[conspire] (Arguably offtopic) Become a Red Cross volunteer, suffer identity theft

Rick Moen rick at linuxmafia.com
Tue Oct 31 16:19:29 PST 2006

I'm marking this as "arguably offtopic" because there's no direct
connection to Linux or open source, but there _is_ one to Internet and
Web security, and to broader security issues.


Summary:  American Red Cross is rolling out a requirement that all
volunteers submit to intrusive, privacy-violating background checks
including a "hard pull" credit check.  A "hard pull" is one treated by
the credit reporting agencies (Equifax, etc.) as indicating an actual
_application_ for credit (as opposed to an informational inquiry) --
which has the incidental effect of _literally hurting_ your
creditworthiness rating for half a year.[1]  So, not only is this a
gross invasion of privacy, but also it could literally cost you a _lot_
of money, if, e.g., you were applying for a car loan or mortgage during
the covered period.

Deirdre has pointed out that Red Cross's doing "hard pulls" in this
context is simply flat-out illegal, even if the target has signed a
paper authorising it, since "becoming a volunteer" is not among the
covering Federal statute's list of "permissible purposes" for credit
pulls (even "soft" ones).  Quoting Deirdre:

  There is NO permissible purpose for the Red Cross to have a credit
  report pulled for volunteers, even if the Red Cross never sees it.
  Even if the volunteer provided it, the Red Cross could not legally
  use it, even to a third party doing vetting. They may be pulled for
  employment, sure, but consider the possibility of someone having
  their CR pulled, losing their job (for whatever reason), not
  volunteering any more, and putting down the Red Cross as their
  employer. They'd have much more of a leg to stand on in court if the
  credit report pulled said that it was used for employment purposes.

We've seen from the HPgate spying scandal that violation of people's 
financial privacy is pretty much rampant -- but it's amazing that Red
Cross wants people to _authorise_ such prying for the privilege of 
working for them for free.

Here's the Web-security relevance from the cited article:

  The Red Cross says it's gone to great lengths to ensure prospective
  volunteers are not giving out their Social Security numbers to anyone
  other than the contractor, and then only through a secure, encrypted
  Web site. 

Are you wincing, yet?  Hey, we're using an https connection for sending
your confidential personal data to us, so everything must be great.
The sad thing is:  The unidentified Red Cross spokesman probably 
_does_ believe that.

Red Cross's "contractor" is said to be MyBackgroundCheck.com LLC of
Anderson, CA -- probably some bunch of private detectives.  And, gosh, 
outsourced data-mining has never caused any harm, right?  {boggle}

Anyhow, the usual rule applies:  Be _really_ careful what you're willing
to sign.  Don't listen to the nice flack who tells you it's "routine";
read carefully, judge for yourself.  If it doesn't seem appropriate, it
probably isn't.  

And personally, if some group I volunteered for pulled that sort of
stunt on me, I'd grab copies of the paperwork for my files, notify all
the other volunteers I could reach, and then walk away.

(/me makes a note to give future blood donations at Blood Centers of the
Pacific, and no longer donate to American Red Cross.)

[1] http://www.mymoneyblog.com/archives/2006/05/hard_vs_soft_cr_1.html
