds to the cost in difficult-to-measure ways.   Also, gas stations often make very thin margins on retail gas sales – many use gas as a loss leader for chips and soda sales.  As prices go up, their razor-thin margins shrink toward zero, Lewis said – and station owners naturally try to recover some of those lost profits as prices head back down.

    Making the issue even murkier, behavioral economists will tell you, is the fact that gas shoppers are anything but rational agents who constantly seek out the best price. Instead, many are pesky realists for whom the nearest station will do.  On the other hand, some consumers overestimate the true value of a cheaper gallon of gas, because they underestimate the cost of driving to get that cheaper gas (what economists call "search costs”). 

    In "The Cheapest Gas in Your Area Can Cost More," Loyola College Professor Joseph Ganem makes the argument succinctly.

    "If you drive five miles out-of-the-way to purchase gas in a car that gets 25 miles per gallon, that 10-mile round trip burned 0.4 gallons. If you drove that distance to pay $2.95 per gallon to fill a 12-gallon tank, instead of paying $3.00 at your local pump, you actually spent almost a nickel more per gallon for your tank of gas," writes Ganem, author of “The Two-Headed Quarter: How to See Through Deceptive Numbers and Save Money."  He has a nifty "Is it worth it" calculator on his Web site.

    It should also be noted that while retail gas prices – in fact, all commodity prices -- remain artificially high temporarily, retailers can’t get away with exorbitant overcharges for long. Gas price history bears this out.

    “While it takes much longer for price of retail products to adjust downward, eventually you do observe adjustments,” Lee said. “The forces of competition do eventually assert themselves.”

    Still, Lewis' theory has implications far beyond the gas market. If there is a general lack of price sensitivity when prices fall, basic supply and demand just took another body blow, and comparison shopping just isn't what we thought it was.  The lesson for consumers is clear: As gas prices fall during the next few months, don't abandon the good price shopping habits you've acquired. While consumers tend to be hyper-vigilant while the price of gas is soaring, the real rip-offs will occur when it’s declining  –  when you’re likely to have stopped paying attention.


  • Gadget gives cops quick access to cell phone data

    Cellbrite.com

    The "UFED Physical Pro" helps law enforcement suck all data out of a cell phone in moments.

    The "Universal Forensic Extraction Device" sounds like the perfect cell phone snooping gadget.

    Its maker, Israel-based Cellebrite, says it can copy all the content in a cell phone --  including contacts, text messages, call history, and pictures --  within a few minutes.  Even deleted texts and other data can be restored by UFED 2.0, the latest version of the product, it says.

    And it really is a universal tool. The firm says UFED works with 3,000 cell phone models, representing 95 percent of the handset market.  Coming soon, the firm says on its website: "Additional major breakthroughs, including comprehensive iPhone physical solution; Android physical support – allowing bypassing of user lock code, (Windows Phone) support, and much more."  For good measure, UFED can extract information from GPS units in most cars.

    The gadget isn't a stalker's dream; it's an evidence-gathering tool for law enforcement. Cellebrite claims it’s already in use in 60 countries.

    That apparently includes the U.S. The American Civil Liberties Union in Michigan says it has learned that state police there have purchased some of the gadgets.  What is it doing with them? So far, Michigan authorities aren't telling. A public records request for information by the ACLU was met with a prohibitive $500,000 bill to cover the supposed cost of making the documents available.

    "They did produce documents which confirmed that they have them," said Mark Fancher, a staff attorney at the ACLU office. "We have no idea what they are doing with them."


     Technology and the Fourth Amendment have had a rocky relationship. When The Founding Fathers created protections against unlimited search and seizure, they never imagined the kind of tools that would be available to 21st century police officers.

    Cell phone data is an indispensable tool in both investigations and prosecutions. A drug dealer's contact list is an obvious treasure trove. Location information stored in the phone can prove (or disprove) an alibi.  Texts are at least as valuable as emails. Increasingly, smartphones are used as mini-laptops, placing even more ready-made evidence in one small package -- as long as law enforcement can get to it before it's destroyed.

    Because handsets are nearly always with suspects, it's easy for a would-be criminal to delete information during a traffic stop.  Remote wiping programs exist that mean critical evidence could be destroyed even after a police officer takes possession of a suspect's phone. That means law enforcement officials have great interest in slurping up all the secrets that a handset might contain as quickly as possible.  Enter Cellebrite.

    But how fast is too fast?  Fancher and the ACLU argue that most cell phone searches  are an invasion of privacy that requires law enforcement officials to get a court order before rummaging through a suspect's handset data.  While UFED could be used after an order is obtained, its obvious focus is on time-critical searches -- those that would occur, for example, right after a "routine traffic stop."

    "The Fourth Amendment protects citizens and allows them to have some confidence that law enforcement can't go in on a whim and take a look at most private details of our lives," said Fancher.  "Our concern is that the device can empty a cell phone within 90 seconds, offering law enforcement a powerful ability to intrude on and infringe on people’s rights."

    Do cops need a court order to search the contents of a cell phone?  The law is still evolving, but at least one recent major decision chose police over privacy. The California Supreme Court recently issued a ruling that allowed police to use text message evidence they'd obtained without a court order. The ruling seemed to open the door to widespread use of warrantless cell phone searches in California.

    But Fancher cautioned against generalizing too much from a single search-and-seizure case.

    "They often involve a lot of nuance," he said.  "You really have to go case-by-case when searches are involved."

    There are clear-cut cases where court orders wouldn't be required to search cell phones -- if police are in hot pursuit of a crime or have probable cause to believe that evidence is in immediate danger of being destroyed.  Such situations are exceptions, however, Fancher said. He's concerned that the easy-to-use gadgets in the hands of field officers would make cell phone searches the rule, rather than the exception.

    Cellebrite didn't immediately respond to a request for comment. On its website, the firm says it was founded in 1999 and was purchased by a Japanese company in 2007. Its data-slurping technology grew out of products it sells that are used to transfer contact information from old phones to new phones at cell phone retailers.

    The Michigan State Police did not respond to a request for comment.

    Technology continues to throw major legal headaches at law enforcement officials and Fourth Amendment rights advocates. 

    The U.S. Supreme Court is currently mulling a related issue involving the use of persistent GPS monitoring of suspects without a warrant.  In that case, the FBI placed a GPS monitoring device on a suspect's car without a warrant and then tracked his driving for weeks. The Department of Justice says the technique is akin to surveillance on public roads, but a federal appeals court ruled that such aggregation of movements over time constituted a Fourth Amendment violation. Because the ruling conflicts with other appeals court rulings in similar cases, the Department of Justice recently asked the Supreme Court to take the case and settle the matter.

    Fancher said his quest for information about the cell phone data copying device from the Michigan State Police began in 2008. After receiving a $500,000 bill for records requests, along with a demand for a $250,000 down payment, the ACLU tried to narrow its requests to reach a more reasonable cost. It filed 70 FOIA requests last November, for example. But the method also proved fruitless.

    "We have tried everything we know of to work with FOIA personnel to get the documents we seek and had no success, so we've taken the opportunity to go to the top and try to shake things loose," Fancher said.  On April 13, the ACLU sent a letter to State Police Director Kriste Etue, and made that letter public to the media.

    "The ACLU should not have to go on a fishing expedition in order to discover whether the state police are violating the privacy of individuals through the use of new, sophisticated technology," the letter read.

    The ACLU's real concern with the gadgets is that they will prove too tempting for state troopers, and abuses will occur.

    "We're not accusing the state police of using them improperly.  It's not illegal or improper for them to have them," he said. "Our concern is, what are they doing to ensure they are complying with constitutional requirements? ... We'd be interested, for example, in what kinds of supervision there is over their use."


  • Unlisted number fee a 'privacy penalty'

    Who says people won't pay to protect their privacy? Mark Swartz is one of millions of U.S. consumers who pay dearly every month to keep personal information out of the hands of marketers. In fact, Swartz figures he's paid well over $1,000 through the years for the simplest of privacy protections -- an unlisted home telephone number.

    The $4.95-a-month fee that Swartz pays is a relic from times of the AT&T monopoly, when consumers leased everything from the phone company, including handsets.  But Swartz, who lives near Boston and has had the same phone number since the 1980s, is wondering what he's getting for $60 every year.

    "Despite privacy laws and the fact that there is no ongoing expense to Verizon to not publish my number -- it's programmed into their system just once -- I have to pay them to not divulge my number," he said. "Absolutely ridiculous."

    It's also of questionable value. In the age of Google, paid search services like Spokeo and the Do Not Call list, it's debatable how effective unlisted numbers are. 


    Consumers who don't want to be bothered with marketing phone calls can place their numbers on the Do Not Call list -- now 200 million strong. While unscrupulous marketers ignore that list, maintaining an unpublished number isn't enough to avoid such lawbreakers either. Plenty of paid search services promise to sell unlisted numbers, gleaned from records as far-flung as pizza delivery services.

    It's also debatable how well the price corresponds to the cost of providing the service.

    When Swartz initially signed up with New England Telephone in May of 1980 -- it's now Verizon -- the fee was less than $1.

    "Back then things weren't all on computers and it took some recurring expense to provide the service," he said. "But now, with everything on computers, a one-time effort to code a number as nonpublished is all that is required. I cannot understand the justification for a recurring fee for this service."

    Unlisted number fees vary by state, and Massachusetts has among the highest in the country. There, the price, still regulated by the state utility commission, is $4.95 for everyone, according to Verizon.

    A 'privacy penalty'
    In other states, like California, the rate is "competitive," and is set by the local phone company. Competitive isn't exactly the right term, however, as most communities have only one land-line provider. When California deregulated the unlisted fee in 2006, it jumped from 28 cents to $1.25 per month.

    "We call it a privacy penalty," said Mark Toney, executive director of The Utility Reform Network (TURN), a California-based consumer advocacy organization.  "We don't think people should have to pay to keep their name out of the phone book. To the phone company, it's just free money."

    And it's a lot of it.  TURN estimates that half of all Californians pay for unlisted numbers -- which adds $150 million annually to AT&T's bottom line.  In 2008, lawmakers considered legislation supported by TURN to eliminate or reduce the unlisted number fee.  It failed, as did a similar initiative last year.

    "We found that AT&T had contributed to all but eight state legislators," Toney said. "When push came to shove AT&T was able to kill the bill."

    Unlisted number fees persist in part because they are a state issue -- few state-level consumer groups have the clout to take on large companies like Verizon or AT&T. And in some states, the fee is modest enough not to attract much ire -- in the Chicago area for example, consumers pay $1.70 monthly, according to that state's Citizens Utility Board.

    Still, Toney thinks the cost is out of line.

    "In this day and age, there are so many other ways to find people's contact information," he said.

    Verizon spokesman Lee Gierczynski said he "can't speculate" on the effectiveness of unpublished numbers.

    "Verizon knows that we have customers for whom privacy is a high priority, and we offer them an option to help protect that privacy and ensure that their numbers will not be publicly available," he said.  And he defended the $4.95 Massachusetts price as a "regulatory-approved" rate.

    But Swartz is still left wondering if he's getting his money's worth.

    "Several years ago I complained and to the best of my recollection the response was that the rates are approved (by regulators.)  Very difficult to get to speak with anyone who really knows what's going on or has any authority to satisfy a customer," he said. "To add insult to injury, they include my telephone numbers in routine emails to me -- so much for protecting my privacy even when I pay for it."

    RED TAPE WRESTLING TIPS: Courtesy of the Illinois Citizens Utility Board

    *Always ask what "unlisted" or "nonpublished" means before you sign up for the service. Unlisted means simply that the phone number is not in the phone book. It's probably still available through directory assistance and shows up on Caller ID. "Nonpublished" probably means that the number will not be in the phone book, directory assistance or show up on Caller ID. But you should still double-check.
    *AT&T callers can block Caller ID by hitting *67 before dialing. Doing so blocks your name and number from being sent on calls – and prevents others from capturing your unlisted number. It's free and you can read more about it here.
    *Phone companies can lure people into even pricier privacy services. AT&T has Caller ID and "privacy manager," which screens calls marked "private" on Caller ID. This, again, is probably a waste of money for most customers.
    *If you're worried about telemarketing, join the free Do Not Call list. It's free. Call 1-888-382-1222.  But signing up won't prevent you from getting all telemarketing calls. Charities and political calls, for example, are exempt.

  • Just how creepy is 'Creepy'? A test-drive

    Kelly Collis feels safe sharing her location information.

    You probably know that some Internet and cell phone applications like Foursquare or Twitter can broadcast your location to the world.  And you might know that Web sites with names like PleaseRobMe and ICanStalkYou have been created with shock value in mind to call attention to the potential consequences of broadcasting such information. But those sites picked on random individuals and exposed their whereabouts one at a time.

    A new software tool created by Greek programmer Yiannis Kakavas goes much farther in the shock category.  Called "Creepy," Kakavas' tool makes it easy to gather all the location-based digital breadcrumbs that people leave online and plot them on a map.  The map and associated time stamps make it easy to discern their routines -- "It looks like Bob goes to this coffee shop every Friday morning around 10:30" -- a tool of incalculable use to a would-be stalker. For Web users who loyally leave breadcrumbs everywhere ("Now at Whiskey Bar!" "Now at Park Diner," "Finally home") it's possible to recreate much of their daily lives using Creepy.

    What's more, unlike ICanStalkYou, users can search for any Foursquare, Twitter or Flickr user they want.  Kakavas' tool also adds a handy handle-search tool, in case you only know your stalking subject by their real name.

    When I reached Kakavas in Germany, where he is finishing his dissertation on computer security, he took pains to make clear he wasn't trying to make life easier for stalkers. 


    "I was trying to make a point," he said. "I'm trying to raise awareness among users of social networking platforms that they actually do share a lot of information and this can potentially be used by people with malicious intentions." 

    The name, by the way, derives from the programming language he decided to use when writing his tool -- Python, which creates files with the extension .py. So the name for the program, strictly speaking, is Cree.py.

    The tool takes only a few moments to download. There's a Windows version along with more hacker-friendly Linux versions.  Users simply enter a handle, hit "Geolocate," and then sit back and wait for results.  "Hits" can come from moments-old Tweets or Flickr images posted months ago. The hits then are plotted on a map, similar to the markers that appear on Google maps after a search for a restaurant.  Clicking on a single hit allows a user to zoom in on a precise location, and offers the time and any media associated with it, such as "Enjoying lunch with @RedTapeChron."

    No one should be surprised that their location data ends up on Creepy -- software tools like Twitter are deliberate in asking consumers if they want to post their location and it's not hard to turn the feature off. Clearly, people who tell Foursquare where they are located know they are sharing this information with the world. Still, it's jarring to see all your location declarations plotted on a big map. 

    But is it dangerous? There is no shortage of breathless local television exposés suggesting that cell phones are telling pedophiles where your children's bedrooms are.

    The fear might be exaggerated, but if it gets parents to think twice about promiscuous use of social media, that's fine.

    To get a realistic view of how scary Creepy is, I called someone I know who's an avid location service user and asked if I could "stalk" her. She agreed.

    Kelly Collis runs a local online deal-a-day service called CityShopGirl, which is a bit like Groupon or Living Social, but only for the Washington D.C. area. She focuses on telling women about luxury experiences like "Make-Up Monday" at a local spa or a "Hammers and High Heels" event at a local hardware store. Telling followers her whereabouts is part of her marketing strategy – and, frankly, her credibility.

    "I think it's good for my business," she said. "I want people to know I'm trying that new bar, at that hot event, and sometimes I want people to know who I'm with."

    A search for Collis on Creepy turned up nearly 100 hits, showing she has a clear predisposition for the Georgetown and Dupont Circle neighborhoods. In fact, it's easy to tell that she's often near M Street, Georgetown's retail area, or Connecticut Avenue, the main drag through Dupont. I sent her screen shots of these findings, and some examples that were even more specific.  Like this: At 8 p.m. on Feb. 4 she told followers she was at Whole Foods in the Glover Park neighborhood, and that "Some dude was just kicked out for sneaking a beer in the seating area."

    Collis said the results were "a bit unnerving," but in general, she was undeterred from using location services.

    "I know the rules of the social media.  If you want to go out and play, you have to know people are watching," she said. 

    She's careful not to check in and broadcast her location incessantly, so she doesn't leave a complete trail of breadcrumbs behind her. In fact, she only checks in to specific places "with a purpose" in mind, to let readers know she's really out pounding the pavement, looking for new deals and hot spots.  She has two children, but never uses location services when they are with her, and she never checks in from anyplace alone.

    "I am constantly updating myself on privacy policies and settings, but even then ... you have to know when you play in social media, you are exposed to consequences, and you may not know what those consequences are," she said.

    And she has faced consequences.  She once received a text message from a stranger who found her cell phone number online -- she thinks from an errant display on Foursquare, which she has now removed -- and got a message saying, "I know you're (at a bar), I'm going to come meet you."

    She blocked the user, and never heard from the stranger again. Despite the experience, she believes in the positive potential of location services.

    "The other night I was home doing nothing and saw on Foursquare that two of my friends who didn't know each other were at the same place," she said. "So I texted one of them and said, 'Hey, you should go over and talk to (him).' He did, and they ended up hanging out all night."

    But Collis is both a believer and an expert user of social media.  It's easy to imagine others being much more alarmed at what they find about themselves using Creepy. It's trivial to plot regular location service users on a map and determine when they normally arrive at work and when they get home.

    "The name Creepy doesn't refer to how scary the tool is, it refers to how scary it is that people willingly share this amount of information about themselves, information that in other contexts they would treat much more carefully," said Kakavas, the programmer.  

    Kakavas said he hasn't received any negative feedback since he released the tool earlier this month. In fact, he's gotten a lot of support from programmers in the computer security world, who right away picked up on the other function Creepy offers –  a tool that could make hackers' social engineering efforts much easier.

    "Say you are a security expert and you are hired to evaluate the security of a company," he said. "You pick (an employee of the company who uses location services), then using Creepy you can deduce where he has morning coffee, or his favorite club. ...Then you can try to create a pretext for the target using this information."

    For example, you could learn that a certain employee is always on Interstate 90 heading to work at 8:45 a.m. One morning, when traffic is particularly bad, you could call the company and say, "I have an emergency. I'm stuck in traffic and need that big presentation. Please e-mail it to me at my private address so I can access it in the car."

    Or, a simpler trick might be to visit the target at his or her favorite coffee shop or restaurant and "shoulder surf" for critical information – a task made easier by knowing precisely when to expect the target.

    "It's a whole different level when we can combine all this information about use of these services over time and can create a profile of user habits," Kakavas said. "Many people just don't realize how much they've been sharing."

    RED TAPE WRESTLING TIPS

    It's important to note that all information which Creepy finds is already available to anyone with a Web browser – Creepy merely aggregates it. Social media users have offered the data to the world by agreeing to broadcast their location. 

    In general, I think use of these services is a bad idea -- the potential for unforeseen consequences is enormous. Who knows what it might look like eight years from now that you were "Partying at Whiskey Bar with @JimmyS @BobbyV and @HornyFrog?" 

    But Collis points out one of the many potentially fun ways to use services like Foursquare.  If you must, review your privacy choices carefully -- Twitter users can restrict who sees their location broadcasts, for example, and it's smart to pick the most limited group. Doing so foils Creepy's efforts to follow you. 

    Check your privacy settings more than once. Internet services are famous for "upgrading" privacy settings that lead to accidental disclosures. 

    Twitter also offers a handy button that allows users to delete all location information they've ever posted. That's a good idea. What positive use is there for three-month-old location data attached to your tweets?

    That reinforces the most important point here: It can be perfectly innocent and safe to check in to a conference or a club and look for nearby friends, when viewed in isolation. But privacy choices can have far-reaching, unpredictable consequences.  When will a marketing company start barraging you with ads because of the places you shop? When will a health care company raise your premiums because you went out too often when you were young?  Unless, like Collis, you know exactly what benefit you're getting and you're willing to deal with the occasional stalker, why take that risk?

     


  • Study: Banks hiding fee info, skirting law

    There's only one way to get the best price on a service: Shop around. And there's only one way to shop around: Compare prices. But banking consumers who try to engage in this pillar of free market economic activity often simply can't, according to a study released Tuesday by a consumer group. 

    At nearly one in four banks, consumers can't learn the price of doing business because fee schedules are unavailable before they sign up, according to the Public Interest Research Group (PIRG), which conducted the study. Those banks are breaking the Truth in Savings Act, which requires such up-front fee disclosures, it said.

    The results are all the more concerning because they mirror results from a similar study conducted by Congress' Government Accountability Office three years ago, which spurred government regulators to reiterate banks' obligation to offer fee disclosures in 2010.


    PIRG conducted an extensive "secret shopper" study to craft the report, "Big Banks, Bigger Fees: A National Survey of Bank Fees." PIRG sent staff members to 392 banks and credit union branches in 21 states and reviewed online fees at banks over the past six months.

    Only 38 percent of banks produced fee schedules after the first request, PIRG found. After three requests, compliance jumped to 55 percent.  Still, about one-quarter of banks provided incorrect information and 23 percent never produced fee information at all, it said.

    "Shopping for banks is harder when they don't obey the law and provide up-front information about the fees they charge," said Jon Bartholomew, consumer advocate at PIRG's Oregon office. "Local community banks and credit unions are more likely than national banks to provide fee schedules."

    Virtually no banks made the query easy: fee brochures were nowhere to be found on brochure racks near the doorway, and tellers often couldn't produce the information. In many cases, consumers were referred to bank sales staff sitting behind loan desks, who often tried to act like "closers" at car dealerships, according to the report, aggressively pushing consumers to sign up for accounts. Even then, the undercover PIRG staffers received "a variety of versions of 'no,' such as 'look online,' or 'you need to open an account.'"

    Other anecdotes provided by researchers offer more insight into the frustration consumers might feel when shopping around.

    In one Massachusetts bank: "They said they didn't have any pamphlets on fees, that there were no overdraft fees because you can't overdraft with them, and when I asked for a pamphlet on fees they said the only option was to sit down and discuss my 'personal situation.'"

    In Florida: "They didn't give me the info until I listened to their whole spiel about different accounts."

    In New York: "We don't USUALLY give these out."

    Even when banks offered answers, the quality of those answers was inconsistent. 

    "Many banks had no information. Some banks had incomplete information," the report said. "Wells Fargo had detailed fee schedules, but its affiliated bank, Wachovia, instead merely included suggestions to consumers to 'call this number for detailed fees.' Other banks said, 'see fee schedule,' but had no links to one. Other web pages urged consumers to 'visit a branch' for details."

    As banks engage in a massive round of fee increases -- and as free checking accounts begin to fade into the sunset -- fee disclosures will become more important than ever.  Consumers struggling to find cheaper accounts might become discouraged and perceive that the so-called "switching costs" are too high. That could make them victims of banking inertia - paying too much to stay at their current bank.

    "Avoiding higher bank fees by shopping for a bank account is not easy," the report concluded. "The lack of enforcement has even extended to the laws requiring simple disclosures, so consumers cannot shop around."


  • 5 Traps: How do I use public Wi-Fi safely?

    You've heard it for years: Using free coffee shop Wi-Fi isn't safe.  But then, you've done it anyway,  viewing critical work documents or doing online banking. So let's talk turkey.  To borrow from a modern parental dilemma, I really don't want you doing that, but if you do, you should be taking the proper precautions. This edition of Five Red Tape Traps will help you do that. 

    Finding a free Wi-Fi hotspot is like finding an oasis in the data desert. You might be wandering around helplessly detached with your laptop, iPod Touch or iPad when you come upon a coffee shop or airport lounge that promises to quench your thirst for e-mail.  At moments like that, most consumers have one thing on their minds: connecting as quickly as possible. 

    Somewhere along the line, you've probably heard that recklessly using Wi-Fi can be dangerous. Perhaps you've even heard that the danger level recently increased with the release of a new tool named Firesheep, which makes snooping on unsecured coffee shop networks easy for anyone with a Web browser.  There are a lot of fish in that sea: The Wi-Fi Alliance says there are now 92,000 hot spots in the U.S., and every one of them needs to be used with care.

    The problem is simple: When you're using Wi-Fi, you're sending data through the air that gets picked up by a radio antenna on a router. Of course, anyone else with an antenna can receive the signal, too. If the data are scrambled, no big deal. But scrambling involves settings that could make life harder for customers, and there isn't a coffee shop in the world that wants to provide IT support to latte drinkers. Hence most free hotspots provide little or no security. It falls to the latte drinker to surf safely.  

    Sadly, staying truly safe means heeding some rather brutal advice.

    "I just tell people not to do anything at a coffee shop that they wouldn't write on the back of a postcard," said Kelly Davis-Felner, marketing director for The Wi-Fi Alliance, a global trade group that certifies Wi-Fi devices. She says the alliance is working on new technologies that will automatically make free Wi-Fi safer, but for now, you should pay heed to these five traps and their antidotes.

    1.) It's never happened to me. This is probably the biggest problem facing improved Wi-Fi security.  Sure, you start out only reading the NYTimes.com website at coffee shops, but that's just the gateway site. One day, reading the business section, you see a stock you hold in your retirement account took a hit. You can't resist visiting your broker's account.  Then you are tempted to go to your online bank to increase your monthly contributions.  And nothing bad happens, so what's the problem?

    "There's this great disconnect that even if someone took advantage of you and stole your data, you might not be aware of it," said Marian Merritt, Internet safety advocate at Symantec Corp. "Someone could be using Firesheep against you, and you wouldn't know it."  This same phenomenon happens in credit card theft: When a criminal buys something with your credit card, you almost never know where the account number was originally stolen.

    As a result, it's easy to get complacent with Wi-Fi, and get lured into doing riskier things. Here's the easiest, most basic rule of thumb everyone should follow: Do only casual Web browsing when in that coffee shop, ideally at websites where your password is already stored so it needn't be typed.  Remember, half of you use that DailyNews.com password at your online banking website, too, so even a seemingly harmless visit to your town's obituaries could expose your money to a hacker. 

    2.) Shoulder surfing.  Tech writers love using non-words like VPN in a sentence, but often the biggest risk comes from the simplest attack.  You probably glance over your shoulder before you enter your PIN code at an ATM. You should bring some of that healthy paranoia to coffee shops, too.  Someone could easily look over your shoulder and spot critical personal information while you sip your warm beverage and stare out the window.  One low-tech investment that might be worth your while is a privacy filter for your screen that cuts down severely on the viewing angle.

    3.) HTTP vs. HTTPS. Even if you are using a wide-open hotspot, you can still scramble those radio transmissions for safety.  Make sure you log in to websites like Facebook and Amazon only when there's that familiar "https" prefix in the address where your browser is headed. That means the information you transmit won't be readable by someone who plucks it out of the air.  In fact, it will be encrypted at every step between your computer and the website's servers.

    Note, however, that you might find yourself switching between http and https as you surf, particularly if you click on outside links. That means before you type something critical, like a login or a credit card, you should check again that your browser is pointed at an https site.

    Generally, Web mail programs allow safe https logins, but some switch back and forth depending on how you are using the site. One tip: In Gmail, visit settings and click "always use https."

    4.) Avoid "Free Public Wi-Fi." Often, when you are looking for a hotspot, your helpful computer will indicate there are five or six networks nearby. Don't pick the first one, or even the one with the strongest signal. Pick the one that belongs to the establishment you are visiting.  Anything else could be a trap.  You should double-check the name of the network with the store, and stores should place the name prominently behind the register. Connecting to random networks -- and having your computer connect automatically to networks with names like "linksys" -- sets you up for what's called an "evil twin" attack. (No, this is not a reference to a book of the same name.) Criminals can set up rogue access points with attractive-sounding names, connect to your computer and then honor most Web browsing requests -- all the while logging your activity. The only way to avoid this is to manually connect to networks you know are provided by reputable firms.

    5.) VPN.  Finally, the advice given by professionals to professionals is to use virtual private network tools -- VPNs -- when connecting to the Internet through public wireless networks.  VPNs offer an encryption-lined tunnel between your machine and a server somewhere else on the Internet which keeps your data free from prying eyes along that pathway.  Firesheep is powerless against VPNs.

    The problem is VPNs require two pieces, and most consumers can't be bothered with setting up both.  A VPN client must be installed on the coffee drinker's computer, and a VPN server must be set up elsewhere to accept the connection. People who work at security-conscious companies often have these installed for them.  It's possible to use your home computer as a VPN server, which would mean you'd essentially be surfing the Web from that machine when you were in your local coffee shop. But that's a bridge too far for most consumers.

    (Here's a great article with more on setting up VPNs)

    Several commercial companies have stepped up to fill this gap.  HotSpotVPN.com, for example, offers tunneling service for under $10 per month.  HotSpotShield uses a different model, providing free tunnel service in exchange for serving advertisements to users.

    But most average surfers won't want the ads or the subscription because they don't realize what's at stake, said Merritt, the Symantec safety advocate. She thinks hotspot providers should shoulder a little more responsibility.

    "They should recommend that consumers look into using VPNs, perhaps right on their login pages," said Merritt. "They should provide information that consumers don't even know to ask about .... If consumers had greater awareness, they would be more concerned."
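
    Trap 3's advice to re-check for https before typing a login can also be checked mechanically. The following Python sketch is an added example, not part of the original column: it reads a saved page and reports login forms that would send a password over plain http, plus links that would take an https session back to http. The page URLs and HTML are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _Collector(HTMLParser):
    """Record every <form> (action + whether it holds a password field) and every link."""

    def __init__(self):
        super().__init__()
        self.forms = []      # [{"action": str, "has_password": bool}, ...]
        self.links = []      # raw href values of <a> tags
        self._open_form = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open_form = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._open_form)
        elif tag == "input" and self._open_form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._open_form["has_password"] = True
        elif tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._open_form = None


def _scheme(url):
    return urlsplit(url).scheme.lower()


def audit_page(page_url, html):
    """Return a list of (finding, url) tuples for one page.

    page-not-https          the page itself arrived unencrypted, so anyone on the
                            hotspot could read it or alter its login form in transit
    password-sent-in-clear  a form with a password field submits to an http address
    link-leaves-https       a link on an https page leads back to plain http
    """
    collector = _Collector()
    collector.feed(html)
    collector.close()

    findings = []
    page_is_https = _scheme(page_url) == "https"
    if not page_is_https:
        findings.append(("page-not-https", page_url))

    for form in collector.forms:
        # An empty or relative action resolves against the page's own address.
        target = urljoin(page_url, form["action"])
        if form["has_password"] and _scheme(target) != "https":
            findings.append(("password-sent-in-clear", target))

    if page_is_https:
        for href in collector.links:
            target = urljoin(page_url, href)
            if _scheme(target) == "http":
                findings.append(("link-leaves-https", target))
    return findings


# Constructed sample pages (hypothetical hosts under the reserved .test domain).
SAMPLES = {
    "bank": (
        "https://bank.example.test/login",
        '<form action="/session" method="post">'
        '<input type="text" name="user"><input type="password" name="pw"></form>'
        '<a href="http://news.example.test/story">story</a><a href="/help">help</a>',
    ),
    "mail": (
        "http://mail.example.test/",
        '<form action="https://mail.example.test/auth" method="post">'
        '<input type="password" name="pw"></form>',
    ),
    "shop": (
        "https://shop.example.test/account",
        '<form action="http://shop.example.test/login" method="post">'
        '<input type="PASSWORD" name="pw"/></form>',
    ),
}

if __name__ == "__main__":
    for name, (url, html) in SAMPLES.items():
        print(name, audit_page(url, html))
```

    The "mail" sample is the case the column warns about when sites switch back and forth: the form posts to https, but the page carrying it did not arrive over https.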

     

     -------------------------------------------

    "Five Red Tape Traps" is an occasional series which will focus on answering the most important questions consumers face in the 21st Century economy. Previously:

    Getting a credit score

    Avoiding checking account fees

  • Lawsuit: Credit score sites mislead consumers

    Confused about your credit score and where to get it?  That's intentional, according to a new lawsuit filed in a California federal court.

    Many consumers who think they are buying a peek at their credit scores are being defrauded, according to a lawsuit against credit bureau giant Experian. The case, which seeks class action status, claims that Experian is intentionally confusing customers, engaging in false advertising and not giving consumers what they pay for when they sign up for services at the firm's popular FreeCreditReport.com and FreeCreditScore.com Web sites.

    "It's a classic consumer fraud case," said David Woodward, one of the lawyers who filed the case. "The law is designed to prohibit exactly this kind of egregious advertising practice. ... The defendant is profiting from deception."


    Experian, through its ConsumerInfo brand, aggressively markets access to credit scores as a benefit of subscribing to its credit monitoring service.  Knowing your credit score, ads suggest, is essential before borrowing money and could save consumers thousands of dollars.

    The vast majority of lenders use a three-digit number called a FICO score to make lending decisions. Developed by Fair Isaac and Co., the FICO score takes data from credit reports maintained by the nation's three credit bureaus -- Equifax, Trans Union and Experian -- and boils it down into one three-digit number for each bureau report to provide a quick assessment of a consumer's creditworthiness.  All consumers in the system have an Equifax FICO score, an Experian FICO score and a Trans Union FICO score.

    The credit scores that Experian sells to consumers, however, are not the Experian FICO scores, the lawsuit contends. Instead, subscribers who sign up for a $14.95 per month service at FreeCreditReport.com get access to a similar three-digit number developed by Experian using its so-called PLUS Score model. While the value is meant to give consumers a sense of their creditworthiness, Plus Score ratings are not sold to lenders, and are not used in lending decisions, the lawsuit alleges.

    It's unclear how much the Experian FICO score and the PLUS score can vary.  But that is immaterial to Woodward, who says Experian intentionally blurs this distinction in its advertisements.

    "It's simple. ConsumerInfo doesn't sell PLUS Scores to lenders," he said. "Fraud is inherent in the advertising."

    Experian currently has 3.1 million credit monitoring subscribers through its ConsumerInfo group, which has also doled out 20 million credit reports, the company says.

    An Experian spokeswoman said the firm would not comment on the accusations because they stem from ongoing litigation.

    The plaintiff in the case is David Waring, a California consumer who signed up at FreeCreditReport.com and now says he was duped.

    In one advertisement cited by the lawsuit, a notice on Experian site FreeCreditScore.com says, "Only One Number Matters! Your CREDIT SCORE." Later in the text, the site says that membership includes "credit score alerts," which allow consumers to "find out when your score changes. This could help you qualify for better interest rates."

    Text on FreeCreditReport.com uses similar language: "Lenders use credit scores to help them determine the 'credit worthiness' of consumers applying for credit cards, lines of credit, or loans."

    In each case, the sites suggest that consumers will receive access to the score lenders use when making credit decisions, and that's misleading, said attorney Woodward.

    "The defendants represent that they are selling a credit score, a number to determine credit worthiness. But it's not that. It's a score based on an in-house model that lenders do not use," he said. 

    Experian sites do indicate in various places that the score they are selling is not a FICO score. Accessed this week, FreeCreditReport.com indicates towards the bottom of its home page that the "Experian Credit Score indicates your relative credit risk level for educational purposes and is not the score used by lenders." 

    But Woodward says Experian's disclosures are not "clear and conspicuous," and many consumers who view the marketing materials are left with the impression that they are buying a score used by lenders.

    Experian's FreeCreditReport.com has been the target of many legal actions and accusations of deception, including several run-ins with the Federal Trade Commission.  Accusing the firm of tricking consumers into paying for credit reports that they could obtain for free, the FTC last year forced Experian to add a link atop FreeCreditReport.com that sent consumers to AnnualCreditReport.com, the congressionally-mandated website where consumers can obtain their credit reports for free. In turn, Experian changed its business model for the site and began focusing on selling credit scores and credit monitoring services.

    For years, credit experts (and this blog) have warned consumers that not all credit scores are created equal, and that many outlets selling credit scores aren't selling the real thing. In 2006, Fair Isaac sued the nation's three credit bureaus over the creation and sale of such alternative scores. In 2009, a jury ruled against Fair Isaac, in what became essentially a trademark violation case.

    Still, consumers could buy their three FICO scores using a Fair Isaac Web site named MyFico.com -- until February 2009, when Experian stopped letting Fair Isaac sell Experian FICO scores at the site. That means today, there is no way for consumers to obtain this number, unless they receive it as part of a mandatory disclosure from a lender following a negative credit action.

    Purchase of Experian's PLUS Score is a poor substitute, Woodward said. More important, the resulting marketing blitz for Experian's score has led to great consumer confusion, he said.

    "Accurate credit scores are critically important to consumers, especially now, in a down economy," he said.  "Consumers have a right to receive truthful advertising about them."

     See also: 5 Red Tape Traps: Getting a credit score

    Click here to follow Bob Sullivan on Facebook

  • Experian glitch temporarily sinks credit scores

    Customers received this alarming message.

    A credit reporting glitch has temporarily torpedoed an undisclosed number of consumers' credit scores, msnbc.com has learned. The error came to light after many consumers who pay for credit monitoring services received alerts about the drop. 

    Credit bureau Experian erroneously reported HSBC credit card customers as having balances exceeding their credit limits, causing scores to plummet. One consumer said his score dropped 60 points.

    Several consumers claim the glitch dropped the last two digits of the HSBC cardholders' credit limits. For example, a consumer with a $1,500 credit limit suddenly was reported as having a $15 limit -- which in turn caused the consumer to have a balance far larger than the limit. That in turn spiked the consumer's so-called credit utilization, which has a big impact on scores.


    "My CL (credit limit) is $1350 and my latest report shows the CL as $13," wrote one consumer on MyFico.com. "My utilization is very low but it still caused my score to drop 60+ points because according to the report my utilization is now well over 100 percent."

    Other consumers reported that HSBC had told them it was working on the problem and their credit scores should return to normal soon.

    HSBC referred questions about the incident to the Experian credit bureau.  In a statement, Experian told msnbc.com that the error had already been fixed.

    "On April 1, 2011, Experian loaded data from a single data furnisher and made an isolated administrative error in coding this data," it said. "This error was detected on Monday, April 4, which Experian quickly corrected and the data was immediately suppressed.  Since that point, the information has now been reloaded accurately and the file reflects the most updated information provided by the lender. 

    "It is possible that consumers who are members of a credit monitoring service received an alert that their account was over the credit limit. At this time, we are not aware of any consumers who were negatively affected by the temporary change in their information."

    The scale of the problem was unclear, but one HSBC customer told msnbc.com that he was told by the bank that it impacted "thousands" of consumers.

    Experian said consumers' credit scores were back to normal, but David Schott, an HSBC customer, said his credit monitoring service still indicates that his account is over the limit.


  • What is Epsilon, and why did it have your e-mail?

    Before this weekend, you'd probably never heard of Epsilon Data Management. But the Texas-based marketing firm had almost certainly heard of you. 

    In fact, the company behind the high-profile leak of data belonging to Best Buy, Target, The College Board, Walgreens and other big-name firms probably has an intimate relationship with you.  It says it holds information on 250 million worldwide consumers, and its company credo is to offer a "complete 360 degree view" of customers.  Getting a 360-degree view of Epsilon is a bit harder.

    "People are saying, 'Who is this company and why should they have my personal information?'" said Larry Ponemon, a privacy consultant who runs The Ponemon Institute.

    They also might wonder why at least one company executive thinks Americans are overly prone to "indignation" about unwanted e-mails.


    Epsilon does the dirty work of e-mail list management, upkeep and complaint interference for household brands around the world, including Disney, Capital One and Kroger.  Most consumers have no idea that Epsilon has their e-mail and name -- the e-mails generally appear to be from a retail firm with which the consumer has a business relationship. That relationship usually begins with a simple check box on a website or a form filled out during a retail store purchase, but it can last for years. Many consumers complained on Monday that they received warning notices about the e-mail leak from multiple companies. Some consumers might not have interacted with the firm for years before Epsilon's database was stolen.

    "Jerks at @RobertHalf kept my data on file 3 yrs. after I told them I NEVER wanted to work w/ them again. Now a hacker has my data. #Epsilon," complained one Twitter user on Monday.

    Epsilon's servers churned out 40 billion e-mails last year and are capable of sending 15 million per second, according to the firm's website.  And at least one of the company's executives clearly doesn't appreciate when consumers get in the way.

    'Trigger happy'
    A big part of Epsilon's job is convincing Internet service providers that the e-mails it sends on behalf of brand-name companies aren't spam. Annoyed recipients will trigger consumer complaints and spam reporting, which can cause a red flag at an ISP and ultimately disrupt an e-mail campaign.

    Tony Cheung, an Epsilon vice president based in China, lamented in a recent column on the firm's site about Americans' "indignation response" to unwanted e-mails.

    "Few Chinese e-mail users actually click to unsubscribe unwanted inbound mails, in stark contrast to the far more trigger-happy Americans and Europeans," he wrote.

    By most accounts, Epsilon takes pains to stay on the right side of the law and of spam filters, and frequently offers advice to retailers that sending unwanted e-mails is a bad idea.  The firm's e-mails include the usual opt-out mechanisms, and it prides itself on something it calls "Epsilon Data Hygiene," which helps keep e-mail and direct marketing lists up to date.

    Behind the curtain
    But Friday's data theft offers a rare window into the secretive world of consumer database collection and third-party marketing firms. It's a view that bothers Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse.

    "Most companies do not tell the consumer that we're taking your information and sharing it for purposes of fulfilling this need -- for example, e-mail marketing or handling of the account," he said.  "They are not really being transparent about it."

    But nearly all companies do it; very few handle e-mail relationships in-house, said Dave Franklin, a Forrester analyst who studies electronic marketing.  Firms like Epsilon -- and competitors like Acxiom and Merkle -- offer far more than mere e-mail services.  Epsilon is part of Alliance Data Systems, which offers broad customer relationship management services, including transaction processing and analytics. That means Epsilon is capable of tracking e-mail response rates, mapping them to in-store purchase decisions and demographic information, and analyzing the data with a host of other advanced marketing tools.

    "They help companies build a holistic view of consumers," said Franklin.  "From an e-mail point of view, they help companies communicate with hundreds of thousands of consumers in a way that is effective, and making sure the e-mail is actually delivered into their inboxes. ... They make sure things fall under desired communication."

    In one example, Domino's Pizza bragged that it would be able to send customers much more relevant e-mails because of its relationship with Epsilon.

    "Preferred pizza flavors, soft drink purchases, times to order, location and other targeted customer factors will be utilized by Epsilon to deliver personalized offers for Domino's Pizza," the firm said, announcing that it had begun using Epsilon's "DREAMmail" e-mail platform in Australia.

    Of course, a well-timed coupon for pizza – perhaps sent on Sunday during halftime – is usually welcomed by most consumers.  On the other hand, if unwanted coupons arrive persistently, and an opt-out message isn't attached, it's unlikely consumers would find their way to Epsilon's opt-out page to eliminate communications from the firm.  

    Aggressive aggregation
    Epsilon started operations in 1969 but began ramping up its Internet marketing group in the middle of the last decade after being acquired by Alliance Data in 2004. Soon after, it spent nearly a billion dollars to acquire a series of smaller firms with large e-mail and marketing lists -- firms like Abacus (from DoubleClick for $465 million), CPC Associates (for $70 million), Bigfoot Interactive ($120 million in 2005) and DARTMail (also part of DoubleClick, for $90 million).

    Epsilon doesn't send spam, said Franklin, the Forrester analyst.  "It works with blue chip companies, not with the unsavory stuff we see on the Internet."

    That doesn't mean all its e-mails are welcome, but often Epsilon isn't the problem, he said.

    "Sometimes it comes down to client pressure. They really should send out 200,000 e-mails, but it's the end of the quarter and they have a number to make so they send out 1 million because e-mail is cheap," he said.

    There aren't many complaints about Epsilon spam e-mail online -- here's one concerning an unwanted Apple computer pitch in 1997 -- but most consumers wouldn't have any reason to file a complaint using Epsilon's name. That is, until they received notice that the firm had lost control of their e-mail addresses.

    Epsilon's business is associating massive amounts of disparate, relevant data, but Franklin said he's spoken to company executives and is confident that only e-mail addresses and names were taken by the computer intruders.  He described the problems that could result from the stolen data as a nuisance more than anything else – an increase in phishing attacks, for example.

    But Ponemon, the privacy expert, said the incident points to the cavalier attitude that data behemoths sometimes take with personal information.

    "The data could have been encrypted, there's no reason it couldn't be, but it wasn't," Ponemon said.

    Companies like Epsilon do their best to stay under the radar because once consumers pay attention, they begin making more demands on data collection firms.

    "These kinds of data brokers operate in the shadows," Ponemon said. "Once they are visible, they have to operate to a higher standard.  If you are going to complain about an e-mail, and don't realize a third party is sending that, to you it operates somewhere in outer space. You can't complain."

    Indignance or arrogance?
    An Epsilon vice president complaining that U.S. consumers are trigger happy or overly indignant about unwanted e-mail shows that the firm doesn't care enough about the consumers whose information it controls, Ponemon said. 

    "It reveals an organizational culture. In their mind, we are worrying about nothing," he said, referring to unwanted e-mails. "This attitude involves such arrogance. ... I think it is a big deal."

    Jessica Simon, head of Epsilon public relations, said the comments by the firm's vice president were "incredibly unrelated" to the e-mail theft incident, and referenced a study of consumer attitudes conducted in 2009.  She reiterated that only e-mail addresses and names were stolen, and said the incident only impacted 2 percent of its 2,500 clients. Not all of those clients use the firm's e-mail marketing tools, she added.

    "We are pretty limited in what we can say but we are doing a thorough investigation," she said. 

    Congress is currently considering its first major legislative effort surrounding privacy in more than a decade, as it studies a proposal to create a Do Not Track list for Web surfers and other ideas. None of them, however, would have prevented the Epsilon incident or would give consumers additional rights to deal with firms like Epsilon, Ponemon said.

    Even proposals that would allow consumers to examine any of their personal information a company stores wouldn't help, because people often have no idea where their information is.

    "I still think people don't understand the world of Internet marketing. They think they are dealing with a company, and it's this one to one relationship," he said. "They think, 'I give you my email because I know you.  I shop at Best Buy and I give them my email and it's OK. But I didn't really authorize a company I've never heard of to maintain my information.' I think people are surprised that once you give your information, you've lost control of it because you don't even know where to look for it."

    For advice about the expected onslaught of spam coming as a result of this leak, read Helen Popkin's post.


  • Report: Child ID theft on the rise

    Child ID theft, among the more tragic and vexing 21st Century crimes, is much more common than previously thought, suggests a report being published Friday by a Carnegie Mellon University fellow.

    Data examined by Richard Power, a distinguished fellow at the school's CyLab research center, offers hints that identity thieves are specially targeting children when picking victims.

    "They make perfect targets because they have no records and don't discover the crime for years," he said. 

    Using data supplied by identity monitoring company Debix, Power examined 40,000 children's profiles and found more than 10 percent had identities that were tainted in some way.

    "These were 4,000 kids in there with gun licenses, mortgages, car loans and driver's licenses. That's crazy," Power said. 


    Among the victims described in the report: A 16-year-old girl in Arizona with 33 credit accounts linked to her name, including three mortgages; a college student with $300,000 in debt that was the result of the transposition of numbers; a college student from Texas who lost an internship because her background check classified her as "unemployable"; and a 30-year-old woman in Arizona whose identity was compromised when she was 12 and who is still haunted by her imposter. When she tried to buy a home recently, her bank told her she had a recent foreclosure on her record.

    Among the 4,311 children found to have distressed identity records, 300 were under 5 years old. Nearly 1,800 cases involved utility service records, such as bogus electricity service accounts. There were also 500 kids' names attached to mortgages or foreclosures, and 415 of the kids had driver's licenses.

    "This is an existential threat to our society," Power said. "The elephant in the room is that obviously we are not properly authenticating people at all."

    Bigger threat than bullies, predators?
    Power said the report was the first real attempt to quantify the problem of child ID theft. Hard numbers on the crime are nearly impossible to come by, as child victims often don't discover the thefts for a decade or more. When a child's identity is either stolen or tainted through some kind of error, the problem usually isn't found until the child applies for college financial aid, a car loan, or attempts to obtain employment.  Then, because the unpaid debts or other blemishes can be 10 or more years old, efforts to clean the child's record can be monumental.

    "You could be quite effective at warding off online predators and cyberbullies, as well as proving quite successful at guarding your own hard earned good credit, only to find that your child's identity has been violated, and your family's financial and emotional well-being threatened in an almost inconceivable way," Power says in the report, which is being released Friday.

    Reporting issues have stymied researchers trying to pinpoint how prevalent child ID theft is.  Because the crimes frequently go undetected for so long, police are reluctant to pursue prosecution. That also means publicly available data studied by researchers might only reflect crimes committed in the late 1990s or early part of the last decade.

    Carnegie Mellon was recently approached by private corporation Debix with an offer that promised to open a window into this confusing world. Debix is one of several firms that offer identity monitoring to consumers who've had their personal information compromised in a data breach incident.  During a 12-month span ending in November 2010, 800,000 consumers signed up for the service.  Of that group, 40,000 were children enrolled by their parents, which gave the firm permission to investigate their records for signs of distress.

    Debix offered the database to the school for research purposes, and Power jumped at the rare chance to examine data related to child ID theft. 

    Not scientific; still striking
    The study is not scientific; the data sample is not necessarily representative of the public as a whole, so it's not possible to extrapolate the findings and declare that millions of children are currently ID theft victims and their parents don't know it. On the other hand, the data represent a group that has demonstrated above-average sensitivity to identity issues by signing up with Debix -- only about 10 percent of consumers take companies up on their offer of free credit monitoring after a data leak.  And the data is consistent with other research suggesting criminals often use randomly selected Social Security numbers to obtain employment or credit, which puts children at the same risk as adults.

    Earlier research by identity firm ID Analytics found that one in seven Social Security numbers are attached to more than one name, and there's no reason to believe children's numbers are exempt from that. Other experts briefed on the data said the report's findings were consistent with real-world experience.

    "I personally think that the results are informative, giving us the best insight available into the potential scope and nature of the problem," said Steven Toporoff, the child ID theft expert at the Federal Trade Commission.

    Power said the report offers the first real evidence that organized criminals are specifically targeting children for identity theft. Because their credit records are empty, and their Social Security numbers may not appear in any credit databases, children's identities are extremely valuable to criminals.  They often can create new records using a child's number but a different name, an easy path to so-called "new account fraud," allowing risk-free creation of cell phone accounts, bank accounts, even mortgages. 

    Criminals have also figured out that they can get away with using the child's ID for years, while a stolen adult identity has a far shorter shelf-life. Adults discover identity problems in an average of 59 days, according to earlier research from Javelin Strategy and Research.

    "ID thieves are targeting children because their IDs are pure," Power said. "This is organized crime, in some cases international organized crime."

    The secret list of ID theft victims
    It's unclear whether criminals can identify children's identities as targets; the research provides no insight on that. In some cases, it's likely dumb luck – the criminals randomly enter a Social Security number on an application that belongs to a child, or one that has yet to be issued.

    In many cases, child ID crimes fall into the realm of SSN-only ID theft, in which a criminal uses only a victim's number -- not their name or other identifying information -- when committing crimes. The topic has been covered at length in a series called "The secret list of ID theft victims." One main driver of this type of ID theft is undocumented workers who use randomly selected numbers, or numbers purchased on the black market, with their real names to obtain employment.

    In Power's report, there were 5,497 erroneous names associated with the 4,311 victims -- some of whom had more than one imposter. He concluded that illegal immigration is also a driver of the child ID theft he uncovered.

    "The primary drivers for such attacks are illegal immigration (e.g., to obtain false IDs for employment), organized crime (e.g., to engage in financial fraud) and friends and family (e.g., to circumvent bad credit ratings, etc.)," the report says.

    Michelle Dennedy, former chief privacy officer of Sun Microsystems, was briefed on the report.  She has a child who's been a victim of ID theft twice and believes organizations aren't doing enough to protect kids from the crime.

    "You can't sign your kid up for soccer teams today without giving up your kid's Social Security number," she said. "There are these places where they are vulnerable."

    Parents need to be aware of the potential that their children might be victims, she said, urging much more vigilance in monitoring.

    "If we get guardians to look (at their kids' records) the value of their identities starts to drop," she said, as crimes will be discovered more quickly. "The softness of the target starts to go away."

    RED TAPE WRESTLING TIPS: What parents should do
    Advice for concerned parents is nuanced, however.  Neither the FTC nor the nonprofit Identity Theft Resource Center recommends that parents check kids' credit reports on a regular basis. That could actually cause a credit bureau to prematurely create a report, which might make kids' identities more vulnerable, according to the FTC.

    Both agencies agree that parents should attempt to obtain a credit report on the child's 16th birthday. Ideally, there won't be one; but if there is and it's full of errors, there should be ample time to deal with the problem.  Before age 16, under normal circumstances, an occasional check -- perhaps every three or four years -- is sufficient, said the FTC's Toporoff.

    But if there is a reason to suspect foul play, parents should immediately contact credit bureaus and request a report, he said. They should also consider placing a credit freeze on the child's records, following their state's particular policies.

    "Parents should also be on guard for warning signs of potential child ID theft, such as credit offers, credit card offers, bank offers coming to a child," Toporoff said.

    Jay Foley, executive director of the Identity Theft Resource Center, says parents don't need to panic over evidence of identity theft, but they should realize they are facing an uphill battle. Obtaining information on SSN-only ID theft can be tricky.

    "Unless the child is being chased by collection agencies, my suggestion is to wait until the child is 16 years old and then the parents need to write a letter to the credit reporting agencies requesting any information on the child's name in combination with the SSN and any information on the SSN alone," he said. "If at that time they find something wrong we have roughly two years (in most cases) to get it fixed or replaced."  
