Consumer Privacy Workshop-Data Base Study: Comments to the Federal Trade Commission

Advocacy Comments

June 10-14, 1997

Session One: Data Base Study, P974806

  • Pre-Conference Written Comments, April 14, 1997
  • Oral Presentation at June 10, 1997, Workshop
  • Post-Workshop Comments, July 14, 1997

Pre-Conference Written Comments, April 14, 1997

Beth Givens, Privacy Rights Clearinghouse

April 14, 1997

Secretary
Federal Trade Commission
Rm H-159, Sixth St. and Pennsylvania Ave. NW
Washington, D.C. 29580

Session One
Data Base Study -- Comment, P974806


These comments pertain to the section "Information Collection and Use," points 1.1 - 1.26.

In September 1996, there was a flurry of controversy surrounding the sale of personal information by the Lexis-Nexis company vis-a-vis its P-TRAK service. Although much of the brouhaha centered on the sale of Social Security numbers, which Lexis-Nexis had curtailed a few months earlier, the public outcry illustrated a growing concern about electronic privacy. The Lexis-Nexis phone lines were jammed with people requesting that their records be deleted from the P-TRAK data base.

What most of these people did not realize is that Lexis-Nexis is not the only seller of personally identifiable information. There are hundreds of companies throughout the country which obtain the same or similar 'look-up' information as is sold via P-TRAK in which the Social Security number is not suppressed. Some information vendors limit themselves to 'look-up' data such as names and name variations, current and former addresses, telephone numbers (including in some cases, unlisted numbers), Social Security numbers and date of birth. Others, as described below, also provide access to public records data bases.

A major source of 'look-up' information are the three credit reporting bureaus -- the 'credit header' data sold by Experian (formerly TRW), Trans Union and Equifax. Credit header data has been deemed to be out of reach of the Fair Credit Reporting Act. It can be sold to information vendors without restriction; no 'legitimate business need' or 'permissible purpose' is required for this data to be sold to information vendors and then re-sold to their customers. Other sources of 'look-up' data are publishers' mailing lists and nationwide white pages directories.

Some information vendors go beyond the 'look-up' data sources by compiling and providing access to public records obtained from local, state and federal government agencies. Information obtained from public records includes real property information, voter registration files, motor vehicle registration and license information, occupational licensing records, court lawsuit information, Universal Commercial Code records, and for some states the vital statistics indexes for marriage, divorce and death records. Information vendors that combine the 'look-up' data sources with public records information are able to provide their customers with the ability to compile virtual dossiers on individuals.

The following is a partial list of such information vendors. These were obtained primarily by using an Internet search engine and seeking the Web sites of information vendors. This list is by no means comprehensive. Such companies are used by a wide variety of investigative companies, including collection agencies, private investigators, skip tracers, employment background checkers, tenant screening services, insurance investigators, missing persons locators, and so on. (You may look in the Yellow Pages of the telephone book under Investigators to see the types of companies that might use the services of such information vendors.)

 

Lexis-Nexis (Ohio); CDB Infotek (owned by Equifax, and located in California); Information America (Georgia); IRSC (California); WDIA (National Credit Information service, Ohio); Autotrack (Database Technologies, Florida); Informus (Mississippi); Super Bureau Inc. (California); Atlas Information Services (Florida); Dig Dirt Inc. (New Jersey); Wind Associates (New York); ATT Information Brokers (Florida); Kadima Systems (California). Many of these and other similar companies obtain credit header data from the credit reporting bureaus -- Experian, Equifax and Trans Union.

 

One of the concerns we at the Privacy Rights Clearinghouse have about these information vendors is that their activities are virtually unregulated. Granted, when they provide access to credit reports, they must ensure that the requestor has a 'legitimate business purpose.' But much of the remainder of the considerable body of data to which they have access is not regulated by a code of Fair Information Practices such as that provided by the Fair Credit Reporting Act for consumers' credit history data.

In addition, consumers do not have ready access to the data compiled about them. We have received many calls to the PRC hotline from individuals who tell a story that goes something like this:

"I'm looking for work, and I often get to the first interview stage, sometimes even the second interview. But then I'm dropped like a hot potato. I wonder if there's some information about me out there that is harming me."

 

We are aware of one job applicant who, after being turned down for many jobs, found out that a data base used by most of the department stores and retail outlets in his area listed him as having a criminal background. His record had been mixed erroneously with that of a criminal.

Our suggestion to hotline callers who wonder if there is some information 'out there' harming them is to hire an investigative service to conduct a background check on them using one or more of the database services provided by the above-listed companies. And even after spending $50 to $150 for such a search, the job applicant cannot be absolutely sure that he or she has uncovered the information that might be harming him or her.

There are other harmful consequences of unrestricted access to information about individuals. 'Identity theft' is one. We have seen a dramatic increase in calls to the PRC from consumers whose identities have been stolen for the purpose of obtaining credit cards and other services fraudulently. All the imposter needs is the name and Social Security number, something easily purchased from many information vendors.

Fortunately, some vendors are now making it more difficult to obtain SSNs. For example, Lexis-Nexis has voluntarily removed the SSN from the P-Trak data that is displayed on the subscriber's terminal. CDB Infotek replaces the last two digits of the SSN with 'x's. Information American has also restricted access to SSNs. But many more information vendors offer services which provide SSNs when a search by name and address is conducted, obtained primarily from credit header sources. (Two such services are WDIA's National Credit Information and Trans Union's ReTrace.)

The Privacy Rights Clearinghouse is not aware of any specific cases of data from an information vendor's data bases being used for identity theft purposes. Victims of identity theft usually do not know how their SSN and other data were obtained by the imposter. There are many low-tech ways to obtain the information necessary to commit theft of identity and credit card fraud, such as wallet theft and dumpster diving. But given the relatively low price of many 'look-up' services, the sophisticated identity thief is not likely to pass up the opportunity that such data bases provide.

Another harmful use of such 'look-up' information is to track down victims of stalking and domestic violence. Victims of these crimes who have moved to another location to escape a stalker or abuser need to be able to shield the location of their residence. If they reveal their new address to their credit grantors, who in turn report it to the credit reporting bureaus, they can be easily found.

Many individuals have occupations in which the ability to shield their home addresses is important: police officers and other employees in the law enforcement and justice systems, teachers, doctors and other health professionals, psychological counselors, social workers, and employees of 'unpopular' government agencies like the IRS and state tax agencies.

But given the proliferation of information vendors which provide 'look-up' services, it is difficult, if not impossible to prevent such information from getting into the hands of wrong-doers. Certainly, there are many beneficial uses of the services of information vendors -- locating missing friends and relatives, weeding out violent employees, catching up with parents who do not pay child support payments, preventing sexual predators from working in child care centers and schools, and so on. For every 'horror story' that we hear from PRC hotline callers, there is no doubt an equally compelling 'hero story.'

The balancing of beneficial uses of these data sources with the privacy rights of individuals is truly one of the most challenging public policy issues of this information age.

We believe that the answer to many of the problems discussed above can be found in regulating the information vendor industry with a code of Fair Information Practices, much like the credit reporting industry is regulated by the Fair Credit Reporting Act. The amount of information compiled about individuals is only going to grow. And the consequences for individuals about whom information is compiled are only going to become more significant. The data subjects must be able to have a right of access to this data (at a reasonable price, not $100), along with a right to have erroneous data corrected and a right to know who has accessed information about them.

This concludes the PRC's comments for Session One, Computerized Data Bases.

Oral Presentation at June 10, 1997, Workshop

Federal Trade Commission
Public Workshop on Consumer Privacy

Panel II - - Benefits and Risks of Computer Reference Services

Comments of Beth Givens, Project Director
Privacy Rights Clearinghouse

Thank you for the opportunity to participate in this workshop.

I am going to discuss some actual cases that have come to the consumer hotline of the Privacy Rights Clearinghouse -- for your information, a service that has been in operation since October 1992, nearly 5 years.

But first, let me preface my discussion of risks with some observations about the database industry.

The information vendor industry is virtually unregulated. There is little oversight of these companies, and little accountability for their practices.

In addition, the information vendor industry is virtually invisible, not to us here today, but to most Americans who know nothing about these companies. Nonetheless, these companies hold an increasing amount of sensitive personal information about nearly each and every one of us. What do I mean when I say that the database industry is unregulated. The companies that comprise this industry are not governed by a code of Fair Information Practices. The data subjects do not have a rights of disclosure, access and correction like they do with their credit reports. Nor do they have the ability to learn who has accessed their files. Nor is there a time limit put on the disclosure of negative information. Nor are there penalties for misuse of personal information.

What are the risks for the data subjects?

We have received numerous calls from people wondering if information in databases somewhere might by preventing them from getting work. They tell of repeated interviews, sometimes even second interviews, and then they're dropped, with no information given to them as to why.

One individual, whose name is Bronti K., was out of work for several years. His profession was department store clerk, and he held several jobs successfully. But he was no longer able to land a job and didn't know why. In desperation, he demanded of one employer to know why he was turned down. He was told that a database they used indicated that he had been caught shoplifting from a department store.

When Bronti put the pieces of the puzzle together, he realized that the identification documents in his wallet that had been stolen some time ago had been used by a thief who was impersonating him, a thief whose criminal record was now his. Bronti has since hired an attorney and is suing the database company, EMA/SPA, and the department store that put the shoplifting data into his record. The trial is set for this coming fall in Los Angeles Superior Court. He is still not able to find work as a department store clerk, perhaps because of his long period of employment and because he's now seen as a troublemaker.

The second case concerns a man who for many years was successfully employed in the construction business. His name is Ron D. He was seriously injured and had to leave construction work. He was retrained to work with computers, but has not been able to find work for 7 years. He has had many interviews, even second and third interviews, but has been ultimately turned down by all his potential employers.

He is certain that information about one of his brothers, who happens to be a drug addict and felon, is tripping him up. His brother's name is close to his, and their Social Security Numbers are one number apart. But he has not been able to find a single employer who will tell him the source of information being used to make their hiring decisions. One employer did admit to using an outside source.

We suggest to people like this that they find a company that accesses the various data bases of the information vendors and conduct a thorough background check on themselves, spending maybe $100 to $200 if they indeed want to be thorough. And they should also check to see if there are criminal records inaccurately attributed to him.

However, even if they hire someone to conduct a background check on themselves, they might not yet know for certain if they are finding the exact same information that their potential employers have found, especially if it comes from a company like EMA/SPA that is collecting information from a certain industry.

This situation is reminiscent of Franz Kafka's work of fiction, THE TRIAL. I think there could be a nonfiction version of his book based on cases like Ron's and Bronti's. It could be called THE JOB.

These cases point up several risks of the information vendor industry being unregulated.

- One is inaccurate or misleading information being used to make important decisions, such as employment decisions, without the data subject being able to determine the accuracy of that information and have erroneous information corrected.

- A second is the absence of an audit trail - having no ability to know who has obtained information about you from these data bases.

- A third is the end of the notion of social forgiveness. Should one's shoplifting conviction at age 19 prevent one from getting a job at age 29, if he or she has had a clean record since then. We have built a kind of social forgiveness into many of our systems, credit reporting, for example. Certain kinds of convictions are purged after a given number of years -- in California, I'm referring to some DMV records, for example. But with cradle to grave data bases with no time caps on the length of time that negative information can be reported, more and more of us will become disenfranchised in one way or another.

Ron, the man who's unfortunate to have a criminal for a brother, has been told by a career counselor at a service run by San Diego County, to not bother to look for work until he can ferret out the source of the bad data. So far, he's not been able to do so.

I should point out that both Bronti and Ron are seeking jobs in the retail industry that pay from $5 to $7 an hour. Pre-screening for these types of jobs is becoming somewhat automated, almost like the credit screening that is done when you apply for instant credit -- simply a yeah or nay, with no underlying reasons given.

I am convinced we are going to be seeing more cases like these as the amount of data compiled in the various data bases increases. And I think the reason we at the Privacy Rights Clearinghouse don't hear of more cases like these is that the process is invisible to individuals.

A further point:

None of these data holdings are consensual -- whether it's public records information or the credit header information. All the more reason to have this industry regulated with a code of Fair Information Practices.

Just a quick run-down of some other risks:

Another harm or risk is identity theft, the ability of an imposter to obtain personal information like the Social Security number and use it to fraudulently apply for credit cards in the victim's name, order a credit report, and so on.

Another harm: tracking down victims of stalking or domestic violence -- people have had to relocate to escape the stalker. A simple credit header search can be quite effective in locating these people. Credit header files are nonconsensual. You do not have the ability to opt out of them. I think they should fall below the line and be regulated by the FCRA, the same as the rest of the credit history. Or at the very least, individuals should be allowed to opt in to such commercial data sources.

A further harm of these data bases is to people who have sensitive occupations: law enforcement, taxation authorities, people who work for abortion clinics, mental health professionals, teachers, parole officers and so on.

Thank you for the opportunity to present these comments. That concludes my remarks.

Post-Workshop Comments, July 14, 1997


Follow-up Comments of Beth Givens, Project Director, Privacy Rights Clearinghouse

Federal Trade Commission
Data Base Workshop, P974806

"A Critique of the Individual Reference Services Industry Principles"

Thank you for the opportunity to follow-up on the comments provided at the June 10, 1997, workshop session on the data base industry.

I will provide a critique of the privacy principles presented by the individual reference service industry at the June 10th workshop. My comments focus on five issues: accountability, accuracy, access, consumer education, and feedback.

Accountability, Accuracy and Access

Two interrelated aspects of accountability deserve attention: (1) How will we know when self-regulation is working? (2) How will the practices of the reference services industry be monitored?

A shortcoming of the self-regulatory approach, at least as promulgated to date, is the lack of any benchmarks for success. Unless some tangible goals are imposed on the reference services industry, we will not be able to determine if in fact self regulation is working -- that is, if it is effective in safeguarding the privacy of those individuals whose personal information is compiled and disseminated by information vendors.

The Direct Marketing Association's (DMA) Mail Preference Service (MPS) exemplifies this particular shortcoming. [1] The MPS was established by the Direct Marketing Association in 1971, over a quarter century ago. Consumers who do not want to receive unsolicited mail register their name and address with this centralized data base. Mailers use this list on a voluntary basis to "suppress" these names from their own lists. [Footnote 1: Personally identifiable marketing data is not considered to be part of the reference services industry, as explained in the AWhite Paper: Individual Reference Services' (Piper and Marbury, June 10, 1997). The direct marketing industry is discussed here in order to exemplify the shortcomings of the self-regulatory approach. This section on the DMA's MPS is taken from the PRC's Day Two pre-workshop comments for P954807.]

Does the MPS work? From the standpoint of many callers to the Privacy Rights Clearinghouse (PRC) hotline who have used the MPS, the answer is "no." Consumers see little to no reduction in volume of unsolicited mail after registering with the MPS. The only category of mail for which the MPS has any noticeable effect is catalog mail.

Another way to assess whether or not the MPS has been successful is to look at the numbers of mailers that use the service. The major nationwide mailers are the most likely to use the MPS. But large categories of mailers do not take advantage of the MPS. These include local mailers, the 'resident' mailers, many charities, as well as many prize and sweepstake promoters. In addition, not even the totality of DMA members use the MPS.

If meaningful goals were imposed on direct mailers, with sanctions for not complying, perhaps the MPS could in fact be effective. For example, the goal of x% of MPS subscribership by direct mailers, y% of resident mailers, z% of charities over certain sizes, and so on, could be established as benchmarks to determine if in fact self regulation is working vis-a-vis direct mail.

Several comparisons can be noted between the direct marketing industry's poor record of self regulation and the privacy principles proposed by the reference services industry. The first concerns the portion of the industry that has adopted the privacy principles. Only eight information vendors have initially signed on to the principles. If the Federal Trade Commission has not already done so, it should consider conducting a survey of all such companies in order to monitor whether or not they adopt the principles in the coming year (one year is the amount of time the initial eight companies have said they will need to implement the principles). The PRC and other contributors of pre-workshop comments have listed several such information vendors. There are no doubt many more.

A second comparison involves the principles themselves, and whether or not they are adequate to safeguard individuals' privacy. The Direct Marketing Association issued its set of industry privacy principles in 1994, ' The Fair Information Practices Manual.' Yet key provisions are still not practiced by a large number of direct marketers, for example disclosure notices and consent opportunities. And some provisions do not go far enough (for example, the emphasis on opt-out opportunities rather than opt-in).

The privacy principles of the reference services industry also illustrate similar shortcomings. In my testimony during day one of the FTC privacy workshops, I raised the issues of 'access' and 'accuracy,' by relaying two cases: individuals who have been unable to obtain employment because of allegedly inaccurate information in data bases used by the employers and because those job applicants have not been able to gain access to that information in order to determine its accuracy. (See the June 10th comments, attached to these comments.)

Principle XI on access states that data subjects are to be told the nature of the information that the reference services make available in their products and services, but does not address access to the actual information, that which is needed in order to determine if the records are accurate or if the records of the correct John Smith were obtained. If accuracy of personally identifiable information is to be ensured (accuracy is Principle III), then the data subjects must be accorded some means to access those records easily and at reasonable cost.

A third comparison between the direct marketing industry's poor record of self regulation and the proposed reference services principles involves the lack of sanctions for noncompliance. We have received numerous calls to the hotline in which consumers ask what can be done about direct mailers who repeatedly ignore their requests to be taken off the mailing list (Dataquick is an example of such a mailer). We tell them there is no law which requires mailers to comply with such requests (except for mail considered to be pornographic). And we direct them to the industry trade association, the Direct Marketing Association, but warn them that the DMA itself does not have the ability to enforce compliance with consumers' requests, especially if the entity is not a member.

The principles proposed by the reference services industry likewise lack discussion of sanctions for noncompliance. This is a major failing of the self regulatory approach. A significant challenge facing the FTC is to determine ways in which sanctions can be imposed within a self-regulatory framework.

To conclude this discussion of accountability, accuracy and access, the PRC makes three recommendations. First, we recommends that the FTC determine goals or benchmarks which it expects the information industry to achieve in a given period of time. Without such markers, we will never be able to determine if self regulation is indeed working. Second, we recommend that the FTC indicate to the reference services industry whether or not the proposed principles go far enough to adequately safeguard individuals' privacy. Perhaps it should promulgate some standards which the information vendors should be expected to adopt. And third, we recommend that the FTC explore ways in which meaningful sanctions can be imposed.

Consumer Education and Feedback

[Footnote 2: This discussion is adapted form the PRC's written pre-workshop comments for Day Two, P954807.]

Given the above comments, I am not convinced that self regulation has worked to date. And I do not expect it to be effective in the future unless there are effective tools for ensuring and measuring compliance. Nonetheless, if the self-regulatory approach is ultimately embraced by the FTC, a mechanism for consumer education must be implemented.

In a self-regulatory environment, consumers must know the 'lay of the land.' What expectations regarding protection of their privacy should they have? How will they know when an information vendor is not taking adequate steps to protect their privacy? How will they know what actions they can take regarding entities that violate their privacy?

Consumer education can go a long way toward explaining the 'lay of the land' to consumers. Laudably, the principles proposed by the reference services industry include education. Principle I states that "[i]ndividual reference services should individually and through their industry groups make reasonable efforts to educate users and the public about privacy issues, the types of services they offer, and the benefits of the responsible flow of information."

The PRC recommends that while industry education efforts are important, consumer education must also be provided by independent entities in order to avoid serving the interests of industry (or of government for that matter).

In addition, consumers must have a trusted feedback mechanism they can use so their experiences with information vendors -- both the good and bad -- are documented. The market provides one kind of feedback mechanism, but an imperfect one: entities which violate consumer privacy might lose business and/or suffer the consequences of negative publicity. A more reliable mechanism would be an independent body or bodies to which consumers can provide such feedback.

At the risk of appearing self-serving, I encourage the FTC, industry and others to investigate the model provided by the Privacy Rights Clearinghouse -- a nonprofit organization which conducts research and makes information available to consumers, and which also serves as a feedback loop for both government and industry entities. Granted, a program as small as the PRC is not able to serve the educational and feedback needs of a nation. But on a larger scale, the PRC model deserves attention.

When examining the role of an independent consumer education body(ies), policymakers must also determine how to fund such an entity(ies) to provide long-term stability and avoid conflicts of interest. [For further information, see Comments of the PRC, submitted in June 1996 at the FTC Consumer Privacy workshop.]

This concludes my written comments in follow-up to the June 10, 1997, workshop on the reference services industry. Thank you for this opportunity.