|15 April 1997
Re: Data Base Study -- Comment, P974806
Dear Mr. Secretary:
Attached are comments of the National Retail Federation ("NRF") with respect to selected questions propounded for Session One ("Computerized Data Bases Containing Sensitive Consumer Identifying Information") of the Public Workshop on Consumer Information Privacy to be held by the Commission on June 10, 1997. Please place these responses on the public record for consideration in conjunction with the Commission's deliberations and our request for participation in the Workshop.
Question 1.4: What information is currently used to identify individuals? What types of information might be used to identify individuals in the future?
Comment: Identity information currently used includes driver's license (or non-driver's license ID) number, date of birth, social security number, financial account and personal identification number ("PIN number"), transactional information, addresses and telephone number(s) and names, including mothers' maiden names. Less specific elements are often used in combination, rather than singly, to effect an identification. In the future, biometrics such as thumbprint, voice and eye scans or scent also may be used.
Questions 1.5: Do the data bases contain identifying information that consumers regard as sensitive? What identifying information is considered to be sensitive? Why is such information regarded as sensitive? Please provide specific examples.
Comment: Questions 1.5 (sensitive data) and 1.6 (non-sensitive data) are two sides of the same coin. Objectively, we know of no information that is always sensitive or always non-sensitive. The characterization turns on expectations of privacy. By way of simple example, a celebrity seeking publicity could consider widespread dissemination by third persons of her likeness and activities not only non-sensitive, but an actual boon to her career. However, the same celebrity seeking solitude or seclusion could consider an identical data dissemination to be an insensitive invasion of her privacy.
The study seeks to determine whether there is sensitive consumer identification information within data bases. In this instance, by "sensitive" we assume it is meant information generally needed in order to greatly compromise an individual's reasonable expectations of privacy surreptitiously: either generally, such as by gathering (and possibly disseminating) detailed information about an individual, that the person ordinarily would share only with a trusted few; or specifically, such as by initiating fraudulent credit accounts or possibly accomplishing fraudulent credit transactions in the individual's name. Among the most sensitive data from those perspectives would be social security numbers, existing account and PIN number information, as well as name, place and date of birth information. Of secondary importance would be data such as prior addresses and mothers' maiden names.
We would caution the Commission not to place too great a reliance on the term "sensitive consumer identification information" -- or the identification of specific data as requiring special treatment. The concept of sensitive consumer identification information is something of an artificial construct. A digital code, such as a social security number, is no more "sensitive" than is a unique individual name made up of, say, nineteen letters. Both allow one to denote, with specificity, a particular person. Both could be assumed by a person to whom they were not legally given. And both could be used to research additional information about, or to commit fraud upon, unsuspecting companies or individuals. No greater legislative or regulatory protection should be provided to a unique identifying number or other characteristic, simply because it is denominated as "sensitive consumer identifying information," than would be provided to a comparably unique name. Furthermore, from a fraud perspective, no single piece of information, standing alone, should be considered sensitive. The risk of fraud generally arises only when such data is used in combination.
Questions 1.6: Do the data bases contain identifying information that consumers regard as non-sensitive? What identifying information is considered to be non-sensitive? Why is such information regarded as non-sensitive? Please provide specific examples.
Comment: See NRF response to Question 1.5.
Question 1.9: What are the uses of the information in the data bases? Are there beneficial uses of the information in these data bases? If so, please describe. Are there risks associated with the compilation, sale, and use of this information? If so, please describe.
Comment: There are many legitimate uses for such information. For example, from financial and identity theft perspectives, information from these data bases is used to contact individuals and to confirm their identities: these uses help credit grantors detect and limit potential fraud.
Question 1.10: Do these data bases create an undue potential for theft of consumers' identities? How is such potential for theft created? Please provide specific examples. What is the extent to which these data bases (as opposed to other means) contribute to consumer identity theft? Is this likely to change in the future? If so, please describe.
Comment: Unscrupulous use of information in some data bases may make it easier for the persons to accomplish a theft of credit identity. However, data bases are merely one means to that end and may not be as valuable a tool as a stolen wallet, or information recovered from a trash can, for example. On the other hand, the information has great value to retail credit grantors who use information from multiple sources to flag fraudulent activity. Increased future access by greater numbers of persons to such data would heighten the risk if industry were not simultaneously developing tools to circumscribe the use of information obtained by bad actors.
By focusing too closely on the issue of identity theft one risks ignoring the broader beneficial uses of these data bases. Admittedly their existence creates a potential for theft, just as a telephone directory and a street map create a potential for sophisticated burglary. But the thief in both instances must be willing to undertake criminal activities that far transcend the mere accessing of information. In short, the risk exists, but other significant social and economic benefits of the information also must be considered.
Question 1.13: What means might be considered in the future to address any risks posed by these data bases? What impact will potential solutions have on the beneficial uses of these data bases?
Comment: Both access to data and adverse secondary uses to which data might be put, such as identity theft, could be limited by encryption, digital signatures, very strong access controls and/or new biometric personal identifiers. The use of such identifiers may themselves raise privacy considerations.
Question 1.15: Are consumers' privacy interests implicated by the collection, compilation, sale, and use of information from these data bases? If so, please describe. Are other legal interests implicated? If so, please describe.
Comment: Implication of privacy interests is not the same as expectation of privacy and not all expectations of privacy are reasonable. Whether consumers' privacy interests are implicated is dependent upon the manner in which the information is disseminated; how the information came to be collected; the purpose(s) for which those accessing the information plan to use it; and the privacy sensitivity and sophistication of the consumers who are the subject of that use.
Considering these in reverse order, as was suggested in the Comment to Question 1.5, an individual's expectation of privacy will vary depending upon the transitory desires of the subject of the information. Individuals' knowledge as to the nature of information flows also modifies their expectations as to its privacy. Thus, outside of certain extremes, a general expectation of privacy is not fixed.
Expectations as to the manner in which the information might be used is an important consideration. For example, a young person who freely shares his or her academic performance with friends or even casual acquaintances, might be reluctant to do the same in the presence of his or her employer.
Individuals' efforts to guard against the release of information will vary widely depending on the perceived confidentiality of the information involved, and what information, if any, they wish to have passed on. For example, some individuals may intentionally choose to release misinformation to everyone (e.g. as to their income) except those persons with a legal or other perceived "need to know." If one of these latter persons should release the correct information to a publicly available data base, the individuals may feel that their privacy interests have been implicated and reasonable expectations violated.
Finally, the manner in which the information is disseminated may counter individuals' privacy expectations. A criss-cross street directory is a book that allows one to determine who lives at a particular address by looking up the person's house number. The information is the same as that in a standard telephone directory. Yet it may surprise some individuals that their names could be located in that manner, even though their addresses and names are listed in the phone book. It may not have occurred to them that anyone would undertake the effort to compile and arrange data in such a fashion. Thus, while privacy interests may be implicated, their expectations as to the privacy of the data are based on outmoded assumptions.
Question 1.16: Are there means to address any privacy or other legal interests implicated by the collection, compilation, sale and use of information from these data bases? If so, please describe.
Comment: To the extent the privacy implications are based on individuals' surprise reaction to the ability of publicly available data to be reassembled in an unexpected manner, the only answer is to allow individuals to remove their names from public sources where doing so does not undermine the legal or any other important public policy purposes for which the public record was created.
Question 1.17: How should the benefits of the collection, compilation, sale, and use of information from these data base be balanced against privacy or other legal interest implicated by such practices? Are there other ways to obtain these benefits without implicating privacy or other legal interests? If so, please describe.
Comment: To the extent the underlying information is publicly available there are two costs/benefit equations to consider: the cost of compromising the societal purpose for which the data is made publicly available; and the cost of accomplishing (or undermining) the goal(s) which the collection, compilation, sale and use make possible in the absence of the data. The former depends on a case by case assessment of the purpose. As to the latter, it is impossible to quantify all of the costs and benefits of more ready available information, or the loss in perceived privacy it entails. It is a balance in which economic costs and benefits are a factor, but not necessarily the predominate factor, in the analysis. Social costs and benefits may weigh as heavily.
Consider, for example, locator information. In the absence of a look up service, one could still locate an individual who had moved to an obscure place, but the time and economic costs of hiring private detectives, or reviewing directories in every potential new locale, is high. One would undertake such an effort only if the purpose for which the individual being sought was extraordinarily important. This meant that the relocated individual had a "de facto" expectation of privacy as to his or her whereabouts. The expectation resulted from the fact that high costs acted as a substantial barrier to discovery. However, the same privacy implications arise from a successful laborious search as exist with a look up service. Of course, the existence of an economical look up service means that individuals are more likely to be sought and found for a greater variety of purposes. Whether this is a benefit or a cost ultimately is a social judgment. It does, however, represent a change in longstanding expectations.
The ability of individuals to "disappear" and start life anew (which in some senses is analogous to the ability of individuals to declare bankruptcy) is a part of our social fabric. It traditionally has been treated as an extraordinary occurrence, not to be encouraged lightly, because of the hardships it can impose on others. In the past, those who chose to relocate also encountered significant hardships. Thus, there was rough parity between the effort involved in accomplishing their disappearance and the effort involved in discovering their new location. To the extent technology has made relocation less difficult, it also has correspondingly lowered the cost of rediscovery. Is disappearance still a desirable social goal? Absent ("deadbeat") fathers, unidentified contagious disease carriers, and freedom from stalking are among the social costs and benefits nonidentification makes possible. Since it is difficult to limit technology's use to accomplishing specific tasks but not others, the social question is which of these results do we wish to encourage at the cost of implicating individuals' privacy.
National Retail Federation