Free credit reports aren't!

What are services designed to help guard your personal information doing with your trust?

By Ed Foster March 21, 2003

Watch out, they’re trying to catch you. With all the Internet scams and hoaxes out there trying to trick you into divulging useful information about yourself, it’s getting hard to know whom you can trust to guard your privacy -- even if the company bills itself as a partner in protecting it.

Take the case of a company called PrivacyGuard.com and a reader we’ll call Mr. Catchings. When Mr. Catchings was talking to someone at his bank recently about his online account, the bank representative highly recommended he take advantage of a free trial offer with PrivacyGuard.com. “PrivacyGuard says they act as an intermediary between consumers and the three major credit-reporting agencies,” Mr. Catchings told me. “You give them your approval and identity information, and they collect, compile, and rate your credit score. They also alert you when there are any requests for your credit history information.”

That sounded as if it might be worthwhile to Mr. Catchings, but being a careful man, he read the PrivacyGuard.com online privacy policy closely. “It was your objectionable but standard privacy policy, essentially stating that using the Web site constitutes an agreement to [future changes in the] policy,” he noted. “What concerned me was that just creating a username and password required providing an e-mail address, social security number, mother’s maiden name -- all the same data one might give their bank. But, hey, this service was recommended by my bank, so it must be all right.”

Mr. Catchings went ahead and registered a username and was about to order his free credit report when he caught something. The order form contained some fine print with another reference to a privacy policy, plus a nonhighlighted link that only revealed itself when the mouse cursor moved over it. Following that link took him to a different privacy statement than the online document he’d read.

The second privacy policy document (which I later learned also served as the privacy policy for other free-credit-report sites such as ConsumerInfo.com and Freecreditreport.com) had several provisions that bothered Mr. Catchings enough that he decided not to order the credit report after all. One thing that particularly concerned him was a statement revealing that his information could be disclosed to companies that “perform services on our behalf, such as the credit reporting agencies from which we obtain your credit report(s), credit card processors, e-mail communications management firms, or call center providers.”

Mr. Catchings felt disturbed that he had provided PrivacyGuard.com with sensitive information to register his username before finding the hidden privacy policy that revealed how the information would be used. “I particularly did not like the sound of ‘e-mail communications management firms’ and ‘call center providers’ having my information,” says Mr. Catchings. “My two biggest objections are the ‘second-level’ privacy policy and the fact that this was promoted by my bank.”

After looking over the two privacy policies myself, I had to agree that Mr. Catchings was justified in his concerns about what they might really mean. 

The hidden policy for the free-credit-report sites raised several other issues as well. It revealed that a customer’s credit history was itself part of the information that could be shared by the free-credit-report Web sites and all their partners. Did that mean that PrivacyGuard would be targeting customers for their advertisers based on their credit worthiness? PrivacyGuard's policy also spelled out its right to keep using the personal data of ex-customers -- a category under which Mr. Catchings presumably now fell, although he had not ordered a free credit report. And what exactly was the relationship between PrivacyGuard and the free-credit-report Web sites? Do they all share one giant database of customer information, and does every e-mail communications management firm and call center in the country have access to it?

In a quest to answer some of these questions, I contacted officials for PrivacyGuard’s parent company, Trilegiant in Norwalk, Conn. I asked that the company clarify more specifically how its customers' information would be used, and a representative promised to get back to me. When I checked back during subsequent weeks, I was told that answers would be forthcoming soon. They just had to check a few things with the lawyers.

After a month had passed with no answers, I noticed that some changes had been made to the privacy policies in question. The relatively innocuous online privacy policy on the PrivacyGuard Web site now has a second-level "Use of Financial Information" privacy policy that can be accessed without registering a username. This new section does, at least, reveal that credit history is part of the information that it can collect and share with affiliates. Without registering a username of my own -- which I’m not going to do -- I can’t check to see if the nearly invisible link Mr. Catchings found for the second privacy policy is still there pointing to the same document. However, I did find that the privacy policy used by the other free-credit-report Web sites has been somewhat rewritten from what it said a month ago, although it doesn’t appear to have changed much in substance. It no longer mentions call centers, for example, but that doesn’t necessarily mean call centers aren’t still among the partners and affiliates that are going to have access to Mr. Catchings’ mother’s maiden name.

So I guess I found my answers. But I'm disappointed that I never got the chance to speak with PrivacyGuard official spokesman Frank W. Abagnale, the “former con man turned crime-fighting consultant,” as the company's press releases identify him, whose autobiography Catch Me If You Can served as the basis for the recent movie of the same name. As a man who knows a good scam when he sees one, it would have been interesting to hear his assessment of free-credit-report privacy policies such as these.

In the absence of his advice, I’ll give you mine. If you care about preserving your personal information, be very careful when anyone on the Internet offers you something for free. They’ll catch you if they can.