Credit Patrons Unknowingly Help in Stings

When U.S. Secret Service agents set a trap for a young computer operator who had expressed an interest in stealing credit information, they baited it well: with real credit card numbers from real customers.

The young man, Ari Burton of Las Vegas, went for it, was arrested and was charged with possession of stolen credit information--charges to which he ultimately pleaded guilty. That ended the case against Burton, but the cardholders’ information did not stay secret with the Secret Service. Detailed credit histories of 35 Citibank cardholders, none of whom gave their permission for their files to be accessed, ended up with the defendant, his lawyers and anyone else who got a copy of the case file.

Included in it: names, addresses, home phone numbers, Social Security numbers, credit card numbers, available credit lines and outstanding balances--more than enough for anyone to run up huge tabs on unsuspecting customers.

The cardholders were never warned that their information had been used in a sting, or that it had subsequently been shared with the defendant and others. In fact, a few of the cardholders only learned of the disclosure when the defendant’s father wrote asking whether they had authorized the release of the information. Others found out just last week, three years after the information was first released, when contacted by The Times.

Told of their unwitting involvement in a federal sting, many were furious.

“I’m upset, I’m real upset,” said Joe Becker of Costa Mesa. “I want to know how this happened.”

“I never authorized anything like that,” said Sarah DiBoise, who lives in Atherton. “I am certainly bothered by it.”

And Sam Zadeh, who lives in New York, deplored what he called the “bank and law enforcement agency invading our privacy.”

The same revelations that left cardholders smoldering also raised troubling questions about the conduct of the government and of the bank that released private information to the Secret Service. Some of those questions ripple into delicate areas of criminal law--topics such as the right of defendants to evaluate evidence against them and the right of uninvolved citizens to maintain their privacy while federal agents try to corral bad guys.

Why, lawyers, cardholders and others asked, would the Secret Service use real cardholder information for sting operations? And even if, for legal reasons, it feels compelled to use actual credit histories, why not seek permission from cardholders first?

Finally there is this question: How many cardholders nationally are exposed to disclosure of their credit information through government operations? Authorities in some other parts of the country say they do not use real credit information, and Citibank stresses that the Burton case was an aberration. But investigators and prosecutors in Las Vegas said the techniques used to nab Ari Burton are employed in other instances.

In fact, Secret Service agents in Las Vegas say the use of real credit information is forced upon them by federal law requiring authorities to demonstrate that a suspect actually possessed something illegal in order to win in court.

“In something of this nature, the crime is the illegal obtaining of what is called the access device,” said Jerry Wyatt, assistant special agent in charge of the Secret Service office in Las Vegas. “Unless the access device is a real number, it’s just a number.”

Following that theory, some authorities argued that if the Secret Service had supplied Burton with fake credit card information, Burton could not have been found guilty of attempting to steal real credit card histories.

But that reading of the law is hotly contested by experienced lawyers. Although it is a violation of federal law to have unauthorized possession of an access device--another name for a credit card number--it also is against the law to attempt to possess such a device, even if that attempt turns out not to be successful.

Legal experts said agents could make up fictitious customers and generate false credit histories, then use that information in sting operations. Even without a handoff of real credit information, prosecutors still could charge the objects of the stings with attempting to steal credit card numbers, an approach that might slightly complicate criminal cases but that would protect cardholders.

Wyatt said he was not familiar enough with the facts of the Burton case to know why that approach was not adopted. Nor could he say how many cases each year involve the knowing transfer of actual credit information from the government to criminal suspects--only that such cases are not unusual.

At the U.S. attorney’s office in Las Vegas, the chief of that office’s criminal division agreed that other tactics might have minimized the risk to cardholders in the Burton case, but he said the Las Vegas office typically uses real credit card numbers of actual cardholders in luring suspects such as Burton.

“We’re sensitive to disclosing too much personal information,” said John Ham of the U.S. attorney’s office. “But whenever we charge credit card cases, we include names and numbers.”

As for its role, Citibank acknowledged releasing the files to the government but defended its actions by saying it meant no harm and by stressing that its customers’ privacy is its highest priority.

“We would never do anything to jeopardize our customers,” said Maria Mendler, a spokeswoman for the bank, which has a reputation for vigorous protection of its cardholders’ privacy. She acknowledged that real information was supplied in the Burton case, but she said the bank did not intend for that information ever to surface in a court file or otherwise become available to the defendant and others.

In 1993, the bank also defended its actions in a letter to a lawyer by noting that while information had been released, it had not been done to hurt anyone. “We submit that the actions as alleged do not include the requisite element of an intention to do harm to those customers whose information was disclosed,” an associate general counsel for Citibank wrote at the time.

Those explanations hold little sway with Citibank customers, however, many of whom complained that if their personal credit histories were going to be used in a sting operation, they at least deserved to be notified so that they could apply for new card numbers once the operation was over.

Instead, sensitive information about them and their credit has been kicking around a court file for more than three years--available to, among others, Burton, a man who has admitted that he tried to steal credit information. There is no evidence that Burton or anyone else used the card information gathered in that case to ring up bills, but that, too, is little comfort to the cardholders.

“Financial information is private, and I have a right to privacy,” said Becker, one of those whose credit information was used by the Secret Service. “I’m worried about how this information might be used now that it’s out there.”

Experienced defense and civil rights lawyers, who are used to analyzing government conduct and subjecting it to harsh scrutiny, said they were taken aback by the actions of the Secret Service and Citibank in the Burton case.

“I would think these people could sue for invasion of privacy,” Century City defense lawyer Harland W. Braun said of the cardholders.

Paul Hoffman, a Los Angeles civil rights lawyer, said he too was surprised by the use of private information in a sting.

“It does seem amazing to me,” he said. “These people have rights, too.”

Legal experts with both defense and prosecution backgrounds acknowledged that problems might have confronted the Secret Service had it tried to avoid offending customers by fabricating card numbers or inventing fake credit histories. But they said those problems probably could have been overcome, and added that in any event, they did not pose enough of an obstacle to justify accessing credit information without permission.

“The answer to that is you get real people who are willing to have their credit cards used that way,” said Hoffman. “If you’re doing a sting in a house, it doesn’t mean you go into a neighborhood and take a house. Why should this be different?”

Complicating the issue still further is a decision by the prosecutor in the case. Once the Secret Service and Citibank had used real credit histories to bait the trap for the sting, the U.S. attorney in Las Vegas was presented with a case in which the evidence against the defendant involved personal information whose disclosure might harm innocent citizens.

That type of situation can pose a difficult dilemma for a prosecutor: Federal rules require that prosecutors share evidence with their defense counterparts so that defendants know what they might face at trial, and failing to do so can allow suspects to go free. On the other hand, disclosing the information might put other people at risk.

In general, careful prosecutors tend to err on the side of providing information to the defense even if it may create hazards for others.

In the Burton case, however, some experts argue that the privacy rights of the cardholders should have outweighed the defendant’s right to confront the specific identifying information; an edited list of cardholder information should have sufficed in a case such as this one, they said.

The solution, according to those experts, would have been for prosecutors to ask the judge to impose a protective order that would have shielded the personal, private information from either the defense lawyer or from the defendant himself.

But others maintain that Burton’s lawyers were entitled to the information because it was evidence against Burton, and therefore evidence that his lawyers had a right to assess and consider in deciding their legal strategy.

Ham, the chief of the Las Vegas office’s criminal division, echoed that view, saying his office had no choice.

“We have to provide documents that support the charges,” he said. If prosecutors had not done so, he added, a judge undoubtedly would have forced them to. Ham said no protective order was sought to keep the information from being shared with people other than the defense lawyer.

The prosecutor, said noted Los Angeles defense lawyer Donald Re, “probably had the obligation to provide [the material] in discovery.” Re added, however, that a protective order might have been tailored to allow Burton’s lawyers to review the material on the condition that they not share it with anyone else, including their client.

Because there was no such order, Burton effectively received the same information in discovery that he had sought illegally. Within a month of being arrested, the same government that was charging him with a crime provided him with the list of cardholders and their personal information.

“They handed it right back to me,” Burton said in an interview.

At the same time, Re and others stressed that the prosecutor’s decision was a close call and difficult to second-guess. Far more troubling, they said, were the actions that led to it: the bank’s disclosure of the material and the Secret Service’s decision to hand it over to a suspect.

And given the statements by investigators and prosecutors that the techniques used in the Burton case are widely practiced in other investigations, many experts warned that ill-advised government practices may be putting cardholders across the country at risk.

“There are a lot of situations where they create a scenario like this where you want to show actual possession, not just an attempt,” said Re. “But in those situations, you get consent from somebody. You have a security officer who sets up an account, and you use that account number in the sting. Then there’s no harm, no foul.

“But you don’t give out real information,” Re added. “That’s just crazy.”