If Boston fans are allowed into TD Garden on Wednesday for a scheduled Bruins-Sabres game, or into Fenway Park on Friday for the next Red Sox home game, they are sure to be greeted by grim reminders of Monday's terror attacks — beefed up security, extra uniformed police, additional bomb sniffing dogs. Already, fans around the country are seeing and feeling the aftermath at sports venues around the country.

Experts are wondering if these changes are temporary or permanent. Could the Boston Marathon bombing to do sporting events what the 9/11 attacks did to airports? Might the attack lead to aggressive new security measures that create long security lines and frustration for fans?

One change could come quickly: Sports venues around the country might take a hard look at banning all backpacks or bags of any kind, said Dr. Lou Marciani, director of the National Center for Spectator Sports Safety and Security at the University of Southern Mississippi, which is funded by the Department of Homeland Security. The center trains venue operators and security personnel around the country.

---

At least one of the bombs that detonated near the finish line of the Boston Marathon on Monday was hidden in a backpack. Investigators have found fragments of dark or black nylon, which were possibly from a bag or backpack that contained the bombs. 

Whether or not backpacks were used, bags are sure to come under increased scrutiny.

"Some stadiums are moving toward eliminating any type of carry-in anyway," said Marciani. "If that ends up being a factor (in this attack), that might be one best practice that comes out of this."

Those attending sports events for the next several weeks should expect to see heavy security presence, Marciani said. Fans should leave a little early and pack some extra patience, particularly in Boston and other East Coast cities.

Marciani urged careful deliberation, however, as little is still known about the methods of Monday's attacker.

"We can't do anything until the investigation is complete," he said. "When it is, we will take a look at that information, we will collaborate at our annual conference, and digest that into our best practices."

'It's not fool proof'
One security measure that is unlikely to appear at sports venues: metal detectors. Bob Karl, who runs security firm Safety Act Consultants, said the machines cost $35,000 each and would be too costly to add at every venue gate. 

"And it's not fool proof," Karl said. A magnetometer would catch a bomb packed with metal shrapnel, like the ones apparently used in the Boston attack. But it's not hard to craft bombs that are invisible to metal detectors. The next step would be X-ray machines, which no one wants at sporting events, he said.

"You can really create some unhappy fans ... How many people per minute can you screen, and at what point is the fan experience ruined?" he said. "You are always balancing the threat versus the inconvenience and the expense."

Karl agrees a backpack ban will get fresh consideration, and thinks some other lower-cost technologies might be implemented at future events.

"Supposedly, this device was in a trash can," he said. "At a lot of the high-rise venues I work with, any trash cans there are blast resistant."

Urban sports venues like Yankee Stadium pose their own security challenges because they don't have a natural buffer zone around the perimeter that can be secured — such as the parking lots which surround many suburban stadiums. Additional security personnel — and diligent fans — are the best security measures, he said.

“We'll look at some training, but we're not going change what we're doing now," he said. "We will keep our public events in this country. One thing I can take away from this is we are proud of what the response was. We've trained a lot of first responders, and they were ready."

'Do the best you can'
There are special problems with securing a marathon, Marciani said, and it would be a mistake to draw too many conclusions from Monday’s attacks. Marathons have more in common with public space events like parades than big-ticket sporting events like pro sports, he said.

"Marathons are open-ended. There's no access control. You have 26 miles to cover. It's a lot more like St. Patrick's Day," he said. At stadiums, every entrant must pass some through some kind of access point. "(At a marathon) you do the best you can, check the manholes, check the garbage cans, but you can't manage every aspect of 26 miles."

David McWhorter is a sports stadium security expert with Catalyst Partners in Washington, D.C., a consulting firm that just helped Yankee Stadium operators obtain the coveted "Safety Act" designation, meaning it has been deemed well-protected against terrorist attacks by the Department of Homeland Security.

There are additional high-tech measures that marathon operators — such as those running this weekend's London race, or Montreal's race on April 28 — might consider, he said.

"A huge cadre of K9s might have picked up on something. Also, depending on the viewing angle and other considerations, there is software ... that analyses camera feeds and can detect certain types of movement or unattended items," he said. "Also, there are more covert technologies that monitor for certain electronic signals, but I'm not at liberty to get into details.

"Lastly, there is the option of more human security guards, although it is not at all clear that this would have helped," he said. "Unfortunately, all those things take money to buy and maintain. No one has the budget to defend against all possible threats."

Follow Bob Sullivan on Facebook or Twitter.

CLARIFICATION: This story was updated Feb. 1 with additional information about Kathy Sandy’s Work Number disclosure report.

The Equifax credit reporting agency, with the aid of thousands of human resource departments around the country, has assembled what may be the most powerful and thorough private database of Americans’ personal information ever created, containing 190 million employment and salary records covering more than one-third of U.S. adults.

Some of the information in the little-known database, created through an Equifax-owned company called The Work Number, is sold to debt collectors, financial service companies and other entities.

"It's the biggest privacy breach in our time, and it’s legal and no one knows it’s going on," said Robert Mather, who runs a small employment background company named Pre-Employ.com. "It's like a secret CIA."

---

Despite all the information Americans now share on social media and websites, and all the data we know companies collect on us, one piece of information is still sacred to most people: their salaries. After all, who would post their salary as a status update on Facebook or in a tweet?

But salary information is also for sale by Equifax through The Work Number. Its database is so detailed that it contains week-by-week paystub information dating back years for many individuals, as well as other kinds of human resources-related information, such as health care provider, whether someone has dental insurance and if they’ve ever filed an unemployment claim. In 2009, Equifax said the data covered 30 percent of the U.S. working population, and it now says The Work Number is adding 12 million records annually.

How does Equifax obtain this sensitive and secret information? With the willing aid of thousands of U.S. businesses, including many of the Fortune 500. Government agencies -- representing 85 percent of the federal civilian population, including workers at the Department of Defense, according to Equifax -- and schools also work with The Work Number. Many of them let Equifax tap directly into their data so the credit bureau can always have the latest employment information. In fact, these organizations actually pay Equifax for the privilege of giving away their employees' personal information.

Equifax turns around and sells some of this data to third parties, including debt collectors and other financial services companies. 

Equifax declined to be interviewed, but in an emailed statement to NBCNews.com, it confirmed that it shares "employment data" with debt collectors and others, and said it does so in compliance with Fair Credit Reporting Act guidelines. 

"In all cases, these entities must have a permissible purpose to request employment information," Equifax spokesman Timothy Klein said. 

He also said consumers give these third parties the right to access the data "at the time of application" for credit.

"A consumer grants verifiers (creditors) and their assigned debt collectors the right to verify employment should the consumer default on their account," he said. 

Data for debt collectors
Companies sign up for The Work Number because it gives them an easy way to outsource employment verification of former workers. Firms hate taking these calls, which usually come when a former employee is applying for a new job, because they are a costly distraction for human resources departments and open the firm up to lawsuits if someone says something disparaging about the former employee. So they contract with The WorkNumber, which automates the process. In exchange, firms upload their human resources data to The Work Number, which was part of an independent St.Louis-based firm named TALX until it was acquired by Equifax in 2007 for $1.4 billion.

The Work Number offers consumers some benefits. It provides an easy way for prospective landlords to verify an applicant's income, for example. Consumers tell the Work Number they want a one-time access code, which they then give to a landlord so he or she can verify that the potential tenant can really afford the apartment.

But The Work Number serves dual purposes. It’s also a massive database that Equifax monetizes in a variety of ways, despite the reassuring-sounding messages found all over TheWorkNumber.com.

"Can just anyone get my income information from The Work Number?" reads one passage. Answer: "No. You have to give someone authorization to get your income information from the service."

Employers who sign up for the service go to great pains to reassure workers that their data is safe and secret. Columbia University, when it explained to employees it was transitioning to The Work Number, posted this on the school's website:

"You are the only person who can authorize access to your salary information."

But Kathy Sandy of Sommerville, N.J. was surprised to find that a debt collector had accessed information from her report two years ago, something she learned only when she obtained her "consumer disclosure" from The Work Number. Because the data is considered a credit report, consumers are entitled to one free report every year. The report shows what data the report contains, and what entities have seen it.

Sandy's Work Number report, which she shared with NBC News, is 22 pages long -- an amazingly detailed history of every paycheck she had received for years. The first page of the report lists "verifiers who have requested your data in the past 24 months." On the list is "Pressler and Pressler," a law firm that specializes in debt collection. The firm had sued her in small claims court over a credit card debt that she says she was already repaying. It is not clear from Sandy’s report what employment data was shared with Pressler and Pressler; Equifax says it does not provide salary information to debt collectors, but it does provide other information.

"I found out debt collectors can access this information, which is strange," Sandy said. "I assumed with The Work Number, for that information, you had to have a (passcode) … but they got in, and got it somehow without my consent."

In brochures where Equifax advertises sale of the data, it's not shy about the source.

"The Work Number specializes in employment and income verification. It's direct from the source: the employer. It's current, as of the last pay period. It's delivered quickly -- on demand," says one brochure, titled "Portfolio Monitoring."

In his statement to NBC News, Klein confirmed that "pay rate" information is shared with third parties, including "mortgage, auto and other financial services credit grantors," as authorized under the Fair Credit Reporting Act.

He denied that salary information is sold to debt collectors, however.

"Debt/Collection agencies may request employment information -- which may be nothing more than verifying that a consumer is working where they say they are – if it qualifies under permissible purpose," he wrote. "Collections agencies are not provided salary information."

That contradicts an assertion made recently by Equifax CEO Richard Smith in 2009, when he talked about how detailed The Work Number data is.

"With FirstSearch and TALX we can provide information about a debtor’s location, income and employment," said Smith in an interview published on NYSE Magazine’s website, referring to The Work Number’s former parent company. "That can help prioritize which accounts to pursue first. If they’re employed, that business has a better shot at collecting what is owed to them."

Klein said Smith misspoke when describing TALX’s services, and reiterated that salary information on consumers is not sold to debt collectors.

'Unbelievably scary'
With or without the income data, The Work Number data is incredibly valuable to debt collectors -- and it may come as a surprise to many workers that their employers, directly or unwittingly, help debt collectors.

Equifax markets The Work Number specifically to student loan issuers. In another brochure on the firm's website, Equifax brags that The Work Number makes debt collectors' jobs easier.

"The Work Number produced a 5.5 percent lift in Right Party Contact and a 7.3 percent lift in Collections Resolution versus current skip-trace methods," the "case study" brochure says.

Equifax’s resale of The Work Number data doesn’t stop there. It also offers "portfolio monitoring" to financial firms who might want to market their products to consumers … or to get early warning on someone who might soon land in financial trouble. It calls this "proactive managing of risk." 

"The Work Number is part of our employment and income verification service. It provides continual track of changes to your customer or client portfolio, delivered on demand per your schedule," it says. "Simply submit a portfolio of customer or client accounts and The Work Number does the rest. ... Using The Work Number to stay abreast of employment changes can expand your ability to mitigate risk while maximizing product and service potential."

Mather has been in the employer data business for more than 20 years, and he says that if Americans suspected their employers were giving away their personal information to a credit bureau, they'd be shocked.

"The story here is how (The Work Number) is getting this information," he said. "When people find out, no respectable employer will continue to do this."

Larry Ponemon is a privacy expert who operates The Ponemon Institute, a consulting firm. He said he’d never heard of companies selling employer data to debt collectors.

"Are you joking? Oh my god, I'm shocked," Ponemon said when the business was described to him. "This is unbelievably scary. I consider payroll information very sensitive and private." In studies he's conducted, salary data is always among the information consumers say is most private.

"If the public knew about this, there would be such outrage," he said. "It's just ... really depressing."

Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse, had heard of The Work Number, but only because some consumers have complained to his agency that the data in its database is inaccurate. Some workers find that when they try to use the information for employment verification, their titles are outdated or otherwise misrepresent their work history, which can be embarrassing for a job applicant.

When told that the data is sold to third parties, he said he was under the impression the data was not shared.

"I think it is something that would be offensive to many people. One typically considers salary information to be shared by your employer just with IRS," he said. 

A glance at the language on The Work Number's website suggested to Stephens that the firm is legally within its rights to share the information, however.

"You get into the 'permissible purpose' doctrine," he said. "Debt collectors have a permissible purpose to look at your credit information. It was my impression that the data was only being given out when employees released it."

'Secret' process?
Data brokers are under heightened scrutiny in Washington, D.C., lately. There are two separate congressional investigations of the industry, and the Federal Trade Commission announced in December that it had begun an inquiry into how brokers obtain their information. Equifax received an inquiry letter from the FTC, but only for the data broker portion of its business involving non-financial data, such as criminal background records and address information.

Credit reporting agencies, such as The Work Number, are distinct from data brokers and are governed by special rules. Ironically, those special rules may open the door for Equifax -- and the credit-reporting side of its business -- to resell the salary information, says Katrina Blodgett, a lawyer with the Federal Trade Commission. She is one the agency’s experts on the Fair Credit Reporting Act. 

The FTC filed a case against TALX and Equifax in 2008 for allegedly failing to provide employers with sufficient notice about their disclosure responsibilities under the Fair Credit Reporting Act. Equifax admitted no wrongdoing and paid a small fine.  

Blodgett said the Fair Credit Reporting Act and subsequent updates give consumers specific legal rights, such as the ability to dispute errors in credit reports. But it also creates permissible purposes for access, including giving financial service companies the right to review credit reports of consumers they do business with. 

"It’s not as easy as it should be to say whether debt collectors can get your consumer reports, because it depends on the circumstance," she said, adding that she believed Equifax could have the right to sell the salary information to debt collectors because it is part of a credit report.

Much attention has been paid to the use of credit reports by human resource departments in recent years, and Congress gave job applicants special rights when a credit report is used during the job interview process. The reverse isn’t true, however, Blodgett pointed out.

"There are special restrictions on how credit reports can be used in hiring decisions, but there are no special restrictions on how employment reports (such as salary information) is used for non-employment purposes," she said.

She said she wasn’t surprised that Equifax is selling the information in The Work Number.

"They are a credit bureau. They sell credit information to lenders," she said.

Mather wants the sale of employee information halted. His firm also performs third-party employment verification, but he does not resell the data he collects.

"I strongly believe there is no reason to resell employee information to debt collectors without the permission of the employer and employee," he said. "This 'secret' process needs to stop. I hope eventually a simple law is passed making it required to get the permission of the employee BEFORE his information is resold. It simply should NOT be used for any other purpose except for employment purposes without permission. In my view, it is a betrayal of trust."

Consumers who want to see what information The Work Number has on their employment history can visit this page on the TheWorkNumber.com. While reports are available online, consumers may have to fill out a form and mail it to The Work Number in some cases.

* Follow Bob Sullivan on Facebook.

* Follow Bob Sullivan on Twitter.

More from Red Tape Chronicles:

• Telecom firms can't say how 'crammed' charges were billed to unused phone
• Proposed 'privacy tax' would penalize firms that profit from consumers' info
• Net users fall for fake online lovers all the time, victims advocate says

Breezy Point, in New York City's Queens borough, was built in part by New York City firefighters and their families in the early 1900s. A large section of it was destroyed by Hurricane Sandy, in part because firefighters couldn't get there.

The idyllic community of around 3,800 homes – many wooden bungalows, packed tightly together – sits on an isolated spit of land, connected to mainland New York City by two bridges. It enjoys both bayside and ocean views, a luxury that makes it a target for both New Yorkers and every large storm that roars ashore from the Atlantic. But it wasn't rain or wind that did in Breezy Point – it was fire and logistics.

---

At the height of Sandy's fury late Monday, when a devastating blaze ignited in the heart of the community, firefighters were slowed by flooded roadways and other weather-related challenges, finally requiring help from the National Guard to get through. As they were working out an approach, flames fueled by massive winds jumped from home to home, consuming family histories along with the buildings holding them. By the time the blaze was contained, more than 100 homes – and St. Genevieve's Catholic Church – were destroyed, ripping the heart out of the community.

Breezy Point is sometimes called the Irish Riviera – or by its Gaelic name Cois Farraige, which means "By The Sea." Irish police and firefighters looking for affordable seaside homes rushed to build in the area when transportation to and from the city became readily available just over a century ago. It has remained one of the most Irish enclaves in America, with more than half the residents claiming Irish heritage, according to the U.S. Census Bureau. 

"If you are interested in learning anything — the bagpipes or the tin whistle or Irish dancing," Breezy Point is the place, Dolores Mulholland told the Irish Echo, a New York-based newspaper aimed at Irish immigrants, in a feature story on the neighborhood last year.

Even Frank McCourt, the famed chronicler of Irish-American life who wrote "Angela's Ashes," once lived there, but few outsiders have the chance. Property rarely comes up for sale, and when it does, buyers must come up with a 50 percent down payment required by co-op rules. The Breezy Point Cooperative, which governs the area, pays for its own security force, and is one of the rare spots in New York City where the fire department is still run by volunteers. 

They were no match for the record-breaking storm and fire that gutted the place early Tuesday morning. The blaze did not discriminate. Rep. Robert Turner, R-N.Y., who won a special election to replace disgraced former Rep. Anthony Weiner last year, lost his home in the blaze. So did state Conservative Party Chairman Mike Long.

Breezy Point was under mandatory evacuation orders when Sandy rolled in, so many residents spent Monday night watching terrified on television, or scanning the Internet, looking at distant images showing their beloved beach community engulfed by water and flames. They hoped friends and family got out in time, and hoped their homes could dodge the triple threat of wind, flood and fire. Few did.

'I can see a fire from my house'
Max Countryman got an alarming text from his mother, Paula, in the early morning hours on Tuesday asking if there was a fire on Breezy Point. Paula and her partner had decided to ride the storm out, as she and Max had ridden out Hurricane Irene with little trouble last year.

"I can see a fire from my house," the text said.

Max had left his mother at her Bedford Avenue home only a day earlier, after scoring a ticket on one of the last pre-storm flights out of New York. Back home in San Francisco, after Paula's electricity, phone and Internet service went out, he had to rely on her texts, news reports and, finally, the Web.

"I was just listening to the Fire Department scanner (online) all night," he said. "I listened to the progression of the fire, when it went from one alarm, to two, three, four, five, six alarms. ... It was horrible to listen to the traffic, hear another block is engulfed in flames, another block, and they just couldn't stop the progression."

He took to Twitter to ask for help, but soon learned there was no way for his mother to get off the island. At first, he was more concerned about flooding.

"I'm in contact with her. But there's probably not a lot to do but wait," he told one user. "There's a second floor and deck. And I suppose there's always the roof. But for now it's not that bad." 

But quickly, fire became the bigger worry.

"Breezy Point is in dire shape at the moment: between twelve and fifteen homes are on fire, a church is burning, and the FDNY is stuck," he wrote. A little later, he tweeted: "@FDNY what's the status on the 3-alarm in Breezy Point? My mom is stuck (on) Bedford Ave, fire is not too far away." Then, this, a moment later:  "@FDNY ... What should people stuck on the point do as the fire approaches their homes?"

About the same time, Chelsea Taylor was sweating out the storm and fire from her home in Bensonhurst, Brooklyn. For Taylor's family, Breezy Point has been like an extended family hotel for the past two decades. Her sister Nicole Makridis lives on Bayside Avenue; her aunt, uncle and their two kids live next door.

"I was basically raised over in Breezy Point because of a beach club over there and it was absolutely beautiful," she said. "I've spent endless summers over there and a lot of my high school friends live over there."

Before Sandy’s landfall, Makridis had evacuated to Taylor's home, but the other family household stayed behind. Taylor found out during the night that parents and kids – a 3-year-old and a 9-year-old – were evacuated by boat, but she couldn't find out where. 

"(I) found out they were evacuated by boat to the clubhouse. I have no idea where that is though," she told NBCNews on Tuesday. "It was the 9-year-old's birthday on Saturday," she added.

The uncertainty and fear were felt by many others with roots in Breezy Point.

Chris Gavagan is a filmmaker living in Brooklyn who grew up on Breezy Point; his father and brother still live there. His father retreated to ride out Sandy in Brooklyn, but brother Rob stayed behind in Breezy Point. When Chris Gavagan discovered Max Countryman's tweets about this mother, the two shared notes and determined that Countryman's mother and Gavagan's brother were neighbors.

"My brother (we haven't heard from since 8p) lives about 100ft away. The Army is involved now," Gavagan said on Twitter, referring to the National Guard. 

Reading texts, monitoring fire scanner
Countryman never lost contact with his mother  through the frightful night. While she couldn't place calls, text messages continued to work and her cellphone battery held out. He knew when her first floor filled with 4 feet of water. As the night wore on, he heard on the FDNY scanner activity that wind had blown the fire the opposite direction, away from his mother's house. Then, after the high tide waters receded, he figured she was out of immediate danger.

He still had no idea how to help her, however – and his mother and her partner didn't know what to do next. 

"They were going to try to rent a car, or somehow get a car – my mom's partner hadn't heard from her mom, so they want to go into Brooklyn and check on her," he recalled. "But it's probably impossible for them to leave the house." 

He reflected on his mother's decision to stay, and said it was complicated. Their first option was to evacuate, but the nearest family member's home – in "Zone A" in Brooklyn – was also under a mandatory evacuation order. The couple has two dogs and a bird, making evacuation to anywhere else challenging. Such potentially life-threatening calculations were not unusual. The Wall Street Journal reported that perhaps 60 percent of Breezy Point residents tried to ride out the storm there.

PhotoBlog: Evacuations continue and residents take stock in destroyed Breezy Point

Nonetheless, as the weather began to clear on Tuesday, he wondered aloud why his mother wasn't getting more help leaving her badly damaged home.

"You'd think the National Guard would want to step in and evacuate, maybe make an attempt to get people out at dawn. But right now I don't know what they are going to do," he said.

Gavagan got good news, too, as he was able to make it to Breezy Point Tuesday to check on his brother in person. 

"(My brother) rode it out in a house where taking on water was the concern. He had a few feet (of water) in the house," he said.

Perhaps for the best, he said, brother Rob didn't know about the fire because he was too busy caring for their home. 

A picture Gavagan sent to NBC News shows his father and brother already cleaning up debris around the house, carrying away a sign that reads, "Beach Officially Closed." He was able to let Countryman know that he'd seen his mother's home.

"The sidewalks and areas around her house still have feet of water, but there is plenty of help now," he said. He also reported that the National Guard was on the scene, but didn't know if they were evacuating residents.

For others, relief was delayed and tempered by the loss of treasured memories. 

Chelsea Taylor was still waiting late Tuesday to hear where her uncle, aunt and their children ended up, assuming they were OK but worrying nonetheless. Her sister was able to make her way back to Breezy Point to get see the damage, but that did nothing to lighten her mood.

"Looking at the pictures my sister just showed me of her house is absolutely heartbreaking," she said. "Her whole house is completely flooded. "The flooding is unbearable. She lives on a floor level condo right across the street from the beach in Rockaway. … The boardwalk from the beach also washed up to right in front of her door."

Lauren Pallini's family lives in a home on Breezy Point that was also flood damaged. 

She spent Tuesday scheming how to get into the neighborhood so she could see the damage for herself. NBC News connected with her on Twitter as she started the trip over from Brooklyn. 

"To Breezy now," she said. Then, in Twitterspeak, "#Soscared."

An hour later, she'd seen the destruction.

"There's no hope for my house. Can't stop crying. I literally lost everything," she wrote. "Everything is flooded and literally everything got wet so everything is ruined."

Bob Sullivan writes The Red Tape Chronicles blog for NBC News. Follow him on Twitter at @RedTapeChron

Share your photos with us
We want to see the people that helped you during this time of crisis. Post pictures on Twitter or Instagram by tagging them #NBCNewsPics or upload photos using the form below. Use the caption or Tweet to explain why the person is a hero. Click here for more information

More content from NBCNews.com:

• Sandy leaves trail of destruction, disbelief in its path
• Volunteers rush in to help devastated region recover
• 'There was no stopping it': Sandy's surge inundates northern NJ towns
• Breezy point: 'Whatever is not flooded is on fire'
• Sandy leaves NYC subway system, infrastructure licking its wounds
• New York's post-Sandy divide: Those with power and those without
• Stranded by Sandy, air travelers eager to change status
• Sandy hammers Jersey Shore, levels homes, shreds boardwalks
• By the numbers: Superstorm Sandy
• Foot of snow: Sandy brings blizzard conditions to West Virginia
• News sites knocked out as NYC data center floods
• Storm seen as unlikely to delay election
• Your images of Sandy's fury

Follow US news from NBCNews.com on Twitter and Facebook

 

 

Privacy's last stand is taking place not far from The Alamo in Texas right now, to hear some people tell it. Two schools in San Antonio have begun tracking students using radio-enabled computer chips embedded in their ID cards, allowing administrators to know the precise whereabouts of their charges on campus -- be it in class, in the bathroom, in a stairwell or AWOL -- all while sitting at a computer.  

The stated purpose of the so-called RFID ID cards is simple: Because state aid is based on attendance, and the chips help schools count kids, tracking equals funding. The district also says the technology makes kids safer.

---

But at the intersection of technology, parenting, schools and privacy rights, things frequently get messy. Are schools merely modernizing, or are they teaching children to silently accept a Big Brother state? Should parents be happy that teachers can more easily keep tabs on their kids, or should they worry that vast databases of detailed location information might one day harm the children?

Technology with potential privacy implications is shoehorning its way into schools around the country, creating thorny issues at every turn.

Should district be allowed to demand middle-schooler's Facebook password?

Before San Antonio's implementation, Houston ran a trial in 2010 and found the RFID ID cards did in fact help boost attendance figures. RFID tracking has also been tried in California, where one preschool embeds chips in kids' clothes. Biometrics -- usually fingerprints -- have been used by some schools. In Carroll Country, Md., some kids now flash their palms instead of cash to pay for food. And the Daily Princetonian earlier this month revealed that new keyless locks opened by ID cards installed in dorm rooms feed a central database that records each time students enter buildings and rooms. University officials responded to the story the way every school does -- and nearly every data collection authority does -- by saying officials don't monitor the data but they reserve the right to access it in an emergency.

Children desensitized to being watched?
The definition of an emergency can be dicey, however, and that logic has already led to some celebrated privacy and technology lawsuits. Several districts around the nation have run into trouble for demanding students' social media passwords or asking to rummage through kids' cellphones without a warrant. 

A few parents in San Antonio are putting up a stink about the RFID cards, arguing that schools shouldn't be a playground for new privacy-invading technologies. A group calling itself "Chip Free Schools" has tried to organize opposition. Another parent is objecting on religious grounds.

Gov't agencies, colleges demand applicants' Facebook passwords

Chip Free Schools has received support from a larger privacy advocacy group -- Consumers Against Supermarket Privacy Invasion and Numbering, or CASPIAN, which was formed more than 10 years ago to protest the proliferation of supermarket loyalty cards.

"RFID is used to track factory inventory and monitor farm animals," said Dr. Katherine Albrecht, director of CASPIAN. "Schools, of all places, should be teaching children how to participate in a free democratic society, not conditioning them to be tracked like cattle."

Of course, the fight against loyalty cards didn't get very far, and privacy concerns may take a back seat as schools are tempted by new technologies that help them manage their districts, warns Jay Stanley, a senior policy analyst with the American Civil Liberty Union’s Speech, Privacy and Technology Project.

It's often hard to see the long-term privacy issues created by technology through the fog created by short-term gains, he warned. Location tracking can have a chilling effect on casual congregating, for example -- kids who consider forming a club may skip the idea once they are aware that administrators will know about every meeting. 

"The consequences of tracking are that as people become more aware they are being tracked, they become less free," he said.

There's also concern that students who learn to accept tracking as teen-agers will enter adulthood desensitized to being watched by government agencies.

"Schools shape children not just by what they tell them, but also what we demonstrate to them," he said. "We don't want to see the next generation of citizens growing up thinking about this kind of invisible eye in the sky."

'Prisoners in their own schools'
There are also several practical problems with tracking students and collecting data on them, Stanley warned.  The practice can provide a false sense of security, for example, as kids might find a way to separate themselves from their RFID chips ("As a parent, I would wonder, do they know where your kid is, or do they know where your kid's chip is?" Stanley said). While the data might be collected for one use -- paying for lunch -- there might be mission creep. One day, it could be used as part of an adjudication procedure to find witnesses to a fight, for example. Long term, perhaps it will end up in the hands of political operatives, forcing a future presidential candidate to explain why he missed so many history classes. There's some concern -- theoretical at this point -- that the radio signal sent by the chip or the data collected could be stolen by others who might harm children. And there are worries about the cost.

NBC News' Charles Hadlock on the school's controversial use of tracking technology

"You should ask, 'Is this just a gimmicky solution to a problem that's been solved already, like using lunch money,’ and the funds might be better spent on education?’ " he said.

Katie Deolloz, who is helping coordinating RFID ID card opposition for CASPIAN, argued that the switch to an RFID card was really motivated by money.

"Students deserve to be treated with dignity and respect, not forced to wear microchips that track them like cattle," she said. "(The district) has spent upward of $500,000 solving a non-problem. Relying on RFID to track and monitor students during the school day shifts the burden of responsibility away from the administrators and teachers. (The district) needs to be in the business of educating children, not treating them like prisoners in their own schools."

Failing to provide Facebook password gets teacher's aide fired

Stanley concedes that parents confronted with tracking technology at schools might have a very different reaction than privacy advocates. Many already pay cellphone providers so they can use mobile GPS tracking tools to keep tabs on their children. Parents also tend to keep kids much closer at hand then they did a generation ago, when it was common for kids to spend entire days biking around the neighborhood unsupervised. When concerns about school tracking are raised, they sometimes respond with a simple shrug. 

Meanwhile, school officials point out that students have reduced civil rights when on campus. According to school spokesman Pascual Gonzalez, the kids have no right to privacy at school.

"During the school day, when they are within our four walls, we've got to know where those kids are," he said. "We reject the argument (that their privacy is being invaded). People saying that are not charged with the safety of children."

He dismissed the idea that the cards represent a tracking device, calling it instead a "locator."

"There is nobody sitting at a bank of monitors looking at a bunch of dots on a computer screen," he said. "We only go and look for a student when we have reason to.|

Implementation of the RFID pilot program -- which involves 4,200 students at two of the district's 112 schools -- has gone on without a hitch, he said. 

So far, it appears parents are buying the district's argument. Gonzalez says only two district families are opposing the cards. If those students continue to refuse to wear the cards, they are subject to being kicked out of school, he said.

Stanley said he's not surprised at the lack of protest from parents. Many have become much more comfortable with the technology, and there is an apparent lack of consequences stemming from its use. There are no tales of sexual predators hacking databases of kids' fingerprints, no evil school principals who've posted detailed charts of kids' whereabouts on their Facebook page. So when the cost-benefit analysis is presented, it's hard to spell out that cost.

"With privacy, the issue is almost like the environment. We have to ask what kind of society we want to create long term," he said. "These things do have a very real effect on our freedom, but it's very gradual and often very subtle."

* Follow Bob Sullivan on Facebook.

* Follow Bob Sullivan on Twitter.

Nearly one in six convicted sex offenders is using sophisticated techniques invented by identity thieves to avoid their legally mandated registration requirements, a new study has found. These digital absconders might be able to avoid post-incarceration restrictions by living near schools and playgrounds, and could possibly gain employment working with children.

The study, conducted by Utica College and funded by the U.S. Justice Department, estimates that roughly 92,000 of the 570,000 registered sex offenders across the country are systematically manipulating their names, birthdays, Social Security numbers and other personal identifiers so they can live as they want while appearing to satisfy court-imposed or statutory restrictions.

"These are offenders who are flying under the radar and authorities don't know it," said Don Rebovich, the Utica professor who directed the study. "The authorities really don’t have the resources to keep on checking on these people. Offenders find where the vulnerabilities are in the system and exploit them."

---

These digital absconders create two obvious problems. Communities expend energy and resources dealing with offenders who aren't really there -- local police knock on doors and send notices to warn neighbors; public listings are published on the Internet. And sex offenders live where they please as normal adults, without any protective measures kicking in.

"In the worst-case scenario, by thwarting registration requirements, they could potentially have easier access to children," said Staca Shehan, director of case analysis at the Center for Missing and Exploited Children, who is familiar with the study. "(In) those jurisdictions that have residency restrictions that would not allow (offenders) to live within distance of a school, daycare or park, (they) could avoid that type of requirement."

While the study found that an average of 16.2 percent of sex offenders manipulate their identities nationally, some states fared worse: Louisiana, Washington, D.C., Nevada, Tennessee and Delaware all had digital absconder rates of higher than 25 percent.

Officials in Tennessee, Nevada and Delaware challenged the study's conclusions and complained that they had not been contacted by the researchers for additional information that might have clarified the results; officials in the other states did not immediately respond to requests for comment.

'Strategic' manipulation
Shehan said there are generally two kinds of sex offender absconders: those who simply fail to keep their records current, and hope they fall through the cracks; and those who are more systematic in their evasion, intentionally altering their identities so they can circumvent the restrictions. 

"That takes a lot more thought," she said. "They are much more strategic about what they are doing ... and so that's much more concerning."

In one celebrated case of sex offender identity manipulation, a convict named Frank Kuni changed his name to Jamie Shepard and was able to get a job as a U.S. Census worker in New Jersey. Kuni was recognized by a mom after he knocked on the door of her Pennsauken home, and he was later sentenced to three years in prison. Kuni’s case attracted national headlines because of the fear it created surrounding temporary Census workers.

The Utica study, believed to be the first attempt to quantify these more strategic absconders, was conducted by Utica College's Center for Identity Management, set up to examine a variety of identity issues in the digital age. Rebovich is director of the center.

It's well known that some sex offenders neglect their registration requirements, dropping off the grid and accepting only cash-paying jobs to remain hidden. But the Utica study found something more subtle, and perhaps more disturbing -- sex offenders who appear to be satisfying their registration requirements while living a digital double life.

In a parallel survey of 223 law enforcement agencies from 46 states, Utica found that awareness of ID-theft style registry evasion was low -- only 5 percent of respondents said they knew of an identity manipulation case within their jurisdiction. 

And nearly 40 percent of the agencies responded that they had zero absconders, suggesting some law enforcement agencies are unaware of the problem.

The power of the Utica study lies in the use of sophisticated algorithms developed by private firm ID Analytics, a fraud-fighting company used by many large banks and other financial institutions. ID Analytics receives more than 1 billion credit applications and other credit-related events from clients every year. It uses sophisticated software to track the behavior of identity thieves across the credit system, and can find fraud that individual firms miss. It knows, for example, if a criminal uses a systematic series of birthdays or addresses on a set of credit card applications at various banks in an attempt to evade fraud detection. The ID Analytics tool has enough data that it can generally tell the difference between honest typographical errors and systematic fraud attempts. 

ID Analytics ran sex offender data through its massive database of credit-related events, and found evidence of rampant identity manipulation among the offenders.

Kristin Helm, a spokeswoman for Tennessee's sex registry, challenged the study's findings, saying that fewer than 1 percent of that state's sex offenders are absconders. Criminals have always used false identities to try to evade police, but law enforcement systems are geared to handle that issue, she said. "Fingerprints obtained by law enforcement identify individuals regardless of a name or Social Security number," she said, adding that names sometimes change for legitimate reasons, too, such as marriage. 

But Stephen Coggeshall, chief technology officer for ID Analytics, said his technology is well-versed in screening out mundane reasons for identity changes and finding patterns that specifically indicate active evasion is taking place.

"This goes way beyond typos," he said. "These are people who have slightly adjusted or substantially adjusted their personally identifiable information for a reason. They are actively doing so, and we are observing them use these aliases relatively recently."

Nevada spokeswoman Julie Butler also questioned the validity of the study, which she had not seen. She said that Nevada uses fingerprints to track sex offenders, so identity manipulation techniques would be ineffective.

"Our registry is fingerprint-based. We don't base it on date of birth, or Social Security number, or name," Butler said. "They can put down their name as whatever and we still have them in the database."

But Coggeshall responded that even in states which use fingerprint identification, an identity manipulator would only be discovered when trying to engage in an activity – such as becoming an elementary school teacher – which triggers a fingerprint evaluation. 

"In general it doesn't help you track where they are or if they're living under an alias at an unregistered location," he said. "It can help to find sex offenders as they enroll in certain groups, but many … groups don't routinely fingerprint new enrollees."

SSNs connected to multiple people
Two years ago, using this tool on a database of Social Security numbers, ID Analytics found that rampant evidence of identity theft: 5 million SSNs were connected to three or more U.S. adults in credit applications, and 140,000 were associated with five or more people, indicating almost certain fraud. The tool can also track individual identity manipulators, as ID Analytics calls them, as they attempt various frauds across an array of credit issuers.

This tool was turned on the sex offender registry problem at the invitation of Utica College in Utica, N.Y., beginning last year. ID Analytics took a large sample -- nearly 100,000 -- of the 570,000 active registered sex offender records and ran them through its credit application database, looking for signs of manipulation.

The findings were disturbing. In Louisiana, the study found, nearly two-thirds of offenders' records showed signs of manipulation. Rebovich theorized that Louisiana's problem might stem from the aftermath of Hurricane Katrina, which gave some people a golden opportunity to drop off the grid.

Officials in Louisiana did not immediately respond to requests for comment.

In many cases, the study found, the steps criminals take are subtle -- changing an address from "440 Monroeville Road" to "434 Monroeville Road," for example. In fact, in the majority of cases, digital absconders were much more likely to move across town than across the country. Absconders who fake their address are six times more likely to remain in the same state than to cross state lines, the study found, and 90 percent of those who remain in state stay within 40 miles of their original registered address. In many cases, the data shows, those addresses belong to a family member. That might allow absconders to show up on a moment's notice at their registered address in case local police do a random check, Rebovich said.

But the address change could also allow them to apply for jobs and housing they would otherwise be unable to qualify for, he said.

While half of the manipulations involve bad addresses, plenty of other types of evasion are going on, the study found. One subject studied had five names, three Social Security numbers and four dates of birth, for example.

About 10,000 offenders had used at least four different Social Security numbers, Rebovich said. The evidence indicates this was usually done to evade the court registration requirements rather than commit financial identity theft, the study found.

One reason sex offenders seem to get away with evasion is that registration requirements are set by states and vary widely. In some states, convicts merely send updates through the U.S. mail to state officials, and are subjected to little, if any, verification. In others, officers try to check on sex offenders, but ofter are assigned hundreds, or even thousands of offenders, to track.

In other states, such as Florida, there are strict requirements and frequent random inspections, Rebovich said. That shows up in the data -- Florida's digital absconder rate is about half the national average, at 9.4 percent.

The study was funded by the Justice Department's Bureau of Justice Assistance, which plans on issuing a comprehensive report later this fall. Requests for comment from the Department of Justice went unanswered.

'System is never going to be perfect'
Shehan, of the Center for Missing and Exploited Children, said she didn't believe that the potentially high rate of digital absconders means the entire sex offender registry program is broken. In fact, she said the situation has improved since passage of the Child Safety and Protection Act of 2006, which instituted some national standards on offender registries.

Still, she said it's important that states move to biometric identifiers, such as fingerprints, to maintain more accurate records of offenders and their whereabouts.

"Criminals are constantly thinking of ways to beat the system," she said. "The system is never going to be perfect."

Rebovich is hoping the study will spur new methods for checking up on sex offenders, including techniques that would seem familiar to those who work in financial fraud. In a model developed by Utica and ID Analytics, offenders could be given a score, similar to a credit score, which would rate the likelihood that identity manipulation was occurring. 

"We are trying to develop a predictive model," he said. "So we can turn it into an alert system, so states can do this in real time, if they want to."  

Coggeshall said such an alert system would have helped police track down Frank Kuni before he was able to get a job with the Census Bureau.

"In retrospect, we know there are things we would have been able to observe" he said.

http://on.msnbc.com/topnewsemailsignup">Click here to sign up to receive our Top News email each day.

 *Follow Bob Sullivan on Facebook.

*Follow Bob Sullivan on Twitter.  

Daryl Henry's reward for 20 years of service in the Navy was a $1,083 monthly pension. But more than half of it went to a private California company -- Retired Military Financial Services -- after Henry was duped into a complex financial agreement, the Maryland resident alleged in a class-action lawsuit.

Struggling with bills, Henry says he answered an ad in the Navy Times and traded 96 months of future pension checks -- totaling $103,000 -- for a lump sum payment of $42,131. He then spent years depositing his government pension checks into a special account so Retired Military Financial Services could take its share of the taxpayer-funded payments and pay private investors with it.

Lump sum pension payments for vets are big business, targeting 1.5 million former service members who receive $40 billion annually. Companies that provide them have attracted negative attention from military advocates for years. Tales of retired or injured vets getting 30 to 40 cents on the dollar are easy to find. In 2004, Congress threatened legislation designed to banish the industry, and several courts have ruled the arrangements run afoul of existing federal laws.

---

Still, companies offering so-called "annuity utilization contracts" crowd out Google searches around military pensions and loans. The websites that rank highest are often decorated with red, white and blue banners, and they have government-sounding dot-com names. While the lump payouts may sound attractive to retired vets in a financial bind, the terms are oppressive: Participants find themselves with what is essentially a loan at 30 percent interest.

 

But on Monday, Consumer Financial Protection Bureau Director Richard Cordray said his agency will begin focusing on pension lump sum payments.

"We are ... concerned about military pension buyout schemes," Cordray said in a speech on Elder Abuse Awareness Day. "Military retirees are offered lump-sum cash payments in return for surrendering their rights to their pension payouts. These schemes are usually very bad deals for the retirees. We want to collect information on all of these kinds of financial practices."

Several agencies and investigators have been collecting information on the industry for years. John Wasik, an author of 13 books on personal finance, recently investigated the industry for investment-related fraud in a column on Forbes.com.

"Basically, you sign up they lock you in, and if you want out, you don't have recourse," Wasik said. "There is very clear language saying, ‘This is not a loan,’ but it resembles a loan in all characteristics."

Where do these pension payout companies get their capital from? Investors looking for steady returns. Wasik found that Retired Military Financial Service’s partner, California-based Structured Investments Co., was ordered by an arbitrator in November to repay $5 million to investors who alleged they were defrauded. In December, the firm agreed to stop selling the investments in California.

In August, a California court ruled in favor of Henry and the class of veterans who joined his lawsuit, ordering Retired Military Financial Service to return $2.9 million.

"There is an awful lot of litigation out there," Wasik said. "My biggest concern is the proliferation of these things without regulation. Somebody should be looking at what they are doing."

Attempts to reach Retired Military Financial Services by deadline were unsuccessful. Founder Steven P. Covey defended his company last year in a story published by the Center for Public Integrity’s iWatchNews.org.

"The position is: We’re purchasing at a discounted lump-sum, future cash flow,” he said. “We’re not lenders. When you’re not lenders, you’re not dealing in potential usury areas.”

Covey's attorney, Robert Clarkson, told Wasik that his client had "done nothing wrong,” but said he wouldn't answer questions because of pending litigation.

'It's likely every single one is violating a law'
Plenty of websites offer cash for pension and disability payments, which add to an already crowded field of firms offering lump payments for structured settlement recipients. There’s good money in granting lump payments to down-on-their-luck consumers who have a guaranteed stream of income. Military pensions fall into a protected category, however, says Stuart Rossman of the National Consumer Law Center, who helped argue Henry's case.

"If these sites are dealing with the issue of military pensions, it's likely every single one is violating a law," he said.

All firms that offer such lump payments are between a legal rock and a hard place, he said. Assigning military pensions to a third party isn’t legal; offering loans without abiding by Truth and Lending Requirements is also illegal.

"And they are either one of the other," he said. 

One site, MilitaryPensionLoan.org, offers a typical example: "This program is NOT A LOAN," it says on its home page, despite its Web address. "We will buy the next eight years of your pension for a lump sum of cash."

MilitaryPensionLoan.org didn’t immediately respond to requests for comment.

Despite the legal troubles, and occasional bad publicity, the military loan/pension products have survived for more than a decade. Rossman said he filed his first case against such a firm nine years ago. But why?

He thinks many of these companies use veterans' sense of honor against them.

"They believe in doing their duty. They don't want to come forward. They believe 'It's my mistake and I have to own up to it,'" Rossman said. "And a lot of them don't even realize they are paying 30 percent interest."

Rossman hopes military pension payout companies are on the ropes now that investors might be scared away by the California litigation. No investors would mean no money for lump payments. 

Henry’s legal triumph was a bit of a hollow victory, however -- he'd already made all 96 payments by the time the judge ruled in his favor. While he is entitled to a portion of the $2.9 million judgment, Rossman said the owners of Retired Military Financial Payments had declared bankruptcy, so there are no assets to pay the judgement.  

Still, it was a worthy fight, Rossman said. 

"He's proud he's put a stop to this, and once we had the judge's ruling, we were able to tell other members of the class they could stop making payments. We saved them a lot of money, and he's proud of that," Rossman said.

*Follow Bob Sullivan on Facebook.
*Follow Bob Sullivan on Twitter.  

Could you be blamed for a car crash because you sent a text message? 

A New Jersey judge will decide later this week if the sender of a text message might be partially liable for a horrific auto accident that occurred because the driver was reading that message on his cell phone and drifted into oncoming traffic.

With nearly half a million U.S. drivers injured in distracted driving-related accidents every year, according to the National Highway Traffic Safety Administration, the judge’s decision could have wide-ranging impact in both the legal and digital realms.

While it might seem absurd to blame someone who isn't even in the car -- or anywhere near it -- for causing an accident, some legal experts say the plaintiff is on firmer ground than you might think.

---

Skippy Weinstein, a Morristown-based lawyer, is using similar logic to press the case he filed on behalf of David and Linda Kuber. Both Kubers lost their legs during a 2009 crash in Mine Hill, N.J., after 19-year-old Kyle Best sideswiped their car when driving while texting. Weinstein said Shannon Colonna, who was texting with Best, should also be held responsible for the Kubers’ injuries.

"She was not physically in the vehicle but she was electronically present," Weinstein told msnbc.com. "She and he were assisting each other in a violation of the law."

That word "assisting" is at the crux of Weinstein's novel legal argument. 

Most readers will be familiar with the notion of "aiding and abetting" a criminal act and the guilt it brings: the man who knowingly holds the door for the gang is just likely to be convicted of bank robbery as the safe cracker.

More recently, this notion of aiding and abetting has been extended to civil liability cases, too, creating a basis for what's sometimes called "secondary" or "vicarious" liability. For the past two decades, most civil aiding and abetting cases have been limited to investment and securities fraud: An aggrieved investor might not only sue Bernie Madoff for stealing his money, for example, but also go after a third-party broker who repeatedly executed trades for Madoff. Even if the trader wasn't profiting from the scheme or part of a "joint enterprise,“ a court might find the trader provided assistance to Madoff, and should have known that someone was likely be injured by his actions.

The aiding and abetting argument in injuries that give rise to lawsuits, known as "torts," is only beginning to find its way into other kinds of civil cases.

There's a simple three-pronged test to prove someone is partly to blame for causing an injury by aiding and abetting someone else. It is set out in the Restatement of Torts published by the American Law Institute, which guides most civil courtrooms:

1) The party the defendant assists must do a wrongful act;

2) The party must be generally aware of his or her role in the illegal or "tortuous" act;

3) The party must "substantially assist" in the principal violation.

Weinstein think his argument is easy to make. The driver violated the law by texting while driving. Colonna, the text sender, should have known that Best was driving home from work and had to know texting while driving was a violation, he said. Therefore, it's hard to argue that a text sender isn't substantially assisting in the creation of a text message conversation that violates New Jersey's driving laws.

"That very comfortably satisfies the third prong of the legal test," he said.

Colonna’s lawyer, Joseph McGlone, doesn't think the argument has any merit, and has asked Morris County Superior Court Judge David Rand to dismiss the case. Rand is scheduled to rule this week on McGlone’s motion to dismiss the case.

The sender of a text message has no way to control or predict when the recipient will read it, McGlone argues.

"The sender of the text has the right to assume the recipient will read it at a safe time,” McGlone told the local Daily Record  newspaper. “It’s not fair. It’s not reasonable. Shannon Colonna has no way to control when Kyle Best is going to read that message."

He added that there is no precedent for heaping liability on a person on the other side of a text message conversation that causes injury.

Of course, there's no precedent for a lot of legal areas in the Digital Age. In situations like this, judges usually turn to analogies. In driving injury cases, the judge has a bushel full to choose from.

For starters, it's hard to tag liability on anyone who isn't holding the steering wheel of the car while an accident occurs. Lawyers around the nation have repeatedly tried and failed to make passengers partly responsible for accidents caused by drunken drivers when passengers knowingly get into a car with an intoxicated driver.

There are exceptions, however. A South Carolina court has said a passenger could be judged a "proximate cause" of an injury if the driver and passenger were in some kind of "joint enterprise," such as the passenger steering the car while the driver presses the gas pedal.

Passengers who have directly encouraged drivers to break the law -- by urging them to speed excessively or to drive in the oncoming lane as part of a game, for example -- have also been found liable, Weinstein says.

But to find a passenger liable, the South Carolina court said, "The passenger must have an equal right to control the direction and management of the vehicle." It seems hard to argue that a text message sender has equal ability to control the vehicle as the driver does.

But there are plenty of other situations where someone other than the driver has to pay after an injury accident, an extension of liability called “imputed negligence.” The most common is when the driver is "an agent" of someone else -- when a pizza delivery man driving for work causes an accident, his employer is liable.  Parents are often liable for accidents their children cause if they kids are directly under their care. 

There's also concept called "negligent entrustment": if you knowingly let an unlicensed driver take your auto out for a spin, you will probably be liable for an accident he or she causes. 

Neither of those cases fit this situation well, however. So Weinstein has settled on a simpler analogy.

"If she was in the vehicle and put her hands over his eyes so he couldn't see, she would be liable," he said. "(Texting with him) is as if she put her hands over his eyes."

Is texting the digital equivalent of willfully rendering someone blind? To even make that argument, and to press on with the aiding and abetting claim, Weinstein has to persuade the judge that Colonna knew that Best was texting while driving. Colonna's lawyers are contesting that point, but Weinstein says the pattern of texts between boyfriend and girlfriend make clear that she must have known he was on his way home from work.

But even if he fails on that argument, it's easy to imagine other lawsuits where evidence of knowledge by the sender could be hard to deny. A driver might directly text, "Hey, I'm driving home," for example.

That would make a big difference in a case like this, said Robert Mitchell, a Utah-based lawyer and author of a recent article on aiding and abetting claims.

"If there is conclusive evidence that the person sending the text messages to the driver knew the driver was texting while driving, we see no reason why a claim for aiding and abetting the driver’s negligent or reckless conduct could not be made. The case is probably weaker if there is no evidence of actual knowledge, but only evidence of ‘constructive knowledge,’" said Mitchell, referring to a concept that the sender "should have known" the recipient was driving. "Courts disagree over whether constructive knowledge is sufficient to give rise to aiding and abetting liability."

Courts have found that the contribution by this third party in aiding and abetting cases can't be slight – it must be “significant.” For example, giving directions to the bank robber probably wouldn’t be substantial enough to get you prosecuted, but telling him what time security guard shifts change could be. And, as with most civil liability cases, the harm caused by the action doesn't have to be intentional.

Mitchell said this is the critical phrase in the American Law Institute's guidelines.

"If the encouragement or assistance is a substantial factor in causing the resulting tort, the one giving it is himself a tortfeasor and is responsible for the consequences of the other’s act. This is true both when the act done is (intentional) and when it is merely (negligent)," Mitchell wrote in his review, quoting the guidelines with added parenthesis. In fact, liability exists even if the third-party has no idea he or she is doing something illegal or negligent.

So in Mitchell’s view, it's a relatively easy to argue that the texter "substantially assisted" the driver in causing the accident. 

"The third prong, substantial assistance, would be an easier hurdle to clear (than knowledge) since sending somebody a text message while driving distracts the driver and that distraction may ultimately cause the accident," he said.  "Of course defenses may include superseding or intervening causes to the underlying tort (the first prong), like bad weather, poor road conditions or visibility, avoiding someone or something on the road."

Not all experts agree, however. Maryland-based lawyer Bradley Shear, an expert in digital law, openly fretted about how far liability might extend if Weinstein is successful in his novel legal argument.

"What if someone is hopping on a boat, and they look down at a text, slip and drown? What if a doctor gets a text before a surgery that upsets him and he makes a mistake? Is the sender responsible?" he said. "If you start going down that route where are you going to draw the line?"

Mark Rasch, for head of the Justice Department’s Computer Crimes Unit, said he thinks the case will boil down simply into this question: Can anyone really prove that the sender of the text, Colonna, knew that Best would read it while driving? Absent such proof, there is no case, he says.

But he was concerned with the larger issue of extending liability through digital means.

“The real question here is, do we as a society want to impose a duty on the non-driving texter for accidents that happen when a recipient is driving?” he said. “For now, it seems a reasonable place to draw the line at this: The person driving has a duty not to text. And the person on other end of line has no duty unless there are special circumstances.”

One special circumstance he envisioned: A boss or other person in a position of power who received a message from an employee saying, “I can’t text, I’m driving,” but continued to send demanding texts with an implied threat if they weren’t answered quickly.

“The person in the position of authority might have liability then,” said Rasch, now a cybersecurity consultant with Virginia-based CSC Inc.

Complicating matters, juries can apportion liability, and theoretically could find a driver 90 percent responsible and the sender of a text 10 percent responsible. Damages can be similarly apportioned, although the realities of collections means the party with the deepest pockets usually pays the most in damages.

It’s also possible that Congress or state legislatures might create a chain of liability, as states have done with dram shop laws, which make bars liable for injuries and damages caused by patron who are served after they’re drunk.

For his part, Weinstein demurs when asked if he's trying to set an important legal precedent or make law. He's just trying to win a case for his client, he said.

"The defense ... wants to make this into a cause celebre, but this is not complicated," he said. "A jury may find I'm wrong and thrown me out on my duff. ... All I'm saying is don't (text) while driving, and don't assist someone else in texting while driving."

*Follow Bob Sullivan on Facebook.
*Follow Bob Sullivan on Twitter. 

 

A mother who says her middle-school daughter was forced to let school officials browse the 13-year-old girl’s private Facebook page is speaking out against the practice because, she says, "other parents are scared to talk about it."

Pam Broviak, who lives in the Chicago suburb of Geneva, Ill., says her daughter was traumatized when the principal of Geneva Middle School South forced the child to log in to her Facebook account, then rummaged through the girl's private information.

"What a violation of my daughter's privacy this whole episode was," Broviak said. The incident took "a huge toll on my daughter, who ended up crying through most of the rest of the day and therefore missed most of her classes. She was embarrassed and very upset."

There have been several descriptions lately of Facebook prying by schools – and one lawsuit was filed recently by the American Civil Liberties Union on behalf of an anonymous plaintiff against a school district that allegedly demanded a student’s social media passwords. But Broviak may be the first parent to go public with concerns about what she sees as serious violations of student privacy.

---

In a conversation with msnbc.com, Broviak said she confronted school officials about the incident involving her daughter soon after it occurred last fall and was told that they routinely investigate student issues by asking kids to log into their social networking pages -- or cellphones -- in the presence of administrators. And she said her daughter and other students told her they are frequently called into the principal’s office and told that they can’t leave until they surrender their passwords or unlock their phones and allow school officials to browse their personal information.

"(Students) let them see the accounts because otherwise, they are not allowed to leave the room. And that is just wrong," she said.

Kent Mutchler, superintendent of Geneva schools, said in an interview with msnbc.com that he couldn't comment on Broviak’s daughter because privacy rules prevent him from publicly discussing an individual student’s situation. But he said Broviak's description of district policy is inaccurate.

"We would never demand someone's password. When you have someone's password, you open yourself up to other issues," Mutchler said. "But if we have a disruptive situation, a school (official) will ask to see the page, and if the student refuses, we call the parents."

But principals only request access to students' social media pages under extreme circumstances, Mutchler said.

"There are different levels of concern. If there is a drug trafficking suspicion, we'll get the police involved. If it's something like cyberbullying, we'll say, 'This has been reported to us,' and ask to see the page," he said.

Often, students volunteer before they are even asked, he said.

"We ask, 'Is there something you want to show us?' that sort of thing. And they volunteer," he said. 

Such incidents are very rare among district middle schools, he said, contradicting Broviak's assertion that the inspections are commonplace. 

"It happens a half-dozen to a dozen times per year," he said.

Broviak's public complaint comes at a time when schools, employers and lawmakers around the country are wrestling with sticky privacy issues surrounding social networks. The state Legislature in Illinois is considering legislation that would make it illegal for employers to demand access to workers’ or applicants’ private social media information. That law is silent on the issue of schools and social media snooping, but federal legislation introduced last month by Rep. Eliot Engel, D-N.Y., would extend the protections to students, too.

Submit your questions about social media and privacy, then join our Google+ Hangout Friday at 4 p.m. ET.

Broviak said she didn't think school officials should ever look at a child's personal social media page or cellphone without first contacting parents.

"It's just wrong for them to do this, but parents are afraid to talk about it, because they are worried, 'Are they going to target my kid?'" she said.

Additionally, she said, looking at a kids' social media page violates an entire family's privacy, even if school officials don’t intend to look at posts involving other family members.

"The whole family is exposed in this," she said. "Some families communicate through Facebook. What if her aunt was going through a divorce or had an illness? And now there's these anonymous people reading through this information."

When the first incident occurred in the fall, Broviak said she didn't know what to do -- and initially chose to let it drop for fear that complaining might make things worse for her daughter. But she said reports from her daughter that other kids have been treated the same way and a recent spate of news stories surrounding the issue pushed her to speak up. Three weeks ago she published a detailed accounting of events on her personal blog, and this week agreed to be interviewed by msnbc.com.

"It's really important for people to talk about this and know what's going on," she said. "And I'm really glad that the state Legislature and Congress are considering laws to deal with this."

Her daughter, meanwhile, has learned an important but sad lesson through this experience, Broviak said.

"It's taught her to use better judgment with adults," she said. "Basically, what (they) showed her was you can’t trust anyone. Her trust in and the respect of the adults at her school has been shattered to the point that she is struggling to look beyond this abuse and allow for the education process to occur."

*Follow Bob Sullivan on Facebook.
*Follow Bob Sullivan on Twitter. 

 

Ever wonder what it's like to have FBI agents knock on your door? Or to have them walk into your business unannounced and walk away with your computer?  Jamie McClelland and Alfredo Lopez can tell you.

Their recent run-in with the men in black – the result of a spate of email bomb threats to the University of Pittsburgh -- offers a rare glimpse into the collision between free speech rights and the benefits of anonymity on one side with the needs of law enforcement to act quickly in the face of real threats on the other.

Their tale ends with an odd twist: FBI agents, caught on video, returning the server only four days after it was seized from a co-location facility in New York City. At the moment, no one knows why the FBI would take that unusual step. FBI Special Agent Bill Crowley said the agency wouldn't comment on either the seizure or the return of the server.

Federal investigators and local officials in Pittsburgh were scrambling last month as bomb threats targeting the University of Pittsburgh piled up. Within days, 46 such threats were logged, causing massive disruption as students and teachers were continually evacuated from building after building.  Parents and school officials pressured law enforcement to solve the case. For some reason, the FBI thought a server in a small facility in New York City might contain a crucial clue.

---

McClelland and Lopez run a progressive Internet organization called MayFirst/PeopleLink, which helps democracy-seeking groups around the world use the Web to organize. Together with sister organization RiseUp, MayFirst/PeopleLink offers email services, mailing list support and other Web tools. But their services make a promise that's critical to people fighting oppressive regimes: All data is encrypted, guaranteeing total anonymity to those who need it.

 

 

 

McClelland was on a conference call in MayFirst/PeopleLink's Brooklyn office -- which is in the same building where Lopez and his wife live -- on April 11 when he saw two men in suits standing at the door.

"I thought they were Jehovah’s Witnesses, but I joked with people on the call that it was the FBI," he said.  Moments later, it was no joke.

The agents flashed their badges and asked if they could come in; McClelland refused.  They asked if they could step into the vestibule. He refused again.

"I had had some rudimentary training,” he said. “It certainly had occurred to us that we might some day get a visit from the FBI given the nature of what we do. But this wasn't what I expected. I was surprised at how easy it was to say ‘no’ to them...There was no intimidation, none of that. The agent appeared more nervous than me, and I was pretty nervous."

Standing outside, the agents then showed printouts of a few emails with full headers to him, saying they were related to the Pittsburgh bomb threats. At that point, McClelland hadn’t  heard about the threats, so he said he didn't know anything about them. They asked if he knew anything about ECN.org, a server which appeared in the e-mail headers. Again, he said “no,” truthfully.

"I asked if I could have copies of the emails. The agents said “no.” But I then asked if I could get pen and paper and write down details of what we were looking at. They let me do that," McClelland said. "I then asked them if they thought our server was compromised. But they couldn’t tell me anything. So I asked for their business card and told them we would research it."

The agents left, but McClelland’s day had only just begun. What was ECN.org? Why did the agents show up unannounced? And most important, what would happen next? He was sure that wasn't the end of it.

"When you are visited by the FBI, even when it goes relatively easy like it did, your entire life gets put on hold as you deal with all the implications," he said. McClelland called Lopez and other leadership team members, and then called the Electronic Frontier Foundation for legal help.

“There were three hours of calls to run through things and make sure we had everything covered," he said.

Initially, Lopez and McClelland assumed that one of their members had been hacked, and the account used for illegal purposes. Simply patching whatever security hole existed could end the problem. But a visit to ECN.org indicated there was a much more complex issue.

ECN stands for the European Counter Network, an independent Internet service provider in Europe. It shares much the same mission as MayFirst/PeopleLink. On ECN.org, the provider offers anonymous email services through a service called "Mixmaster." Using Mixmaster, email users can achieve nearly undefeatable anonymity -- multiple servers pass messages from one to the other, each time stripping out header information and replacing it with false data, making it nearly impossible for investigators to "trace" the message to the original sender. 

ECN had subcontracted space on RiseUp's New York City server; RiseUp had in turn subcontracted that space from MayFirst/PeopleLink.  It now appeared that the FBI believed someone connected to the Pittsburgh bomb threats had used ECN's anonymous email capabilities, which led to FBI agents knocking on the door at Alfredo Lopez's home office.

"If you had asked me before this happened if one of our members ran an anonymous remailer, I would have said, 'probably,' " said McClelland. "That's exactly the kind of thing we want to support and we want to protect."

When correctly configured, anonymous remailers leave no trace at all. There are no log files to check, no other server "fingerprints." After making sure the server was running properly, McClelland called the FBI agent on the business card and told him all he knew about ECN, which essentially was nothing.

"We told him we suspected there was an anonymous remailer, there's nothing else we can tell you," he said. "We decided that was our best strategy ... to minimize disruption to our members. We didn't want to risk going to the next level of escalation."

The strategy failed.  The next day, MayFirst/People Link received a subpoena demanding that the organization answer a series of questions about its server. With help from the EFF lawyer, they sent the responses on Monday, April 16.

"At that point, we thought everything was OK, that we were done, and ready to move on," he said. 

Then on Wednesday, April 18, at around 6 p.m., things took a turn for the worse.

"I got a call from a tech who said, 'Jamie, the server isn't responding.' So he went to look for it in the rack and found that it was gone," McClelland said.

Later, Lopez and McClelland would learn that the FBI had produced a search warrant when it showed up at the XO Communications Manhattan server farm, where the MayFirst/PeopleLink server was housed, which gave agents the right to take the box. But at the time, they could only guess what happened.

"We filled out a help ticket that said, 'Our server is missing.'  We've never done that before," McClelland said.  "I can't emphasize enough that we received no communication from the FBI. From a human point of view, that is atrocious. But from a legal point of view, they don't have to do any more."

The impact was immediate, and devastating, for both MayFirst/PeopleLink and RiseUp. Hundreds of mailing lists, websites and email accounts were immediately knocked offline.

“The FBI is using a sledgehammer approach, shutting down service to hundreds of users due to the actions of one anonymous person,” Devin Theriot-Orr, a spokesperson for RiseUp, said  in a statement at the time. “This is particularly misguided because there is unlikely to be any information on the server regarding the source of the threatening emails.”

While Lopez was scrambling to find a way to get the organizations back online, a camera with motion detection capabilities was installed at the server facility by an assistant.

"We thought it was a little like shutting the barn door after the horse ran out, but we did it anyway," he said McClelland said.

Generally, when FBI agents seize computers as part of an investigation, they're not returned for months, or even years. But within a week, a worker in the server room noticed that the motion detector camera had been activated on April 23. When he looked at the video, the tale took an even more unusual turn.

The video shows two men in suits -- apparently FBI agents -- placing the server back in its rack.  But the box isn't merely dropped off. The two appear to be plugging it in, and then watching the machine for a few minutes, perhaps looking to see if it is operating correctly.

Why would they do that? The FBI refused to answer a question about that.

But Lopez has a theory. There's only one way to defeat most anonymous email services: to compromise the computer that processes the emails with special software -- a virus -- that could defeat the anonymizing software.

"There was not even a scintilla of expectation that this server would return to our rack. It's the most amazing thing," Lopez said. "It's possible they put device on it or a virus or Trojan of some kind." 

MayFirst/PeopleLink later posted the FBI agent video online. The agency hasn't commented on it.

The server has not been returned to service; the organization is currently auditing the machine to see if it has been tampered with.

"I can tell you that's the burning question in my mind. We are planning on doing a full diagnostic on server to see if we detect anything on server," McClelland said. 

But even if it hasn't been tampered with, Lopez said he's outraged that U.S. federal agents would compromise Internet access for global groups fighting for democratic rights while hunting for evidence that doesn’t exist.

"Look at the atrocity of them going in and taking a computer ... and disrupting all this information, and potentially getting all this information from hundreds of people not even accused of a crime," Lopez said. "This is serious … for people all over the world who depend on this stuff for their day to day work. To have it taken away by some other government, it's really unfair to them in every conceivable way."

The MixMaster service was uninterrupted by the server seizure; anonymous messages were simply routed through other servers.

MayFirst/PeopleLink and RiseUp both told their members that no identities were compromised during the FBI seizure -- all data on the server is encrypted and there's no reason to believe the encryption was compromised. Still, U.S. government action against anonymous Web services could have a dangerous chilling effect, fretted Lopez.

"In some parts of the world, privacy and anonymity are a matter of life or death," he said. "These services are used for important work, and in many countries, they are the only way to communicate without putting yourself in serious danger."

The Electronic Frontier Foundation issued a statement last week accusing the FBI of "overreaching."

"The fact that the FBI's investigation led them to an anonymous remailer should have been the end of the story. It should have been obvious that digging deeper wouldn't lead to helpful information because anonymous remailers don't always leave paper trails," wrote Hanni Fakhoury. "So enough is enough. The government's ability to search a person and their property -- and in this case, shut down speech -- is an extraordinary power that can easily be abused. Law enforcement needs to do its research before resorting to an extremely intrusive search warrant that intrudes on innocent people's privacy, causes significant disruption to harmless activity, and silences speech. And as we've argued before, search warrants for electronic devices shouldn't be limitless."  

Lopez, who has two children in their 30s, said he understands why parents in Pittsburgh were concerned for their children's safety during the repeated bomb scares.  But he warned that repression often begins with "people who mean well."

"These people making the threats, these are jerks, nobody wants to protect them," he said. "But what do you give up when you give up freedom in exchange for the illusory feeling of security?  You can't trample people's rights because when you do, the terrorists have won."

The Pittsburgh bomb threats stopped on April 21. No bombs were found. There have been arrests in connection with the incidents, but authorities are still investigating.

*Follow Bob Sullivan on Facebook.
*Follow Bob Sullivan on Twitter. 

 

The most important tool consumers have to fight against ID theft has been turned against them by hackers, msnbc.com has learned. Websites that offer consumers a chance to see their credit reports are being brazenly used by hackers to steal victims' information.

The prices of the reports rise and fall depending on the credit score of the victim. For consumers with credit scores in the 750s, report data might fetch $80; reports from victims with scores in the low 600s sell for about half that, according to "for sale" pages viewed by msnbc.com.

"It shows how people with good credit and a net worth now have a bull’s-eye on their backs," said Dan Clements, who operates the Internet security firm CloudEyez.com. Clements gave msnbc.com a virtual tour of the marketplaces, which he has been observing for months.

The most troubling part of these markets however – many hosted in the .su domain, which stands for the now-defunct Soviet Union – is the ready availability of credit reports and the hackers' bragging about how easy it is to infiltrate websites like AnnualCreditReport.com or CreditReport.com.

---

"I'm selling super prime credit reports and scores which include all 3 bureaus and other information," brags one advertisement on one site. 

Clements helped msnbc.com view dozens of credit reports on the forum, many of which had CreditReport.com stamped across the first page. But others viewed by msnbc.com indicated they were stolen from AnnualCreditReport.com and Equifax.com. Clements said most other online credit report and some credit score suppliers were hit, too --  he shared a page showing a victim's score produced at CreditKarma.com.

"We really have no idea how many reports have been used or put up for sale in the 'libraries,'" said Clements, who also operates a consulting firm. 

The credit report trade shows why even simple credit card fraud – long considered a relatively benign form of ID theft – can escalate quickly into a full-blown identity nightmare. Criminals with stolen cards can obtain background reports, credit reports and ultimately open new accounts using the information gleaned about the victim, Clements said.

In one how-to posted on a bulletin board, a hacker describes one brute-force attack used to gain access to credit report websites. Most sites are protected by "challenge" questions such as, "Which bank holds the mortgage on your home?"  But there's a critical flaw, the hacker said:

"Normally all ... of them will ask you the same question," the hacker wrote.

Because the sites use the multiple choice format, it's easy to use the process of elimination and determine the correct answers, he claims.

The hacker explained that the trick is to open several credit report sites and keep trying random answers until one set works.

The recipe is highly detailed, including helpful tips such as, "Take a shot of screen to remember what answers you gave. After that click the submit button and see what it says."

A would-be credit report thief needs additional information to get credit report access, but that can often be gleaned by ordering background checks using the victim's stolen credit card. Reports stolen from Intellius.com and BeenVerified.com, which provide previous addresses and a host of other valuable information, also were found on the site.

One victim whose credit report was spotted on the site told msnbc.com that she found one instance of credit card fraud on her accounts around the time the data theft was first discovered by Clements. She now pays to maintain a credit freeze on her credit reports.

"You hear about this kind of thing all the time but you never think it will happen to you," said the victim, who requested that her name be withheld. "And when it happens, you think, 'Great. Now what do I do?'”

For years, consumers have been advised to visit AnnualCreditReport.com once each year to see their reports. Federal law requires the nation's three largest credit bureaus – Experian, Equifax, and Trans Union – to maintain the site, under the direction of the Federal Trade Commission.

That's still good advice – looking at your credit report is the best way to detect identity theft. But the site is apparently both an ally and a foe now.

The FTC would not comment on hackers' use of AnnualCreditReport.com.

In the past, the FTC has sued companies for inadvertently selling credit report data to hackers, however. In 2011, the agency settled with Settlementone Credit Corp., ACRAnet Inc. and Fajilan Associates after those firms unknowingly sold reports to criminals. The three firms were ordered to submit to 20 years' worth of security audits.

Those firms prepare reports for car dealerships and other credit granters. Raiding consumer-facing sites like AnnualCreditReport.com is even more brazen, however.

CreditReport.com is operated by credit bureau Experian; that firm also provides credit reports to consumers as part of AnnualCreditReport.com.

"Experian is aware of schemes such as this to access reports illegally, and we have taken measures within our systems to mitigate the issue," said Experian in an e-mail to msnbc.com. "We are constantly evolving our systems to prevent fraud and criminal activity, but do not comment publicly on the specifics of our fraud prevention methods." 

Trans Union and Equifax, which also provide reports through AnnualCreditReport.com, did not immediately respond to requests for comment.

Kenneth Lin, CEO of CreditKarma.com, said the firm had received "a handful" of complaints about compromised accounts and worked quickly to shut down access. CreditKarma credit score reports show no account information or other personal data, so the security risk posed by an imposter getting a victim's score is minimal, he said.

"That's intentional. That's a security feature," he said. The site also uses more difficult challenge questions than AnnualCreditReport.com, Lin added.

Solving the problem of credit reports stolen through consumer websites is no small task. One irony of the hackers' ability to easily raid such sites is that many consumers report great frustration getting their own credit reports through AnnualCreditReport.com.  The challenge questions are sometimes so arcane – such as, "Which bank held your previous auto loan?" -- that legitimate consumers can't answer them easily.  

"But anyone who does any research can probably figure out what the answers are before you can," said Jay Foley, who runs IDTheftInfoSource.com. In other words, it's too easy for criminals to get credit reports, but it's too hard for consumers.

One of the websites where Clements observed the stolen card activity – kurupt.su – dropped mysteriously off the Web late last week. The site was well-known as a haunt for criminals and scam artists in the computer underground. But Clements says that will hardly put a dent in the stolen data trade.

"You currently can't stop this scam because the 'soft inquiry' of a consumer pulling their own report doesn't record in the majority of credit files," he said, explaining that a consumer would never know if a criminal pulled a copy of their report. "Unfortunately, it allows the bad guys, by impersonating you, to download your credit file and leave no tracks."

*Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter.