------------------------------------------------------------------------------
The Center for Democracy and Technology                Volume 3, Number 16
----------------------------------------------------------------------------
A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
CDT POLICY POST Volume 3, Number 16 December 18, 1997
CONTENTS: (1) Industry Responds to Online Community RE: Personal Information
(2) How to Subscribe/Unsubscribe
(3) About CDT, Contacting us
** This document may be redistributed freely with this banner intact **
Excerpts may be re-posted with permission of
|PLEASE SEE END OF THIS DOCUMENT FOR SUBSCRIPTION INFORMATION|
_____________________________________________________________________________
(1) INDUSTRY RESPONDS TO ONLINE COMMUNITY'S OUTRAGE OVER WIDESPREAD
AVAILABILITY OF PERSONAL INFORMATION
Dec. 18--In the wake of last year's public uproar over the providing of
unique, personal identifiers like Social Security numbers, unlisted phone
numbers and birthdates over the Internet, the country's three leading
credit bureaus and individual reference services have pledged to stop
making that information available to the general public, according to a
report the Federal Trade Commission (FTC) released yesterday. The Center
for Democracy and Technology (CDT) applauds the FTC, the credit bureaus and
the reference services for their work, but warns that it doesn't entirely
solve the problem of protecting consumers at a time when Web sites that
provide fast, easy access to public records containing personal information
on individuals are proliferating.
The Individual Reference Services Group (IRSG)--an industry coalition
composed of Experian, LEXIS-NEXIS, Equifax Credit Information Services,
Inc., Trans Union Corp., and 10 other companies--has agreed to abide by a
set of self-regulatory principles aimed at curbing access to sensitive
private data on individuals. The issue of personal information made widely
and easily available to the general public via the Internet first drew a
public outcry in September 1996 when LEXIS-NEXIS began offering
individuals' mothers' maiden names, Social Security numbers and dates of
birth on its "P-Trak" database. At the height of the controversy Congress
asked the Federal Reserve Board and the Federal Trade Commission to study
the privacy implications of this practice. The FTC's report is available at
http://www.ftc.gov/opa/9712/inrefser.htm. The Federal Reserve Board issued
its report earlier this year.
"The companies involved in the IRSG's effort are to be commended for
stepping up to the plate and crafting the most comprehensive set of
self-regulatory guidelines of any US industry; however, a number of
important consumer and privacy issues remain to be addressed before this
can be considered a complete solution," said CDT Staff Counsel Deirdre
Mulligan, who focuses on privacy issues.
COMPANIES' PROPOSAL RESPONDS TO PRIVACY CONCERNS
The IRSG proposal responds to concerns raised by Internet users and
privacy advocates last September, available at
http://www.cdt.org/privacy/960920_Lexis.html, by:
* prohibiting the distribution of Social Security Numbers, dates of birth,
unlisted phone numbers, and mothers' maiden names to the general public;
* prohibiting "reverse Social Security Number (SSN)" look-ups (finding a name
or address based on an SSN);
* requiring companies offering look-up services to the general public to allow
people to "opt-out" of these databases;
* providing individuals with access to information held by the companies that
does not come from public records; and
* prohibiting the distribution of information about children unless it is for
the purpose of locating a missing child.
Experian, LEXIS-NEXIS and the other companies have promised to exchange
database information only with other companies who also follow these
principles, a decision that will increase the principles' effectiveness.
Signers of the IRSG proposal also agree to undergo yearly audits of their
practices and to make those audits available to the public. The audit
records and the principles will help the FTC investigate instances where
companies have not complied with the guidelines.
SEVERAL IMPORTANT AREAS STILL TO BE ADDRESSED BY GUIDELINES
The IRSG proposal falls short of providing complete protection for
sensitive consumer information in a number of important areas, Mulligan
said. They include the following:
* Individuals will not be provided access to public records held by the
companies that sign the proposal.
CDT believes that the companies should provide individuals full access to
their own personal information. These companies have an important role to
play--just as they serve as a one-stop shopping source for other
businesses, they should allow individuals access to information from a
centralized source.
* Individuals will not be notified of adverse decisions based on data in the
companies' files.
Many people are unaware that others are using information services to make
decisions about them. If data in a company's file comes from inaccurate
public records or has been inaccurately transcribed, a consumer could be
harmed. People should be notified when information from the IRSG
companies' files is used to make decisions about them so that they can
correct inaccurate data, challenge inaccurate assumptions, or deal with
real problems reflected in the data.
* The IRSG companies will not maintain detailed audit trails, even though they
will undergo yearly audits.
CDT believes that accountability requires strict oversight over access to
and use of personal information. When the end-users of sensitive personal
data are law enforcement personnel, employers, or others who can exercise
power over the consumer, an audit trail that documents the end-user's
treatment of personal information would help curb abuses, prevent
unauthorized access, and provide accountability to the system.
* Individual consumers have no SIMPLE way to SEEK RELIEF from violations of the
guidelines.
The IRSG proposal provides neither a grievance process nor remedies for
consumers who believe credit decisions have been made on the basis of
inaccurate data. CDT hopes that the industry and the FTC will work to craft
a grievance process and remedies that are responsive to consumers' needs.
CDT believes that the IRSG proposal is a noteworthy step towards meaningful
self-regulatory guidelines. We commend the FTC for its work in this area
and encourage the agency to continue to monitor not only further
developments in this area, but also the implementation of and compliance
with the IRSG guidelines. Strong enforcement of the guidelines and consumer
education are key to effective work in this area.
Still, as we noted last year, the widespread availability and use of
public record information is a continuing breeding ground for privacy
concerns. See http://www.cdt.org/privacy/961008_Sen_let.html. As the FTC
notes in its report, "the easy availability of sensitive, unique
identifiers (e.g. Social Security number, mother's maiden name, and date of
birth) listed on public records increases the risk of serious harm."
Those IRSG companies with Web sites include:
Acxiom Corporation http://www.acxiom.com/
CDB Infotek, a ChoicePoint Company http://www.cdb.com/public/
Equifax Credit Information Services, http://www.equifax.com/
Experian http://www.experian.com/
First Data Solutions Inc. http://www.firstdatacorp.com/busunits/busunits.html#fds
Information America Inc. http://www.infoam.com/
IRSC Inc http://www.irsc.com/
LEXIS-NEXIS http://www.LEXIS-NEXIS.com/
Metromail Corporation http://www.metromail.com/
Trans Union Corp http://www.transunion.com/
_____________________________________________________________________________
(2) SUBSCRIPTION INFORMATION
Be sure you are up to date on the latest public policy issues affecting
civil liberties online and how they will affect you! Subscribe to the CDT
Policy Post news distribution list. CDT Policy Posts, the regular news
publication of the Center For Democracy and Technology, are received by
more than 13,000 Internet users, industry leaders, policy makers and
activists, and have become the leading source for information about
critical free speech and privacy issues affecting the Internet and other
interactive communications media.
To subscribe to CDT's Policy Post list, send mail to
majordomo@cdt.org
in the BODY of the message (leave the SUBJECT LINE BLANK), type
subscribe policy-posts
If you ever wish to remove yourself from the list, send mail to the
above address with a subject of:
unsubscribe policy-posts
_____________________________________________________________________________
(3) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US
The Center for Democracy and Technology is a non-profit public interest
organization based in Washington, DC. The Center's mission is to develop
and advocate public policies that advance democratic values and
constitutional civil liberties in new computer and communications
technologies.
Contacting us:
General information: info@cdt.org
World Wide Web: http://www.cdt.org/
Snail Mail: The Center for Democracy and Technology
1634 Eye Street NW * Suite 1100 * Washington, DC 20006
(v) +1.202.637.9800 * (f) +1.202.637.0968
----------------------------------------------------------------------------
End Policy Post 3.16 12/18/97
----------------------------------------------------------------------------