TUCoPS :: Privacy :: priv_518.txt

Privacy Digest 5.18 9/22/96

PRIVACY Forum Digest      Sunday, 22 September 1996      Volume 05 : Issue 18

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                       ===== PRIVACY FORUM =====              

               The PRIVACY Forum is supported in part by the          
                 ACM (Association for Computing Machinery)
	         Committee on Computers and Public Policy,      
          "internetMCI" (a service of the Data Services Division         
      of MCI Telecommunications Corporation), and Cisco Systems, Inc.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.

	"PRIVACY Forum Radio" and Lexis-Nexis "P-TRAK" Interview/Update Info
	   (Lauren Weinstein; PRIVACY Forum Moderator)
	Detailed Update Regarding Lexis-Nexis "P-TRAK" Database
	   (Lauren Weinstein; PRIVACY Forum Moderator)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.


   Quote for the day:

	"Gee, I wish we had one of them Doomsday Machines..."
		-- General "Buck" Turgidson (George C. Scott)
   	   	   "Dr. Strangelove: Or, How I Learned to Stop Worrying
  	           and Love the Bomb" (Hawk; 1964)


Date:    Fri, 20 Sep 96 23:22 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: "PRIVACY Forum Radio" and Lexis-Nexis "P-TRAK" Interview/Update Info

Greetings.  In the message following this one, I've provided a detailed
update on the current Lexis-Nexis "P-TRAK" personal information database
furor, based on my own research.  Since the situation has been changing very
rapidly, this represents the most up-to-date information I'm aware of
regarding both the service and your options for dealing with it if you so

With concerns over databases and personal information running at such a high
level, this seems like the appropriate time to announce the first program
from the PRIVACY Forum's new effort: "PRIVACY Forum Radio".  As longtime
readers of the forum know, one of my major concerns is getting the word out
to people that privacy really matters, and that there are actions they can
take to help protect themselves, *before* troubles arise.  Whether related
to computer, telecommunications, or database privacy issues, or the less
esoteric aspects of privacy in our personal lives, to be forewarned is

PRIVACY Forum Radio will be an ongoing production of the PRIVACY Forum.  It
initially will include audio interviews, discussions, and other programs
conducted with all manner of persons involved in the privacy, security, and
related areas.  Participants will include persons from business, industry,
government, concerned organizations, and other individuals.  Both the
well-known "movers and shakers" and the unknown folks affected by privacy
problems will be featured.  All aspects of privacy in our personal,
commercial, and public lives will be topics for various guests.  Initial
programs will be prerecorded, but shortly we'll begin live broadcasts
offering listeners the ability to call in by phone, or send in e-mail
queries, to directly participate in the discussions.

The primary distribution medium for these PRIVACY Forum Radio materials is
the Internet, via the Xing "Streamworks" system.  Versions of the shows,
including live programs, will be available for access by listeners at
network connection rates as low as 14.4 Kbps per second.  Some materials will
also be made available at higher rates for those with the appropriate
capabilities.  In the very near future, we also plan to make some items
available with accompanying video ("PRIVACY Forum TV"), using the
same system.

These shows are also available, by arrangement, for conventional radio
syndication.  Since my primary goal is to try get the word out about these
issues as widely as possible, PRIVACY Forum Radio is also making available
short (e.g. 60 second) "Privacy Bites", suitable for use by regular broadcast
radio stations who want to help their listeners not only become aware of
privacy risks, but to learn what they can do about them.  Inquiries
regarding any of these materials should be directed by e-mail to
privacy-radio@vortex.com, or by voice to (818) 225-2800.

The first special program from PRIVACY Forum Radio is an interview I
conducted a few days ago with Lexis-Nexis Corporate Counsel Steven Emmert,
on the subject of concerns over the "P-TRAK" database, and on the topics of
personal information and databases in general.  It provides fascinating
insight into views of privacy from the "database industry" side of the
fence.  To hear this program, follow the PRIVACY Forum (and PRIVACY Forum
Radio) links from


Links are present within the PRIVACY Forum Radio area explaining the
technical details of hearing the interview and other materials, and for
downloading the (free) Streamworks software for your system that you'll need
if you don't have it already.

This is an exciting step in the evolution of the PRIVACY Forum, one that I'm
hoping will be a major stride towards helping people worldwide deal with the
ever-encroaching loss of privacy that has become part and parcel of our
modern societies.  Please direct any questions about accessing or obtaining
PRIVACY Forum Radio materials to the e-mail address or phone number
mentioned above.  Thanks much!



Date:    Fri, 20 Sep 96 23:20 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Detailed Update Regarding Lexis-Nexis "P-TRAK" Database

Greetings.  This is going to be a long message, but I urge you to read it in
its entirely.  As many of you are no doubt aware, considerable controversy
has been raging around the Internet, and now in the mainstream press,
concerning the Lexis-Nexis "P-TRAK" personal information database.  Since
the transmission of P-TRAK related messages here in the PRIVACY Forum early
this month, various information, some accurate, some inaccurate, has been
widely disseminated.  In some cases, I've seen versions of the original
PRIVACY Forum items in excerpted and usually unattributed form, sometimes
having been modified or addended in manners that significantly alter the
original content.

Concern over P-TRAK has mushroomed around the country, perhaps especially
due to Lexis-Nexis' high visibility.  Many people are concerned about
their personal information, however innocuous some might consider it to
be, residing in publicly accessible databases.  They want some measure
of control over their personal data.  It is this concern that has
brought this story to national prominence.

Lexis-Nexis has put forth an official statement concerning P-TRAK
(accessible via http://www.lexis-nexis.com) which is accurate as far
as it goes--but in my opinion leaves out some *very* important points which
people should be aware of and that I'll describe in detail below.

Adding to the confusion is the fact that over the last couple of weeks the
mechanisms available for people to request removal from the P-TRAK database
have been changing, largely due to the high volume of requests that
Lexis-Nexis has been receiving.  Callers to various Lexis-Nexis numbers were
at times told conflicting or apparently inaccurate information, and the
exact mechanisms for requesting removal, and what such a request really
meant in practice, has been in a state of flux.

Early deletion requests were taken by operators, then by voicemail systems,
and then later callers were told all requests had to be by mail or fax.  Most
callers were asked for their Social Security numbers.  Some were told that
it was essentially useless to request removal, since they could easily pop
right back on the database again later.  Questions about how to verify
removal persisted.

Given all this, I decided to take it upon myself to go directly to
the source, and had a number of detailed conversations with the
Lexis-Nexis Corporate Counsel, Steven Emmert.  Since Lexis-Nexis
was in the process of making decisions on some of these issues, I held
off this update until now to give Mr. Emmert time to get me the 
latest information, which he has done.  

As described in the previous message, I'm also pleased to announce that
PRIVACY Forum Radio is presenting a detailed audio interview with Mr.
Emmert, via the PRIVACY Forum web page (access via http://www.vortex.com).
Mr. Emmert and yours truly discuss both the details of the P-TRAK
controversy and some of the more philosophical aspects of personal
information databases.  If you're at all concerned about these topics, you
will probably find the interview quite interesting.

Where do the P-TRAK issues stand right now?  First off, it should be noted
that Lexis-Nexis is a reseller of the data in P-TRAK, not the collector.
They don't verify or otherwise amend the original information.  The
information itself is the so-called "credit header" data which FTC and other
decisions ruled were not covered under the FCRA (Fair Credit Reporting Act)
and could be openly disseminated.  This includes name, address, phone
number, Social Security number, and other related data.  Lexis-Nexis obtains
this info from one of the big credit data agencies (published reports have
suggested that this is Transunion).  Lexis-Nexis receives this data, which
includes more than 300 million records, on a monthly basis.

While Lexis-Nexis notes that their marketing focus is to government, law
enforcement, and the legal profession, it's important to realize that
the P-TRAK database is not *restricted* in any way to ensure that
only persons in those categories are using the data.  Anyone who
wants to the pay the appropriate fee can obtain search data.  This is
a crucial problem in the database industry--the almost total lack of even
rudimentary "need to know" requirements before gaining access to
information that many persons consider (obviously erroneously in many
cases!) to be private.

Lexis-Nexis points out that you cannot view Social Security numbers through
P-TRAK.  This is true.  When the database was originally established in June
of this year, SS#'s were available for viewing, but in short order concerns
led to their display being terminated.  So, you can't derive a SS# from
someone's name via P-TRAK.

HOWEVER--this does not mean that SS#'s are not in the P-TRAK database.  In
fact, they are there, and if you already have an SS# you can use it to
search in P-TRAK for all of the other data associated with that number
(e.g., name, address, phone number, and so forth).  Lexis-Nexis considers
the SS# to be the only reliable personal identifier, and in fact has told me
that when a person requests removal from the P-TRAK database (more on this
below) the best chance of actually getting removed exists when that person
provides their SS#.  Name and address are considered less desirable for this
purpose, due to name duplications, name or address changes, etc.  This is
the reason that callers asking to be removed have typically been asked for
their SS#'s.

To Lexis-Nexis' credit, it should be noted that they have competitors (some
on the Internet) who don't restrict SS# information at all, and don't
offer any opportunity to be removed from their databases either.  
Still, it's important to understand that SS#s *are* in the P-TRAK
database, and that you still can search *by* SS# in that database.

Information available for direct view in P-TRAK includes name, maiden name
(if any), current address, up to two previous addresses, phone number, and
year/month of birth.  Mother's maiden name is not included.  The source of
phone numbers is of particular interest.  Lexis-Nexis in their statements
has likened all this data to the telephone company "white pages", pointing
out that it is all based on publicly available information.  But the
definition of "publicly available" is very broad--much broader than most
people realize.  

Phone numbers in P-TRAK are *not* derived from telephone company (e.g. white
pages) information.  They are obtained from a variety of other sources,
notably data provided by businesses that have conducted transactions or other
business with a person, to whom that person may have provided their phone
number.  As such, unlisted (non-published) phone numbers *can* appear in
P-TRAK, since an unlisted designation only affects phone company records,
not all the other places where you have provided a number, probably with the
expectation that the number would not be provided to commercial databases!
There are no legal restrictions on the dissemination of such phone numbers,
even though many persons keep their phone numbers unlisted for quite valid
and serious reasons.

OK, let's say you've decided that you consider the information in P-TRAK to
be significant to you, and you want your record deleted.  First off, be
aware that it could take up to 60 days for a deletion to occur.  This is due
to the 30 day cycle on the database source; the deletion request needs to be
present long enough for a complete cycle to process.

Can you verify (for free) that a deletion has taken place?  No, not easily;
you need to pay for a regular P-TRAK search.  Previously there was a contact
person for verification of deletions, but due to the high volume of requests
that option is apparently no longer being offered.

Will you stay off the list once a deletion request has been processed?
Maybe.  It would seem to depend strongly on how much information you
provided with your original request.  If you provided a SS#, you probably
have a better chance of not finding yourself with a new record in a future
cycle due to non-identical name or address information appearing for you in
a future load of incoming data.  Do you want to provide your SS# with your
request for deletion?  That's a personal decision of course.

What if perchance you don't currently have a record in P-TRAK?  Will your
deletion request be held until a record does come in?  No, it will not.  If
you don't have a matching record at the time your deletion request is
processed, that request will be flushed, and if a record for you appears in
future data that record will enter the P-TRAK database.  There is no
mechanism present for a "permanent" deletion request that would deal with
such situations.

As noted above, the methods for requesting deletion have changed over the
last two weeks.  In fact, they've even changed in the few days since the
recording of the interview with Steven Emmert (a different fax number
and the re-establishment of voice requests on a new number).  So be
sure to use the information specified below, not the number that Mr. Emmert
provided during the interview.

The following is the most up-to-date information as of this writing, and
comes directly from my communications with Lexis-Nexis.  Here are your

Telephone (toll free): 1-888-965-3947
   Please note that this is a new number at Lexis-Nexis and 
   is not scheduled to be working until this Monday morning (9/23)
   Eastern Time.  It is currently scheduled to go to live operators,
   but if volume is very high it might be switched to voicemail.

FAX (toll free): 1-800-470-4365
   Again, this number is scheduled to become functional
   on the morning of 9/23, Eastern Time.

Mail: P-TRAK, P.O. Box 933, Dayton, OH 45401

Email: p-trak@prod.lexis-nexis.com

A web form for removal requests is also available at Lexis-Nexis
via http://www.lexis-nexis.com.  

The minimum information required to request removal is full name and mailing
address.  As noted above, Lexis-Nexis feels that the strongest likelihood of
a successful removal will occur when Social Security number is also provided.
The web form (as of this writing) doesn't request SS#, and you of course
should use your judgment about choosing to send your SS# in e-mail.  My own
recommendation would be to use the telephone or fax options.

By no means is P-TRAK the most onerous database of personal information
now available.  But I believe the furor that has erupted demonstrates
the deep-seated concerns that many people have with details of their
personal lives being collected and sold merely as "information
commodities", with the subject of that data having virtually no input
on how it will be used, or abused.

It's time for a detailed examination of what information should and should
not be considered to be "public", who should have access to that data, and
under what circumstances.  Some database companies themselves admit that this
is not an area that they can unilaterally address in any general way--they
have competitive concerns.  Only through serious legislative efforts can we
really begin working toward reasonable changes in the commercial database
field.  And we'd better get started now, unless we want the 21st century to
be a time when the word "privacy" becomes nothing more than an amusing
anachronism in the history books.


P.S.  Be sure to check out my audio interview with Steven Emmert of
      Lexis-Nexis on PRIVACY Forum Radio if you can.  Just follow
      the PRIVACY Forum links from http://www.vortex.com to
      PRIVACY Forum Radio.



End of PRIVACY Forum Digest 05.18

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH