The multiple personalities of AllClear ID

On leaving IBM, I initiated the process to roll my 401K over to my IRA.  The fund manager sent the requisite forms – already filled out with my SSN, contact info and the account numbers to effect the transfer – to me via email.  Naturally, I called bullshit.  Unencrypted email is about as secure as a post card.  One thing led to another and now my wife and I have been provided with a year of free credit monitoring protection through AllClear ID.

One would think that a credit monitoring service would be all about privacy, security and monthly fees for the upgraded service tier, and AllClearID does not disappoint in any of those categories.  In particular, the basic service is good but if the marketing can be believed you might as well be naked without the Pro service, billed in easy and convenient installments of only $14.95 per month!

But I’m being harsh.  After all, right at the top of the Privacy Policy document they pledge that “AllClear ID will continue working hard to earn and keep your trust.”  I can’t tell you how relieved I was to read that.  I almost stopped reading right there and signed up, so overcome with confidence was I.  Still, it wouldn’t be prudent to sign up without at least skimming over the TOS and Privacy Policy, right?  (Somebody has to read the damned things.)

The second paragraph informs me that “AllClear ID may add or remove features of any of the Services at any time.”  This didn’t concern me too much.  Everyone reserves the right to change their service, and after all how often does that happen?  Turns out, it happens several times over the course of the document.  Confidence is waning.  Perhaps I really do need to read this thing.

Want to come along for the ride?  I’ll be your guide!  Warning, you must be this tall ^ to enjoy this attraction and you are warned to step out of line if you have a weak constitution.

The first sign of trouble came in the preamble:

We may change this Privacy Policy by posting a new version of this Privacy Policy on our Site or through the Service, and it is your responsibility to review this page periodically.

Just to be clear, this is a company who make their living by notifying their customers of adverse events in the customer’s credit reports.

I’ll repeat that.  Their core business is a notification service.

For which they charge $180 per year.

But which is incapable of detecting and notifying you of changes to their own web site.

Incredible.  And I mean that in the sense of the word that suggests AllClear ID lacks credibility.  Why on Earth would somebody claim to offer state-of-the-art notification over events that affect you financially and exclude their own adhesive contract to which you are bound without having first read it and which they reserve the right to change without notice?  What possible motivation could lead to that particular result?

Oh wait – it must be because it changes so often.  That explains it.  It isn’t that they cannot detect the change, but rather that the volume of notifications would overwhelm their call center and their customers.  Right?  Surely, they’d never make unfavorable changes without notice and bind you to an abusive contract, because they are in the trust business.

Next comes the “Information Collected” section.  The first paragraph details all the personal information they collect about you and how they use it.  There’s a lot of it and for any other businesses it would  be a bit invasive.  But, having worked at both a school board and at Equifax on the programs that attempt to match, dedpulicate and uniquely identify people, I know how difficult it is to distinguish between two similar looking records representing different people.  This company is helping fix identity theft issues so they really do need detailed data about you to perform that service, and they need it before it is contested.  I really don’t begrudge them this information or the uses they disclose for it.

Until we get to the second paragraph.

AllClear ID may also collect technical data and related information – including but not limited to technical information about your devices, system and application software, and peripherals. We may also automatically receive and record information on our server logs from your browser, which could include your IP address, cookie information, browser information, and the page you request. This information is not deemed by AllClear ID to constitute Personal Information and while AllClear ID will not use it in a way that associates such information with you, such information it may be aggregated and used. AllClear ID owns this information and may use it in any manner it deems appropriate.

I’m never quite sure of the legal effect of contract clauses with sentence fragments or broken grammar.  One day maybe I’ll ask an attorney.  But in the meantime, it appears AllClear ID has some industrial-strength data harvesting.  It’s gathering more than enough information to uniquely fingerprint my machine, and they declare full ownership in the harvested data with no recourse to you whatsoever in how it is used or if you are damaged by it.  AllClear ID may deem this information to not be personally identifiable, but that’s a statement in their own self-interest.  Clearly if you clicked the link above about fingerprinting, you know that the EFF deems this information to be uniquely identifiable.  And why does AllClear ID even need all that system info to deliver telephone notifications and credit reports?  Perhaps some other web site which does have my details can link that machine fingerprint back to me personally.  This would allow AllClear ID to back into a complete, personally identified dataset, without using their own demographic data, and which they’d own for whatever purposes they wish.

Not saying they do.  Just that they could.  “Trust me,” they said.  What could go wrong?

A bit further is a section on “Information Use” which explains all the legitimate uses for the information they collect about you.  For example:

Among other things, AllClear ID wants to help you quickly find information on our Site, leverage our tools in connection with your authorized use of our Service, and alert you to product upgrades, special offers, updated information, and other new products and services.

Wait?!?! What?!?!  Their service is capable of detecting changes to their web site and notifying me after all?  But before they said it was my responsibility to periodically check for changes to the contract.  WTF?  Oh wait – I see what’s going on.  The alerts only work when there’s an opportunity for me to spend money.  Here I was accusing them of multiple personality disorder what with Mr. Hyde expecting me to check the web site all the time, and Dr. Jeckyll offering to send me notifications.  That’s really unfair of me since it’s clear they are acting consistently in all these cases.  It’s all Mr. Hyde, it’s just that he’s a psychopath and quite charming when he wants to be.

As with the other sections so far, the “Information Use” starts out pretty standard, then veers off the rails.

AllClear ID may also use your information to develop fraud prevention and other services, which it may make available to third parties, provided that such services shall not include access by such third parties to your Personal Information. AllClear ID may also send promotional information about AllClear ID products and services, during and after any term for which you are subscribed for a Service. However, users may “opt out” of receiving such information.

In other words, my information is the basis for services that AllClearID sells to 3rd parties.  Not “Personal Information” in proper case and as defined in the document, but simply “your information.”  That includes all the information you gave them, plus the machine fingerprint they harvested.

But wait!  There’s more!  Nowhere in this document do they mention that they collect your credit report data, but they have to do so to provide the service.  They must keep history of the report in order to identify the delta when a change is made.  But the contract alludes only to the information that you provide.  If you are skimming the document, you could be forgiven for not realizing that you gave them all-access permission to harvest your credit report and machine fingerprint, for which they charge you for the privilege, and then permission for them to use these information assets as the basis for a lucrative service they sell to 3rd parties.  Fortunately, you can opt out.

Sort of.  read on.

Next up is a section called ” Information Sharing and Retention” which begins with a sentence fragment, followed by broad but meaningless assurances:

Sharing Information with third parties; AllClear ID takes the privacy of our users very seriously. As a result, except as provided herein, AllClear ID will never sell, rent, or intentionally provide your Personal Information to any third parties for their marketing purposes.

Oh, thank Grid!  they won’t sell, rent or intentionally provide my information to 3rd parties for marketing purposes.  Other purposes, sure.  So long as the 3rd parties don’t market to you.  Maybe the 3rd parties resell the data to someone who markets to you, we don’t really know.  If they said to their business partner something like “here’s all T.Rob’s personal information, use it any way you want just don’t contact him or let him know you have it,” that would be permitted since the 3rd party isn’t using it for marketing purposes.

The other wiggle clause is “except as provided herein.”  So there are exceptions.  Wonder what those are.  Oh, here’s one now:

In order to use or provide the Services, we or you may also share your Personal Information with third parties.

Well, that clears it up.  They won’t sell, rent or give away my info to 3rd parties unless it has something to do with running the web site, performing the notification service, gathering more data about me from credit bureaus or other brokers, or any other function of their core business.  Or unless the 3rd party promises not to use it to market to me.

As a side note, it’s comforting that they don’t claim exclusive rights to my data but rather expressly permit me to share my own data.  You don’t want to get stuck in a contract that restricts you from sharing your own data.  This is, I believe, what happened to The Artist Formerly known As Prince and look what hell he went through because of it.

As with previous sections, the Information Sharing and Retention section goes a bit haywire toward the end (as if it wasn’t already):

Finally, unless we otherwise agree, even after the term of your subscription has expired or terminated, AllClear ID may retain your Personal Information indefinitely for the uses permitted hereby, to resolve potential disputes, to comply with official investigations or proceedings and/or enforce AllClear ID’s agreements.

The Singular Summary and Aggregate Statistical Information that AllClear ID may share aggregated personal demographic and profile data and/or anonymized or redacted data regarding users of our Service. This data also does not contain Personal Information, but may describe information regarding group usage of the Service and/or group demographic information.

The first of these I understand.  They are saying that they can keep my information indefinitely.  The second paragraph is unintelligible due to more sentence fragments and/or bad grammar.

Moving on to the “Accessing and Changing Your Account Information,” there’s only one paragraph so you’d think there wasn’t an opportunity to make it batshit crazy but they pull it off.

You can review the Personal Information you provide us and, unless otherwise indicated, make any desired changes to such information, or to the settings for your AllClear ID account, at any time by logging into your account on the Site and editing the information on your Profile page. You can request in writing that AllClear ID remove your Personal Information from our database and that your account be closed.

So I have the contractual right to review any of my information, and even update it – unless it happens to be marked with an indicator that says I can’t.  Oh, and remember that information they have the right to keep indefinitely?  Fortunately, I have the right to request that they delete it.  Not that they are obligated to do so, they clearly stated above that they reserve the right to keep it indefinitely and don’t contradict that here.  But I can take comfort in my right to make that request, however futile it may be.

There is absolutely no value to me in this paragraph of the contract, despite what appears to be careful crafting to make it appear so.  Every single thing that looks like it offers some protection has an escape hatch.  The only things Allclear ID are obligated to do here is accept my written request to delete information (not act on the request, just accept it) and to be sure to indicate on all data fields that I’m not allowed to update them.  Beyond that they have no particular obligation as a result of this paragraph.

But it sure looks good, doesn’t it?

There’s a section about security which I’ll skip.  Basically, it says “we try hard but it’s a hostile Internet and if you are breached, here’s a list of points between you and us where the breach probably occurred,” yadda, yadda, yadda.

The section “Framing and Linking” is interesting so I’ll reproduce it in full here:

Some of the content on the Site may be provided through the use of framing or linking technology. Using this technology from the Site, you may view content that may reside on a third party’s server. In that case, the third party may place a cookie on your computer and any personal information you provide to that third party may be used by that third party in a manner that AllClear ID cannot control. By accessing any third party content through our Site, you are assuming all liability from and risk of the use of such content, including the use of cookies. AllClear ID takes no responsibility or liability for any cookie placed by a third party, for any content viewed on a third party’s server or for any use they may make of information you choose to provide that third party. If you are concerned about a third party’s web site privacy practices, please review the privacy policy for that site.

In other words, AllClear ID creates a browser frame within which to display someone else’s web content.  This doesn’t happen by accident and to be legal they will have obtained permission of the content owners before doing so.  So they know exactly whose content is showing up in their frames, or at least they should.  If they do not, then it doesn’t speak well to their ability to do their core job.

But anyway, remember when I said that if you have a browser fingerprint and a site who knows your personally identifiable information that it’s possible to back into a positive and unique identification without using the demographic data you already have?  Basically, the two business partners match up data based on the machine fingerprint they both have access to.  That requires a partnership with someone who is allowed in their own privacy policy to give your data away.  That’s actually kind of hard to do since most privacy policies at least look like they restrict sharing.

Using a frame to pull up some web site where your account information is displayed is a MUCH easier way to harvest the data and connect a fingerprint to an identity. The genius bit here is the magician’s redirection.  With all the dire warnings about the other web site’s cookies and how AllClear ID can’t control them, you might forget to consider the fact that it’s AllClear ID’s page hosting the frame.  They have complete access to whatever is displayed there.

Who needs a business partner when you have frames?  Duh.  What was I thinking?  Now they have the fingerprint and all your system and browser metadata – which they stipulated they completely own – and a way to enrich that with your personal data, all without breaking their TOS or privacy policy.  Awesome.

So what’s the bottom line here?  Does AllClear ID actually do any of the things their contract allows them to do and which I’ve described here?  Who knows.  Does anyone actually understand the contract given all the sentence fragments?  Again, who knows.

Some of my most valuable personal data was exposed by a vendor who is supposed to be well trained to prevent such things.  They freely admit that nothing in their system would have picked up on it, and only the intersection of a breach event with a knowledgeable customer would have caught it.  Then the remedy for this situation includes a year of monitoring by a service which, when you read the fine print, their cure sounds worse than the disease.

I’m.   Not.  Happy.

I’m coming into this a bit pissed off with the whole thing so I have to ask… am I being too harsh with AllClear ID?  Having read this much of the Privacy Policy (or the source), what’s your take?  Would you give them your SSN and permission to access all your credit reports?   And forget about the content of the clauses that are well constructed, would you agree to a contract with as many meaningless sentence fragments as this has?

In other words, am I being reasonable or over-critical here?  I really want to know.

About T.Rob

Computer security nerd. WebSphere MQ expert. Autist. Advocate. Author. Humanist. Text-based life form. Find me on Facebook, Twitter, G+, or LinkedIn.
This entry was posted in Clue train, Rant, VRM and tagged , , , , , , , . Bookmark the permalink.

7 Responses to The multiple personalities of AllClear ID

  1. This company is run by absolute complete idiots with no information security expertise. My PII was hacked at a large well known organization. This organization sent me an offer for “2 years free credit monitoring from AllClear ID”. I phoned AllClear ID and discussed the program. Let’s just say that I regret that decision immensely. The organization that was hacked indicated on the letter to me;

    What was taken?
    list of all PII here-
    Specifically included was the “email address”

    So what does AllClear ID use for their default username and password?

    Username to their system is your email address (presumably the same one already stolen by the hackers of the referring organization).

    What is their DEFAULT password for all new accounts? Let’s just say it might as well be “password”. I’m not publishing it for the benefit of everyone else that they have already scammed. Any middle school school student could guess it, and its very likely on the top ten list of the “most guessed passwords”.

    But it doesn’t even need to be. If the hackers that compromised the original referring organization phoned AllClear ID and requested an account using the info they had already stolen, they’d be given a new acount and the DEFAULT password. They’d also be informed that its the same default password for ALL new accounts. And it remains this way unless the new user logs in and changes it. How many people forget to do this? Lots. But certainly the hackers can log in and change it, and there you have it complete access to ALL your PII and more.

    So the original hackers with an enormous database of emails acquired by their hacks to numerous organizations that refer to AllCLear ID simply run a chron on the email they already have (your username) and the stupid simple default password that AllClear ID gives to ALL new users.

    This company is in the business of information security and identity protection? I think not. I strongly suspect that Hillary Clinton is on their Board or giving them information security advice. After all she ran a private server out of here home with top secret classified information on it. It was backed up by a mom and pop IT company run out of an apartment and the backup server was housed in their bathroom closet. Even better yet, the domain registered for this purpose was “Clintonemail.com”. What we call “information security through obscurity”; hiding the purpose of the system or process with a confusing string of characters. What could the characters “clinton email .com” mean to anyone? This is a shrewd and complex information security tactic used by only those wishing to aspire to become the leader of the free world. Forget encrytion, dod level private networks and restricted IP access and dod firewalls. Just give the email a really confusing name and hide the server really good.

    Smart, no other government would ever believe that the former first lady, senator, and secretary of state could possibly be dumb enough to register a domain by the name of “Clintonemail.com” with top secret classified information on it. After all, even the smartest hackers and Nigerian attackers couldn’t possibly discern the purpose for a domain name “Clintonemail.com” and registered with credentials to match. Thank god that she “wiped the server with a cloth” to clean it before turning it over to the FBI sans 30,000 emails, which were removed after being subpoenaed by congressional committee.

    At least she didn’t give them a dirty dusty server. And I believe that she did wipe it with a cloth, after all, the box contained the fingerprints of every IT Guy in the office of the Secretary of State that she employed to privately manage it in here house on the taxpayer dollar. Fortunately for them, we have the 5th amendment so these folks can just invoke it to protect themselves from lengthy prison terms for aiding in espionage and information security breach of the highest order.

    Ok, back to AllClear ID. Sadly, they are not even as bright as Hillary. Hackers don’t even have to hack in, they can just log into default accounts using their list of millions of emails that have already been compromised. Its their username list to the accounts. And the default password, they have it if you didn’t change it. Now the account is theirs until the unsuspecting customers eventually try to log in.

    Bottom line; Personally Identifiable information (PII) isn’t safe anywhere, anymore, anytime. And the organizations that market their “information security and ID protection” services to protect you after a breach are just partners of the referring organization grossly compounding the problem. Stay CLEAR of AllClear ID.

  2. CE says:

    I just signed up a few months ago from the Home Depot fraud and after being notified of the Anthem fraud and they’re also using AllClearID service I decided to test them out. I’m intimate with my and my wife’s credit reports, via all three agencies. Have been for years.

    We have both been on their service for 90 days now and the following things have happened DURING that time:

    * We refinanced our house (hard inquiry + new account hit TransUnion)
    * We leased a vehicle, which ran hard inquiries on ALL three services (TU,Exp,Eqfx).
    * We applied for a tough-to-get top-credit-only credit card (hard inquiry + new account) hit TU.
    * We applied for credit card increase (hard inquiry) on one account
    * We also did several card increases (lowes/homedepot) which issued soft inquiries for various accounts, so I don’t expect AllClearID to report the soft ones to me.

    Normally our credit is quiet for a long time, but since our scores hit 836+ we do all the credit stuff in “batches” and this was a very busy three months.

    Guess how many notifications me and my wife received? ZERO None. No emails and no phone calls. No messages, nothing in our SPAM or deleted folders.

    I called concerned and they said well new accounts can take up to 8 weeks, so……
    Another response was “well we only monitor TransUnion so maybe they didn’t use that service”.
    After I complained “inquiries are immediate, it’s not like accounts where they have weeks to report them to you and plus I can see these accounts and inquiries hit TransUnion as I have my free online TU report in front of me showing these inquiries and accounts”.

    Call was escalated and now they are investigating, all the while assuring me this doesn’t happen. Hmmm…. I really don’t feel much safer now.

    Problem is, I’m not sure if any of the $30/month are any more reliable like LifeLock, etc.
    Man I remember when CreditKeeper was $10/month and you could update your entire credit report for free every day. It definitely emailed me for all inquiries and monthly.
    /sigh The good ole days. Now credit monitoring is the hot thing and they keep raising their prices as the demand has skyrocketed thanks to the emboldened hackers.

  3. PL says:

    T.Rob,

    I saw your reply to my comment after posting my second comment. Sorry if I gave the impression that I may be trying to persuade you towards anything. from your article, I got the impression that you were put off by the T&C but had not decided on whether AllClear had value to you.

    Given that your article has a June, 2013 date, I assumed you already made a decision. However, you ended with a question, and it is a well written article. I wondered if there may be value in expanding the discussion. If you did take out a policy , then the time will come when you will be faced with the choice of whether or not to renew, as is the case with me.

    I was trying to be helpful, not to persuade.

  4. PL says:

    T.Rob,

    I just found a disclaimer saying “Financial fraud covered is limited to that related to your credit card, debit card, savings, and/or checking accounts — no other accounts qualify.”
    https://www.allclearid.com/legal/guarantee

    So, I guess that means any fraud related to brokerage, 401K, IRA, and other such accounts is not covered. Increasingly, but not exclusively, people use online services with these accounts which may increase their exposure. Same for credit card, debit card, savings, and/or checking accounts.

    It appears that there is no coverage for losses that are not electronic (“Stolen funds loss includes principal amount, exclusive of interests and fees, incurred by you and caused by an unauthorized electronic fund transfer provided you first seek reimbursement from the financial institution which issued the access devise and holds the account from which the funds were stolen”), as stated in section 4, here: https://www.allclearid.com/legal/insurance/

    I also found kits issues by various states on actions to take. As examples,
    here’s Florida’s
    http://myfloridalegal.com/idkitprintable.pdf
    and here’s New York’s:
    http://www.ag.ny.gov/sites/default/files/pdfs/publications/ID_Theft_Kit_2011.pdf
    Here’s the IRS Taxpayer Guide to Identity Theft: http://www.irs.gov/uac/Taxpayer-Guide-to-Identity-Theft

    I’m beginning to think that the only real benefit is the payment of lost wages (how real is that, and does anyone prove it when an employer agrees to let someone use vacation time?), and legal services. However, as they require, the ability to use a lawyer is limited to “(1) Defending any civil suit brought against you by a creditor or collection agency or entity acting on behalf of a creditor for non-payment of goods or services or default on a loan as a result of a stolen identity event; and (2) Removing any civil judgment wrongfully entered against you as a result of the stolen identity event.”

    In such instances, identity theft includes “but not limited to stolen identity events occurring on or arising out of your use of the Internet.”

    Life was so much easier before I learned how to read : – )

  5. T.Rob says:

    PL, I’m not sure what conclusion you would like to persuade me towards. I never get to arguing the merits of what it is they actually do (or not) because I never get past the published contract which I believe to be invalid on its face and overreaching in its intent. Even if there is a huge difference between the free and paid services such that the paid ones are acceptable, the T&C of the free service so undermines my confidence in the company that I would not use any service from them.

    The service they actually perform may be top notch and if that’s the case, go ahead and renew. You already gave them permission to keep and resell your data and to do so long after your relationship with them ends so at this point you have nothing (more) to lose if in fact it’s a good service.

  6. PL says:

    T.Rob,

    I mean this respectfully, but you are missing key points about AllClear’s coverage. Whereas, much of what they collect may be used selfishly by them for their own benefit, some chunk of it may be collected as a safeguard against fraudulent claims.

    More importantly, the contract that binds your benefits is not posted (see here: https://www.allclearid.com/legal/insurance/). Note the section that says ” Your benefits will be subject to all of the terms, conditions, and exclusions of the Master Policy, even if they are not mentioned in this Summary. A complete copy of the Policy will be provided upon request.”

    Next, note the following text: “provided you first seek reimbursement from the financial institution which issued the access devise and holds the account from which the funds were stolen. Stolen funds loss does not include any amount for which you received reimbursement from any other source.”

    So, I imagine that the only funds they may return are in excess of FDIC limits for banks, and anything over SPIC and additional insurance for brokerage accounts – assuming that the fine print in the contract you must request provides such coverage (and the coverage is not limited to credit cards, and so forth, In any case, one must first exhaust claims with third parties before AllClear’s coverage might kick in.

    They are very clear about this: ” If you have other insurance that applies to a loss under this policy, the other insurance shall pay first. This policy applies to the amount of loss that is in excess of the Limit of Insurance of your other insurance and the total of all your deductibles and self-insured amounts under all such other insurance. In no event shall the Insurer pay more than our Limits of Insurance as shown above.”

    Next, they don’t do the legwork. You do: “The Master Policy provides benefits to you only if you report a stolen identity event to us by the contact number stated above as soon as you become aware of a stolen identity event, but in no event later than 90 days after you first gain knowledge of a stolen identity event and you follow the instructions given to you in a claims kits that you will be provided. These instructions will include notifying major credit bureaus, the Federal Trade Commission’s Identity Theft Hotline and appropriate law enforcement authorities. This claims kit will also instruct you how to file for benefits under the policy if the stolen identity event results in losses covered under the policy.”

    It’s a bit mystifying as to whether the free basic service accomplishes anything. I guess it helps to know: “If fraud is detected, you will receive an alert call and email so you can take action.”
    See here:https://www.allclearid.com/enroll

    Still, AllClear seems to attract customers. Here’s the State of Ohio State Term Schedule as of May 15, 2013: http://procure.ohio.gov/pricelist/800303%20pricelist.pdf

    I’m trying to figure out whether to renew.

  7. TJ says:

    I agree completely T.Rob. Nothing vague about their wording except for the parts that are actually vague. We received 1 yr paid at corporate expense and will pass on the deal. Devil is always in the details, no way are they getting our SSN. We will take our chances with unknown thieves rather than known.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s