|
PRIVACY Forum Archive Document
|
PRIVACY Forum Digest Thursday, 15 May 1997 Volume 06 : Issue 06
Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
===== PRIVACY FORUM =====
-------------------------------------------------------------------
The PRIVACY Forum is supported in part by
the ACM (Association for Computing Machinery)
Committee on Computers and Public Policy,
"internetMCI" (a service of the Data Services Division
of MCI Telecommunications Corporation), and Cisco Systems, Inc.
- - -
These organizations do not operate or control the
PRIVACY Forum in any manner, and their support does not
imply agreement on their part with nor responsibility
for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------
CONTENTS
Fingerprints required when cashing checks (Jeremy Grodberg)
Video-Surveillance (Roger Clarke)
DIAC '97 (Susan Evoy)
National ID Card Measure Comes Before Congress (Monty Solomon)
Lexis-Nexis Comments to Federal Trade Commission
(Lauren Weinstein; PRIVACY Forum Moderator)
MC/VISA Comments to Federal Trade Commission
(Lauren Weinstein; PRIVACY Forum Moderator)
*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***
-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.
All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored. Excessive "signatures" on submissions are
subject to editing. Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com". Mailing list problems should be reported to
"list-maint@vortex.com".
All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations.
The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password. The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access. PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system. Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.
All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/". Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------
VOLUME 06, ISSUE 06
Quote for the day:
"I am the law."
-- Judge Dredd (Sylvester Stallone)
"Judge Dredd" (Cinergi; 1995)
----------------------------------------------------------------------
Date: Sat, 19 Apr 1997 21:54:30 -0700 (PDT)
From: jgro@netcom.com (Jeremy Grodberg)
Subject: Fingerprints required when cashing checks
While visiting my bank (Bank of America) I picked up a flyer titled "A
New Program Designed to Fight Check Fraud." The new program? If you
don't have an account with BofA, when you cash a check at BofA, you have to
put your fingerprint on the check. The flyer claims this program has
been endorsed by the "California Bankers Association" and says
"Similar programs at several banks in other states have proved
effective (at preventing check fraud)."
They minimize privacy concerns by saying that "the bank will not
maintain files of the prints nor will the prints be accessible to any
other company or agency unless the check proves to be fraudulent."
Of course that is not true, the prints will be accessible to whoever
wrote the check, presuming that they receive their canceled checks.
Their ultimate recommendation to solve the privacy problem is to open
an account with the BofA, then "this new check cashing procedure would
not apply to you." That's what they said when people complained about
ATM access fees for non-depositors.
I'm not happy with this further encroachment on our privacy, but I
doubt there is anything I can do about it. Anyone know the law
regarding banks cashing checks drawn on their accounts? I'd think
requiring fingerprints could be deemed an excessive burden, but what
do I know?
--
Jeremy Grodberg
jgro@netcom.com
[ I get quite a few queries on this topic. People tend to
have a gut feeling that there is something "special" about
fingerprints--probably because of their common usage in
criminal investigations and identifications. But in
reality, except in the few cases where specific laws say
otherwise, they are basically just another of the many
"biometric" identifiers that we will be seeing used in
great numbers. There's nothing in most cases that I know
of preventing their storage, exchange, and sale through
private databases and their use in a wide variety of
commercial applications, including banking. They are just
another of the many "information commodities" that are
largely unregulated.
-- MODERATOR ]
------------------------------
Date: Thu, 10 Apr 1997 11:19:14 +1000
From: Roger Clarke <Roger.Clarke@anu.edu.au>
Subject: Video-Surveillance
There are a few studies of the privacy aspects of video-surveillance
around. Tim Dixon's document on workplace surveillance for the N.S.W.
Privacy Committee a couple of years ago is the most valuable one that I
know ('Invisible Eyes', Report No. 76 of September 1995), C'tee page at:
http://www.attgendept.nsw.gov.au/privacy.html
and Simon Davies has done several papers and chapters too. Unfortunately,
I don't think that any of those sources are up on the web.
David Brin (of sci-fi fame, especially 'Earth'), has the theory that
ubiquitous video-surveillance is inevitable. He argues that the best
strategy is to subvert it, in particular by making the feeds from all
cameras publicly available in real time, and making sure that police
headquarters (and suchlike locations) have cameras as well as
display-screens.
Here's a news story from down under that tests David's theory.
On 7-8 April 1997, videos were shown on Australian TV News of action
outside a nightclub in Ipswich (west of Brisbane, Queensland), on 22 March.
Policemen are seen forcibly arresting several aboriginals. This was
definitely not of Rodney King proportions, but (even allowing for the
mediocre quality of video-surveillance images), it's pretty clear that
undue force was used. One, quite small woman (who didn't appear to be
resisting arrest) was gripped in a reverse headlock, and flung violently
backwards to the ground; and a male is reported to have suffered what
appeared to have been a fit, and required ambulance attention.
The aboriginals were stated to have undertaken "a series of attacks"
(unquote the Queensland Police Commissioner) on USAF personnel who were
located in the area as part of a joint military exercise.
The persons involved in the action were four policemen and a private
security guard, plus two US servicemen in uniform who appeared (to my
no-longer-trained eye) as if they may have been military police.
Ipswich is the home town of a particularly high-profile and rather racist
member of parliament, and this was already enough to guarantee that the
clips would be newsworthy (her seat is called Oxley, and a local paper has
dubbed her 'the Oxley moron'). The involvement of (a) persons in military
uniform, (b) persons in a foreign military uniform, and (c) of all things
American military uniform, on Australian soil, made it a verrrrry
newsworthy event.
Anyway, the poignant thing was that "the tape was recorded under an
anti-crime program operated by the local council [lowest tier of
government, cf. a U.S. County] and was handed to police" (Sydney Morning
Herald, 8 April). Not quite real-time; but not ancient history either ...
[I haven't yet seen reported how the tape came into the hands of the media
- - but I'll bet that even the Queensland Police weren't stupid enough to
'feed the chooks', which is how a past-Premier of that State used to depict
the provision of information to the media].
Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/
http://www.etc.com.au/Xamax/
Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 6 288 1472, and 288 6916 mailto:Roger.Clarke@anu.edu.au
Visiting Fellow, Faculty of Engineering and Information Technology
The Australian National University Canberra ACT 0200 AUSTRALIA
Information Sciences Building Room 211 Tel: +61 6 249 3666
------------------------------
Date: Fri, 2 May 1997 23:28:10 -0700
From: Susan Evoy <sevoy@Sunnyside.COM>
Subject: DIAC '97
Community Needs and Cyber Challenges:
Activists Explore Connection in Seattle
Proceedings available NOW from CPSR!!
Add to the Resource Bank at
http://www.scn.org/tech/diac-97/resources.html
Earlier this year -- while a typical Seattle rainstorm raged -- nearly
400 computer professionals, librarians, journalists, government
officials, business people, and community activists gathered face-to-
face to consider an increasingly tempestuous issue: How do
cyberspace events, policies, and use affect what happens in the
communities in which people live?
Cyberspace with its vast physical, financial, as well as emotional
investment, represents a techno-social tidal wave of historic
momentum. How much of what we hear is realistic? How much is
hype? What opportunities -- and what challenges -- does the
medium offer? And, most especially, how does it affect community,
what Matthew Dumont has called the "gossamer network of
mutual responsibilities."
The Computer Professionals for Social Responsibility "Community
Space and Cyberspace: What's the Connection" conference asked a
multitude of pointed questions like "What is work in cyberspace?
How can we build up -- or tear down -- our existing non-electronic
civic networks? Is cyberspace an agora for rich and informed
dialogue or is it an infinite echo chamber for monologists?
CPSR has gathered papers from the panelists and workshop
conveners into a trenchant collection of critical ideas as well as
pragmatic projects to help carry on the important work of inventing
an informed and humanistic future.
Please check out web site to add your information as well as search
the conference's on-line resource bank. We encourage everybody --
whether you attended the conference or not -- to read the
proceedings, contribute to the resource bank, and follow up on any
of these ideas in your communities.
Conference web pages: http://www.scn.org/tech/diac-97
Add information to resource bank:
http://www.scn.org/tech/diac-97/resources.html
Search the resource bank: Available SOON! Watch for this!
To order the DIAC '97 Proceedings for $18 (including postage), send check,
VISA, or Mastercard information to:
CPSR, PO Box 717, Palo Alto, CA 94302 USA
415-322-3778 415-322-4748 (fax)
> --
> Susan Evoy * Deputy Director
> http://www.cpsr.org/home.html
> Computer Professionals for Social Responsibility
> P.O. Box 717 * Palo Alto * CA * 94302
> Phone: (415) 322-3778 * Fax: (415) 322-4748 * Email: evoy@cpsr.org
------------------------------
Date: Wed, 14 May 1997 22:15:42 -0400
From: Monty Solomon <monty@roscom.COM>
Subject: National ID Card Measure Comes Before Congress
Excerpt from ACLU News 05-13-97
National ID Card Measure Comes Before Congress;
ACLU Urges Committee to Stop Big Brother
FOR IMMEDIATE RELEASE
Tuesday, May 13, 1997
WASHINGTON -- The American Civil Liberties Union said today that a bill
introduced by Rep. Bill McCollum, Republican of Florida, would turn social
security cards into defacto national identification cards.
The House Subcommittee on Immigration is scheduled to hold hearings today on
McCollum's H.R. 231, which would require the Social Security Administration
to "harden" social security cards to make them "as secure against fraudulent
use as a U.S. passport."
"Other than turning the card into an identification document, there is no
reason to make the card like a U.S. passport," said ACLU Legislative Counsel
Gregory T. Nojeim.
"This bill means that Big Brother is knocking on our nation's door," Nojeim
added. "Our only hope is that Congress won't let him in."
A similar proposal was rejected when offered as an amendment to the
immigration bill Congress enacted last year. That amendment failed on a vote
of 191-221 when the then-Commissioner of Social Security, Shirley S. Chater
pointed out that the SSA would have to put photographs on Social Security
cards to comply with the amendment. Doing so would effectively turn the
Social Security Card into a photo-identification document similar to the U.S.
passport, Chater said in a March 19, 1996 letter to Congress.
The ACLU said that once "hardened," there would be no limit to the purposes
for which the government and businesses would demand to see the ID card. "The
card would be demanded when you apply for a job, seek federal or state
benefits, board an airplane, check into a hotel, cash a check, purchase a gun
or ammunition, or open a bank account, and it would facilitate governmental
monitoring and control of these and dozens of other every-day transactions,"
Nojeim said.
The proposal is based on the hope that a Social Security Card that identifies
the holder could not be used for employment purposes by aliens who do not
have work authorization. "The National ID Card will not solve the problem of
undocumented workers," Nojeim added.
"The same employers who ignore the law today and illegally hire undocumented
workers at substandard wages without checking their immigration status will
continue to do so regardless of whether the government imposes a National
I.D. Card," he said. "And the same people who produce fraudulent I.D.'s
today would produce fraudulent National I.D.'s tomorrow."
"Worse still," Nojeim said, "The National I.D. proposal further entrenches
employer sanctions the cause of immigration-related employment
discrimination," Nojeim said, referring to a 1990 report by the General
Accounting Office that documented a "serious pattern of discrimination"
resulting from employer sanctions.
------------------------------
Date: Thu, 15 May 97 15:08 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Lexis-Nexis Comments to Federal Trade Commission
Greetings. Though it is a bit lengthy, I've included below the text of
comments that Steven Emmert of Lexis-Nexis filed in the ongoing FTC review of
databases and privacy issues. It makes for interesting reading. It's also
illuminating in this context to review earlier PRIVACY Forum materials on
this subject, including my "PRIVACY Forum Radio" interview with Mr. Emmert
from last year, which remains available via http://www.vortex.com (along
with all other PRIVACY Forum materials).
--Lauren--
-------------------------------------------
Before the
Federal Trade Commission
Washington, D.C. 20580
COMMENTS OF LEXIS-NEXIS
PUBLIC WORKSHOP ON CONSUMER INFORMATION PRIVACY:
DATA BASE STUDY--COMMENT, P974806
&
CONSUMER PRIVACY 1997--COMMENT, P954807 Steven Emmert, Corporate
Counsel
LEXIS-NEXIS
9443 Springboro Pike
Miamisburg, OH 45342
(937) 865-1472
Ronald L. Plesser
Emilio W. Cividanes
James J. Halpert
Piper & Marbury L.L.P.
1200 Nineteenth, St. N.W.
Washington, D.C. 20036
(202) 861-3900
Of Counsel
Date: April 15, 1997
Introduction
LEXIS-NEXIS is pleased to respond to the Commission's Notice
Requesting Public Comment and Announcing Public Workshop, 62 Fed. Reg.
10271 (released March 6, 1997). LEXIS-NEXIS is a world leader in
providing enhanced information services, online services, and
management tools. We are the leading data base company for
professionals, with a wide variety of products and services that help
legal, business and government professionals collect, manage and use
information more productively.
Among LEXIS-NEXIS' many data bases are a wide variety of news article
files, public record files, and two person locator files that contain
identifying information about individuals. As discussed in our
response to Question 1.9, these data bases are used for a wide range
of productive and socially beneficial uses.
The Commission's questions fail to differentiate between these very
different types of data bases. As a preliminary matter, we emphasize
that there are fundamental legal distinctions between these data base
libraries, even though some files in each of these libraries afford
the ability to find identifying information about individuals.
LEXIS-NEXIS news libraries contain press articles. The public records
data bases contain reproductions of federal, state and local
government records. Content-based restrictions on access to or use of
this information are subject to First Amendment protection.
One of LEXIS-NEXIS' two person locator services, P-FIND, is based upon
a combination of public records and telephone white pages information,
which as such individuals have consented to place in the public
domain. Finally, LEXIS-NEXIS' other person locator data base, P-TRAK,
contains a truncated version of credit header information, which the
Commission agreed to permit credit reporting agencies to sell pursuant
to a 1993 amendment to the consent decree in FTC v. TRW, 784 F. Supp.
361 (N.D. Tex. 1991). With the exception of our news files, this is
the only LEXIS-NEXIS data base containing individual identifying
information that is not based in whole or in part on public records or
press reports.
Furthermore, none of the data displayed in LEXIS-NEXIS data bases in
the context of our services should be considered "sensitive" within
the meaning of the introduction in the Commission's Notice regarding
the Workshop. See 62 Fed. Reg. 10271, 10272. Most of the information
originates from public records that may be freely obtained in
government offices. Other information is substantially similar to
information contained in current and former telephone white pages
directories on file in many public libraries. The additional
information in the P-TRAK data base, which comes from credit header
information, is restricted so as not to display social security number
or the individual's actual date of birth. Moreover, to the best of our
knowledge the P-TRAK and P-FIND data bases do not contain information
regarding persons identified as being under age 18.
WORKSHOP I
Information Collection and Use
1.2 What information is contained in the data bases? Please provide
specific examples.
1.3 What is the source of the information in the data bases?
LEXIS-NEXIS has two person locator data bases, P-TRAK and P-FIND, as
well as a variety of public records data bases and news article data
bases, some of which contain identifying information that relates to
individuals.
P-TRAK and P-FIND are enhanced electronic white page-type directories.
P-TRAK files contain an individual's name and address, and may contain
up to two prior addresses, year and month of birth, a local phone
number (without area code), and other names used by the individual,
such as a maiden name. In addition, for a substantial majority of
records, searches may be conducted using a social security number,
although social security numbers are never displayed. Even if a search
is conducted using the individual's social security number, that
number is not displayed. The source of the information in P-TRAK is
credit header information.
P-FIND files contain an individual's name, address, telephone number,
the year the individual was first listed in the telephone book at the
present address, census data on the median home value of the census
tract in which the individual lives, an evaluation of the probability
that the individual is a homeowner, and the names of other adults
believed to reside at the listed address. The month and year of birth
of the individual and other adults living at the same address may also
be included in the files. P-FIND files are provided to LEXIS-NEXIS by
a third party, and are compiled from telephone white pages
information, aggregate census tract data, and public record sources.
In addition, LEXIS-NEXIS' public records data bases, available
separately on our system, include a variety of information made
available to the public by federal, state and local governments, such
as professional license records, civil and criminal court records,
real property records, bankruptcy and lien records, records of
incorporation, vehicle and boat registration records, and Federal
Election Commission filings. Most public record information is
obtained by LEXIS-NEXIS directly from the government custodian of the
records.
LEXIS-NEXIS news data bases also contain articles with a variety of
identifying information about individuals.
1.7 Who has access to the information in the data bases?
Only LEXIS-NEXIS subscribers with a valid contract with LEXIS-NEXIS,
proprietary software from our company, and a confidential subscriber
identification number have access to the information in P-TRAK.
Subscribers under deeply discounted pricing plans, such as law
schools, do not receive access to the information in P-TRAK, P-FIND
and the ASSETS real estate public records data base.
1.9 What are the uses of the information in the data bases? Are there
beneficial uses of the information in these data bases? If so, please
describe. Are there risks associated with the compilation, sale, and
use of this information? If so, please describe.
A. Benefits
LEXIS-NEXIS' person locator and public records data bases serve a
variety of important, socially productive functions, a few of which
are discussed as part of this answer. We emphasize that the public
records data bases in many cases advance the important First Amendment
function of permitting citizens to obtain information about the
operations of their government. In addition, the public records data
bases typically advance the purpose for which the government in
question has placed them in the public domain. For example, online
availability of land records and lien records makes it easier and
faster to verify title as part of the purchase of a new home.
A few beneficial uses are discussed below in greater detail.
LEXIS-NEXIS would be happy to assist the Commission in locating users
of our services who would testify as witnesses at the Workshop
addressing the beneficial uses of the person locator and public record
data bases.
1. Child Support Enforcement
LEXIS-NEXIS' person locator and public records data bases are very
helpful in tracking down the hardest-to-find "deadbeat parents" who
have refused to pay child support. In this way, these services can
advance personal responsibility, give much-needed income to divorced
parents and their children, help to free families from welfare
dependency, and provide a source of additional revenue and a reduction
in expenses for state welfare programs.
For example, when a non-custodial parent leaves a state's
jurisdiction, the custodial parent usually bears sole responsibility
for collecting court-ordered child support. By using P-TRAK to search
on the ex-spouse's social security number, a lawyer for the custodial
parent or a government employee charged with child support enforcement
can locate the non-custodial parent quickly, even though he or she may
be actively disguising his or her identity.
For governments, locator services are likely to play an important role
in making welfare reform a success at a time of tightening state
budgets. Congress recognized the importance of locator data bases in
enacting the 1996 Welfare Reform Act, which expands use of the Federal
Parent Locator Service to enforce child support orders and directs the
states to establish state data bases. Commercial locator services can
play an important role in supplementing and filling gaps in this
important federal data base, as well as in furnishing information for
the state locator data bases.
2. Uniting Separated Families
P-TRAK, P-FIND and similar commercial locator data bases permit law
enforcement personnel, lawyers for parents or children, and advocates
for children to reunite family members. For example, customers have
informed us of cases where they have used P-TRAK to reunite brothers
who were separated for 17 years, and public records data bases to help
a state agency locate a 10-year-old child's aunt who at his request
adopted him, avoiding the need to place him in foster care.
3. Locating Heirs To Estates
Social security numbers are often included in wills to offer
assistance in locating beneficiaries. Commercial locator services
offer a cost-effective means for the estate's attorney/executor to
locate the heirs even if decades have transpired since the will's
execution, heirs and witnesses have relocated or married and changed
their names, etc. In one case,
P-TRAK was used to help locate a destitute Montana farmer who received
a $4 million inheritance.
4. Pension Fund Beneficiaries
Pensions provide important supplemental income that permits millions
of elderly Americans to continue to live a comfortable existence after
retirement. Yet every year, thousands of pension fund beneficiaries
are unable to receive pensions owed to them because the trustee or
administrator of the fund is unable to locate them. Commercial locator
data bases, such as P-TRAK and P-FIND, are used to help solve this
problem by providing an effective and simple way for the trustee or
administrator -- who has the Social Security Number of the former
employee on tax records, even though decades may have passed since the
beneficiary left the company -- to make sure that beneficiaries
receive pension money owed to them. Indeed, federal law requires the
administrators of certain plans to use commercial locator services to
search for missing plan participants. See 29 C.F.R. ' 4050.4(B)(3)
(July 1, 1996).
5. Locating Trial Witnesses, and Aiding Investigations and Criminal
Prosecutions
Another significant use of P-TRAK and P-FIND is to help locate
uninsured motorists, eyewitnesses to accidents, and other witnesses
for civil litigation. For example, personal injury cases often take
years to go to trial because they are usually filed one or more years
after the accident, delayed in the judicial process, and compete for
time on crowded judicial dockets. This means that in many cases
attorneys have an "old" address for a witness. By using P-TRAK to
search by name and prior address, these witnesses can be found years
after the accident.
P-TRAK and P-FIND provide important tools to law enforcement officials
for criminal investigations and prosecutions because they are ideally
suited for tracking witnesses and investigative targets efficiently.
Up-to-date information from these services has permitted law
enforcement officials to locate and arrest significant numbers of
hard-to-find criminals who often move and assume different names in
efforts to evade capture. The services have likewise assisted law
enforcement in locating witnesses to crimes, in advancing criminal
investigations and in trial preparation. In addition, LEXIS-NEXIS'
public records products are used by law enforcement to track
criminals' commercial activities, such as land purchases,
incorporation of corporate "front companies," and to learn of
criminals' assets in preparation for criminal prosecutions or civil
forfeiture actions.
LEXIS-NEXIS' public record products have a variety of uses in civil
litigation, including negotiating more equitable settlements (in light
of prior verdicts in a jurisdiction), identifying real parties in
interest in a dispute, ascertaining bias of witnesses who have a
financial interest in a litigation, assessing business assets and
liabilities, and assisting in service of process on corporations.
6. Tracing the Influence of Money in Politics
Public record products perform an important function in advancing the
transparency of government operations. A leading example is
LEXIS-NEXIS' data base of FEC filings, which affords the press and
government watchdog groups, including Common Cause, as well as
political parties themselves, easy access and flexible search capacity
to review records of federal political campaign contributions. The
data base has also been used in political corruption investigations.
Moreover, both the Democratic National Committee and Republic National
Committee use LEXIS-NEXIS press articles and our public records data
bases as a cost-effective way to run checks on political contributors.
Indeed, the DNC recently resumed use of these data bases for this
purpose.
B. Risks
While LEXIS-NEXIS knows of many beneficial uses of its data bases
containing individual identifying information, it is not aware of any
instance of improper use of its data bases containing personal
identifying information that raises privacy concerns. For reasons
explained in the answers to Questions 1.10, 1.11 and 1.12 below,
LEXIS-NEXIS does not believe that there are any appreciable risks
associated with use of these data bases in light of the information
contained in the data bases and LEXIS-NEXIS' policies governing the
data bases.
1.10 Do these data bases create an undue potential for theft of
consumers' credit identities? How is such potential for theft
created? Please provide specific examples. What is the extent to
which these data bases (as opposed to other means) contribute to
consumer identity theft? Is this likely to change in the future? If
so, please describe.
While LEXIS-NEXIS cannot speak to all data bases containing personal
identifying information, we believe that our own data bases do not
pose an appreciable risk of identity fraud. LEXIS-NEXIS is aware of no
instance in which any of these data bases has been used to commit
identity theft. Conversely, we are aware of a number of instances in
which our data bases have been used in uncovering identity fraud and
tracking white collar criminals.
Indeed, to date no evidence has been presented of actual use of an
online data base in perpetration of identity fraud. Significantly, the
Federal Reserve Board ("the Fed") recently examined whether data bases
containing sensitive personal identifying information pose a risk of
fraud to federally insured banking institutions. In the course of this
study, the Fed examined the relationship between data bases containing
sensitive information and the problem of identity fraud. It actively
solicited evidence of identity fraud stemming from use of these data
bases, and received comments from over one hundred commenters, among
them consumer advocates, state consumer protection agencies, credit
card companies, and banks and credit unions. Not one commenter offered
any specific evidence of use of such a data base for identity fraud.
Accordingly, the Fed, while expressing concern about identity fraud,
found that "There is little 'hard' evidence on how fraud due to the
usage of sensitive information occurs, the frequency with which it
occurs, or the amount of associated losses." Board of Governors of the
Federal Reserve System, Report to the Congress Concerning the
Availability of Consumer Identifying Information and Financial Fraud,
at 21 (March, 1997).
In contrast, the Fed Report strongly suggested that illegal means of
acquiring information to commit identity fraud are the real problem.
The Report noted that "unlawful access to sensitive information may
often be the precursor to this type of fraud." It also added that "The
number of ways in which a person can illegally obtain information that
will enable fraud to be committed is virtually limitless." Id. at 18 &
n.14.
Based upon our knowledge of the subject to date, most credit fraud is
perpetrated by obtaining unauthorized access to below-the-line credit
report information, by stealing credit card numbers, or by
intercepting a credit card application, then filling out the
application in the name of the person to whom the application was
addressed.(1)
P-TRAK is of virtually no use for any of these approaches because it
contains no financial information, does not reveal a social security
number to someone who searches on an individual's name, address, etc.,
and does not reveal an individual's date of birth. LEXIS-NEXIS has
decided not to display individuals' social security numbers ("SSNs"),
while permitting searches by social security number by users who
already know the SSN of the individual they are looking for.(2)
Moreover, P-TRAK does not contain individuals' actual birth dates --
only their month and year of birth. The policy of not displaying SSNs,
the limited content in the data base, the product's per-search cost,
and its limited availability make such abuse highly unlikely.
P-FIND simply furnishes telephone white pages information, plus some
aggregate data on the individual's neighborhood and the likelihood
that the individual is a homeowner, and possibly the individual's
month and year of birth. This limited information can be obtained
through other means -- for example, by examining a telephone directory
and one or two public records on file with government agencies or
posted on the Internet. Far more detailed, highly sensitive
information can be obtained through either authorized or unauthorized
access to the same individual's credit report.
Far from presenting a risk of crime, P-TRAK, P-FIND and LEXIS-NEXIS'
public records data bases are used to prevent and to track crime by
law enforcement agencies. In fact, P-TRAK has been used to prevent
fraud -- both in finding white collar criminals and in revealing that
someone else is using an individual's social security number or other
identifying information. For example, by searching on their social
security number using P-TRAK, identity fraud victims have discovered
that another person has obtained credit at a different address using
their name and social security number.
P-TRAK has been the subject of distorted rumors that emerged on the
Internet in September 1996 alleging that it displays information --
including mother's maiden name, social security number, credit card
and bank account numbers -- useful for perpetrating identity fraud. In
reality, P-TRAK displays none of this information.
LEXIS-NEXIS would be happy to assist the Commission in locating a
witness with law enforcement expertise who is familiar with problem of
identity fraud and with the sorts of data bases that are the subject
of this Notice and Workshop I.
1.11 How do the risks of the collection, compilation, sale, and use of
this information compare with the benefits?
The concrete, demonstrable benefits of the sale and use of the
information in LEXIS-NEXIS data bases discussed in response to
Question 1.9 far outweigh the largely theoretical risks associated
with the sale and use of this information discussed in response to
Question 1.10.
Indeed, eliminating availability of information such as prior
addresses or social security number search functions from these data
bases would likely leave consumers more, rather than less exposed, to
white collar criminal activity. It would deprive law enforcement of a
significant tool to fight such fraud, and would make it more difficult
to uncover such fraud and to prosecute civil enforcement actions
against such criminals because of difficulty finding the defendants,
their assets, and witnesses to their crimes.
1.12 Are there means that are currently available to address the
risks, if any, posed by these data bases? If so, please describe.
On its own initiative -- months before P-TRAK became the subject of
false Internet rumors -- LEXIS-NEXIS worked with its data supplier to
adopt several measures which further reduce the remote risk that the
product would be used for an improper purpose. As noted in response to
Question 1.10, the product does not display individuals' dates of
birth or social security numbers. In addition, upon written or
electronic request of an individual, LEXIS-NEXIS will remove from
P-TRAK any record of the individual that matches or corresponds to the
request. Finally, LEXIS-NEXIS works with its data suppliers to remove
the records of all individuals identifiable as minors from the P-TRAK
and P-FIND data bases.(3)
1.17 How should the benefits of the collection, compilation, sale, and
use of information from these data bases be balanced against privacy
or other legal interests implicated by such practices? Are there
other ways to obtain these benefits without implicating privacy or
other legal interests? If so, please describe.
The benefits of sale and use of information from these data bases can
be balanced against corresponding privacy interests through
responsible industry action. LEXIS-NEXIS actively embraces policies
that it believes strike the proper balance between these interests:
Delivering the vast majority of its services via a proprietary online
data base with safeguards to protect against unauthorized access
No display of social security numbers or dates of birth in its P-TRAK
data base
No display of information about persons identified as minors in
locator service documents
No display of personal medical information(4) or "below-the-line"
credit report information
In response to an individual's request, LEXIS-NEXIS will remove from
the P-TRAK data base any record that matches or corresponds to the
individual's request.
Strict security measures to maintain the integrity of the data bases
A good example of such balance is LEXIS-NEXIS' policy of offering
users who already know a social security number the ability to search
by that number, but never displaying a social security number on the
P-TRAK data base. This search capability is of enormous importance to
the effectiveness of P-TRAK, as well as to the social benefits that
flow from use of the product. Social security number searches play an
invaluable role in helping to locate individuals such as child support
obligors, heirs to wills, pension fund beneficiaries, and missing
children -- whose social security numbers are often known by the
person seeking them. By affording SSN search capability, but not SSN
display, P-TRAK offers substantial protection of individual privacy
interests without sacrificing the important benefits that flow from
the product.
LEXIS-NEXIS has taken a leadership role in the data base industry in
developing such a balance. Our industry is working presently to
achieve broader industry consensus on responsible industry action.
Self-Regulation
1.27 Have data base operators undertaken self-regulatory efforts to
address concerns raised by the collection, compilation, sale, and use
of sensitive consumer identifying information?
LEXIS-NEXIS has adopted internal privacy policies discussed in
response to Question 1.17, and is in the final stages of codifying
these policies in information guidelines.
Furthermore, LEXIS-NEXIS is working with other data base companies and
with industry associations to explore ideas for self-regulation.
LEXIS-NEXIS hopes that these discussions will prove fruitful.
WORKSHOP III
3.12 What steps have children's commercial Web site operators taken
since June 1996 to address children's online privacy issues? To what
extent have they adopted the principles outlined in the following
documents submitted at the June 1996 Workshop: (1) the Joint
Statement on Children's Marketing Issues presented by the Direct
Marketing Association and Interactive Services Association; (2)
Self-Regulation Proposal for the Children's Internet Industry
presented by Ingenius, Yahoo and Internet Profiles Corporation; and
(3) Proposed Guidelines presented by the Center for Media Education
and Consumer Federation of America?
LEXIS-NEXIS has voluntarily worked with its data supplier to remove
records of all persons identified as minors from the P-TRAK data base.
1. See, e.g., In the Matter of Consumer Identity Fraud Meeting at 12,
20-21, 21-22, 47-48 (August 20, 1996) (testimony before the Commission
discussing the ease with which identity fraud may be committed through
obtaining an individual's credit report through an auto dealership,
stealing a credit card and filing a fraudulent credit card change of
address request, and through intercepting pre-approved credit card
applications).
2. P-TRAK displayed SSNs for the first ten days the product was
available, from June 1 until June 10, 1996. Thereafter, P-TRAK has not
displayed SSNs.
3. A small number of older minors may have credit accounts, and would
therefore otherwise have identifying information entered in the P-TRAK
data base but for these measures.
4. Personal medical information is on occasion published in press
reports and judicial decisions. However, LEXIS-NEXIS does not
distribute any confidential medical information.
------------------------------
Date: Thu, 15 May 97 15:08 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: MC/VISA Comments to Federal Trade Commission
Included below is another comment text from the FTC database/privacy
proceedings, this one from MasterCard International Inc. and VISA U.S.A. Inc.
--Lauren--
-------------------------------------------
April 15, 1997
Writer's Direct Dial Number
(202) 887-1566
By Hand Delivery
Secretary
Federal Trade Commission
Room H-159
Sixth Street & Pennsylvania Avenue, N.W.
Washington, D.C. 20580
Re: Data Base Study -- Comment, P974806
Dear Mr. Secretary:
This comment letter is submitted on behalf of MasterCard International
Incorporated ("MasterCard")(1) and VISA U.S.A. Inc. ("VISA")(2) in
response to the proposed Federal Trade Commission ("FTC") study of
computerized data bases containing sensitive consumer identifying
information ("FTC Study"). VISA and MasterCard thank the FTC for the
opportunity to comment on the FTC Study.
Genesis of the FTC Study
The genesis of the FTC Study was a letter to the FTC from Senator
Bryan, Senator Hollings, and then-Senator Pressler, which requested
the FTC to conduct a study of "possible violations of consumer privacy
rights by companies that operate computer data bases."(3)
More specifically, the letter requested that the FTC investigate the
"compilation, sale, and usage of electronically transmitted data bases
that include identifiable personal information of private citizens
without their knowledge."(4)
The Senators' request arose in the context of the public focus on the
LEXIS "P-Trak" "look-up" service, which was spawned by a spate of
Internet messages and national news media stories about the types of
consumer information that were then available on the P-Trak service.
In addition to giving rise to the request for the FTC Study, the
public focus also caused LEXIS to limit the types of consumer
information available through P-Trak.
Congress, as a whole, responded to the P-Trak issue by including a
provision in the Economic Growth and Regulatory Paperwork Reduction
Act of 1996 that directed the Federal Reserve Board ("FRB"), in
consultation with the FTC and other federal banking agencies, to
conduct a study assessing the undue potential for fraud and risk of
loss to insured depository institutions from the activities of
companies engaged in the business of making "sensitive consumer
identification information" available to the general public ("FRB
Study").(5)
Under this provision, "sensitive consumer identification information"
included social security numbers, mothers' maiden names, prior
addresses, and dates of birth. Importantly, in enacting this
provision, Congress exempted from the FRB Study entities that are
subject to the Fair Credit Reporting Act ("FCRA")(6) as consumer
reporting agencies.
Scope and Purpose of the FTC Study
The Supplementary Information to the FTC Study states that the FTC
Study will include consideration of the collection, compilation, sale
and use of computerized data bases that contain what consumers may
perceive to be sensitive identifying information.(7)
Given the context in which the Senators' request for the FTC Study
arose -- as well as the clear statement of Congressional intent
embodied in the limitation of the scope and purpose of the FRB
Study -- it is appropriate that the FTC has limited the study to
so-called "look-up services." In order to maximize public benefit and
efficiency, we urge that the focus of the FTC Study be further
narrowed to specifically assess whether there are companies that
disseminate sensitive consumer identifying information in a manner
that could create opportunities for fraud. It is the use of such
information for fraud purposes that raises the greatest concern and,
as a result, was the focus of Congressional legislative action.
Activities that may involve consumer information but do not give rise
to fraud risks should be excluded from the scope of the FTC Study. For
example, the FTC Study should explicitly exclude companies using
consumer identifying information to communicate data between one
another, such as those in which entities within a corporate family use
consumer identifying information to share information on their
customers. This approach is consistent with the Supplementary
Information which indicates that the FTC Study will not address data
bases used primarily for direct marketing purposes, medical and
student records, or the use of consumer credit reports for employment
purposes.(8)
It is also appropriate because Congress recently addressed affiliate
sharing of information in the same legislation that requested the FRB
Study.
Definition of Sensitive Consumer Identifying Information
The Supplementary Information to the FTC Study states that sensitive
consumer identifying information may include some or all of the
following: social security numbers, mothers' maiden names, prior
addresses, and dates of birth.(9)
For purposes of the FTC Study, VISA and MasterCard believe that this
definition of sensitive consumer identifying information is
appropriate and need not be expanded. In this regard, it is our
understanding that financial institutions principally rely on social
security numbers, dates of birth, mothers' maiden names and prior
addresses when ascertaining and verifying the identity of consumers or
providing consumers with access to their records.
The FTC also requested comment on information that might be used in
the future to identify consumers. MasterCard and VISA urge the FTC to
adopt a definition of sensitive consumer identifying information that
is based on current practices and not on predictions of future
practices. New consumer identification methods such as those utilizing
finger minutiae, voice analysis, iris scan and other biometric systems
are in various stages of development, testing and evaluation by
financial institutions and other private and public organizations.
While it is expected that one or more of these new technologies may be
used in the future to further refine consumer identification
procedures, these technologies are not yet commonly used. VISA and
MasterCard caution that if the FTC Study or its related
recommendations are overly broad, they could have a counterproductive,
chilling effect on the development of these or other consumer
identification technologies that might otherwise enhance risk
management and financial privacy in the future.
Dissemination of Sensitive Consumer Identifying Information
MasterCard and VISA have long been concerned about, and have worked
diligently to address, the risks presented by credit card fraud and
similar types of financial fraud. In our experience, where consumer
information has been used to commit financial fraud, the information
is generally obtained illegally -- by stealing U.S. Mail or a wallet
or purse, improperly removing information from consumer files and,
more recently, through illegal access to computer files. Additional
restrictions on the flow of information would be unlikely to address
these issues. Much greater benefits would be derived from increased
resources for law enforcement in this area.
Structure of the Public Workshop
Finally, MasterCard and VISA commend the FTC for separately addressing
issues associated with computerized data bases containing sensitive
consumer identifying information from issues associated with consumer
online privacy and the Bureau of Consumer Protection's June 1996
Public Workshop on Consumer Privacy on the Global Information
Infrastructure. In particular, we support the FTC's proposed structure
for the Public Workshop, in which Session One addresses computerized
data bases and Sessions Two and Three address consumer online privacy
issues. Such a structure more efficiently facilitates substantive
discussion of these important topics. We urge the FTC to continue
addressing these issues separately.
* * * * *
Once again, VISA and MasterCard appreciate the opportunity to comment
on the FTC Study, and we hope that these comments are helpful. If you
have any questions concerning these comments, or if we can otherwise
be of assistance in connection with this matter, please do not
hesitate to contact me at the number indicated above, Michael F.
McEneney, at (202) 887-1568, or Clarke D. Camper, at (202) 887-8793.
Sincerely yours,
L. Richard Fischer
Enclosure: Comment Letter in the Microsoft Word 6.0 format on 3 1/2
inch diskette
cc:
Russell W. Schrader, VISA U.S.A. Inc.
Miriam L. Wahrman, MasterCard International Incorporated
Michael F. McEneney
Clarke D. Camper
_______________________________________________________________
1. MasterCard is a membership organization comprised of financial
institutions which are licensed to use the MasterCard service marks in
connection with payment systems, including credit, debit and
stored-value cards.
2. VISA is a membership association comprised of financial
institutions in the United States which are licensed to use the VISA
service marks in connection with payments systems, including credit,
debit and stored-value cards.
3. Letter from Senator Bryan, Senator Hollings, and Senator Pressler
to the FTC (Oct. 8, 1996).
4. Id.
5. Pub. Law No. 104-208, ' 2422 (1996).
6. 15 U.S.C. ' 1681 et seq.
7. 62 Fed. Reg. 10,272 (1997).
8. Id.
9. Id.
------------------------------
End of PRIVACY Forum Digest 06.06
************************
Copyright © 2005 Vortex Technology. All Rights Reserved.