January 31, 1997
William W. Wiles, Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Ave., NW
Washington, DC 20551
To the Board of Governors of the Federal Reserve System:
The Center for Democracy and Technology (CDT) submits these comments
for consideration by the Board in its study "to determine
the availability to the public of sensitive identifying information
about consumers, the possibility that such information could be
used for financial fraud, and the potential for fraud or risk
of loss, if any, to insured depository institutions," under
the Economic Growth and Regulatory Paperwork Reduction Act of
1996. (Docket No. R- 0953)
CDT is a non-profit, public interest organization working to protect
and advance civil liberties and democratic values on the Internet.
One of our core goals is to develop a privacy framework for the
Internet. Towards this end, CDT is working to develop and implement
fair information principles and technical tools that foster individual
control over personal information on the Internet.
The emerging global information infrastructure poses both difficult
challenges and unique opportunities for protecting individual
privacy. CDT believes that new technologies can be designed to
enable citizens to exercise greater control over the collection
and use of personal information. Through the development and implementation
of strong privacy policies, and the design and implementation
of technological mechanisms that facilitate individual choice,
we believe that interactive digital media can empower citizens
to make meaningful decisions about the flow of personal information.
Today the impact of interactive media on individual privacy remains
unclear. Whether the medium that makes instant, global communication
and information sharing possible, will also support individual
control over the vast amount of information captured, stored,
and potentially reused is an unknown. If we fail to address the
privacy issues that arise with this new technology, we may undermine
its roles as communication medium, information source, and global
marketplace of ideas and products. As the Federal Reserve considers
the issue of personal information and privacy, we urge you to
consider the unique privacy threats and opportunities presented
by the global information infrastructure.
Privacy on the Internet
Implementing Fair Information Principles
The Code of Fair Information Principles, developed by the Department of Health Education and Welfare in 1973 and published in the Report of the Secretary's Advisory Committee on Automated Personal Data Systems1 provides the intellectual and structural basis of existing privacy laws and policies in the U.S. While there have been efforts to codify the fair information practices through statute, regulations, and industry guidelines, the results have generally fallen far short of the desired goal of privacy advocates -- to have individuals control the collection, use, and disclosure of personal information.2
Battles over the crafting and implementation of privacy policy
have largely centered on the method of obtaining individual consent
for secondary uses of personal information. In the traditional
information privacy realm, various interests have wrestled with
awkward, mechanistic, and largely unsuccessful approaches to allowing
people some say over how and whether their personal information
should be used by others.3 Industry has
staunchly defended the merits of an "opt-out" approach
which presupposes permission to use and disclose personal information
unless the consumer lodges an objection. Privacy and consumer
advocates have engaged in a largely unsuccessful effort to move
industry and policy-makers towards a more privacy-protective "opt-in"
standard that would require individual consent prior to the use
or disclosure of personal information for unrelated purposes.
The Internet may offer us the opportunity to shift this debate.
CDT believes that there is an opportunity to more fully effectuate
the core privacy principles -- providing notice of information
practices, and providing individuals the ability to make decisions
about the flow of personal information -- in the interactive,
two-way environment of the Internet. For example, the interactivity
of the Internet may eliminate the battle over a default setting
of either "use and disclose" or "don't use and
disclose" by enabling or requiring people to "opt."
And more importantly, by giving individuals the ability to make
up-front decisions regarding the use and disclosure of personal
information the interactive world may offer a policy option that
simultaneously supports stronger privacy policy, more secure communications
and transactions, and vigorous commerce.
The importance of building in privacy
Individuals are reaping the benefits of the digital age as they
conduct banking activities, research, trade stock, order plane
tickets, file their tax returns and communicate with their families,
friends and co-workers online. Industries are quickly adapting
their businesses to make the most of interactive technologies
benefits. Each day more individuals rely upon email, chatrooms,
bulletin boards, newsgroups, and the World Wide Web for information
and communication. President Clinton and members of Congress have
spoken of bold initiatives to wire every classroom, thereby ensuring
our children a competitive position as we enter the Information
Age. For the children of today, the Internet will be ubiquitous
and multi-purpose, supporting and enriching the activities of
daily life in ways we can barely imagine.
As information about the current practices of collecting and using
personal information trickles out in news stories and in on-line
discussion groups public concern with online privacy continues
to escalate. The revelation that a marketer was gathering hundreds
of thousands of individuals' email addresses culled from use of
the World Wide Web and usenet discussion groups, created a furor
over the use of this transaction data.4
The practice of selling "credit header" information
-- including social security numbers -- came under heavy fire
from concerned citizens shortly after an email about the Lexis-Nexis
service P-Trak flooded the Internet.
A recent survey revealed that 83% of Americans are very concerned
about their privacy. This number has increased steadily over the
years. A finding of even greater importance in our "Interactive
Age," is that the publics' concern with privacy reaches new
heights when computerization is mentioned.
While businesses continue to flock to the Internet, relatively
little actual commerce is occurring online.5
The disquieting fear and confusion over the lack of privacy rules
and security standards for the Internet continue act as a barrier
to the public's willingness to use new media. Recognizing that
uncertainty about the policies regarding the privacy of personal
information will continue to undermine the public's desire to
fully participate in social, political, and commercial activities
online, the development of a strong, workable privacy framework
for the Internet should be a priority of policy-makers.
Personal financial information is viewed by many individuals as
the most sensitive information. The ability to engage in a wide
variety of financial transactions and receive personalized information
about investing on the Internet raises many questions about individual
privacy. How is the detailed information individuals provide about
their financial assets protected by entities to whom it is disclosed?
What rules should apply to its use and disclosure? How can individuals
protect their privacy in this online world? Are entities providing
financial services on the Internet informing consumers of their
information practices?
CDT is engaged in a number of activities designed to foster individual
privacy on the Internet. CDT is currently working with other public
interest organizations, businesses operating on the Internet,
and the Massachusetts Institute of Technology-based World Wide
Web Consortium (W3C) to develop a language and technical tools
to implement the core fair information principles of notice and
individual choice on the global information infrastructure. In
addition, over the next few months, CDT's privacy policy clearinghouse
will highlight entities providing financial services on the Internet.
By providing the information handling/privacy policies of entities
offering financial services and crafting a "privacy matrix"
for their analysis, we will educate consumers about the current
state of personal information on the Internet. Through our effort
we hope to create a market for privacy policies in the financial
services sector.
CDT's Response to Specific Questions
Individual Control
What is or should be considered sensitive consumer information
for purposes of the study?
The Code of Fair Information Practices and other general policies
and laws dealing with privacy and personal data generally avoid
labeling certain data as sensitive. The goal of privacy policies
and data protection laws -- protecting the individuals privacy
interests -- is best supported by policies that let individuals
decide for themselves which personal information is sensitive.
It is through facilitating individual decisions over the use and
disclosure of personal information that public policy can best
serve the privacy interest of the individual.
A number of reasons argue for policies that facilitate control.
The perceived sensitivity of a given piece of information will
vary based on a number of factors such as, the individual involved
and the context or purpose in question. Individuals have extremely
varied privacy interests. For example, a telephone number can
be very sensitive to someone who is experiencing harassing phone
calls, is being stalked, or is in a high-profile or public position
(police officers, government officials, media stars). On the other
hand many individuals find the publication of their phone number
in the white pages to be a useful method of enabling friends and
others to contact them. People in each position should be able
to set their privacy expectation.
Similarly, the same individual may have different privacy concerns
with a single piece of information depending on the context or
the purpose. For example, an individual may be perfectly happy
to share information about their income when applying for a bank
loan, but would not offer that information to a company for the
purposes of direct marketing. Finally the same piece of information
may raise different concerns at different times in an individuals
life. For example, as people age they often become less willing
to reveal their age to others.
What this points to is the difficulty of arriving at a single
definition of "sensitive information."
Currently the FCRA substitutes a set of "permissible purposes"
for which credit information may be released -- in contrast to
the model set out in the Code of Fair Information Practice which
would require a method through which individuals could make decisions
about the unrelated use and disclosure of credit information.
Working within the existing statutory framework, CDT urges the
Board to recommend extending the permissible purpose provisions
to govern "credit header information." This would increase
the privacy protection of information provided in the credit context
by limiting many of the unrelated uses of header information that
proliferate today.
In addition, CDT urges the Board to recommend that Congress examine
the possibility of employing a consent-based model for protecting
privacy, like that found in the recently passed rules governing
Customer Proprietary Network Information that require customer
consent prior to a companies use of calling pattern information,
in the credit context.
Controlling Use
Is the compilation, sale, and use of sensitive identifying
information about consumers subject to industry guidelines or
regulations, and if not, what guidelines, regulatory or legal
requirements might be appropriate?
There are a number of industry regulations that allow individuals
to remove or suppress names and addresses or other personal information
for the purpose of limiting unsolicited phone calls and mail.
However, there are very few self regulatory efforts that address
the compilation, sale, or use of personal information in a way
that addresses the full range of consumer privacy concerns. For
example the Direct Marketing Association allows individuals to
place themselves on do not contact lists for both telephone and
mail, but does not set forth rules limiting the internal use of
personal information. Many companies make money renting lists
of individuals with certain characteristics. Many more use information
internally for purposes completely unrelated to the reason for
which the individual provided it. For example, the information
an individual sends in on a warranty card may enable the company
to contact them if there is a recall, but its just as likely to
be used for future marketing activities and resale.
The recently adopted European Union Data Protection Directive6
like data protection and privacy laws and codes in other countries,
limits the collection, use, and disclosure (sale) of personal
information. Congress recently took a similar step toward controlling
the internal use of personal information, passing the Customer
Proprietary Network Information (CPNI) Provisions of the Telecommunications
bill of 1996. The CPNI provisions prohibits the use of information
about customers' calling patterns and telephone usage for other
purposes absent consumer consent.
Due to the consolidation and convergence of industries, the distinction
between "internal use" and "external disclosure"
has become less meaningful as a protector of people's privacy.
Corporate entities today may encompass a variety of unrelated
businesses and activities. The lack of rules governing the internal
use of personal information allows entities to use information
for purposes completely unrelated to the purpose for which the
individual provided it. Careful consideration should be given
to the impact that unchecked internal use has on both individual
privacy and fraud.
Fraud and Privacy
How is sensitive identifying information about consumers used
for financial fraud (for example, to obtain a credit card in another
person's name)?
The nexus between the availability of personal information and
vulnerability to fraud has been remarked upon by courts, policy-makers,
and victims alike.7 In particular, the
widespread use of the Social Security Number as an identifier
by both the private and public sectors continues to raise concerns.
As the most frequently used identifier, the Social Security Number
acts as a key to numerous public and private systems of records.
The availability of an individual's Social Security Number from various sources such as department of motor vehicle records and "credit headers" provides would be thieves with access to the "key" needed to unlocked a wealth of personal data in both public and private sector data systems. As one Court noted:
Thanks to the abundance of data bases in the private sector that
include the ssn's of persons listed in their files, an intruder
using an ssn can quietly discover the intimate details of a victim's
personal life without the victim ever knowing of the intrusion.8
As the court noted later in its opinion, the release of Social
Security Numbers creates "high potential for fraud and victimization."9
Another Court went further -- linking the availability of social
security numbers directly to financial fraud -- stating:
(T)he harm that can be inflicted from the disclosure of a Social
Security Number to an unscrupulous individual is alarming and
potentially (financially) ruinous.10
Despite the role that availability of social security numbers
plays in undermining privacy and facilitating fraud, the disclosure
of "credit header information" -- which includes the
individual's name, address, prior addresses, social security numbers,
and phone numbers -- is not regulated by the Fair Credit Reporting
Act of 1970. The availability of this information directly from
Credit Bureaus and through other entities who purchase and repackage
it, such as online and database information services, has led
to heightened risks to consumer privacy and unnecessary exposure
of both individuals and financial institutions to increased risk
of fraud.
For purposes of this study, it is particularly worthy to note
that the exact information needed to apply for credit -- name,
address, phone number, ssn -- is the information which may be
freely traded and sold under existing policy. The recent revelation
that both Lexis-Nexis and Westlaw were making credit header information
-- obtained from Trans Union -- available on millions of individuals,
to anyone willing to pay the fee, raised deep public concern.
The invasions of privacy and the risk of both individual and institutional
fraud are compelling reasons to revisit the issue of what information
should be considered part of the "credit report" and
governed by the permissible purpose rules of the FCRA.
Conclusion
CDT urges the Federal Reserve to recommend that:
CDT appreciates the opportunity to submit comments for this proceeding.
Please contact us if we can be of further assistance.
Sincerely,
Deirdre K. Mulligan
Staff Counsel
1 Due to the lack of strong constitutional privacy protection, added emphasis has been placed on federal and state statutory protections. While statutory privacy protections for personal information have been crafted on a sector by sector basis, many are based on the principles set out in The Code of Fair Information Principles , published in the Report of the Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens. U.S. Dept. of Health, Education & Welfare, July 1973. The basic principles of the 1973 Code, as published in the Advisory Committee's Report, are:
2 Current
U.S. privacy protections for personal information are incomplete
and scattered throughout case law, federal and state statutes,
and executive branch reports. See, The Privacy Act of 1974, 5
U.S.C. §552a(1974); The Computer Matching and Privacy Protection
Act of 1988, 5 U.S.C. 552a (1988); The Fair Credit Reporting Act,
15 U.S.C. § 1681 (1970); The Family Educational Rights and
Privacy Act, 20 U.S.C. §1232g(1974); Right to Financial Privacy
Act § 12 U.S.C. 3401 (1978); The Privacy Protection Act 42
U.S.C. §2000aa (1980) (prohibits the government from searching
press offices without a warrant); The Debt Collection Act 31 U.S.C.
§952 (1982) (requiring due process before an individuals
federal debt information is referred by an agency to a private
credit bureau); The Cable Communications Policy Act of 1984, 47
U.S.C §551 (1984); the Video Privacy Protection Act, 18 U.S.C.
§2710 (1988); The Electronic Communications Privacy Act of
1986, 18 U.S.C. §2510 et seq. (1986); Section 207 of the
Communications Assistance and Law Enforcement Act of 1994, providing
heightened protections for transactional data. Pub. L. No. 103414,
108 Stat 4279 (1994); and, Section 702 of the Telecommunications
Reform Act of 1995, "Privacy of Customer Information".
See also: Personal Privacy in an Information Society: The report
of the Privacy Protection Study Commission, Washington DC, 1977;
Privacy and Related Security Principles for the NII, Mega-Project
III of the National Information Infrastructure Advisory Council,
1995; and, the Principles for Providing and Using Personal Information,
Report of the Privacy Working Group of the Information Infrastructure
Task Force, October, 1995. While there is no definitive case finding
a constitutional right of information privacy, the Supreme Court
acknowledged that such a privacy right exists in Whalen v. Roe.429
U.S. 589 (1977) (upholding a state statute that required doctors
to disclose information on individuals taking certain highly addictive
prescription drugs for inclusion on a state database)
3 This
is not to underestimate the importance of hard fought battles
to craft statutory privacy protections for personal information.
Existing privacy laws set important limits on the use and disclosure
of personal information. However, there is not a statute on the
books that gives the individual simple, meaningful, up-front,
control over personal information. The sector by sector approach
of existing U.S. law makes analytic sense, but progress has been
slow and many gaps remain.
4 See , Washington Post, "When Direct Mail Meets E-mail, Privacy Issue Is Not Fully Addressed," John Schwartz, 10/9/95. See also, Similarly, public reaction, in Missouri, was so intense to a new product called "Caller Intellidata" that Southwestern Bell withdrew it the day after introduction. Caller Intellidata packaged Caller ID information, including date and time of call, from Southwestern Bell, with caller address and demographic information compiled by Equifax. In addition to individual profiles of callers, this service would include a statistical profile of the businesses customers based on demographic information from census reports and Equifax. The Public Counsel for Missouri objected to the service calling it "Big Brother" and stating that "Consumers should not be forced to become statistics in a marketing study merely by placing a telephone call." St. Louis Dispatch, Jerri Stroud, October 5-6, 1995.
5 Less than two dozen online merchants accept CyberCoins, a digital payment currency. David S. Hilzenrath, Cyberspace Full of Falling Stars, WASH. POST, Feb. 3, 1997, Wash. Bus. 14.
6 The Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, was adopted in July, 1995. The Directive seeks to establish a common ground of privacy protection for personal data within the European Union community.
7 The Federal Trade Commissions August, 1996 meeting on Consumer Identity Fraud provided useful information on the relation between the availability of personal information and credit card fraud.
8 State Ex Rel. Beacon Journal Pub. v. Akron, 640 N.E. 2d, 164, 169 (Ohio 1994).
9 Id.
10 Greidinger v. Davis, 988 F.2d 1344 , 1354 (4th Cir. 1993).