CALL DON'T CLICK: Why it’s smarter to order federally mandated free credit reports via telephone, not the Internet

Pam Dixon, Principal Investigator *

Released February 25, 2005

Report Updated March 8, 2005

Important Update Notes:

It is unusual to update a research report just one week after its release. However, after the publication of Call Don't Click a number of changes took place very quickly. First, the Weblinking problem this report documented was addressed by a policy change at the three credit bureaus. Second, one of the issues this report documented with the TransUnion credit bureau was addressed by a policy change from TransUnion. With the exception of these two changes, the remaining issues documented in the report are as stated. For example, issues with affiliate marketing campaigns, typo domains, and confusing menu bars remain.

More details on the updates:

Weblinking: As of noon February 28, 2005, the credit bureaus changed the no-linking policy described in this report and began allowing news organizations and other sites to link directly to the Annualcreditreport.com site.

TransUnion pre-selection of consumers to receive marketing information: Confirmed as of March 4, 2005, TransUnion changed its preselection policy described in this report and no longer automatically opts consumers in to receive marketing offers through a checkbox at the bottom of its registration page. However, TransUnion still asks for an email address.

Shift in imposter domains: As soon as this report was published, the imposter "typo"domains began shifting and moving. We are tracking those changes and will publish an update to the imposter list in the coming weeks.

We have noted updated information in the text by an asterisk and corresponding endnotes to preserve the flow and integrity of the original text. We will continue to monitor changes and update as needed.

Experian typo domains: It is also important to note that a number of press reports are quoting this report as finding that Experian is diverting consumers via its 28 typo domains. This is not the finding of this report. To reiterate the report findings, the Experian typo domains are not live domains, and are not available online.

Summary

The World Privacy Forum urges consumers who qualify [1] to order a federally mandated free annual credit report [2] to call the toll free number (877-322-8228) instead of ordering their free credit report online. Calling the toll free number exposes consumers to fewer potential hazards than ordering online. [3]  Consumers who try to use the official online site www.annualcreditreport.com may encounter numerous challenges, some of them potentially serious.

By calling the toll free number instead of visiting the online site, consumers are also protected from the potentially confusing sales and marketing information at the official free annual credit report site. [4]

Beyond issues with the annualcreditreport.com site, there are hazards posed by imposter Web domains. The World Privacy Forum has identified and confirmed 96 domain names that are close misspellings of the official site, annualcreditreport.com. At the time of writing, 50 of these imposter domains were active and luring unsuspecting consumers to questionable sites. Some of these deceptive imposter sites led consumers to official credit bureau sites where individuals would have to pay a fee instead of being able to access a federally mandated free credit report.

The problem of the misspelled domain names is particularly troubling because the credit bureaus are refusing to allow legitimate news organizations, consumer groups, and other legitimate companies to link to the official free credit site. [5] Currently, only four sites are able to link to the official free credit report site: the Federal Trade Commission (FTC) and the three credit bureaus, Experian, Equifax, and TransUnion. * [See update 1]

Unless consumers are clicking from one of these four sites, they must type in or copy and paste the free credit report site address. Given that numerous deceptive sites are actively misleading consumers by claiming to be the official site, and are typically only one letter or one easy typo away from the “real site,” it is altogether too easy for consumers to get trapped by an imposter domain.

One credit bureau apparently thought about this issue; Experian took out at least 28 known domains of common typos for annualcreditreport.com on July 27, 2004. However, Experian and the other credit bureaus left dozens of potential domain names up for grabs, many of which were picked up by “pay per click” companies. Consumers are now left to weed their way through a jungle of imposter sites whose only purpose is to gather “clicks” for money.

Meanwhile, various companies appear to be actively advertising commercial services through keyword advertising campaigns and or affiliate marketing programs. [6] The imposter domains can profit from these campaigns and programs. For example, an online ad or affiliate marketing campaign studied for this report included the keywords “free +credit + report + online.” This program sent consumers to Experian and other credit services via the imposter sites. [7] The Experian, TransUnion, and Equifax credit bureaus all have active affiliate marketing campaigns that encourage domain owners to send visitors to their commercial, for-pay service sites. [8]

If consumers do manage to find their way to the official annualcreditreport.com site, they still face challenges. TransUnion, for example, automatically selects consumers to receive marketing information through a small, pre-checked box at the bottom of a registration page. * [See update 2]. If the box is left checked, TransUnion may then share the consumer’s information with its business affiliates and partners.

Consumers also have up to four different privacy policies to read and understand. Additionally, one credit bureau, TransUnion, is requesting consumer email addresses in a way that does not indicate the submission of the information is voluntary and is not necessary for getting a free credit report.

Summary of findings regarding misspelled domains:

• Ninety six (96) total domains with close or nearly identical spellings of annualcreditreport.com have been purchased. Of these, 28 domains are owned by Experian. Sixty eight (68) domains are owned by other individuals.

• There are 50 known imposter domains that are “live.” Many of these 50 known imposter domains label their home pages as the official annualcreditreport.com site, even though they are not in fact the official site. There may be more imposter domains that have not been found yet.

• The “live” imposter domains actively send consumers to commercial credit services and credit bureaus. The imposter domains get paid for doing this via “pay per click” online advertising and affiliate marketing schemes. Some pay per click schemes run through search engines. Pay per click schemes can also operate through affiliate marketing programs.

• Experian, TransUnion, and Equifax are not allowing legitimate news, consumer, and other organizations to link to the official annualcreditreport.com Web site. * [See update 1] This means that consumers have even a greater chance of misspelling domains because they must type the name in instead of click on a link. Meanwhile, the credit bureaus are allowing active links to their commercial service sites from affiliate marketing programs.

Summary of Findings from analysis of the actual annualcreditreport.com site

• TransUnion’s implementation of its free credit report system is problematic in several respects. When consumers use the official annualcreditreport.com site to order reports from TransUnion, they are automatically selected to receive marketing information and product offers from subsidiaries and affiliates. This is done via a check box that is already checked. * [See update 2 ].

• TransUnion requests an email address from consumers who want to order a federally mandated free credit report. But TransUnion does not state that submission of the email address is voluntary.

• TransUnion requires consumers to register at its site prior to seeing their federally mandated free credit report. TransUnion is the only credit bureau with this requirement.

• Two credit bureaus, Experian and Equifax, have employed potentially confusing menu formatting in their implementation of their free credit report offerings.

• Consumers who use the official annualcreditreport.com site to order all three of their credit reports will be subject to a total of four different privacy policies.

Recommendations

• The FTC needs to take down the misspelled domains that deceptively state on their home pages that they are annualcreditreport.com.

• Those Web sites that state in their source code that they are referring consumers from a domain other than the actual domain should be held accountable for deceptive practices. This would apply especially to questionable sites that redirect consumers to legitimate businesses by altering the domain referrer information.

• The FTC should require all three credit bureaus to cease and desist immediately from participating in any online keyword advertising or affiliate marketing campaign that contains the words “free credit report” or “annual credit report” if the campaign sends consumers to their for-pay commercial services. Additionally, the credit bureaus should be required to police their affiliates more closely for abuses.

• The FTC needs to require the credit bureaus to immediately stop “blacklisting” legitimate non-profit organizations, news outlets, and other entities from linking to the official annualcreditreport.com site. Due to the 68 known imposter sites, there is a clear risk in not allowing Web linking to the official site from legitimate organizations. * [See update 1]

• Menu options at the credit bureau subsections of annualcreditreport.com need to be labeled conspicuously as either specifically for the federally mandated free credit report or for a commercial service unrelated to the free credit report.

• TransUnion should not be allowed to automatically select consumers to receive marketing material and have their information shared with affiliates and partners. *[See update 2 ] Further, TransUnion should not be requesting an email address to send marketing information to via a site designed primarily to allow consumers to get their federally mandated free credit report. If TransUnion is going to continue to request email addresses from consumers -- information that is not required for receiving a free credit report -- then the email address request should be clearly labeled as a voluntary submission at the time it is requested. Currently, it is not labeled as a voluntary submission.

• Some attention needs to be paid to the fact that consumers will have to read four privacy policies in order to understand their rights at the official online site. If this process can be simplified or made clearer, then it should be.

Discussion of Findings

The report findings are divided into two sections: findings on fraudulent domains, and findings relating directly to the actual annualcreditreport.com site. Findings on Fraudulent, deceptive, or misspelled domains.

To date, 96 known misspelled domains are registered; [9]  28 of these domains belong to Experian, 68 of these domains belong to other individuals who are exploiting the misspellings with deceptive “pretender” domains and pay per click marketing schemes that lead consumers to for-pay services at Experian and other credit services such as “MyFico” at FairIsaac. Of the total number of typo domains, 50 are currently online and some of these domains are highly deceptive. Of the 50 active imposter domains, there are two primary methods by which consumers are misled.

• A. The active imposter domains may incorrectly claim to be annualcreditreport.com on their home pages.

• B. Some of the domains may correctly label their home pages, but then incorrectly include deceptive domain forwarding information within their source code. This deceptive information incorrectly identifies the domain to a search engine, or a credit bureau, or other ad partner or affiliate.

In the graphic below (Figure 1) is an example of an imposter domain. Here, annualceditreport.com is claiming on its home page to be annualcreditreport.com, and boasting that it is “Your Access to Free Credit Reports.”

Figure 1. An imposter domain. Note the misspelling of the URL in the address bar.

Misspelled domains owned by Experian

Experian purchased at least 28 domains on July 27, 2004. [10] Each domain is comprised of a close misspelling of annualcreditreport.com, the official free credit report site.

The Experian-owned misspelled domains are:

The Experian domains have name servers of ns03consumerinfo.com/ns04 consumerinfo.com. This is important, because even though these domains were registered to GoDaddy via Domains by Proxy, nameservers are unlikely to lie.

ConsumerInfo.com is an Experian company, and is an active domain. Its nameservers are ns03/ns04 consumerinfo.com, the same as the domains above.

Qspace.com, a domain receiving numerous “pay per click” flows from the parked domains mentioned in this report, is also registered to ConsumerInfo.com, and uses the ns03/ns04 consumerinfo name servers.

As of the report date, the 28 Experian domain names listed above did not have active Web sites.

Misspelled Domains Owned by Other Companies

Researchers found 68 misspelled domains owned by a variety of companies and individuals. The total known number of the misspelled domains known to be owned or hosted by pay per click companies is 68. Fifty (50) of the domains are live, 18 have been taken out but were not online as of the time of writing. [11]

During research for this report, a number of the domains changed status. For example, one domain that was live in December still exists, but has been taken offline. Other domains that were not online now are.

There is a high possibility that more misspelled domains already exist, or will be taken out in the future. There is also the possibility that the live and non-live domains will continue to shift. * [See update 3].

50 “live” imposter domains:

18 purchased imposter domains not currently online:

Other Problematic Domains to be aware of

The domain annualcreditservice.com is associated with pay-per-click schemes and sends consumers to various for-pay services. It is included here because the site also uses the annualcreditreportinfo.org name deceptively. Annualcreditreportinfo.org is a domain owned by the three credit bureaus, not by annualcreditservice.com.

How the Owners of the Misspelled Domains are Making Money on Consumer Confusion

The deceptive and misspelled domains that are hosted at or owned by “pay per click” companies are highly problematic on a number of levels.

First, the misspelled sites are sending consumers to for-pay services at the credit reporting bureaus, and the owners of the misspelled imposter sites are getting paid to do this. They are getting paid because someone somewhere paid for a keyword or Internet marketing campaign. There is a possibility that the credit bureaus themselves are paying the misspelled sites or their partners because the imposter sites or their partners have joined one or more of the credit bureaus’ “affiliate” programs. [12]

What is most troubling is that the keyword phrase “free online credit report” is being used to target and send consumers to for-pay services at Experian and other sites instead of to the federally mandated free credit report site, annualcreditreport.com.

How the scheme works: the specifics

This is a simplified explanation of what is happening to consumers. For more details and examples of how the source code looks and operates, please see Appendix A.

1.An individual types in official annualcreditreport.com domain name with a misspelling. In this example the typo domain is annualcresitreport.com.

2. The annualcresitreport.com domain name is parked at or managed by a “pay per click” domain company, in this example, the annualcresitreport.com Web site is parked at DomainSponsor.com.

3. The annualcresitreport.com home page contains links to Free Credit Reports and similar topics. (PDF of home page).

4. Consumers who click on the “Free Credit Report Online” links will be taken to a page of “sponsored links.” The four sponsored links on the site in this example are “Free Credit Report Now,” Instant Credit Report, Online Credit Report, and Free Credit Report. (PDF of Sponsored Links page).

5. After clicking one of these sponsored links, individuals will be redirected through a series of Web sites. This will happen so quickly that most will never see the information flashing across the address bar. For example, say a consumer clicks on the sponsored link “Free Credit Report.” In this example, that link will take the consumer first to Information.com then to Google.com, then finally, the consumer will land on an Equifax credit bureau site that lets consumers check their credit -- for a fee. All of this redirection will happen in the blink of an eye and will not be obvious to most consumers.

(PDF of ConsumerInfo via Qspace, arrived at via clicking on the imposter site link).

The reason this redirection happens is so that keywords or search terms can be passed along to advertising partners. This ensures that everyone in the chain gets a commission from the click. Meanwhile, ConsumerInfo.com/Experian gets customers. And the owner of the annualcresitreport.com domain gets a potential financial payout from the click-through. Everyone makes money or gets a benefit, except for the consumer who did not make it to the real annualcreditreport.com site. For the record, the annualcresitreport.com imposter site in this example had four “sponsored links” leading to the following sites:

• Sponsored Link: Free Credit Report Service (An Experian Company)
• Leads to: <https://qspace.iplace.com/cobrands/370/order1_1.asp?p=1&sc=6088BJ07>

• Sponsored Link: MyFICO.com, a division of FairIsaac
• Leads to: <http://www.myfico.com/?lpid=GGLE1011>

• Sponsored Link: ConsumerInfo.com, an Experian company
• Leads to: < http://qspace.iplace.com/cobrands/457/default.asp?sc=6163GGMN>

• Sponsored Link: CreditProtect by Identity Guard
• Leads to: <http://www.identityguard.com/se/landing_se_cm_cptrial.asp>

Specific Pay Per Click Companies Involved in AnnualCreditReport.com misspellings

As previously stated, 68 of the 96 misspelled domains are registered to or somehow connected to pay-per-click companies. These companies specialize in creating hundreds and sometimes thousands of domains for the sole purpose of making money from keyword or search engine ad sales. Usually the only way these imposter sites make money in the context of the misspelled domains is when an individual misspells a domain and clicks all the way through to a final destination page, which in some cases only takes two or three exploratory clicks.

Many of the imposter domains are redirected by DomainSponsor, a “pay per click” domain parking engine. This is revealed by the name servers of nsproredirect1/nsproredirect2, which are the well-known name servers Domain Sponsor allows domain parkers to use. The domains parked at Domain Sponsor make extensive use of iFrames to disguise what is happening to consumers. Imposter domains that were “live” at the time of writing were hosted by the following companies on the following name servers:

• DomainSponsor Name Server: NS1.PROREDIRECT.COM
• Enom Name Server: DNS1.NAME-SERVICES
• GoDaddy Name Server: PARK17.SECURESERVER.NET
• Budget Names Name Server: NS1.RENTALQUEUE.COM
• Domain Hop Name Server: NS1.DOMAINHOP.COM

Note: One misspelled domain that was live in December 2004 was hosted by Fabulous at Fabulous.com name servers, however, this domain was taken down and no other Fabulous hosted domains were found.

Consumers who mistype in annualcreditreport.com and land at one of these active imposter domains will be besieged by pop-ups, pop-unders, and persistent advertisement windows. Researchers documented pop-up advertisements for Phoenix University, virus scanning software, a host of “free” items, and credit report advertisements.

Consumers who land on these domains should simply close their browsers and start over, or simply call the toll free number for their credit report.

Finally, some of these pay per click companies also own or are affiliated with search engine sites. For example, DomainSponsor is affiliated with Information.com. Information.com in turn collects all of the information flowing into its site from the imposter domains and makes money by selling or sharing the information. (PDF of Information.com privacy policy.)

Based on the WHOIS registry information and information on Information.com and DomainSponsor, it is possible to go one step further. DomainSponsor.com is registered by Oversee.net, and Information.com is also registered by Oversee.net. Information.com states on its Web site that it is an Oversee.net company. It appears that Information.com uses its apparent DomainSponsor product to set up imposter domains and feeds the keywords and ad campaigns into its own search engine.

Findings on Official Site AnnualCreditReport.com

Blacklisting, or not allowing active Web linking to the annualcreditreport.com site is an ongoing issue. But those consumers who do manage to land at the official annualcreditreport.com site have further challenges to contend with.

Namely, there are issues regarding automatic selection for marketing and information sharing, menu confusion, and up to four different privacy policies to read and understand. Additionally, one credit bureau, TransUnion, is requesting consumer email addresses in a way that does not indicate the submission of the information is voluntary and is not required for receiving a free credit report.

Blacklisting for those who link to annualcreditreport.com * [See update 1]

As of December 1, 2004, this is the message consumers saw when they clicked a link to annualcreditreport.com from all sites but the FTC and the three credit bureaus:

Figure 2. Original Black List Message from the official annualcreditreport.com site .

It is intriguing that the credit bureaus are allowing imposter domains to help send them business via online ad links and affiliate marketing, while at the same time they are blocking legitimate organizations from sending consumers to the official free credit report site via online links.

The most current blocking message the credit bureaus are putting on the annualcreditreport.com site is as follows:

“For security purposes, www.annualcreditreport.com can be accessed by

typing the web address "www.annualcreditreport.com", or from links from

the Federal Trade Commission (www.ftc.gov), Equifax (www.equifax.com),

Experian (www.experian.com) and TransUnion (www.transunion.com) websites.

annualcreditreport.com is the only web source authorized by all three

nationwide consumer credit reporting companies from which free annual credit file disclosures can be requested.”

Again, it should be pointed out that the three credit bureaus allow affiliate marketing sites to actively link to the bureaus’ credit services. It is unknown how security risks are mitigated in the instances of affiliate marketing linking to credit bureaus’ commercial sites.

TransUnion Marketing to Consumers and Email Collection

If consumers use annualcreditreport.com to collect their federally mandated free credit report from the TransUnion credit bureau, consumers will run into two immediate issues. First, TransUnion pre-selects a checkbox that gives it permission to send consumers marketing and affiliate offers. Secondly, unlike the other two credit bureaus., TransUnion requests consumer email addresses at its registration page.

A third general issue to note is that TransUnion, unlike the other two credit bureaus, requires consumers to register at the TransUnion site in order to view their federally mandated free credit report. Registration requires consumers to provide more information than would otherwise be necessary.

TransUnion “Auto-Opt In” * [See update 2]

On the TransUnion subsection of the official annualcreditreport.com site, consumers are automatically selected to receive marketing emails and have their information potentially shared with affiliates and partners. TransUnion accomplishes this by displaying a checked box on the bottom of the page on its site. If consumers do nothing, they will be effectively choosing to receive marketing and affiliate offers.

(PDF of TransUnion page with pre-checked box.) *[See update 2]

The text of the TransUnion pre-checked offer states:

“You will receive a free monthly newsletter loaded with important credit education as well as valuable product offers provided by our subsidiaries and partners.”

This pre-selection is problematic on a number of fronts. First, consumers should not be forced to de-select themselves from marketing and affiliate offers when they are going to the site specifically for collecting a federally mandated free credit report. It is important to note that in order to get those product offers from subsidiaries and partners, TransUnion may share consumers’ relevant information.

Secondly, the checked box is at the very bottom of the page, and may easily be overlooked by consumers.

In its annualcreditreport.com privacy policy, TransUnion states:

“Under the FCRA, we may provide information to companies that provide you with pre-approved offers of credit or insurance.

If you indicated to us when you registered, placed an order or updated your account that you were interested in receiving information about other products and services, your name and email address may be shared with a third party in order to present these offers to you.” (PDF of full privacy policy.)

Because TransUnion requires consumers to register in order to access federally mandated free credit reports, then this statement about name and email address sharing with third parties will very likely apply to consumers who neglect to uncheck the box and who provide email addresses.

It is unknown if TransUnion’s auto-selection of consumers at annualcreditreport.com will override previous opt-outs consumers have made. For example, if a consumer has previously called to stop affiliate information sharing, will keeping the TransUnion checkbox checked reverse this choice? This is a question the FTC needs to address with TransUnion.

Also located in TransUnion’s annualcreditreport.com privacy policy is a statement specifically about signing up for the newsletter:

“TrueCredit Newsletter

You may sign up for TrueCredit's free monthly newsletter by selecting “You will receive a free monthly newsletter loaded with important credit education and valuable product offers provided by our subsidiaries and partners.”

 

There is a question here of the accuracy of the privacy policy, because consumers do not need to select anything to sign up for the TrueCredit newsletter, it has already been done for them if they visit the site. *[See update 4]

Neither Equifax or Experian are automatically selecting consumers to receive marketing information and affiliate offers.

TransUnion Email Address Requests

On the same page where TransUnion automatically selects consumers to receive marketing offers, TransUnion also requests consumers’ email addresses. The email address is requested in the same space that requests information such as name and address and SSN. (Click here to see TransUnion email request PDF)

TransUnion does not specifically disclose that giving an email address is voluntary. If an individual clicks on a link under the email address request, a box pops up with an explanation of why TransUnion is asking for it.

This is the text of the TransUnion email explanation:

“Why do you need my email address?

Your email address allows us to contact you with important information regarding your account and , if necessary, to help you login or confirm your identity.”

(Click here to see a screen shot of the email explanation box at TransUnion PDF )

In order to view a federally mandated free credit report online, there is no need for an individual to give a credit bureau an email address. The report displays online through the Web browser, and is not sent via email. The other two credit bureaus do not request email addresses from consumers as a prerequisite to viewing the free credit report.

Consumers’ email addresses are an additional and optional piece of information that TransUnion does not need to have.

TransUnion, in its privacy policy governing its activities at annualcreditreport.com states: “We may use information you provide to update our consumer credit database.” It is unknown if this statement applies to email addresses. However, if a consumer does not opt-out of the newsletter checkbox, the email address and name may apparently be shared with affiliates and partners. *[See update 4].

It should be noted that Experian in its implementation of the federally mandated free credit report does give consumers an opportunity to provide an email address much later in the reporting process. This is done only if a consumer chooses to dispute an item in the credit report. The notification of why the email is requested is very clear, and it is made very clear that the submission of the email address is voluntary.

Potentially Confusing Menu Bars at the annualcreditreport.com Site

The three credit bureaus have been allowed by the FTC to advertise for their commercial services at the annualcreditreport.com site. Generally speaking, because of this, the menu design of the individual credit bureaus’ aspect of the annualcreditreport.com site is not optimal.

For example, when an individual is viewing their free credit report online via the annualcreditreport.com site, menu items for the free credit report show up. But menu items for commercial items also show up, and sometimes in a way that makes it look as if those commercial items are part of the free credit report. For example, the Equifax menu bar is all one color, and it is very difficult to differentiate between items that are part of the free credit report and items that are not.

(PDF of Equifax menu bar showing a commercial pitch.)

Experian’s menu bar is a little better, but not perfect. The Experian menu bar at the time of researchers’ visits were color-coded to differentiate the free materials from the for-pay materials, but there was still room for consumer confusion.

(PDF of Experian menu bar.)

The menu bar issue could be easily remedied by the credit bureaus by clearly labeling the for-pay menu items as “commercial services” and separating the for-pay menu items clearly from the free credit report menu items.

Privacy Policies at annualcreditreport.com

An individual who goes to annualcreditreport.com and orders credit reports from all three credit bureaus will be subject to four different privacy policies: the annualcreditreport.com policy, and the policies of all three credit bureaus. These policies will be in effect at different times of consumers’ visit and generally do not overlap.

annualcreditreport.com is essentially a portal site that acts as a funnel to lead consumers to subsites at the three credit bureaus where they can access their free credit report at each separate credit bureau. annualcreditreport.com has a privacy policy that covers its collection of information, but this policy only applies to the few pages of the annualcreditreport.com portal area; it does not apply to consumers after they have entered each of the three credit reporting sites from the portal. For that, each credit bureau has its own policy.

As soon as consumers enter the TransUnion, Experian, or Equifax subsection of the annualcreditreport.com site, then they are subject to the relevant credit bureau’s privacy policy.

Experian and Equifax did not display unique policies tailored to annualcreditreport.com. TransUnion, however, did. TransUnion apparently has a standard privacy policy on its main site, and a separate (and different) privacy policy for annualcreditreport.com.

Archive of relevant annualcreditreport.com privacy policies:

AnnualCreditReport.com privacy policy PDF

TransUnion annualcreditreport.com site privacy policy: PDF

Experian annualcreditreport.com site privacy policy: PDF

Equifax annualcreditreport.com privacy policy: PDF

Resources

Toll Free number for accessing federally mandated free credit report:

877-322-8228

For mailing, complete the Annual Credit Report Request Form and mail it to:

Annual Credit Report Request Service

P.O. Box 105281

Atlanta, GA 30348-5281

The Annual Credit Report Request Form is available online at:

<http://www.ftc.gov/bcp/conline/edcams/credit/ycr_free_reports.htm>

Federal Trade Commission page on Free Annual Credit Reports:

<http://www.ftc.gov/bcp/conline/pubs/credit/freereports.htm>

Credits

Dave Del Torto of Cryptorights.org was instrumental in the early stages of this research.

Daniel Brandt of Namebase.org provided information on the details of online ad campaigns and how the click flows work with affiliate marketing programs.

Gary Mittman of Nami Media provided information about the “pay per click” business model and world.

Daryl Swensson, Technology Research Fellow at the World Privacy Forum, assisted in the proofing of the early report drafts.

L.K. Davidson provided editorial proofing.

John Boak, Webmaster of World Privacy Forum, created the design for the report.

Jordana Beebe of Privacy Rights Clearinghouse and Daniel Brandt of Namebase.org provided particularly important feedback during the peer review process.

Tips provided by the Attorney General of Michigan’s February 2005 consumer alert were indispensable in thinking through the consumer information in the report.

Appendix A:  Source Code of the Redirects at misleading domains (PDF)

Appendix B : Registry information for domains  (PDF )

Update Notes

Update 1: The annualcreditreport.com site now allows Web linking. The site does not allow "framing" but direct HTML links are now possible.

Update 2: TransUnion has halted its practice of pre-selecting consumers. However, if consumers choose to receive the newsletter, consumers will still have their credit and other information shared. Please note that TransUnion still requires consumers to register at its site to get a free credit report, and still asks for an email address.

Update 3: Since publication of the report, some of these domains may have shifted.

Update 4: Since TransUnion now requires consumers to actively choose to receive marketing offers, its privacy policy now accurately reflects what will happen to consumers. That is, if consumers choose to receive the TransUnion offers, their information may be shared with affiliates and partners.

Footnotes

[1] Residents in Alaska, Arizona, California, Colorado, Hawaii, Idaho, Montana, Nevada, New Mexico, Oregon, Utah, Washington, and Wyoming can order a free report beginning December 1, 2004. Residents in Illinois, Indiana, Iowa, Kansas, Michigan, Minnesota, Missouri, Nebraska, North Dakota, Ohio, South Dakota, and Wisconsin can order a report beginning March 1, 2005. Residents in Alabama, Arkansas, Florida, Georgia, Kentucky, Louisiana, Mississippi, Oklahoma, South Carolina, Tennessee, and Texas can order a free report starting June 1, and residents in Connecticut, Delaware, Maine, Maryland, Massachusetts, New Hampshire, New Jersey, New York, North Carolina, Pennsylvania, Rhode Island, Vermont, Virginia, and West Virginia, the District of Columbia, Puerto Rico, and all U.S. territories can order their free reports beginning September 1, 2005. Source: < http://www.ftc.gov/bcp/conline/pubs/credit/freereports.htm>.

[2] For more information about why free credit reports have been mandated by the Federal government, see the discussion at the FTC pages. < http://www.ftc.gov/bcp/conline/pubs/credit/freereports.htm>.

[3] Michigan Attorney General Mike Cox has suggested in a February 2005 consumer alert several tips for consumers who phone in for their reports. First, request that only the last four digits of the SSN are shown on the mailed report, and send the report to a secured mail box. For the complete consumer alert, please see <http://www.michigan.gov/printerFriendly/0,1687,7-164-34391-111010--,00.html>.

[4] Federally mandated credit reports may also be ordered by mail. See the Resources section of this report for directions on how to do this.

[5] See Figure 2 in this report. Also see EPIC’s letter to the FTC asking the agency to unblock Web links. “Free Annual Credit Report Site is Blocking Web Links,” December 7, 2004. < http://www.epic.org/privacy/fcra/freereportltr.html>

[6]Affiliate marketing programs are a common feature of the Internet at this point. The issue with affiliate marketing programs is that because they typically pay a commission to sites that bring in visitors through active links, some domain owners have abused the programs by creating thousands of phony or “typo” sites to bring in visitors for certain keywords. Some affiliate marketing programs are well-policed for abuses, others less so. For additional information about this subject, see Wired, “Shady Web of Affiliate Marketing,” Feb. 10, 2005, Ryan Singel. See< http://www.wired.com/news/privacy/0,1848,66556,00.html >.

[7] Online ad campaigns based on keywords and search engines can be dynamic and complex. For more on this, see Google AdSense and Overture as two examples of how these kinds of campaigns generally operate. Sites: < http://www.google.com/ads/> and < http://www.content.overture.com/d/USm/ays/ps.jhtml>.

[8] TransUnion’s TrueLink affiliate program is at:< http://www.truelink.com/affiliate/faq.html#1>; Equifax’s Link Partner Program is at < http://www.equifax.com/link_partners/ > ; Experian’s CreditExpert affiliate program is available at: <https://www.creditexpert.com/CE_site/Message.aspx?PageTypeID=Affiliate Program_CE>.

[9] For date, nameserver, and registration details on each of the registered domans, see Appendix B.

[10] This figure was determined by conducting DiG lookups and checking WHOIS registry information for the domains and then comparing the domain nameserver information with nameservers used to host other known Experian domains.

[11] Last check of the live domain names was conducted on February 21, 2005.

[12] For general information about how affiliate sharing can work, Wired Magazine has a good article on this subject. Wired, “Shady Web of Affiliate Marketing,” Feb. 10, 2005, Ryan Singel. See< http://www.wired.com/news/privacy/0,1848,66556,00.html >.

[13] <http://www.domainsponsor.com>

[14] A confirmation of this is the DiG lookup of proredirect.com: proredirect.com name servers are ns2.oversee.net and ns1.oversee.net. Oversee.net is the parent company for DomainSponsor.

[15] DomainSponsor, in its FAQ page, discusses the benefits of using pop-ups at sites parked at its service. See < http://www.domainsponsor.com/faq.html>.

[16] Information.com may make additional revenue from the incoming data, beyond affiliate marketing. This is hinted at in the Information.com privacy policy, which states: “Individual customers who reside in California and have provided their personal information to us may request information about our disclosures of certain categories of personal information to third parties for their direct marketing purposes.” See: <http://www.information.com/help/privacy.html> Last visited February 24, 2005.

[17] The Electronic Privacy Information Center complained to the FTC about this practice December 7, 2004. To date, the credit bureaus are still blocking active Web links to the official annualcreditreport.com site.

[18] Source: < www.annualcreditreport.com >. Last accessed February 24, 2005.

[19] Text confirmed in December 2004.

Complete Original Call Don't Click Report (PDF)