I don’t have any info about fraud directly from dealers, you would know this better than I, but there are two BMW models on the HLDI 10 most stolen new car list, the 7 series and the X5. Most people who would be buying a 7 series or an X5 probably should be able to provide two forms of photo ID, like a license and a passport. Many state agencies don’t ever require more data than that, although the new RFID passports are reportedly insecure, and hey, have you seen those new ink-jet printers?

I suspect the IRS has many reasons for tracking high dollar cash sales, but it seems that is much more likely due to people notoriously forgetting to claim cash transactions on their tax returns. The IRS doesn’t care about stopping car theft – they don’t even require a thumbprint to file your taxes. Ahem.

I’m closing comments because I really don’t need any more offers for cheap viagra and it’s killing my blackberry battery. If you have more to say, you can always reach me at the email address you’d expect.

I still don’t feel like I have a clear answer on why or how thumbprinting deters car thieves, but I’ve learned a lot in the last week. Thank you all for the comments and conversation – this has been a much more interesting adventure than I thought I would be having when I walked into a car dealership last week.

evlfred, thanks again for the comments. point taken regarding profit / loss. As for not liking the policy, that’s the exact point I want to make. You can always go elsewhere, but I believe it’s actually important to say no when you don’t like someone’s made-up, non-standard policy.

Here’s a totally straightforward question for you. If a 100% loss on a stolen car comes to $50 per car (the four lost cars number came directly from the dealership in question, the average cost number may be off but with four lost cars it seems like it’s the right ballpark), why wouldn’t a dealer simply add that into the price for all new cars, rather than trying to take fingerprints? That’s usually what a store does when there’s loss: prices go up. Why would you decide to fingerprint all your customers? Where does that even come from? Most customers aren’t going to shop elsewhere to save $50 on a $30K purchase. I wouldn’t, but I was so surprised with the fingerprint demand that I went home and wrote about it. I suppose if you don’t know a dealer’s doing this, you get stuck with the demand at the end of the process and comply, but at least if you know some dealers are doing it, you have the choice to shop around to one that doesn’t.

In terms of keeping things secure, especially in any kind of retail environment I’ve worked in places where I was astonished by the amount of unsecured data, and I’ve worked in places that were unbelieveably careful. Both places would claim to be extremely careful and you can’t tell from the outside what you’re dealing with. UCLA was extremely careful – they had a break-in anyway. I believe completely that your dealership is careful, and I’m sure there are many dealerships that take this very seriously, but after this whole experience I am reminded why it’s important to not offer up information when you’re not legally bound to do so.

I’m glad to hear there’s a lot of concern from the auto sales industry regarding this. When these guys presented me with a photocopied legal-ish document with spelling mistakes, that’s when I started thinking: maybe this company is not as careful as I would like for them to be. And that’s when I walked out, and I’d do it again if the same thing happened tomorrow. If one good thing came out of it, people who’ve read this post will be more aware and careful with how any personal data is used.

I read up on many of the topics you mentioned above while learning about all this. And my conclusion is that when a merchant asks for extra information that isn’t legally required to close the sale, it is because they are trying to protect their own interests, and often at the potential risk of my own interests.

Curious, what do you think about the Dollar-Rent-A-Car results from their similar thumbprint experiment? The company dropped it, because it bothered customers and in the end it didn’t make a difference to their bottom line.

Also, don’t bother trying to get the dealership to return all copies of your information. If they pulled a credit bureau on you they are required by low to maintain that information for at least 24 months. However they are also required to keep it secure with limited access. We are very careful with all information left with us.

Dealerships can only afford to refuse so many sales before it cuts into profits. But when some dealership starts going all homeland security on its customers, there’s just not a good enough deal for me to willingly support that.

I believe that the only reason 5200 people gave their fingerprints to that dealership is because the negotiation process wears the customer down completely – it’s designed to. After you’ve spent so much effort shopping and then haggling, and the dealer sneaks in this policy at the last minute, well – most people feel stuck in the deal. They don’t feel like they can say no, so they don’t. That doesn’t mean it’s a good policy, it just means people don’t feel like they have a choice, and that’s what stinks about it.

Bottom line? To this dealership, my lost sale is the equivalent of 25% of their stated last years’ losses to fraud.

They said one other person walked out because of this policy in the past three months. If they lose one sale over this every three months, they’re exactly break-even with the losses from fraud. Currently, they’re at double that.

Except losing your customers due to your own bad policies, that isn’t covered by insurance.

My 2 cents.

1) Equating an email address to biometric information is a very curious practice. These two bits of information are so vastly different when it comes to actual security calculations (asset value, etc.) , I am truly surprised to see anyone try and make such a point.

2) The issue is not about how nice a dealership might be or how pleasant they are when you are compliant with their demands. It is about how a company manages your sensitive identity information, especially when there is no risk to them if they mishandle the information. No amount of positive relations and perks can change the fact that a company may engage in the type of improper information handling practices linked to identity theft and/or privacy violations. A thorough and independent information security audit would be the correct and fair approach to assessing “goodness” in this scenario. Do they have a privacy policy? Do they follow the policy…etc.

While I agree in principle that a dealer needs to use an identification process to reduce the risk of grand theft, this does not mean they should be free to demand whatever identity information they want without proper safeguards and assurances to the consumer. Yes, I know this is completely counter to the Ashcroft-led movement that says Americans will be free only when everyone has surrendered all of their privacy to loosely regulated private firms like ChoicePoint (who then will sell it to the government(s) and/or use it to “clean” elections):

http://www.privacyclue.com/index.php/20060320/ashcroft-shills-for-choicepoint/
http://www.guardian.co.uk/usa/story/0,12271,949709,00.html
http://www.thenation.com/doc/20040517/palast

Again, Lorna was clearly wise to ask for clarification and then walk away if not satisfied. The trickier question is really how a consumer/citizen can get comfortable with information security practices of companies without some kind of accountable oversight body or independent regulation.