FTC: Consumer Privacy Comments Concerning Information Services--P974806
August 21, 1997 Federal Trade Commission Re: Database Study Comment- P974806, General Comments. Dear FTC and those interested in the debate: We decided to respond with a few thoughts about computer databases, privacy and related issues. The scope of this comment is restricted to the subject of databases that contain public records and credit header information. We are not familiar with the direct marketing industry and associated databases and list. Our firm is a licensed investigation company which locates missing heirs, missing policy holders, beneficiaries, missing investors and on occasion missing debtors & child support parents. Some of these cases are extremely old with last known addresses dating back to the 1960s, 70s and 80s generally. We have solved cases which dated back into the 40s and 50s but those are rare. None of these people would have been located by us if it were not for the computer databases. Because of our use of these databases we are able to economically solve cases that were not solvable 10 years ago, or they would have cost a fortune to solve. We have noticed that the privacy movement is gaining momentum and is being very successful at curving back availability of public records and credit header information. The privacy movement, which attempts to speak for all consumers, is creating changes in our public records that may be detrimental to American society as a whole. The result of removing public records is always shown as increased privacy for the consumer. But there is a downside to the consumer as well. It must be realized that we in the investigation and research fields do our work on behalf others. A large percentage of investigative clients could be best described as small business or average consumers. The people who care enough about privacy can organize and make an impact on the political scene simply because they have one thing in common, their beliefs in privacy and that they all share this common belief at the same time. In fact, everyone is for privacy to some degree. The consumers that need information or research that originates from public records and or computer databases is actually a large group of consumers also. However, they are not constant in their need for information or investigative work and therefore could never be organized into a "political action group". These consumers of investigative information are always changing as their life situations change, unaware of this debate going on for research records. You will never hear from a group called the "Consumers' Group for Investigative Databases" simply because these consumers usually have plenty of other problems to solve in their lives and are not prone to seek out others in the same boat. Basically, the point is that consumers are the beneficiaries of much of the information that the privacy lobby wants to do away with. This group of consumers may actually be a silent majority, larger than the lobby that considers simple identification information as private and sensitive. If some of these consumers were involved in this debate, they would prefer that new regulation not go into effect that eliminates their means of gathering the truth. This is already occurring. If a average citizen is asked to define a "criminal background check" they usually say that it is a check into the persons past to determine if they have ever been convicted of a crime. This normal answer is partially correct because it reflects a belief that this can be fully accomplished in this country. The fact is, if Charles Manson applied to work at your small business tomorrow, and you ran a criminal background check, he would come up clean. Most record checks only go back seven years. Your right to know or to act on older information as an employer as been significantly reduced by regulation. Not only that but in about half the country you have to check on a county by county bases. How would you know what counties to check. Some people move often. What counties or states have they lived in? The privacy lobby wants to eliminate the records needed to find out. There is no nationwide scan for the private sector to use. Law enforcement computers are off limits. By far, the best and most economical means to determine where someone has lived in recent years is credit header address information. This address history information may be the only way that it is determined that someone lived in Seattle 6 years ago, was convicted of rape, and now wants to work in a hotel in New Jersey, where ...and this is important, consumers are staying. These consumers are unaware that a combination of credit header information and public records made their stay safer. The hotel management may not even know all the mechanics of how this information was developed for them. This is just one example of consumers benefiting from these records. This happens thousands of times everyday. Since a crime is prevented and not committed, it does not reach the news. Lets say that you are sick of your job and you run across the business opportunity of a life time. You have a private investigator check out the president of the company who wants to sell you inventory. It is discovered through several database checks that this guy has run scams in several states and has taken people for their life savings. He has used several different names which became evident during the database searches. There is a downside. This scam artist is a "consumer" too. If the privacy lobby had their way you may never have found out who you were up against. Lets say your aging mother, with considerable life savings, recently fell in love with a charming fellow who appears to have a grand life style but no visible means of support. In conversation with him you become even more suspicious. Who is he? If the privacy lobby has their way, you may have no means to find out. He is a consumer too. Do you have permissible purposes? The roof you just had replaced for $4,000.00 starts to leak. You determine from a contractor friend that it was very poorly done. You want to straighten this problem out but you can't find the roofer, even just to have an initial conversation about the problem. Will you be able to find him? How can he be held accountable if the means of identifying and locating him have been outlawed or regulated out of the market? After all, he is a consumer too. Does his right to privacy outweigh your right to contact him? If real world chances of him being held accountable are slim, will he increase his quality of work or decrease it? Do we want to effectively destroy accountability in this nation? It must be realized that fraud is at work on every level of our society. We guard against and attempt to prevent fraud ourselves everyday. It is only prudent. This honorable resistance to fraud comes from the largest conglomerates down through every conceivable industry to the individual. Law Enforcement also fights fraud but usually after there is a victim of a very large case. What is real important to grasp is the volume of fraud prevention work performed everyday by the private sector on their own behalf and on behalf of consumers. This volume of work would bury Law Enforcement if it were shifted to their sector. They could not handle the volume. Then you also would have the "Big Brother" problem. Do we really want "Big Brother" pre-qualifying every transaction in this nation for us. If database records were removed from the private sector you will effectively take away the most powerful fraud fighting tools. Once it became evident that fraud prevention was down and Law Enforcement was overworked, our fraud professionals would have a field day. The problem would most likely snowball from there. We would have government waiting rooms filled with victims. Another issue that seems to be drawing a lot of focus is Social Security Numbers. Privacy people want to eliminate their use. They warn that "they" can get your SSN and find out everything about you. I have heard some privacy advocates proclaim that SSNs are not public. This is not true. Many SSNs are public record. It depends on your life experiences. These numbers can show up in divorce records, probate records, voter records, bankruptcy records, criminal records, professional records and so forth. No one knows what percentage of Americans have their SSNs in public records but it is considerable. If someone can take one of these numbers, which may be public record, and access your bank records & credit card records it would appear that the bank or credit card company is guilty of negligent security. If they release sensitive information because someone gives them a number, which could be public record, shouldn't the solution be focused at the company's negligence, not the SSN number. Why not use PIN numbers more often? It should be noted that mothers' maiden names have showed up in public records for decades (and centuries). Maybe Corporate America needs to consult with real security professionals. We are on the verge of turning our public records system upside down because of negligent security in another area of the economy. And then there is the problem with instant credit. This creates the motivation for identity theft. The Fortune 500s make it too easy for someone to steal someone's identity. What percentage of the population wants instant credit anyway? Does anyone want to find out? Could there not be a common sense fix to this problem? Why not find out what percentage really wants this capability and associated risk. It could be required that people who want instant credit capabilities notify the credit bureaus of this desire. If they decide later that it is not a good idea they could turn the option off. This may hurt impulse buying, but if our bankruptcy rate is any indication, this may not be a bad thing. In any case, rules could be tightened up at the cash register instead of revamping our whole public records system. The reason SSNs are so prevalent as an identifier is obvious. They are unique and they work. And probably over 99% of the time they are used for prudent and ethical reasons associated with records. No one else has the same SSN (legally anyway) so it is common to use this number to associate records with a particular individual, to tell two John W. Smiths apart. The identification mix up problems grew with our growing population and growing mobility. With over a quarter of a billion people in this country, many with similar or identical names, the problems of confusing individuals is ever present. The SSN became a way of identifying specific John Smiths from others. The number makes a great identifier in public and private records. It makes a bad PIN number over the phone. In fact, at this time, there is no substitute for the SSN as an identifier. A name and date of birth are useful but does not work well with females who marry and divorce and therefore change names. An idea for debate that may never have been brought up before is making all SSNs public record across the board. The privacy lobby should think this through before immediately discarding this as a terrible idea. If this number was made public across the board, no business would release detailed financial or personal information about you just because someone supplied a SSN. It would bring about more true privacy. The SSN would be just a number which acts only as a name extension in records. This would free up the privacy people to fight much more important battles coming down the pike. Making all SSNs public has the potential to disarm them as "a key to your entire life" syndrome. This is just an idea but seems more practical than trying to bottle up billions of public records and proprietary records that have been open and unregulated for years. They have been sold and resold in bulk and are now residing on uncounted thousands of private sector computers ranging from main frames to PCs to CDs. In other words, if SSNs become highly regulated now, and are supposed to be very hard to obtain them, they will continue to be used as PIN numbers. But the SSNs are still "out there" and available. There is not a federal regulation made that will find all those files and erase them. The genie is out of the bottle and has multiplied himself a thousand times over. You can pass genie stuffing regulation but in reality, it would give a false since of accomplishment. It may be politically difficult to make all SSNs public record. But the regulators and law makers should come clean with the American people and let them know that since the numbers have been unregulated for so long, and used by so many for so many different purposes, that the government can no longer categorize them as private. Law makers could discourage their use as PIN numbers and suggest they be used in the future only as a name association tool for records. Overall, this debate can be brought down to basic conflicting concepts. It is not just public vs. private. It is anonymous citizenship vs. open citizenship, it is responsibility vs. dodging the "evil" system that makes one accountable, it is being able to identify vs. not being able to identify, the freedom to search out information vs. losing that freedom, the ability to fight fraud vs. the "protected sensitive consumer" who commits fraud. We are all consumers. Our convicted felons are "consumers". It is untrue that a free and open society should be totally private. Some in the privacy movement use the word "anonymous" in their verbiage. And there are times when being anonymous is proper. But to go through life in America as anonymous is not possible. If you want to participate as a citizen, a voter, a borrower of money, a professional, a business owner, a land owner, a driver of motor vehicles, a criminal, a plaintiff or a defendant then the rest of us have a right to know who you are should the need arise, simply because your actions may effect our lives. That knowledge is essential for the public's general welfare. If you want to be anonymous just do not participate in society. The dangers of an anonymous society greatly outweigh the dangers of an open society. Fraud would breed if we could not identify individuals. The consumer would have no practical recourse. And who would stop the fraud, the government? Sure there are privacy issues worth fighting for but are public records one of them? It should be pointed out that none of these proposed privacy rules and laws really does anything to curtail the governments use of these records. After all, they created many of these records with your tax dollars. But if these records are removed from public access, "Big Brother" would have a monopoly. Can you imagine how fast their budgets would grow? Would this foster more government corruption? They can't plug all the leaks in their computer systems now. What if they had to manage departments several times larger. Who would watch the watchers? In years past the KGB had an information monopoly. The citizens themselves had no power or freedom to gather information or to investigate the truth. They had to depend solely on their government. Do we want to head in that direction? Finally, it is understandable how this debate came about. The rush of computer technologies has taken most of us by surprise. Computer power is the new ingredient in the mix. With it comes a mass of information at the finger tips. Much of this information has always been around. It was interesting to read the debate about the phone list services on the internet and how they should not allow reverse lookup by phone number or address. I recently spent most of a day conducting research in City Directories from the 1940s & 50s with both phone number and address lookup capabilities. Employment information was also given for the majority of people listed. And these capabilities date back much further than the 1940s and were available to anyone who went to the library. What is new is for the first time it is becoming obvious just how many public records we have in this country. It was never so evident when we had them spread out in dusty rooms but when they are collected together it is impressive and perhaps scary to privacy people. Databases for the first time make the quantity of these public records very visible. This should be considered a good thing. These records should be considered a national resource. Is this information private? Should it be regulated? Our personal opinion is that it is already regulated. Accountability also pertains to those professionals who research these records and develop reports for their "consumer clients" or on behalf of their own organizations. Should public records be restricted to permissible purposes only? Any purpose that is currently legal should be acceptable. Should credit headers be restricted to permissible purposes? Again, any purpose that is currently legal should be acceptable. One idea that may help is when the public fills out a credit application, it should state that your name, addresses, date of birth, and SSN are included in databases which are used to fight consumer fraud, locate debtors and missing account holders in good standing if they move without forwarding information. This would let the consumer know how else the information may be used and to perform an educational function at the same time. Combine this with audit trails, which exist, and with screening of professionals and companies who can use the systems and you have developed accountability. If however, regulators decide to impose permissible purposes to headers it needs to be pointed out that one such purpose, "release or consent of consumer", would not work very well. Most header reports are for the purpose of finding the consumer. If you have to get their permission first you have a catch-22. Many times this is an initial effort to find someone to settle a dispute. It may be months away from court if it goes that far, and it may eventually result in a judgment for one side or the other. It must be noted that if headers were restricted at the start of this scenario, the case may never have been heard by a judge. This would in effect, hamper the due diligence required just to get to the court room. Do consumers want to make their judicial system even more ineffective? We have heard from several sources that 80% of court judgments are never satisfied. If investigative data is suppressed this rate may reach into the 90% range. As a self serving suggestion, we believe any header permissible purpose should definitely include investigations to find someone because they are owed funds, which we do a lot of. With over 40 billion dollars in lost assets, of which the owners are "missing", we feel this work is one of the most beneficial ways headers are used to help the consumer. In fact, header information has helped accomplish a lot of good things in a wide variety of cases. It would be impossible to include all the beneficial purposes in which they could be used. As a result, we would suggest that a simple regulation state that they cannot be used for fraud, identity theft or any other illegal acts or otherwise face severe penalties. These severe penalties should be enforced. It should also be mentioned that some in the privacy lobby would prefer that credit headers be totally eliminated. There are many times when someone has a permissible purpose to pull a full credit report but a header is all they need for a new address. If the header were removed from the option list you would have many more full credit reports floating around. This in effect would have an opposite effect on privacy than they are seeking. In summary, our suggestion is that self regulation with very little or no government regulation is the way to go. Any government regulation should be focused at poor security at the cash register or credit granting desk that allows identity theft to occur. If you eliminated this problem at this point in the chain of events, you will have made an efficient fix. Reworking our public records on a national basis would cost a fortune and would lead us down an unknown dark road. Thanks for allowing us to comment. We hope the privacy lobby will consider some of these points. They truly do have battles worth fighting for, many of which we agree with. This issue is not one of them. Sincerely, Gary Routh |