Privacy Practices, and Other Policies
Information on this Site
National ID Watch is primarily a database of hundreds of thousands of free personalized Identity Exposure Reports™, provided as a public service. Each Identity Exposure Report (IXR) documents what types of personal information were exposed (such as Social Security Numbers, Birth Dates, Addresses, etc.), without revealing them. Each IXR also details the situation surrounding each exposure, and contact information of those responsible for the breach. Armed with this information, you can further investigate, take action, or correct harm.
The NationalIDWatch.org databases never expose sensitive personal information, such as complete addresses, Social Security Numbers, phone numbers, etc. Instead, your Identity Exposure Report (IXR) documents the type of personal information may have been exposed, and the conditions surrounding the exposure. Despite the name of the site, not all IXRs document an exposed Social Security Number, or even sensitive information. You may have more than one IXR, if we have documented more than one information breach with your information.
Contents of an IXR™
Click here to can see an example IXR. Each Identity Exposure Report has several components:
- Victim's Name
Example: "John Q Public"
- A Personalized List of Exposed Information
Example: "Your Name, SSN, Address... etc have been exposed."
- Exposing Entity's Contact Information
Example: "Crazy Go Nuts University- 123 Main St. Freecountry, USA"
- Detailed Information about Breach
Example: "On October 2, the Golf Team Coach posted the names, Social Security Numbers, Dates of Birth, Addresses, Phone Numbers of 538 students…"
- Breach Size
Example: "Records Exposed: 538"
- Breach Sensitivity
- Breach Duration
Example: "More Than One Year"
- Breach Distribution
Example: "Exposed Online"
- Related Links
Example: Links to official press releases and news stories about the breach
- Additional Breach Identification
Example: "Student Database. Grades-2004.xls"
Example: "File Deleted, Caches Cleared."
- Links to Resources
Example: FTC website, Free Credit Report, Privacy Rights Clearinghouse, etc.
How we get Exposed Information
Though large and growing, our database only covers a small fraction (about .2%) of all breaches. Each IXR is derived from a public exposure of personal information, or by the request of breaching entities.
We follow a standard protocol whenever while documenting breaches:
- Discover: We discover personal information which has been exposed in an easily accessible public forum, or a breaching may request that we document a breach online.
- Document: After discovering the information, we carefully document the types of personal information exposed, the circumstances, and those responsible, in accordance with this policy.
- Notify: We notify those responsible, and will often notify authorities such as the FBI or a state licensing board, for example. When possible, we will also try to notify victims directly.
- Destroy: We destroy the original files as soon as practicable, absent extenuating circumstances such as an investigation. We have no desire to be permanent stewards of such sensitive information.
- Announce: Before we announce any breach, we make reasonably certain that the information is no longer available in a public forum.
Why Store the IXR online?
Remember that IXRs do not contain any sensitive information; only information about how a breach occurred. We store IXRs indefinitely for practical reasons.
In a perfect world, each and every victim would receive a personalized notification from the breaching entity. But even under the best circumstances people move, phone numbers change, breaches are discovered after several years, or many people simply miss the press release announcing the breach.
Criminals, and even some organizations never issue a press release in the first place, regardless of local law. Creating a permanent record online is vital to reach some people who would not have otherwise known about the breach. In addition, the negative effects of the exposure may not occur for years, at which point you may need access to your IXR.
We also store this information online as a courtesy to victims. While an IXR is not proof of identity theft, it may be helpful as evidence of identity breach.
How we Keep Information Safe
Of course, our very first priority is to empower victims without empowering bad guys. NationalIDWatch.org's first and most important security feature is that the website does NOT contain any combination of sensitive personal information in its database: Period.
Here's how it works: When we document breached personal information on NationalIDWatch.org, we replace the Address, SSN, DOB, or other personal information with a "Yes" or "No." For example, let's suppose that the following information about John Q. Public was exposed:
|Name||SSN||Date of Birth||Address||Phone Number||Pet's Name|
|John Q Public||123-45-6789||123 Main Street, Anywhere, USA||(555) 123-4567||Rex|
This is how we process the information:
|This Data||Becomes||This Entry|
|SSN: 123-45-6789||...||SSN: Yes|
|Address: 123 Main Street, Anywhere, USA||...||Address: Yes|
|Phone: (555) 123-4567||...||Phone: Yes|
|Pet's Name: Rex||...||Pet's Name: Yes|
And the database ends up looking something like this. So, even in the unlikely event that someone looked directly at the database, there's nothing to see. Your IXR records the type of information exposed, but does not reveal the contents of the information.
With hundreds of thousands of records, some people inevitably share the same name. In order to help people with the same name to distinguish themselves, nationalidwatch.org may store small pieces of distinguishing information that will be familiar to the individual, but will never be tied to your IXR. NationalIDWatch.org does not currently use this feature, but may in the future.
Additional Information We Collect
Like most websites, we collect web statistics that give us an idea of how many people are visiting nationalidwatch.org, where they came from, IP addresses, and other information about their computers. We currently use a third party website, Statcounter.com, to capture user information. This technology uses "cookies," which are small text files that identify your computer (not you). Disabling cookies should not affect most website functionality. However, in order to hide your IXR, you must enable cookies.
As a security precaution, we also collect IP address and search information. This helps us to stop malicious "Injection Attacks," or servers that do numerous automated searches. We permanently erase search information from our database after several weeks on an automated, rotating basis.
NationalIDWatch.org contains methods to contact us, such as e-mail, mail, etc. Unless we specifically represent to you otherwise, you should not consider your communications with us secure. As with all media of communication, we cannot guarantee the security of e-mail, or even mail. We will do our best to keep confidential information private; but communications which may indicate evidence of wrongful intent or behavior may be investigated, or shared with law enforcement.
Do not, under any circumstances, include a social security number, account number, password, or any other sentivive information in any communication with NationalIDWatch.org or the Liberty Coalition.
If you choose to share a story of identity theft or other personal story, we may request permission to share it with others. Of course, we will not share your story if you decline such a request, or if we cannot contact you.
You will never be required to identify yourself or give any personal information (even an e-mail address) to search NationalIDWatch.org. If you choose to utilize a function of the website that requires a login or e-mail address, we may keep that e-mail address on file to prevent abuse of our systems. We won't use it to spam you, and we certainly won't sell, rent, give, share, or otherwise distribute your e-mail address with anyone, without your explicit permission.
This website contains web forms which you can use to send e-mail to the Liberty Coalition. As when you compose any e-mail, we require that you include a valid e-mail address. We do not log any of the message information in our online servers, but may retain the e-mail you send to us.
In the future, this website may create user forums. All publicly generated user content is donated to this website, and is considered public. We reserve the right to moderate user-contributed content.
Membership and Breach Alerts
As NationalIDWatch.org expands, we plan to offer you free membership, which will allow you to add user-generaged content and sign up for breach alerts. Membership requires you to provide a valid e-mail address, but does not require other personally identifying information. Other optional information (such as a website, IM, etc) will be treated as public information, if you choose to provide it. Membership is not necessary to search for your IXR.
If you choose to utilize a function of the website that requires an e-mail address, we may keep that e-mail address on file to prevent abuse of our systems or to send you communications to which you have opted-in. We won't use it to spam you, and we certainly won't sell, rent, give, share, or otherwise distribute your e-mail address to anyone without your explicit permission.
Your IXR: NationalIDWatch.org website is open to the public. It is possible for others to view your IXR(s), unless you hide them.
Third Party Identity Protection Services: As a courtesy, the Liberty Coalition occasionally negotiates discounts on identity theft protection services, in behalf of breach victims. Those commercial entities have no additional access to information than any member of the public who uses this site. We are not a party to any contract you may decide to make with another organization, even if we provide a link to their website. A link to a third party service does not constitute an endorsement of their services under all conditions. Because your needs may be unique, we strongly encourage you to research the company, their services, and prices before entering into any agreement with that company.
Marketing Agreements and Third Party Relationships: We do not enter into marketing agreements where we would share any personal information about you with another entity. Although we may partner with other organizations or companies to make the information in our database more easily accessible, they will only have access to the non-personally identifiable information described above. Our most valuable asset is the trust we earn with our visitors; we do everything in our power to keep that trust.
Judicial Order or Investigation: We may share information in our databases, or any other information in our possession if ordered by a court, or as a part of a good faith investigation.
Even though your Identity Exposure Report does not contain sensitive personal information, we understand that you may wish to hide your IXR from public view, once you have read it and investigated the exposure. Only hide an IXR if you are confident that you are the individual in the report. If you accidentally hide someone else's IXR, they will never have a opportunity to learn about their risk.
If you're confident that you are the individual named in the IXR, you may request that the IXR be hidden from our searches and public access. Once the request is approved by NationalIDWatch.org, and you confirm the removal, the IXR will no longer be available to you or any other visitor to this website. However, keep in mind that it may take several weeks or even months for Google or other search engines to remove your name from their search engine results. We do our best to speed up this process, but have little control over it.
If you choose to hide your IXR, you will be required to provide a valid e-mail address, and represent that you are authorized to make this request. If approved, a confirmation link will be e-mailed to you. You must follow this link within 24 hours in order to complete the process.
Since it is possible that you may have more than one IXR if your information was exposed more than once, removing one of your IXRs DOES NOT guarantee that your name (or someone who shares your name) will not re-appear in our databases, if personal information about someone with your name is exposed in the future.
In order to hide your IXR, follow these steps:
- Click this link to turn on the IXR Removal Tool. You only have to do this once each time you visit the website, and your browser must enable cookies in order to hide your IXR.
- Once you've turned on the IXR Removal Tool, search for your name.
- Once you've found your IXR, scroll to the bottom of the page, and click the link that says Hide my IXR.
- Follow the directions on the screen and in the confirmation e-mail.
- Repeat Steps 2-4, to make sure you do not have more than one IXR.
- Consider signing up for Breach Alerts to find out if your name is added in the future.
Updates to this Policy
This page was last updated July 19, 2009. We'll continue to update our policy as necessary, and though individual policies may change with time, one thing will not: We will always treat your privacy the way we would like others to treat ours.