Call Don’t Click Update: Still be smart about ordering federally mandated free credit reports
The World Privacy Forum cautions consumers who qualify to order a federally mandated free annual credit report to take common-sense computer safety steps before ordering their credit report online. If consumers are unsure about any aspect of securing their computers, calling for a credit report via the official toll-free number (877-322-8228) is a good option, as is mailing in for the report. Both the phone and the mail options generally expose consumers to fewer potential hazards than the online option.
The official annualcreditreport.com site has improved since its launch in December 2004.  However, there are continuing potential hazards posed by imposter Web domains, some of which have been aggressively attempting to deceive and misdirect consumers. From mid-May through the end of June 2005, the World Privacy Forum identified and tracked 233 domain name registrations that employed the words annual credit report in some combination or variation, or were close misspellings of the official site annualcreditreport.com.
Researchers documented that one hundred twelve (112) of the 233 registered imposter domains were active and online during the month of June, 2005.  This marks a 124 percent increase of documented active, online imposter sites from the World Privacy Forum’s February 25, 2005 report on this issue. (The February report documented 96 imposter domain registrations with 50 of the registered domains being active imposter domains.)
The imposter domains vary in content. Some imposter domains inappropriately ask consumers to supply Social Security Numbers (SSNs), date of birth, and other highly sensitive information. Other imposter domains containing the words annual credit report in various combinations are “link farms” or “ad farms” that send consumers to for-pay services at subsidiaries of the credit bureaus Experian, TransUnion, and to other companies through affiliate marketing programs and/or online keyword advertising programs. Finally, some imposter domains send consumers to sites that have nothing to do with credit; for example, some imposter domains have plentiful links to pornographic sites. Four of the imposter domains forward consumers directly to the home page of a commercial data broker, Intelius.
Consumers can land on imposter domains in two primary ways. Some consumers simply mistype the official domain name, or do not remember it correctly when they type it in. Others use a search engine to find the annualcreditreport.com site, and then land on an imposter domain when they click on the wrong result, or on a paid result, in a search engine listing. 
Researchers found that the search engines varied substantially in how well the official site was displayed after a search for the phrase “annualcreditreport” and related variations. Depending on the search engine used, consumers may encounter paid results that are listed before the official annualcreditreport.com site, which can confuse some consumers even if the non-sponsored search results were generally accurate.
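The two naming criteria described above (the words annual credit report in some combination, or a close misspelling of annualcreditreport.com) can be applied as a name check when triaging candidate domains. This is an added example, not code from the World Privacy Forum report: the edit-distance threshold of 2 and the `.example` hostnames are assumptions, while the four .com/.net names are the ones the report lists as forwarding to Intelius.

```python
# Added example (not from the report): name-based triage of candidate hostnames.
OFFICIAL = "annualcreditreport.com"
KEYWORDS = ("annual", "credit", "report")
MAX_TYPO_DISTANCE = 2  # assumption: the report states no numeric threshold

# The four names the report lists as forwarding to Intelius (June 27, 2005).
REPORT_DOMAINS = [
    "www.onlineannualcreditreport.com",
    "www.creditreportannually.com",
    "www.annualonlinecreditreport.com",
    "www.freeannualcreditreports.net",
]
# Constructed samples under the reserved .example TLD.
CONSTRUCTED = ["anualcreditreport.example", "annualcreditreprot.example",
               "weather.example"]


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def name_label(host):
    """Label left of the TLD, lower-cased; assumes a single-label TLD."""
    labels = host.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(host):
    host = host.lower().rstrip(".")
    if host in (OFFICIAL, "www." + OFFICIAL):
        return "official"
    label = name_label(host)
    if all(word in label for word in KEYWORDS):
        return "keyword-combination"
    if edit_distance(label, name_label(OFFICIAL)) <= MAX_TYPO_DISTANCE:
        return "close-misspelling"
    return "unrelated"


def triage(hosts):
    """Map each hostname to its class, for review by an analyst."""
    return {h: classify(h) for h in hosts}


if __name__ == "__main__":
    for host, verdict in triage([OFFICIAL] + REPORT_DOMAINS + CONSTRUCTED).items():
        print(f"{verdict:20} {host}")
```

A name match only nominates a domain for review; the report's count of active imposters came from repeatedly checking what each domain actually served.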
Summary of new findings:
- At least 233 total domains with close or nearly identical spellings of annualcreditreport.com have been purchased. This is an increase from the findings in the first report.
- At least 112 known and confirmed imposter domains were “live,” that is, online and actively routing consumers away from the official site as of June, 2005. This is an increase of 62 domains from the findings in the first report.
- 21 of the imposter sites posted some form of minimal contact information, such as the ability to fill out a Web form or send an email.
- Many of the imposter domains actively sent consumers to credit bureaus instead of to the official annualcreditreport.com site. This is happening because the pay per click and affiliate marketing issues articulated in the first report are still a substantial problem. When the “live” and “parked” imposter domains send consumers to commercial credit services and some credit bureaus, many of the imposter domains get paid for doing this via “pay per click” online advertising and/or affiliate marketing schemes.
- Four imposter domains forwarded consumers directly to a commercial data broker, Intelius.
Summary of Changes from February 25, 2005 Report:
- As of June 2005, 112 confirmed imposter sites were active online. This is 62 more domains than researchers documented in February, 2005. Some of the domains were more assertive about gathering consumer SSNs and other sensitive information than was documented in the earlier report.
- Originally, only four sites were able to link to the official free credit report site: the Federal Trade Commission (FTC) and the three credit bureaus, Experian, Equifax, and TransUnion. The credit bureaus now allow legitimate organizations to link to the official Web site, which is a positive change from the first Call Don’t Click report. 
- TransUnion’s initial implementation of its free credit report system has changed since the first report. The initial report noted that when consumers used the official annualcreditreport.com site to order reports from TransUnion, they were automatically selected to receive marketing information and product offers from subsidiaries and affiliates. This was done via a check box that was already checked at the TransUnion registration point of the annualcreditreport.com site. This issue has now been resolved, and TransUnion no longer pre-selects consumers to receive this marketing material on this particular page.
- A commercial data broker, Intelius, is using annualcreditreport.com imposter domains to send consumers to its services. This was not a situation researchers uncovered in research for the February version of the report.
- Consumers who go to a variety of search engines and type in the term annualcreditreport will frequently see the official site as the first non-paid result, depending on which search engine is being used. That search engines can now index the official site is a positive change from the first report. Unfortunately, not all search sites clearly segregate paid and unpaid listings, and this can pose problems.
- (Detailed tips and recommendations for consumers are available in Appendix F and also at <http://www.www.worldprivacyforum.org/consumertips_calldontclick.html>.)
- All Web domains that are online and that use the keywords annual credit report in various combinations, or domains which are close misspellings of the official site, need to be taken offline immediately and turned over to the Central Source. 
- The FTC should require credit bureaus and their subsidiaries to cease and desist from all search engine and other online advertising campaigns – including affiliate marketing programs — that use the words annual + credit + report in any combination if these search terms take consumers to a for-pay commercial site or any site other than the official annualcreditreport.com site. This is a challenging area, but one that needs to be tackled.
- The credit bureaus and their subsidiaries should be required to closely audit their marketing affiliates and search engine marketing campaigns for abuses and take action. Any credit bureau affiliates using domains containing the words annual credit report should be disaffiliated immediately and the domain turned over to the Central Source. To date, this has not been happening in a consistent or timely manner.
- There are substantial problems with imposter domains that are parked or live “ad farm” or “link farm” domains. These domains frequently post dozens of text advertising links to credit bureaus and credit services. This is an out-of-control area of e-commerce that needs to be looked at very closely by the FTC for consumer fairness issues. Consumers who land on “link farms” or “ad farms” should receive some disclosure about what it is they have landed on so they can make informed decisions. Well-known domain registrars are among the entities creating the imposter domains, and well-known search engines are among those filling the domains with commercial credit bureau and debt consolidation ads. In addition to creating more accountability for the credit bureaus and their affiliate marketing advertisements, the companies responsible for creating the domains and/or the advertisements sitting on the imposter domains also need to shoulder some of the responsibilities to the consumer.
- The commercial data broker Intelius is using domains that contain the keywords annual credit report to forward consumers to its data brokerage services. These domains should be returned to the Central Source immediately.
- Those Web sites that state in their source code that they are referring consumers from a domain other than the actual domain should be held accountable for deceptive practices. This would apply especially to questionable sites that redirect consumers to legitimate businesses by altering the domain referrer information.
- A search of “annualcreditreport” using a search engine such as Google.com, Yahoo.com, or MSN.com typically brings up the official site plus in some cases sponsored listings for commercial sites and services that are not the official annualcreditreport.com site. While this is an accepted business practice, this is a cause for concern in instances where there may be consumer confusion about which search results are paid listings, and which are the unpaid listings. Because of the importance of the annualcreditreport.com site, it is important for the FTC and the credit bureaus to continue public education campaigns to differentiate the official site. Although display of search results is admittedly a larger Internet issue, it is still important for all search engines to follow the FTC guidelines for clearly differentiating search engine placement of paid and sponsored results. 
 Residents in Alaska, Arizona, California, Colorado, Hawaii, Idaho, Montana, Nevada, New Mexico, Oregon, Utah, Washington, and Wyoming can order a free report beginning December 1, 2004. Residents in Illinois, Indiana, Iowa, Kansas, Michigan, Minnesota, Missouri, Nebraska, North Dakota, Ohio, South Dakota, and Wisconsin can order a report beginning March 1, 2005. Residents in Alabama, Arkansas, Florida, Georgia, Kentucky, Louisiana, Mississippi, Oklahoma, South Carolina, Tennessee, and Texas can order a free report starting June 1, and residents in Connecticut, Delaware, Maine, Maryland, Massachusetts, New Hampshire, New Jersey, New York, North Carolina, Pennsylvania, Rhode Island, Vermont, Virginia, and West Virginia, the District of Columbia, Puerto Rico, and all U.S. territories can order their free reports beginning September 1, 2005. Source: < http://www.ftc.gov/bcp/conline/pubs/credit/freereports.htm>.
 For more information about why free credit reports have been mandated by the Federal government, see the discussion at the FTC pages. < http://www.ftc.gov/bcp/conline/pubs/credit/freereports.htm>.
 Key safety steps include: 1. Ensure you are at the official site before you submit personal information, 2. Do not use a public computer (such as a library computer) or use a networked computer at work to order your reports, 3. If you order your report using a Wireless Internet connection, ensure that the connection is encrypted, 4. Ensure that the computer you use is not infected with viruses or spyware that could compromise the security of your information, 5. If you use software such as Google desktop search or other search software that saves https files, either deselect https caching or turn the software off during your ordering process.
 Federally mandated credit reports may be ordered by mail. See the Resources section of this report for directions on how to do this.
 Michigan Attorney General Mike Cox has suggested in a February 2005 consumer alert several tips for consumers who phone in for their reports. First, request that only the last four digits of the SSN are shown on the mailed report, and send the report to a secured mail box. For the complete consumer alert, please see <http://www.michigan.gov/printerFriendly/0,1687,7-164-34391-111010– ,00.html>.
 The most significant site-specific improvement was TransUnion’s decision to stop pre-selecting consumers to receive marketing materials during the registration process. See the February 25, 2005 study for a discussion of this and other site-specific issues: <http://www.www.worldprivacyforum.org/pdf/wpf_calldontclick_study_2005.pdf>.
 112 +/- 3. Each domain included in the final number of 112 was checked a minimum of three times prior to inclusion in this report. Domains that were identified as problematic, i.e., domains that were found to be shifting, were checked as many as 20 times prior to inclusion. Please note that the imposter domains can change as frequently as three times in one day, so the number of domains is a moving target. It is probable that the domains may have changed since the last complete check date June 27, 2005. The average variation in domain names during checks was plus or minus 3 due to domain shifting. That is, the domains would go offline for a day, then come back up. Some of the domain names changed home pages multiple times during a day, others would change the URLs to which the domain was forwarding.
 A link farm is a Web site that exists for the primary purpose of sending consumers to various services or sites, often in return for a small fee paid for each time a consumer clicks on one or more of the links. Some links on a link farm may be placed there on the basis of an affiliate marketing relationship (For more on affiliate marketing, see Footnote 9). But some link farms are simply collections of text ad links that have been rolled onto one or more pages. There is no real content, just dozens of links that are text ads. For example, a link farm can be created on a parked domain that contains many text link ads related to or from online advertising programs such as Google’s Domainpark program. (See footnote 10 for more on Domainpark.)
 Affiliate marketing programs are a common feature of the Internet at this point. The issue with affiliate marketing programs is that because they typically pay a commission to sites that bring in visitors through active links, some domain owners have abused the programs by creating thousands of phony or “typo” sites to bring in visitors for certain keywords. Some affiliate marketing programs are well-policed for abuses, others less so. For additional information about this subject, see Wired, “Shady Web of Affiliate Marketing,” Feb. 10, 2005, Ryan Singel. See <http://www.wired.com/news/privacy/0,1848,66556,00.html>.
 Online advertising programs are frequently encountered on the imposter sites. The Google Domainpark program (see <http://www.google.com/domainpark/>) and other similar programs allow site owners with multiple “parked” domains to place text link ads and other kinds of online ads on parked pages. The links may be related to advertisements keyed to particular words or phrases. The pages that result are frequently called “link farms” or “ad farms.” The domains in parked ad programs may get high volumes of visitors because the sites are often misspellings of well-known sites, in this case, annualcreditreport.com. See Footnote 8 for more on link farms.
 As of June 27, 2005 the following four domains containing the key words annual credit report resolved to (that is, forwarded consumers to) Intelius: www.onlineannualcreditreport.com, www.creditreportannually.com, www.annualonlinecreditreport.com, and www.freeannualcreditreports.net . For more about Intelius see < http://find.intelius.com/index.php>.
 Consumer Reports Web Watch issued a June 2005 report detailing the importance to consumers of how search engines display search results. The report, Still In Search of Disclosure, is available at <http://www.consumerwebwatch.org/dynamic/search-report-disclosure-update-abstract.cfm>.
 Ibid. Still in Search of Disclosure.
 Originally, the credit bureaus only allowed the FTC and the three credit bureaus to link to the official annualcreditreport.com site. This created numerous problems; for example, consumers had to type in domains, which increased the possibilities for consumers to land on a typo domain. See Figure 2 in the first report for more information about the original linking problem <http://www.www.worldprivacyforum.org/calldontclick.html>. Also see EPIC’s December 2004 letter to the FTC asking the agency to unblock Web links. “Free Annual Credit Report Site is Blocking Web Links,” December 7, 2004. <http://www.epic.org/privacy/fcra/freereportltr.html>.
 The Central Source was established by a rulemaking of the Federal Trade Commission. The rule created one central location where consumers could request and acquire a free annual credit report from the three nationwide credit bureaus: Equifax, Experian, and TransUnion. Under the final FTC rule, the centralized source must include “a dedicated Internet Web site, a toll-free telephone number, and a postal address.” See < http://www.ftc.gov/opa/2004/06/freeannual.htm>.
 See the FTC consumer alert about search engines: <http://www.ftc.gov/bcp/conline/pubs/alerts/searchalrt.htm>. Also see the FTC guidelines for search engines: < http://www.ftc.gov/os/closings/staff/commercialalertletter.htm >.