TUCoPS :: Privacy :: priv_606.txt

Privacy Digest 6.06 5/15/97

PRIVACY Forum Digest      Thursday, 15 May 1997      Volume 06 : Issue 06

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                       ===== PRIVACY FORUM =====              

                 The PRIVACY Forum is supported in part by
                    the ACM (Association for Computing)     
	         Committee on Computers and Public Policy,      
          "internetMCI" (a service of the Data Services Division         
      of MCI Telecommunications Corporation), and Cisco Systems, Inc.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.

	Fingerprints required when cashing checks (Jeremy Grodberg)
	Video-Surveillance (Roger Clarke)
	DIAC '97 (Susan Evoy)
	National ID Card Measure Comes Before Congress (Monty Solomon)
	Lexis-Nexis Comments to Federal Trade Commission
	   (Lauren Weinstein; PRIVACY Forum Moderator)
	MC/VISA Comments to Federal Trade Commission
	   (Lauren Weinstein; PRIVACY Forum Moderator)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.


   Quote for the day:

	"I *am* the law."

		-- Judge Dredd (Sylvester Stallone)
		   "Judge Dredd" (Cinergi; 1995)


Date:    Sat, 19 Apr 1997 21:54:30 -0700 (PDT)
From:    jgro@netcom.com (Jeremy Grodberg)
Subject: Fingerprints required when cashing checks

While visiting my bank (Bank of America) I picked up a flyer titled "A
New Program Designed to Fight Check Fraud."  The new program?  If you
don't have an account with BofA, when you cash a check at BofA, you have to
put your fingerprint on the check.  The flyer claims this program has
been endorsed by the "California Bankers Association" and says
"Similar programs at several banks in other states have proved
effective (at preventing check fraud)."  

They minimize privacy concerns by saying that "the bank will not
maintain files of the prints nor will the prints be accessible to any
other company or agency unless the check proves to be fraudulent."

Of course that is not true, the prints will be accessible to whoever
wrote the check, presuming that they receive their canceled checks.

Their ultimate recommendation to solve the privacy problem is to open
an account with the BofA, then "this new check cashing procedure would
not apply to you."  That's what they said when people complained about
ATM access fees for non-depositors.

I'm not happy with this further encroachment on our privacy, but I
doubt there is anything I can do about it.  Anyone know the law
regarding banks cashing checks drawn on their accounts?  I'd think   
requiring fingerprints could be deemed an excessive burden, but what
do I know?

Jeremy Grodberg          

		[ I get quite a few queries on this topic.  People tend to
		  have a gut feeling that there is something "special" about
		  fingerprints--probably because of their common usage in
		  criminal investigations and identifications.  But in
		  reality, except in the few cases where specific laws say
		  otherwise, they are basically just another of the many
		  "biometric" identifiers that we will be seeing used in
		  great numbers.  There's nothing in most cases that I know
		  of preventing their storage, exchange, and sale through
		  private databases and their use in a wide variety of
		  commercial applications, including banking.  They are just
		  another of the many "information commodities" that are
		  largely unregulated.



Date:    Thu, 10 Apr 1997 11:19:14 +1000
From:    Roger Clarke <Roger.Clarke@anu.edu.au>
Subject: Video-Surveillance

There are a few studies of the privacy aspects of video-surveillance
around.  Tim Dixon's document on workplace surveillance for the N.S.W.
Privacy Committee a couple of years ago is the most valuable one that I
know ('Invisible Eyes', Report No. 76 of September 1995), C'tee page at:
and Simon Davies has done several papers and chapters too.  Unfortunately,
I don't think that any of those sources are up on the web.

David Brin (of sci-fi fame, especially 'Earth'), has the theory that
ubiquitous video-surveillance is inevitable.  He argues that the best
strategy is to subvert it, in particular by making the feeds from all
cameras publicly available in real time, and making sure that police
headquarters (and suchlike locations) have cameras as well as

Here's a news story from down under that tests David's theory.

On 7-8 April 1997, videos were shown on Australian TV News of action
outside a nightclub in Ipswich (west of Brisbane, Queensland), on 22 March.

Policemen are seen forcibly arresting several aboriginals.  This was
definitely not of Rodney King proportions, but (even allowing for the
mediocre quality of video-surveillance images), it's pretty clear that
undue force was used.  One, quite small woman (who didn't appear to be
resisting arrest) was gripped in a reverse headlock, and flung violently
backwards to the ground;  and a male is reported to have suffered what
appeared to have been a fit, and required ambulance attention.

The aboriginals were stated to have undertaken "a series of attacks"
(unquote the Queensland Police Commissioner) on USAF personnel who were
located in the area as part of a joint military exercise.

The persons involved in the action were four policemen and a private
security guard, plus two US servicemen in uniform who appeared (to my
no-longer-trained eye) as if they may have been military police.

Ipswich is the home town of a particularly high-profile and rather racist
member of parliament, and this was already enough to guarantee that the
clips would be newsworthy (her seat is called Oxley, and a local paper has
dubbed her 'the Oxley moron').  The involvement of (a) persons in military
uniform, (b) persons in a *foreign* military uniform, and (c) of all things
*American* military uniform, on Australian soil, made it a verrrrry
newsworthy event.

Anyway, the poignant thing was that "the tape was recorded under an
anti-crime program operated by the local council [lowest tier of
government, cf. a U.S. County] and was handed to police" (Sydney Morning
Herald, 8 April).  Not quite real-time;  but not ancient history either ...

[I haven't yet seen reported how the tape came into the hands of the media
- - but I'll bet that even the Queensland Police weren't stupid enough to
'feed the chooks', which is how a past-Premier of that State used to depict
the provision of information to the media].

Roger Clarke              http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 6 288 1472, and 288 6916     mailto:Roger.Clarke@anu.edu.au
Visiting Fellow,   Faculty of Engineering and Information Technology
The Australian National University     Canberra  ACT  0200 AUSTRALIA
Information Sciences Building Room 211        Tel:  +61  6  249 3666


Date:    Fri, 2 May 1997 23:28:10 -0700
From:    Susan Evoy <sevoy@Sunnyside.COM>
Subject: DIAC '97 

Community Needs and Cyber Challenges:

Activists Explore Connection in Seattle

Proceedings available NOW from CPSR!!

Add to the Resource Bank at 

Earlier this year -- while a typical Seattle rainstorm raged -- nearly 
400 computer professionals, librarians, journalists, government 
officials, business people, and community activists gathered face-to-
face to consider an increasingly tempestuous issue: How do 
cyberspace events, policies, and use affect what happens in the 
communities in which people live?

Cyberspace with its vast physical, financial, as well as emotional 
investment, represents a techno-social tidal wave of historic 
momentum.  How much of what we hear is realistic?  How much is 
hype? What opportunities -- and what challenges -- does the 
medium offer? And, most especially, how does it affect community, 
what Matthew Dumont has called the "gossamer network of 
mutual responsibilities."

The Computer Professionals for Social Responsibility "Community 
Space and Cyberspace: What's the Connection" conference asked a 
multitude of pointed questions like "What is *work* in cyberspace?  
How can we build up -- or tear down -- our existing non-electronic 
civic networks?  Is cyberspace an agora for rich and informed 
dialogue or is it an infinite echo chamber for monologists?

CPSR has gathered papers from the panelists and workshop 
conveners into a trenchant collection of critical ideas as well as 
pragmatic projects to help carry on the important work of inventing 
an informed and humanistic future.

Please check out web site to add your information as well as search 
the conference's on-line resource bank.  We encourage everybody -- 
whether you attended the conference or not -- to read the 
proceedings, contribute to the resource bank, and follow up on any 
of these ideas in your communities.

Conference web pages: http://www.scn.org/tech/diac-97
Add information to resource bank:  
Search the resource bank:  Available SOON!   Watch for this!

To order the DIAC '97 Proceedings for $18 (including postage), send check, 
VISA, or Mastercard information to:
CPSR, PO Box 717, Palo Alto, CA  94302  USA  
415-322-3778        415-322-4748 (fax)

> --
> Susan Evoy   *   Deputy Director                     
> http://www.cpsr.org/home.html    
> Computer Professionals for Social Responsibility
> P.O. Box 717  *  Palo Alto  *  CA *  94302         
> Phone: (415) 322-3778   *  Fax: (415) 322-4748    *  Email: evoy@cpsr.org 


Date:    Wed, 14 May 1997 22:15:42 -0400
From:    Monty Solomon <monty@roscom.COM>
Subject: National ID Card Measure Comes Before Congress

Excerpt from ACLU News 05-13-97

National ID Card Measure Comes Before Congress;
ACLU Urges Committee to Stop Big Brother

Tuesday, May 13, 1997

WASHINGTON -- The American Civil Liberties Union said today that a bill
introduced by Rep. Bill McCollum, Republican of Florida, would turn social
security cards into defacto national identification cards.

The House Subcommittee on Immigration is scheduled to hold hearings today on
McCollum's H.R. 231, which would require the Social Security Administration
to "harden" social security cards to make them "as secure against fraudulent
use as a U.S. passport."

"Other than turning the card into an identification document, there is no
reason to make the card like a U.S. passport," said ACLU Legislative Counsel
Gregory T. Nojeim.

"This bill means that Big Brother is knocking on our nation's door," Nojeim
added. "Our only hope is that Congress won't let him in."

A similar proposal was rejected when offered as an amendment to the
immigration bill Congress enacted last year.  That amendment failed on a vote
of 191-221 when the then-Commissioner of Social Security, Shirley S. Chater
pointed out that the SSA would have to put photographs on Social Security
cards to comply with the amendment.  Doing so would effectively turn the
Social Security Card into a photo-identification document similar to the U.S.
passport, Chater said in a March 19, 1996 letter to Congress.

The ACLU said that once "hardened," there would be no limit to the purposes
for which the government and businesses would demand to see the ID card. "The
card  would be demanded when you apply for a job, seek federal or state
benefits, board an airplane, check into a hotel, cash a check, purchase a gun
or ammunition, or open a bank account, and it would facilitate governmental
monitoring and control of these and dozens of other every-day transactions,"
Nojeim said.

The proposal is based on the hope that a Social Security Card that identifies
the holder could not be used for employment purposes by aliens who do not
have work authorization.  "The National ID Card will not solve the problem of
undocumented workers," Nojeim added.  

"The same employers who ignore the law today and illegally hire undocumented
workers at substandard wages without checking their immigration status will
continue to do so regardless of whether the government imposes a National
I.D. Card," he said.  "And the same people who produce fraudulent I.D.'s
today would produce fraudulent National I.D.'s tomorrow."

"Worse still," Nojeim said, "The National I.D. proposal further entrenches
employer sanctions  the cause of immigration-related employment
discrimination," Nojeim said, referring to a 1990 report by the General
Accounting Office that documented a "serious pattern of discrimination"
resulting from employer sanctions.


Date:    Thu, 15 May 97 15:08 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Lexis-Nexis Comments to Federal Trade Commission

Greetings.  Though it is a bit lengthy, I've included below the text of
comments that Steven Emmert of Lexis-Nexis filed in the ongoing FTC review of
databases and privacy issues.  It makes for interesting reading.  It's also
illuminating in this context to review earlier PRIVACY Forum materials on
this subject, including my "PRIVACY Forum Radio" interview with Mr. Emmert
from last year, which remains available via http://www.vortex.com (along
with all other PRIVACY Forum materials).


   Before the
   Federal Trade Commission
   Washington, D.C. 20580
   CONSUMER PRIVACY 1997--COMMENT, P954807 Steven Emmert, Corporate
   9443 Springboro Pike
   Miamisburg, OH 45342
   (937) 865-1472
   Ronald L. Plesser
   Emilio W. Cividanes
   James J. Halpert
   Piper & Marbury L.L.P.
   1200 Nineteenth, St. N.W.
   Washington, D.C. 20036
   (202) 861-3900
   Of Counsel
   Date: April 15, 1997
   LEXIS-NEXIS is pleased to respond to the Commission's Notice
   Requesting Public Comment and Announcing Public Workshop, 62 Fed. Reg.
   10271 (released March 6, 1997). LEXIS-NEXIS is a world leader in
   providing enhanced information services, online services, and
   management tools. We are the leading data base company for
   professionals, with a wide variety of products and services that help
   legal, business and government professionals collect, manage and use
   information more productively.
   Among LEXIS-NEXIS' many data bases are a wide variety of news article
   files, public record files, and two person locator files that contain
   identifying information about individuals. As discussed in our
   response to Question 1.9, these data bases are used for a wide range
   of productive and socially beneficial uses.
   The Commission's questions fail to differentiate between these very
   different types of data bases. As a preliminary matter, we emphasize
   that there are fundamental legal distinctions between these data base
   libraries, even though some files in each of these libraries afford
   the ability to find identifying information about individuals.
   LEXIS-NEXIS news libraries contain press articles. The public records
   data bases contain reproductions of federal, state and local
   government records. Content-based restrictions on access to or use of
   this information are subject to First Amendment protection.
   One of LEXIS-NEXIS' two person locator services, P-FIND, is based upon
   a combination of public records and telephone white pages information,
   which as such individuals have consented to place in the public
   domain. Finally, LEXIS-NEXIS' other person locator data base, P-TRAK,
   contains a truncated version of credit header information, which the
   Commission agreed to permit credit reporting agencies to sell pursuant
   to a 1993 amendment to the consent decree in FTC v. TRW, 784 F. Supp.
   361 (N.D. Tex. 1991). With the exception of our news files, this is
   the only LEXIS-NEXIS data base containing individual identifying
   information that is not based in whole or in part on public records or
   press reports.
   Furthermore, none of the data displayed in LEXIS-NEXIS data bases in
   the context of our services should be considered "sensitive" within
   the meaning of the introduction in the Commission's Notice regarding
   the Workshop. See 62 Fed. Reg. 10271, 10272. Most of the information
   originates from public records that may be freely obtained in
   government offices. Other information is substantially similar to
   information contained in current and former telephone white pages
   directories on file in many public libraries. The additional
   information in the P-TRAK data base, which comes from credit header
   information, is restricted so as not to display social security number
   or the individual's actual date of birth. Moreover, to the best of our
   knowledge the P-TRAK and P-FIND data bases do not contain information
   regarding persons identified as being under age 18.
   Information Collection and Use
   1.2 What information is contained in the data bases? Please provide
   specific examples. 
   1.3 What is the source of the information in the data bases? 
   LEXIS-NEXIS has two person locator data bases, P-TRAK and P-FIND, as
   well as a variety of public records data bases and news article data
   bases, some of which contain identifying information that relates to
   P-TRAK and P-FIND are enhanced electronic white page-type directories.
   P-TRAK files contain an individual's name and address, and may contain
   up to two prior addresses, year and month of birth, a local phone
   number (without area code), and other names used by the individual,
   such as a maiden name. In addition, for a substantial majority of
   records, searches may be conducted using a social security number,
   although social security numbers are never displayed. Even if a search
   is conducted using the individual's social security number, that
   number is not displayed. The source of the information in P-TRAK is
   credit header information.
   P-FIND files contain an individual's name, address, telephone number,
   the year the individual was first listed in the telephone book at the
   present address, census data on the median home value of the census
   tract in which the individual lives, an evaluation of the probability
   that the individual is a homeowner, and the names of other adults
   believed to reside at the listed address. The month and year of birth
   of the individual and other adults living at the same address may also
   be included in the files. P-FIND files are provided to LEXIS-NEXIS by
   a third party, and are compiled from telephone white pages
   information, aggregate census tract data, and public record sources.
   In addition, LEXIS-NEXIS' public records data bases, available
   separately on our system, include a variety of information made
   available to the public by federal, state and local governments, such
   as professional license records, civil and criminal court records,
   real property records, bankruptcy and lien records, records of
   incorporation, vehicle and boat registration records, and Federal
   Election Commission filings. Most public record information is
   obtained by LEXIS-NEXIS directly from the government custodian of the
   LEXIS-NEXIS news data bases also contain articles with a variety of
   identifying information about individuals.
   1.7 Who has access to the information in the data bases?
   Only LEXIS-NEXIS subscribers with a valid contract with LEXIS-NEXIS,
   proprietary software from our company, and a confidential subscriber
   identification number have access to the information in P-TRAK.
   Subscribers under deeply discounted pricing plans, such as law
   schools, do not receive access to the information in P-TRAK, P-FIND
   and the ASSETS real estate public records data base.
   1.9 What are the uses of the information in the data bases? Are there
   beneficial uses of the information in these data bases? If so, please
   describe. Are there risks associated with the compilation, sale, and
   use of this information? If so, please describe. 
   A. Benefits
   LEXIS-NEXIS' person locator and public records data bases serve a
   variety of important, socially productive functions, a few of which
   are discussed as part of this answer. We emphasize that the public
   records data bases in many cases advance the important First Amendment
   function of permitting citizens to obtain information about the
   operations of their government. In addition, the public records data
   bases typically advance the purpose for which the government in
   question has placed them in the public domain. For example, online
   availability of land records and lien records makes it easier and
   faster to verify title as part of the purchase of a new home.
   A few beneficial uses are discussed below in greater detail.
   LEXIS-NEXIS would be happy to assist the Commission in locating users
   of our services who would testify as witnesses at the Workshop
   addressing the beneficial uses of the person locator and public record
   data bases.
   1. Child Support Enforcement
   LEXIS-NEXIS' person locator and public records data bases are very
   helpful in tracking down the hardest-to-find "deadbeat parents" who
   have refused to pay child support. In this way, these services can
   advance personal responsibility, give much-needed income to divorced
   parents and their children, help to free families from welfare
   dependency, and provide a source of additional revenue and a reduction
   in expenses for state welfare programs.
   For example, when a non-custodial parent leaves a state's
   jurisdiction, the custodial parent usually bears sole responsibility
   for collecting court-ordered child support. By using P-TRAK to search
   on the ex-spouse's social security number, a lawyer for the custodial
   parent or a government employee charged with child support enforcement
   can locate the non-custodial parent quickly, even though he or she may
   be actively disguising his or her identity.
   For governments, locator services are likely to play an important role
   in making welfare reform a success at a time of tightening state
   budgets. Congress recognized the importance of locator data bases in
   enacting the 1996 Welfare Reform Act, which expands use of the Federal
   Parent Locator Service to enforce child support orders and directs the
   states to establish state data bases. Commercial locator services can
   play an important role in supplementing and filling gaps in this
   important federal data base, as well as in furnishing information for
   the state locator data bases.
   2. Uniting Separated Families
   P-TRAK, P-FIND and similar commercial locator data bases permit law
   enforcement personnel, lawyers for parents or children, and advocates
   for children to reunite family members. For example, customers have
   informed us of cases where they have used P-TRAK to reunite brothers
   who were separated for 17 years, and public records data bases to help
   a state agency locate a 10-year-old child's aunt who at his request
   adopted him, avoiding the need to place him in foster care.
   3. Locating Heirs To Estates
   Social security numbers are often included in wills to offer
   assistance in locating beneficiaries. Commercial locator services
   offer a cost-effective means for the estate's attorney/executor to
   locate the heirs even if decades have transpired since the will's
   execution, heirs and witnesses have relocated or married and changed
   their names, etc. In one case,
   P-TRAK was used to help locate a destitute Montana farmer who received
   a $4 million inheritance.
   4. Pension Fund Beneficiaries
   Pensions provide important supplemental income that permits millions
   of elderly Americans to continue to live a comfortable existence after
   retirement. Yet every year, thousands of pension fund beneficiaries
   are unable to receive pensions owed to them because the trustee or
   administrator of the fund is unable to locate them. Commercial locator
   data bases, such as P-TRAK and P-FIND, are used to help solve this
   problem by providing an effective and simple way for the trustee or
   administrator -- who has the Social Security Number of the former
   employee on tax records, even though decades may have passed since the
   beneficiary left the company -- to make sure that beneficiaries
   receive pension money owed to them. Indeed, federal law requires the
   administrators of certain plans to use commercial locator services to
   search for missing plan participants. See 29 C.F.R. ' 4050.4(B)(3)
   (July 1, 1996).
   5. Locating Trial Witnesses, and Aiding Investigations and Criminal
   Another significant use of P-TRAK and P-FIND is to help locate
   uninsured motorists, eyewitnesses to accidents, and other witnesses
   for civil litigation. For example, personal injury cases often take
   years to go to trial because they are usually filed one or more years
   after the accident, delayed in the judicial process, and compete for
   time on crowded judicial dockets. This means that in many cases
   attorneys have an "old" address for a witness. By using P-TRAK to
   search by name and prior address, these witnesses can be found years
   after the accident.
   P-TRAK and P-FIND provide important tools to law enforcement officials
   for criminal investigations and prosecutions because they are ideally
   suited for tracking witnesses and investigative targets efficiently.
   Up-to-date information from these services has permitted law
   enforcement officials to locate and arrest significant numbers of
   hard-to-find criminals who often move and assume different names in
   efforts to evade capture. The services have likewise assisted law
   enforcement in locating witnesses to crimes, in advancing criminal
   investigations and in trial preparation. In addition, LEXIS-NEXIS'
   public records products are used by law enforcement to track
   criminals' commercial activities, such as land purchases,
   incorporation of corporate "front companies," and to learn of
   criminals' assets in preparation for criminal prosecutions or civil
   forfeiture actions.
   LEXIS-NEXIS' public record products have a variety of uses in civil
   litigation, including negotiating more equitable settlements (in light
   of prior verdicts in a jurisdiction), identifying real parties in
   interest in a dispute, ascertaining bias of witnesses who have a
   financial interest in a litigation, assessing business assets and
   liabilities, and assisting in service of process on corporations.
   6. Tracing the Influence of Money in Politics
   Public record products perform an important function in advancing the
   transparency of government operations. A leading example is
   LEXIS-NEXIS' data base of FEC filings, which affords the press and
   government watchdog groups, including Common Cause, as well as
   political parties themselves, easy access and flexible search capacity
   to review records of federal political campaign contributions. The
   data base has also been used in political corruption investigations.
   Moreover, both the Democratic National Committee and Republic National
   Committee use LEXIS-NEXIS press articles and our public records data
   bases as a cost-effective way to run checks on political contributors.
   Indeed, the DNC recently resumed use of these data bases for this
   B. Risks
   While LEXIS-NEXIS knows of many beneficial uses of its data bases
   containing individual identifying information, it is not aware of any
   instance of improper use of its data bases containing personal
   identifying information that raises privacy concerns. For reasons
   explained in the answers to Questions 1.10, 1.11 and 1.12 below,
   LEXIS-NEXIS does not believe that there are any appreciable risks
   associated with use of these data bases in light of the information
   contained in the data bases and LEXIS-NEXIS' policies governing the
   data bases.
   1.10 Do these data bases create an undue potential for theft of
   consumers' credit identities? How is such potential for theft
   created? Please provide specific examples. What is the extent to
   which these data bases (as opposed to other means) contribute to
   consumer identity theft? Is this likely to change in the future? If
   so, please describe. 
   While LEXIS-NEXIS cannot speak to all data bases containing personal
   identifying information, we believe that our own data bases do not
   pose an appreciable risk of identity fraud. LEXIS-NEXIS is aware of no
   instance in which any of these data bases has been used to commit
   identity theft. Conversely, we are aware of a number of instances in
   which our data bases have been used in uncovering identity fraud and
   tracking white collar criminals.
   Indeed, to date no evidence has been presented of actual use of an
   online data base in perpetration of identity fraud. Significantly, the
   Federal Reserve Board ("the Fed") recently examined whether data bases
   containing sensitive personal identifying information pose a risk of
   fraud to federally insured banking institutions. In the course of this
   study, the Fed examined the relationship between data bases containing
   sensitive information and the problem of identity fraud. It actively
   solicited evidence of identity fraud stemming from use of these data
   bases, and received comments from over one hundred commenters, among
   them consumer advocates, state consumer protection agencies, credit
   card companies, and banks and credit unions. Not one commenter offered
   any specific evidence of use of such a data base for identity fraud.
   Accordingly, the Fed, while expressing concern about identity fraud,
   found that "There is little 'hard' evidence on how fraud due to the
   usage of sensitive information occurs, the frequency with which it
   occurs, or the amount of associated losses." Board of Governors of the
   Federal Reserve System, Report to the Congress Concerning the
   Availability of Consumer Identifying Information and Financial Fraud,
   at 21 (March, 1997).
   In contrast, the Fed Report strongly suggested that illegal means of
   acquiring information to commit identity fraud are the real problem.
   The Report noted that "unlawful access to sensitive information may
   often be the precursor to this type of fraud." It also added that "The
   number of ways in which a person can illegally obtain information that
   will enable fraud to be committed is virtually limitless." Id. at 18 &
   Based upon our knowledge of the subject to date, most credit fraud is
   perpetrated by obtaining unauthorized access to below-the-line credit
   report information, by stealing credit card numbers, or by
   intercepting a credit card application, then filling out the
   application in the name of the person to whom the application was
   P-TRAK is of virtually no use for any of these approaches because it
   contains no financial information, does not reveal a social security
   number to someone who searches on an individual's name, address, etc.,
   and does not reveal an individual's date of birth. LEXIS-NEXIS has
   decided not to display individuals' social security numbers ("SSNs"),
   while permitting searches by social security number by users who
   already know the SSN of the individual they are looking for.(2)
   Moreover, P-TRAK does not contain individuals' actual birth dates --
   only their month and year of birth. The policy of not displaying SSNs,
   the limited content in the data base, the product's per-search cost,
   and its limited availability make such abuse highly unlikely.
   P-FIND simply furnishes telephone white pages information, plus some
   aggregate data on the individual's neighborhood and the likelihood
   that the individual is a homeowner, and possibly the individual's
   month and year of birth. This limited information can be obtained
   through other means -- for example, by examining a telephone directory
   and one or two public records on file with government agencies or
   posted on the Internet. Far more detailed, highly sensitive
   information can be obtained through either authorized or unauthorized
   access to the same individual's credit report.
   Far from presenting a risk of crime, P-TRAK, P-FIND and LEXIS-NEXIS'
   public records data bases are used to prevent and to track crime by
   law enforcement agencies. In fact, P-TRAK has been used to prevent
   fraud -- both in finding white collar criminals and in revealing that
   someone else is using an individual's social security number or other
   identifying information. For example, by searching on their social
   security number using P-TRAK, identity fraud victims have discovered
   that another person has obtained credit at a different address using
   their name and social security number.
   P-TRAK has been the subject of distorted rumors that emerged on the
   Internet in September 1996 alleging that it displays information --
   including mother's maiden name, social security number, credit card
   and bank account numbers -- useful for perpetrating identity fraud. In
   reality, P-TRAK displays none of this information.
   LEXIS-NEXIS would be happy to assist the Commission in locating a
   witness with law enforcement expertise who is familiar with problem of
   identity fraud and with the sorts of data bases that are the subject
   of this Notice and Workshop I.
   1.11 How do the risks of the collection, compilation, sale, and use of
   this information compare with the benefits?
   The concrete, demonstrable benefits of the sale and use of the
   information in LEXIS-NEXIS data bases discussed in response to
   Question 1.9 far outweigh the largely theoretical risks associated
   with the sale and use of this information discussed in response to
   Question 1.10.
   Indeed, eliminating availability of information such as prior
   addresses or social security number search functions from these data
   bases would likely leave consumers more, rather than less exposed, to
   white collar criminal activity. It would deprive law enforcement of a
   significant tool to fight such fraud, and would make it more difficult
   to uncover such fraud and to prosecute civil enforcement actions
   against such criminals because of difficulty finding the defendants,
   their assets, and witnesses to their crimes.
   1.12 Are there means that are currently available to address the
   risks, if any, posed by these data bases? If so, please describe.
   On its own initiative -- months before P-TRAK became the subject of
   false Internet rumors -- LEXIS-NEXIS worked with its data supplier to
   adopt several measures which further reduce the remote risk that the
   product would be used for an improper purpose. As noted in response to
   Question 1.10, the product does not display individuals' dates of
   birth or social security numbers. In addition, upon written or
   electronic request of an individual, LEXIS-NEXIS will remove from
   P-TRAK any record of the individual that matches or corresponds to the
   request. Finally, LEXIS-NEXIS works with its data suppliers to remove
   the records of all individuals identifiable as minors from the P-TRAK
   and P-FIND data bases.(3)
   1.17 How should the benefits of the collection, compilation, sale, and
   use of information from these data bases be balanced against privacy
   or other legal interests implicated by such practices? Are there
   other ways to obtain these benefits without implicating privacy or
   other legal interests? If so, please describe.
   The benefits of sale and use of information from these data bases can
   be balanced against corresponding privacy interests through
   responsible industry action. LEXIS-NEXIS actively embraces policies
   that it believes strike the proper balance between these interests:
   Delivering the vast majority of its services via a proprietary online
   data base with safeguards to protect against unauthorized access
   No display of social security numbers or dates of birth in its P-TRAK
   data base
   No display of information about persons identified as minors in
   locator service documents
   No display of personal medical information(4) or "below-the-line"
   credit report information
   In response to an individual's request, LEXIS-NEXIS will remove from
   the P-TRAK data base any record that matches or corresponds to the
   individual's request.
   Strict security measures to maintain the integrity of the data bases
   A good example of such balance is LEXIS-NEXIS' policy of offering
   users who already know a social security number the ability to search
   by that number, but never displaying a social security number on the
   P-TRAK data base. This search capability is of enormous importance to
   the effectiveness of P-TRAK, as well as to the social benefits that
   flow from use of the product. Social security number searches play an
   invaluable role in helping to locate individuals such as child support
   obligors, heirs to wills, pension fund beneficiaries, and missing
   children -- whose social security numbers are often known by the
   person seeking them. By affording SSN search capability, but not SSN
   display, P-TRAK offers substantial protection of individual privacy
   interests without sacrificing the important benefits that flow from
   the product.
   LEXIS-NEXIS has taken a leadership role in the data base industry in
   developing such a balance. Our industry is working presently to
   achieve broader industry consensus on responsible industry action.
   1.27 Have data base operators undertaken self-regulatory efforts to
   address concerns raised by the collection, compilation, sale, and use
   of sensitive consumer identifying information?
   LEXIS-NEXIS has adopted internal privacy policies discussed in
   response to Question 1.17, and is in the final stages of codifying
   these policies in information guidelines.
   Furthermore, LEXIS-NEXIS is working with other data base companies and
   with industry associations to explore ideas for self-regulation.
   LEXIS-NEXIS hopes that these discussions will prove fruitful.
   3.12 What steps have children's commercial Web site operators taken
   since June 1996 to address children's online privacy issues? To what
   extent have they adopted the principles outlined in the following
   documents submitted at the June 1996 Workshop: (1) the Joint
   Statement on Children's Marketing Issues presented by the Direct
   Marketing Association and Interactive Services Association; (2)
   Self-Regulation Proposal for the Children's Internet Industry
   presented by Ingenius, Yahoo and Internet Profiles Corporation; and
   (3) Proposed Guidelines presented by the Center for Media Education
   and Consumer Federation of America? 
   LEXIS-NEXIS has voluntarily worked with its data supplier to remove
   records of all persons identified as minors from the P-TRAK data base.
   1. See, e.g., In the Matter of Consumer Identity Fraud Meeting at 12,
   20-21, 21-22, 47-48 (August 20, 1996) (testimony before the Commission
   discussing the ease with which identity fraud may be committed through
   obtaining an individual's credit report through an auto dealership,
   stealing a credit card and filing a fraudulent credit card change of
   address request, and through intercepting pre-approved credit card
   2. P-TRAK displayed SSNs for the first ten days the product was
   available, from June 1 until June 10, 1996. Thereafter, P-TRAK has not
   displayed SSNs.
   3. A small number of older minors may have credit accounts, and would
   therefore otherwise have identifying information entered in the P-TRAK
   data base but for these measures.
   4. Personal medical information is on occasion published in press
   reports and judicial decisions. However, LEXIS-NEXIS does not
   distribute any confidential medical information.


Date:    Thu, 15 May 97 15:08 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: MC/VISA Comments to Federal Trade Commission

Included below is another comment text from the FTC database/privacy
proceedings, this one from MasterCard International Inc. and VISA U.S.A. Inc.



   April 15, 1997
   Writer's Direct Dial Number
   (202) 887-1566
   By Hand Delivery
   Federal Trade Commission
   Room H-159
   Sixth Street & Pennsylvania Avenue, N.W.
   Washington, D.C. 20580
   Re: Data Base Study -- Comment, P974806
   Dear Mr. Secretary:
   This comment letter is submitted on behalf of MasterCard International
   Incorporated ("MasterCard")(1) and VISA U.S.A. Inc. ("VISA")(2) in
   response to the proposed Federal Trade Commission ("FTC") study of
   computerized data bases containing sensitive consumer identifying
   information ("FTC Study"). VISA and MasterCard thank the FTC for the
   opportunity to comment on the FTC Study.
   Genesis of the FTC Study
   The genesis of the FTC Study was a letter to the FTC from Senator
   Bryan, Senator Hollings, and then-Senator Pressler, which requested
   the FTC to conduct a study of "possible violations of consumer privacy
   rights by companies that operate computer data bases."(3)
   More specifically, the letter requested that the FTC investigate the
   "compilation, sale, and usage of electronically transmitted data bases
   that include identifiable personal information of private citizens
   without their knowledge."(4)
   The Senators' request arose in the context of the public focus on the
   LEXIS "P-Trak" "look-up" service, which was spawned by a spate of
   Internet messages and national news media stories about the types of
   consumer information that were then available on the P-Trak service.
   In addition to giving rise to the request for the FTC Study, the
   public focus also caused LEXIS to limit the types of consumer
   information available through P-Trak.
   Congress, as a whole, responded to the P-Trak issue by including a
   provision in the Economic Growth and Regulatory Paperwork Reduction
   Act of 1996 that directed the Federal Reserve Board ("FRB"), in
   consultation with the FTC and other federal banking agencies, to
   conduct a study assessing the undue potential for fraud and risk of
   loss to insured depository institutions from the activities of
   companies engaged in the business of making "sensitive consumer
   identification information" available to the general public ("FRB
   Under this provision, "sensitive consumer identification information"
   included social security numbers, mothers' maiden names, prior
   addresses, and dates of birth. Importantly, in enacting this
   provision, Congress exempted from the FRB Study entities that are
   subject to the Fair Credit Reporting Act ("FCRA")(6) as consumer
   reporting agencies.
   Scope and Purpose of the FTC Study
   The Supplementary Information to the FTC Study states that the FTC
   Study will include consideration of the collection, compilation, sale
   and use of computerized data bases that contain what consumers may
   perceive to be sensitive identifying information.(7)
   Given the context in which the Senators' request for the FTC Study
   arose -- as well as the clear statement of Congressional intent
   embodied in the limitation of the scope and purpose of the FRB
   Study -- it is appropriate that the FTC has limited the study to
   so-called "look-up services." In order to maximize public benefit and
   efficiency, we urge that the focus of the FTC Study be further
   narrowed to specifically assess whether there are companies that
   disseminate sensitive consumer identifying information in a manner
   that could create opportunities for fraud. It is the use of such
   information for fraud purposes that raises the greatest concern and,
   as a result, was the focus of Congressional legislative action.
   Activities that may involve consumer information but do not give rise
   to fraud risks should be excluded from the scope of the FTC Study. For
   example, the FTC Study should explicitly exclude companies using
   consumer identifying information to communicate data between one
   another, such as those in which entities within a corporate family use
   consumer identifying information to share information on their
   customers. This approach is consistent with the Supplementary
   Information which indicates that the FTC Study will not address data
   bases used primarily for direct marketing purposes, medical and
   student records, or the use of consumer credit reports for employment
   It is also appropriate because Congress recently addressed affiliate
   sharing of information in the same legislation that requested the FRB
   Definition of Sensitive Consumer Identifying Information
   The Supplementary Information to the FTC Study states that sensitive
   consumer identifying information may include some or all of the
   following: social security numbers, mothers' maiden names, prior
   addresses, and dates of birth.(9)
   For purposes of the FTC Study, VISA and MasterCard believe that this
   definition of sensitive consumer identifying information is
   appropriate and need not be expanded. In this regard, it is our
   understanding that financial institutions principally rely on social
   security numbers, dates of birth, mothers' maiden names and prior
   addresses when ascertaining and verifying the identity of consumers or
   providing consumers with access to their records.
   The FTC also requested comment on information that might be used in
   the future to identify consumers. MasterCard and VISA urge the FTC to
   adopt a definition of sensitive consumer identifying information that
   is based on current practices and not on predictions of future
   practices. New consumer identification methods such as those utilizing
   finger minutiae, voice analysis, iris scan and other biometric systems
   are in various stages of development, testing and evaluation by
   financial institutions and other private and public organizations.
   While it is expected that one or more of these new technologies may be
   used in the future to further refine consumer identification
   procedures, these technologies are not yet commonly used. VISA and
   MasterCard caution that if the FTC Study or its related
   recommendations are overly broad, they could have a counterproductive,
   chilling effect on the development of these or other consumer
   identification technologies that might otherwise enhance risk
   management and financial privacy in the future.
   Dissemination of Sensitive Consumer Identifying Information
   MasterCard and VISA have long been concerned about, and have worked
   diligently to address, the risks presented by credit card fraud and
   similar types of financial fraud. In our experience, where consumer
   information has been used to commit financial fraud, the information
   is generally obtained illegally -- by stealing U.S. Mail or a wallet
   or purse, improperly removing information from consumer files and,
   more recently, through illegal access to computer files. Additional
   restrictions on the flow of information would be unlikely to address
   these issues. Much greater benefits would be derived from increased
   resources for law enforcement in this area.
   Structure of the Public Workshop
   Finally, MasterCard and VISA commend the FTC for separately addressing
   issues associated with computerized data bases containing sensitive
   consumer identifying information from issues associated with consumer
   online privacy and the Bureau of Consumer Protection's June 1996
   Public Workshop on Consumer Privacy on the Global Information
   Infrastructure. In particular, we support the FTC's proposed structure
   for the Public Workshop, in which Session One addresses computerized
   data bases and Sessions Two and Three address consumer online privacy
   issues. Such a structure more efficiently facilitates substantive
   discussion of these important topics. We urge the FTC to continue
   addressing these issues separately.
   * * * * *
   Once again, VISA and MasterCard appreciate the opportunity to comment
   on the FTC Study, and we hope that these comments are helpful. If you
   have any questions concerning these comments, or if we can otherwise
   be of assistance in connection with this matter, please do not
   hesitate to contact me at the number indicated above, Michael F.
   McEneney, at (202) 887-1568, or Clarke D. Camper, at (202) 887-8793.
   Sincerely yours,
   L. Richard Fischer
   Enclosure: Comment Letter in the Microsoft Word 6.0 format on 3 1/2
   inch diskette
   Russell W. Schrader, VISA U.S.A. Inc.
   Miriam L. Wahrman, MasterCard International Incorporated
   Michael F. McEneney
   Clarke D. Camper
   1. MasterCard is a membership organization comprised of financial
   institutions which are licensed to use the MasterCard service marks in
   connection with payment systems, including credit, debit and
   stored-value cards.
   2. VISA is a membership association comprised of financial
   institutions in the United States which are licensed to use the VISA
   service marks in connection with payments systems, including credit,
   debit and stored-value cards.
   3. Letter from Senator Bryan, Senator Hollings, and Senator Pressler
   to the FTC (Oct. 8, 1996).
   4. Id.
   5. Pub. Law No. 104-208, ' 2422 (1996).
   6. 15 U.S.C. ' 1681 et seq. 
   7. 62 Fed. Reg. 10,272 (1997).
   8. Id.
   9. Id.


End of PRIVACY Forum Digest 06.06

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH