Comments of Robert Biggerstaff Concerning Data Base Workshop - P974806

April 11, 1997

Robert Biggerstaff
POB 614
Mt. Pleasant, SC 29465

Secretary
Federal Trade Commission
Room H-159
6th Street and Pennsylvania Avenue, N.W.
Washington, DC 20580.

RE: DATA BASE WORKSHOP -- REQUEST TO PARTICIPATE, P974806

To The Commission:

Please accept this as my humble request to participate in the Data Base Workshop June 10, 1997.

Introduction

In the interest of truth in advertising, I would like to preface my remarks with some information about myself and my involvement in privacy issues. I am a degreed engineer and I have spent my entire professional career designing, developing, and working with computer database systems, both in the private sector and for systems used by the United States government. While not a zealot or fanatic, I would describe myself as someone with a heightened sense of privacy issues. This is a direct result not of any personal experience where I have been the victim of any crime or invasion of privacy, but rather the result of my "inside knowledge" of computer databases, their uses -- and misuses. As a public service, I operate an internet web site and publish information for consumers to help educate them on the issues of the invasive databases.

I also have a somewhat unique perspective, as I have been on both sides of the table on privacy issues. My professional career has also included extensive tenures as a professional journalist, and as a consultant to legal firms and private investigators.

The use of credit bureaus, credit headers, and other consumer databases, has now expanded in ways that far exceed their original scope. No doubt there is a need for systems by which credit grantors can independently determine credit worthiness of their clients. But credit bureau files are now used by marketers, private investigators, database vendors, and criminals many times more often than credit grantors. The system has been corrupted and distorted in ways never intended -- or anticipated.

The marriage of financial data from credit bureaus to marketing and demographic data has created an interlinked system that is the most invasive instrument ever to come into existence. To top it all off, grocery stores are entering partnerships with database vendors where every item you buy is captured and stored in a database. Now someone can find out what foods you buy, what drugs you take, if you buy alcohol, cigarettes, condoms, pregnancy tests ... the list is endless. Do you want your neighbors being able to get this information? Your enemies? The government?

I realize that this sounds quite alarming and even far-fetched. I promise you it is not the latter. I have personally seen projects involving databases of this nature -- nearly every grocery store with barcode scanners at the checkout line has this capability. Database vendors use fake surveys that seem anonymous because they have no name or address on them. But the surveys are secretly marked with hidden codes that tell the marketer the exact name and address of who provided the information. They call on the phone pretending to take surveys, when they are really collecting demographic information on you. Warranty cards, purporting to be necessary for you to receive warranty coverage on a product, collect all manner of personal and private information that is then used solely to populate direct marketers' databases.

Even the government has contributed to the availability of personal and private information used for illegitimate purposes and fraud. For example, anyone can use the Federal Trade Commission's (FTC) internet "web" site called Edgar, to obtain Social Security Numbers (SSNs) for thousands of people who have given their Social Security Number to the FTC on various forms and filings. None of the people who provided their SSN to the FTC received any indication that their SSN was going to be made available to the general public in this manner.

To learn more about the issues, and to lend my computer expertise to the discussion, I recently participated in a discussion group sponsored by the Federal Trade Commission. Through several weeks of involvement in that group, I learned a great deal about how other professions (lawyers, private investigators, marketers, employers, credit grantors, et al.) use such information as credit headers, SSNs, and other personal identifying information. While I originally believed that there was no legitimate need for anyone to access this type of sensitive information without consent, I have since been persuaded otherwise.

In that group, originally there were intractable opposing positions - one side demanding that no one have access to any personal information without a court order. The other side vehemently demanded that access to such information remain unfettered. As a result of this project, the first group learned that there were legitimate needs for access by the latter, and the latter group learned that there were significant consequences to society if access remained unrestricted.

As a result, that group developed some excellent guidelines that most agreed were workable solutions that would significantly satisfy the needs of both sides. These guidelines consisted of four major points:

1. Restrict access to law enforcement, regulated or licensed entities (such as lawyers, private investigators), and to entities who have obtained the subject's permission. This is to ensure there is some recourse (such as revoking a license) that can be taken against an offender.

2. Require positive ID of recipients and verification of their credentials and entitlement to the information. This is to ensure the qualifications for access are genuine, waivers are not forged, and that offenders can be located.

3. Require better access controls, logs, and enhanced notification options. This will enable a person to detect and prosecute illegitimate access.

4. Make changes in civil liability whereby information providers, not just the recipients, would be responsible for noncompliance. This is the enforcement mechanism.

For your review, I have attached as Exhibit 1 at the end of this document, an outline of recommendations put forth in that discussion group.

The number of information brokers and databases is proliferating at a rapid rate. I have used the internet to easily and quickly locate many resources that for a small fee (some as low as $2.00) would provide extensive information - including SSNs, maiden names, prior addresses, and dates of birth. A partial list of these sites is listed in Appendix A.

In accordance with the requirements for submission, I address 22 of the questions put forth in the Commission's invitation to comment.

1.2 What information is contained in the databases? Please provide specific examples.

My research has concentrated on those businesses making their services available or promoting them on the internet. Information available from these vendors includes names, dates of birth (DOB), Social Security Numbers (SSN), credit information, employment information, worker's compensation claims with medical information, spouses, children, relatives' names, current and previous addresses, maiden names ... the list is practically endless. Some services also will provide activity history (purchases) of credit cards and telephone activity, listing the date, time, and called number of the toll calls made from the subject's phone.

An alarming development in recent years is the establishment of databases collecting consumer information on every individual item they purchase. These databases are enabled by "preference cards" or other promotions where the stores obtain personal information such as SSN, DOB, address, etc., and subsequently collect and store all your future purchases. Now someone can find out what foods you buy, what drugs you take, if you buy alcohol, cigarettes, condoms, pregnancy tests ... the list is endless.

Appendix B of this document contains a comprehensive list of services and schedule of fees from two representative database vendors, National Locator Data in Malabar, Florida; and ACME Information in Madison, AL. Additional examples taken directly from companies' web sites and promotional literature are presented below:

ACME Information
164 Manningham Drive
Madison, AL. 35758

http://iquest.com/~leahwes/ACMEInf.htm

"'individual's Dossier' This search is a report chock full of information. You'll get a comprehensive report with all or many of these features: DOB, SSN, address history, names of relatives, name of spouse, names of children, real property ownership, vehicle ownership, boat ownership, aircraft ownership, professional licenses, SSN fraud check, and many more features."

LEXIS-NEXIS,
P.O. Box 933,
Dayton, Ohio 45401-0933

http://www.lexisnexis.com/lncc/p-trak/index.html

Quotes taken directly from Lexis-Nexis promotional literature...

"a quick, convenient search [that] provides up to three addresses, as well as aliases, maiden names, and Social Security numbers" and "puts 300 million names right at your fingertips" for charges starting at about $125 a month.

Information Resource Service Company
3777 N. Harbor Boulevard
Fullerton, California 92835

(http://www.irsc.com/)

"With the most sources of address information anywhere, IRSC can maximize your locate success. You can develop address histories, obtain telephone numbers, seek related parties and discover social security numbers important to identifying the subjects of your searches."

USA Datalink
6711 Bayway Drive
Baytown, TX 77520

(http://www.usdatalink.com)

"access to background checks, employee screening reports, and other information reports, from public record sites and electronic databases throughout the United States"

1.5 Do the databases contain identifying information that consumers regard as sensitive? What information is considered to be sensitive? Why is such information regarded as sensitive? Please provide specific examples.

My research found that there are 3 categories of sensitive information:

1. Information that enables fraud or other crimes.

2. Information that is personally sensitive.

3. Information that enables access to information in category 1 or 2 above.

Criminal activity enabled by access to information in category 1 consists primarily of credit fraud. But other criminal activity such as stalking, theft, burglary, kidnaping, and even murder have been enabled by access to information maintained in these databases.

A person's Social Security Number (SSN) is the de facto passkey to the entire portfolio of their personal and financial information. And because of the unique information infrastructure and interconnection of vast databases of information, knowing almost any otherwise innocuous piece of information about a person, such as only their last name and birth date, can enable you to obtain their SSN. Once armed with a SSN, anyone can obtain anything else they want.

For example, armed with only my name and address, anyone can obtain my SSN and DOB from any number of services for around $20. Armed with only my name, SSN, and DOB, I was able to order a copy of my entire credit report (not just the credit "header"), sent to an anonymous PO box in a different city.

Because of this, any information that can be used to obtain a SSN must also be considered as sensitive as the SSN itself. This is a chilling realization and has had an undesirable side effect that I am now reticent to give even my birth date to friends and coworkers for fear that it may find its way into the hands of some unscrupulous person.

As for what information can be used to obtain a person's DOB or SSN, I refer you to the schedule of services and requirements in appendix "A".

Let me say that almost any piece of innocuous information is considered sensitive by someone and thus in category 2. Age, income, relatives' names, are widely held to be sensitive. But many others are too. Many people face discrimination based on their religious or political affiliations and thus keep them confidential. Schools attended, charities supported, businesses patronized... all of these can be potential sources of disparagement and discrimination.

1.6 Do the databases contain identifying information that consumers regard as non-sensitive? What identifying information is considered to be non-sensitive? Why is such information regarded as non-sensitive? Please provide specific examples.

The term "non-sensitive data" can be misleading. Computerization and compiling of ordinarily non-sensitive information can change it into sensitive information. A recent example is reverse-lookup phone books. Most people do not consider their phone number sensitive because it has traditionally been difficult to determine someone's name or address from only their phone number. Many people give their phone numbers to other entities that they would not give their address to. Classified ads are a prime example.

Over the last year, several internet sites (Lycos, Yahoo, etc.) made available, for little or no cost, "reverse-lookup" directories. These systems when provided with only a phone number as input, provided the name and address for that phone number. Privacy and security concerns, (as well as public outcry) have now shut down all but one (Database America at http://www.databaseamerica.com) of these sites.

Several vendors continue to offer such reverse directory products to the public for a fee. Only one of them when contacted by me offered a person the right to suppress or remove their listing.

1.7 Who has access to the information in the databases?

While many of the information providers will point out that their services are targeted to legal, law enforcement, financial, and investigative professionals, in most cases, anyone can use the services so long as they pay the appropriate fee. My research found in nearly all cases there was no restriction to use only by persons holding licenses or positions in these aforementioned professions. The result is that there are essentially no restrictions on access. Several internet sites (such as National Locator Data at http://www.iu.net/hodges/) even allow a person to enter a credit card and have the information faxed or sent electronically via E-mail. Many sites allow information to be retrieved anonymously or without any verification of the identity of the recipient or any verification that the recipient is entitled to the information. Some sites (The American Information Network in North Canton Ohio; http://www.ameri.com/sherlock/sherlock.htm) even advertise and promote that "the subject will not be made aware of your search."

A small minority of the sources I found did have statements that some of the information provided was covered by the Fair Credit Reporting Act (FCRA) and use or release was governed by that act. I have no data that indicates such restrictions are enforced or how easily they are circumvented. It is my impression however that circumvention of FCRA restrictions is easily accomplished by pretext.

There was one other exception to the rule. One site (Shadow Trackers of Boise, ID; http://idibbs.com/bus/shadowtr/top.htm) indicated that:

"if we cannot retrieve the information that you are requesting legally and morally, then we will not take your case."

However, I do not know if this is in actuality their practice, nor do I know how high they place the bar in testing the morality of the request. Unfortunately, I only found this attitude was held by a subset of licensed private investigators. The oversight of licensing agencies appears to carry some weight, with some license holders.

1.8 How is the information in the databases accessed? What are the charges for accessing the information?

Most all services identified by my research accepted search information via phone or fax, and provided the results the same way. A small number maintained proprietary direct computer systems for interactive modem access. A small number also had standard Internet based sites that allowed searches to be run and data returned interactively or via E-mail.

Some other businesses have fees as low as $2.00 for SSN to Name and Name to SSN lookups. My own pseudorandom sampling found the median range to be $20 to $35 for general credit header information and $50 to $75 for complete credit reports. The variation in prices is very large between vendors, sometimes over a factor of 10 for the same information. Additionally, some sites charge for information that is available for free from the government, notably SSN death indexes.

Some businesses have moderate "subscription fees" (generally $75 to $300 per month) that allow access, often unlimited, to their databases.

Appendix B consists of a representative exhibit of two services' schedules of fees and services.

1.9 What are the uses of the information in the data bases? Are there beneficial uses of the information in these data bases? If so, please describe. Are there risks associated with the compilation, sale, and use of this information? If so, please describe.

There are many, many legitimate and beneficial uses of these databases. Beneficial uses identified in my participation in the FTC's discussion group on privacy include:

Locating people (debtors, criminals, heirs, witnesses)
Criminal investigations
Verifying subject information (SSN, address, education)
Credit granting
Legitimate background and reference checks (employers, government appointments)
Witness investigation
Asset location
Enforcing Court orders
Any access with the subject's permission

There are also many illegitimate uses, including:

Credit card fraud
Identity theft
Stalking and harassment (including cases of murder, rape, and kidnaping)
Domestic spying
Illegitimate Background checks (neighbors, future in-laws)
Juror investigation
Extortion
Targeting future victims of fraud
Prurient privacy invasion
Religious persecution
Discrimination

1.10 Do these data bases create an undue potential for theft of consumers' credit identities? How is such potential for theft created? Please provide specific examples. What is the extent to which these data bases (as opposed to other means) contribute to consumer identity theft? Is this likely to change in the future? If so, please describe.

The databases themselves do not create this potential. It is the lack of access controls and other policies that do this. A criminal finds it easy to commit identity theft and credit fraud because of two things:

1. It is easy to obtain credit with limited information and identification; and

2. It is easy to obtain the necessary information with which to commit identity theft and fraud.

Additionally, illegal access to information is rarely detected, and when it is, it is long after the crime has been committed.

Example: By walking around, a criminal picks a random name and address off of a mailbox in an affluent neighborhood. He then obtains the SSN, DOB, employer, spouse's name and SSN, and other identifying information from any number of database resources. He obtains fake identification using the name, SSN, and address of the victim. He then goes to a store and opens a credit line or credit card account with that store, and runs it up to the max. This can all occur in the span of only an hour. The victim doesn't even know the accounts were opened until creditors start sending bills and delinquent notices to him.

There is another, lesser-known, scam where crooks, after obtaining the SSN of someone in their 50's or early 60's, will file forged paperwork with the Social Security Administration to change that person's birth date as it is known to the Social Security Administration, to make the person appear to be eligible to receive Social Security retirement benefits. Then the crooks will start collecting Social Security retirement benefits - doing so for several years until the real person reaches retirement age and the Social Security Administration discovers the fraud.

Anecdotally, I am personally aware of at least one case where someone used these databases to find someone with the same name as themselves (so their existing photo IDs could be used) and assumed that person's identity. In addition to committing untold financial fraud that still causes problems for the victim, the perpetrator also committed criminal acts that were attributed to the victim. Curiously, it is the victim in these cases that bears the burden of proof that they are not the criminal.

1.12 Are there means that are currently available to address the risks, if any, posed by these data bases? If so, please describe.

Absolutely. Although I believe that no single change can be implemented that can effectively address this problem, there are means available today that can reduce the risks significantly. A system of checks and balances needs to be implemented, so that if one control breaks down, the others can keep that failure in check, or at the very least, expose it.

Access by persons who have no legitimate need is the most important problem. In my profession, the key to the security of any controlled access information system is positive ID of the recipient (authentication) and an accurate record of who accessed what data (activity log). Access control without authentication is meaningless. Unfortunately, that is what is in place now. The FCRA restricts access to limited entities, but there is little and often no authentication of the ID and credentials of the recipient. Stating on the phone that the subject "has applied for a lease for an apartment and I have his permission to get his credit report" is not sufficient! However, that is exactly the only authentication that many information providers require.

Additionally, authentication without a good activity log is woefully insufficient. For example, you use an authentication system (a password or PIN number) to access an automated teller machine (ATM) with your debit card. However, if authentication is compromised (someone obtains your PIN number) you would never know of the compromise - except for the "access log". Your statement lists each access made to your account via an ATM. This log will alert you that unauthorized access took place.

Applying these industry standard information security practices to credit headers and other sensitive databases would indicate that two significant changes need to be implemented to have a secure system of access:

1. Require providers to obtain positive ID and to verify credentials.

2. Require providers to maintain accurate logs of every access and if requested by the consumer, notify the consumer before any information is released.

These two changes can be easily implemented today.
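
The two changes listed above, sketched as an added example that is not part of the original comment: a release gate that refuses any request lacking positive ID and a verified credential, logs every attempt (denials included), and holds the release for consumers who asked to be notified first. The class, field, and outcome names, the license registry, and all sample values are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample data: every name, license number and subject ID is hypothetical.
LICENSE_REGISTRY = {"PI-1001": "Dana Smith"}  # licensing agency record: license -> holder
NOTIFY_FIRST = {"subject-42"}                 # consumers who asked to confirm before release


@dataclass
class Request:
    requester: str
    license_id: Optional[str]
    id_verified: bool        # True only if a positive ID check was actually performed
    subject_id: str
    stated_purpose: str


@dataclass
class ReleaseGate:
    log: list = field(default_factory=list)      # append-only activity log
    pending: dict = field(default_factory=dict)  # ticket -> request awaiting the consumer

    def _record(self, req: Request, outcome: str) -> str:
        # Every attempt is logged, including denials, so probing leaves a trace.
        self.log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "subject": req.subject_id,
            "requester": req.requester,
            "license": req.license_id,
            "purpose": req.stated_purpose,
            "outcome": outcome,
        })
        return outcome

    def request(self, req: Request) -> str:
        # Change 1: positive ID and verified credentials. A purpose stated
        # over the phone is recorded but is not evidence of either.
        if not req.id_verified:
            return self._record(req, "DENIED_NO_POSITIVE_ID")
        holder = LICENSE_REGISTRY.get(req.license_id) if req.license_id else None
        if holder != req.requester:
            return self._record(req, "DENIED_CREDENTIAL_NOT_VERIFIED")
        # Change 2: if the consumer asked for it, hold until they confirm.
        if req.subject_id in NOTIFY_FIRST:
            ticket = f"T{len(self.log) + 1}"  # log only grows, so tickets are unique
            self.pending[ticket] = req
            return self._record(req, f"HELD_PENDING_CONSUMER:{ticket}")
        return self._record(req, "RELEASED")

    def consumer_decision(self, ticket: str, approve: bool) -> str:
        req = self.pending.pop(ticket)
        return self._record(req, "RELEASED" if approve else "DENIED_BY_CONSUMER")

    def statement(self, subject_id: str) -> list:
        # The consumer's view of the log, like the ATM entries on a bank statement.
        return [entry for entry in self.log if entry["subject"] == subject_id]


def run_demo() -> list:
    gate = ReleaseGate()
    outcomes = [
        # The phone pretext quoted in the text: no ID, no credential.
        gate.request(Request("Caller", None, False, "subject-42",
                             "lease application, says he has permission")),
        # Real license number presented by someone who is not its holder.
        gate.request(Request("Eve Jones", "PI-1001", True, "subject-42", "asset location")),
        # Properly identified and licensed, but the consumer wants to confirm first.
        gate.request(Request("Dana Smith", "PI-1001", True, "subject-42", "witness location")),
    ]
    ticket = outcomes[-1].split(":")[1]
    outcomes.append(gate.consumer_decision(ticket, approve=False))
    return outcomes


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```
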

1.13 What means might be considered in the future to address any risks posed by these data bases? What impact will potential solutions have on the beneficial uses of these data bases?

Consumers are becoming more computer literate. Passwords and Personal Identification Numbers (PINs) are now a widely accepted part of daily life for many people. Many other systems give consumers passwords or PINs for access to their accounts. For example, in my state Southern Bell provides residential telephone customers a 4 digit code on their telephone bill that allows them to access automated services to change or terminate phone service.

Ostensibly, your mother's maiden name was used as a passcode to verify your identity to many database systems. Unfortunately, it is not difficult to obtain that information without the subject's knowledge. Consumers should be allowed to secure their records with the database vendor via a password known only to the vendor and the consumer.

Consumers should be able to require (for a small fee) that any request for information that is made purporting to be with the subject's permission, should be confirmed before information is released.

1.15 Are consumers' privacy interests implicated by the collection, compilation, sale, and use of information from these data bases? If so, please describe. Are other legal interests implicated? If so, please describe.

It flies in the face of traditional expectations of privacy, that anyone can collect all manner of invasive, private, and personal information without your permission, and then sell it for a profit. If the state Department of Motor Vehicles (DMV) took Michael Jordan's driver's license photo and made it into a trading card and sold it, that would be an inappropriate commercial use of his likeness. But the DMV in many states sells driver's DOB, SSN, address, and other sensitive information in exactly the same way.

If a bank made the names, addresses, DOB and SSNs of all their customers available to the public, there would be a huge public outcry. This in actuality is what the credit bureaus and other database vendors do - as they make that same information available to anyone who pays their fee.

1.16 Are there means to address any privacy or other legal interests implicated by the collection, compilation, sale, and use of information from these data bases? If so, please describe.

Proper access control would alleviate many of the concerns . . . but only if there was a swift and sure enforcement mechanism. The Telecommunications Consumers Protection Act (TCPA) [47 USC § 227] serves as an excellent example. Giving consumers the ability to recover $500 civil damages from offenders, forced telemarketers to face sure and swift consequences for noncompliance. Enforcement by a government with limited personnel and ever shrinking resources that may take years to find them has often invited businesses to disregard regulations and "roll the dice" with less than certain enforcement. Enforcement by 250 million citizens, each empowered with access to a small claims court and a $500 damage award for wrongdoing changes the odds.

I believe that this would be an excellent model for changes to ensure compliance with laws regarding databases and information brokers.

I also refer the reader to Exhibit 1.

1.17 How should the benefits of the collection, compilation, sale, and use of information from these data bases be balanced against privacy or other legal interests implicated by such practices? Are there other ways to obtain these benefits without implicating privacy or other legal interests? If so, please describe.

The key is to curtail illegitimate access without severely handicapping legitimate use. In my work last year on the FTC discussion group on privacy, a comprehensive set of guidelines was developed that addresses this key.

An outline of these guidelines is presented in Exhibit 1.

1.18 Is the ultimate use of the information disclosed to the subject individuals? At what point in time is the use of the information disclosed? What is the content of such disclosures? Is there any information that should be added to these disclosures? If so, please describe.

I have worked for many years trying to make people aware of the issues raised by these database systems. When demonstrating the capabilities of these systems to other people, I have yet to find a single person who was previously aware that information they had unwittingly, yet freely provided, was being used in this way. The standard fine print on many consumer contracts says that the business may "report on the consumer to a consumer reporting agency" and may "obtain information about the customer from a consumer reporting agency." Even people who read the fine print were disgusted to see the information made so readily available, and shocked to learn that the fine print on a checking or credit card account application was essentially being used as an irrevocable blanket waiver enabling these acts.

My involvement with consumers indicates that they want to be apprised of the following:

1. What information is required and what is optional.

2. What are the consequences if required or optional information is not provided.

3. Will data be shared with any outside agent. If so, what data will be made available to an outside agent.

4. Can the consumer opt-out or suppress the disclosure to any outside agent. If so, what is the consequence of such action.

5. How long will the data be retained by the collecting agency.

6. Is the data stored and access controlled in a secure fashion.

1.19 Do data base operators permit consumers to choose whether and how their personal identifying information will be collected and used? If so, please describe the choices provided to consumers.

My experience has been that only rarely are such disclosures made. In fact, many database vendors intentionally obscure the ultimate use of the information, by conducting fake surveys, and adding irrelevant personal questions to warranty registration cards. Congress had to go so far (Drivers' Privacy Protection Act) as to require states to provide such disclaimers on driver's license and motor vehicle registration forms because of such abuses by the states in releasing personal identifying information without permission or even the knowledge that such releases were occurring.

1.20 Is there an effective mechanism for an individual to remove his or her name from a data base or otherwise control the use of their personal identifying information? If so, please describe.

My work has specifically involved locating database vendors and trying to determine their policies and procedures for removing or controlling the use of a consumer's information. As a general rule, most of the services that are available for free (such as Four11 Corp and Infospace) allow someone to suppress their listing. However, someone must know that the database and their entry in it exists in order to request that it be removed.

On the other hand, most of the fee-for-service systems do not allow you to delete or suppress your listing. Lexis-Nexis allows people to opt-out of their Ptrak system, but not their other databases.

Of the fee based systems, I found none with a mechanism for the consumer to confirm that their name was removed - other than paying the requisite fee and searching for themselves in the database.

1.21 Do subject individuals have access to their data and the ability to correct errors? If so, please describe.

Other than what is guaranteed by the FCRA or individual states, my research found that such access is rare. One credit bureau has offered consumers a free copy of their credit report annually, but they recently announced that they would no longer offer this service. My research found no fee based services (such as Lexis-Nexis) that allowed consumers to access their own data without charge. Because of this, it would cost a consumer thousands of dollars to obtain their data from the myriad of vendors now in operation.

1.23 Are there additional procedures that are used or available to assure the accuracy of the data and to limit use of the data to its intended purpose? What is the nature of such procedures? Are the procedures adequate? Please provide specific examples.

Unfortunately, policies and procedures to limit access to such data are counter to the commercial nature of the database vendors. There is a negative financial incentive for vendors to limit access to their databases. Until there is a greater incentive for compliance, this trend is likely to continue with all but the largest and most visible vendors.

1.24 Is the collection, compilation, sale, and use of this information subject to any federal laws or regulations? If so, please describe.

The FCRA restricts access to credit information - but it is easily circumvented. I have personally been able to surreptitiously obtain FCRA covered information by simple phone pretext. The FTC has had to obtain consent orders with some vendors to ensure compliance with the FCRA.

It is interesting to note that one area of personal information is protected: video rentals. Federal law prohibits the disclosure of the movies you have rented. It is peculiar that so much other, more sensitive information, is freely available.

1.26 Should the collection, compilation, sale, and use of information from these data bases be subject to additional regulations or laws? If so, what regulatory or legal requirements are appropriate?

First and foremost, disclosure of a person's SSN and birthdate, except in certain limited circumstances, must be stopped. No other information is as sensitive as these. The SSN and DOB should be added to the list of information whose disclosure is restricted by the FCRA.

Secondly, database vendors should be made liable for failing to verify the identity of the recipient and such recipient's right to obtain the information.

But the most important step that can be taken is to implement effective access controls - otherwise any other restrictions will be useless.

I refer the reader to Exhibit 1 which contains more specific recommendations.

1.29 Have such principles, recommendations or guidelines been effective in addressing concerns associated with the collection, compilation, sale, and use of sensitive consumer identifying information? How can the effectiveness of self-regulation in this area best be measured?

My experience in this field with one major industry group, the Direct Marketing Association (DMA), shows that the guidelines are only partially effective. Their guidelines are not mandatory, and in fact, letters to the DMA that bring to their attention member agencies that violate the guidelines have been met with indifference from the DMA.

Even if self regulation were to become more stringent, the effectiveness would have to be independently verified. Changes in liability, to make the information provider civilly liable to the individual for noncompliance would also go far to compel compliance.

1.30 Has technology evolved that could address concerns raised by the collection, compilation, sale, and use of sensitive consumer identifying information? Please describe any such developments.

Yes. Computer technology is readily available for nearly instant notification of consumers via E-mail or phone when their information was accessed.

1.33 What efforts are underway to educate consumers about data bases containing sensitive consumer identifying information?

Many groups sponsor internet resources to help apprise consumers of the issues of these databases and their uses. I myself run one such site at http://ourworld.compuserve.com/homepages/net-guru and provide a list of steps to take to secure information from illegitimate use, remove information from systems that allow removal, and educate consumers on the issues. Other resources include:

Electronic Privacy Information Center.
666 Pennsylvania Ave., SE,
Suite 301
Washington, DC 20003
(http://www.epic.org/)

Computer Professionals for Social Responsibility
P.O. Box 717
Palo Alto, CA 94301
(http://www.cpsr.org/dox/home.html)

Privacy Rights Clearinghouse
University of San Diego
School of Law
5998 Alcala Park
San Diego, CA 92110-2492
(http://www.privacyrights.org)

Conclusion and Recommendations

I wish to close my remarks with some additional recommendations and observations.

The SSN is a master key to the vault of information. A person's SSN is singularly the most dangerous piece of information to find its way into the wrong hands. It is like a master key that will enable access to every other piece of information - date of birth, home address, credit card account numbers, medical records, and everything else. The Social Security Account Number must be given special protection, and subject to the most restrictive access controls.

Birth dates are the back door to the SSN. Second only to the SSN, a person's birth date is the next most sensitive piece of information useful for someone with fraudulent intentions. Armed with nothing more than a person's last name and birth date, you can get their SSN from any number of sources. If you have the name and birth date, you can get the SSN - guaranteed. If adequate access controls are placed on obtaining SSNs, some of the risks associated with the birth date diminish. However, independent of using it to obtain a person's SSN, it is still a critical tool for persons committing fraud or identity theft.

Prohibit SSN use as "personal identifiers" by businesses and most government agencies. In spite of strong recommendations discouraging the practice, the majority of employers and other commercial entities in this country continue to use an employee's SSN as their employee ID number, insurance account number, or otherwise as a "Unique Personal Identifier". My current employer does this. My SSN is printed on my company photo ID that is available to anyone at work who sees it. The result is that hundreds of people that do have a legitimate need to know my employee ID number, also get my SSN. As a part of doing business, the company provides lists of employees with their "employee ID" to many other sources. For example, my company had gift certificates for free groceries printed and given to employees as a Christmas bonus. These certificates, that were handled by any number of persons from cashiers, grocery clerks, print shop employees, et al., provided the employee's name, the employer's name, and the employee's ID - which is their SSN.

Many states also use a person's SSN (or derivative of it) for their driver's license number, professional licenses, and other documents. There are many instances where someone has a legitimate need to know a person's driving license or professional license number. They should not also be given the person's SSN.

Use by agencies such as the IRS, Social Security Administration, DOD, FBI, and other services whose data are not subject to public disclosure may need to continue to use SSN as a unique ID. But motor vehicle, voter registration, property tax, and other systems that do not interface with Social Security Administration, IRS, or have other bona fide need, must be prohibited from requiring use of SSNs in their databases. The exceptions to the Privacy Act that currently allow this must be changed.

An additional problem presents itself even when the data from the agency is not made available to the public. With the widespread use of the SSN as an identifier, not only is there an increased danger that the agency will release the SSN (accidentally or intentionally) to the public, but there is a directly proportional increase in the possibility for unscrupulous persons to access the data inside the agency that maintains it. The more people with access to systems with your information, the more ports of opportunity criminals have to gain access to it - either through bribes, extortion, or stealth. The government has recently announced plans to build a massive database on airline passengers that is a prime example of this type of risk. Not only would this database link together personal, financial, and other sensitive data in a central location, it would be accessible by untold numbers of people and at an almost infinite number of locations - many unsecure. Rental car clerks, travel agents, reservationists, and many others will have access to this information. Hundreds of thousands of people - and at least some small percentage not indisposed to criminal activity.

New SSNs for victims. There are provisions to allow the Social Security Administration to issue a new SSN to a person who has had their number "stolen" and used by another person. But getting the Social Security Administration to do it is nearly impossible. From reports of others, it has literally taken an act of Congress where a constituent had to obtain the assistance of their congressional representative to intervene with the Social Security Administration on the constituent's behalf. Unfortunately for thousands of Americans who have their SSN compromised and used by criminals, in most cases the Social Security Administration refuses to issue a person a new SSN to prevent further fraud. It should be much easier for a person to secure a new SSN when their number has been disclosed or used criminally.

Verification without releasing new information. In some circumstances, individuals or businesses have a legitimate need to verify that the SSN provided to them by the subject really is theirs. Congress has even mandated (Illegal Immigration Reform and Responsibility Act of 1996) that such verification systems be studied and put into place for employers to use to determine whether a person is permitted to work in the US. This has even been proposed to be a toll free "800" number that in reality would be available to every person with access to a phone - be they friend or foe.

Similar systems are proposed (and in some cases already exist) for firearms purchases, hiring daycare workers, and other uses. But these systems allow either the user to provide just a name and get the SSN, or the reverse and provide just the SSN and get the name. This is exactly what criminals want, because with one piece of information, they can get the other. Such a system should require the user to provide both the name and SSN (and preferably some other information). Then the system should only reveal whether or not the provided name and SSN go together. Additionally, they should tightly control access to such a system, require positive ID of all users, keep a log of all accesses, and allow the SSN holder to get a list of all entities who accessed their information.
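A sketch of the match-only check recommended above, added here as an illustration and not part of the original letter. The class name, the keyed-digest storage, and the sample name and numbers are assumptions constructed for the example.

```python
import hashlib
import hmac
import time

class MatchOnlyVerifier:
    """Answers only 'do this name and SSN go together?' and logs every query."""

    def __init__(self, key, records, authorized_users):
        self._key = key
        # Assumption: keep a keyed digest of each SSN rather than the number.
        self._names = {self._tag(ssn): self._norm(name) for name, ssn in records}
        self._authorized = set(authorized_users)
        self._log = []  # (timestamp, requester, ssn_tag, matched)

    def _tag(self, ssn):
        digits = "".join(c for c in (ssn or "") if c.isdigit())
        if len(digits) != 9:
            raise ValueError("a nine-digit SSN is required")
        return hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _norm(name):
        return " ".join(name.upper().split())

    def verify(self, requester, name, ssn):
        if requester not in self._authorized:
            raise PermissionError("requester is not positively identified")
        if not name or not name.strip():
            raise ValueError("a name is required along with the SSN")
        tag = self._tag(ssn)
        stored = self._names.get(tag)
        matched = stored is not None and hmac.compare_digest(
            stored.encode(), self._norm(name).encode())
        self._log.append((time.time(), requester, tag, matched))
        return matched  # a bare yes/no: never the name, never the SSN

    def accesses_for(self, ssn):
        """What the SSN holder may request: who asked, and the outcome."""
        tag = self._tag(ssn)
        return [(who, ok) for _, who, t, ok in self._log if t == tag]

if __name__ == "__main__":
    # Constructed sample record and requester.
    v = MatchOnlyVerifier(b"demo-key", [("Jane Sample", "555-01-1234")],
                          {"employer-1"})
    print(v.verify("employer-1", "Jane Sample", "555-01-1234"))  # match
    print(v.verify("employer-1", "John Doe", "555-01-1234"))     # no match
    print(v.accesses_for("555-01-1234"))
```

A wrong name and an unknown number produce the same bare "no", so a caller holding one value learns nothing about the other, and every query naming a holder's number appears in that holder's access list.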

SSNs should never be public information. As you know, a person's SSN is a passkey to their entire collection of personal and financial information. Many information brokers build databases of information from "public sources" - credit headers mostly, but also drivers licenses, government forms, regulatory filings, voter registration, and other similar records made publicly accessible. People have provided their SSN in many situations where there was no expectation or intention for their SSN to be made available to the public. Also, many people's SSNs have found their way into public records. For example, Congress even published in the Congressional Record, the SSNs of military officers receiving promotions. This concept of "once public, forever public" must be changed. Even if used on public documents or records in the public domain, a SSN must not be allowed to become public information and subject to unrestricted collection, publication, and rerelease.

Allow proof of citizenship other than SSN. Where citizenship is a requirement, many entities require you to provide a SSN as "proof of citizenship". These include voter registration, jury duty, election to public office, and other situations. I tried to register to vote and provided my birth certificate, drivers license, passport, and Social Security card with my name (but with the number covered up). They denied me. They would not register me to vote without a SSN, even though that requirement was to prove citizenship - citizenship I clearly demonstrated with other valid ID. A passport, military ID, or other bona fide document demonstrating citizenship should be accepted as proof of such in all circumstances.

Eliminate inferred information from the structure of the SSN. Because the Social Security Administration allocates "blocks" of SSNs to states, once a person knows your SSN, they also know where it was issued and approximately when. By happenstance, the one piece of information useful to criminals that is generally not on the credit headers, is a person's place of birth. But because of the structure and allocation method of SSNs, you can easily figure out where and when it was issued. And with SSNs now issued almost at birth, the date and place of issue is very often quite near the date and place of birth. Knowing the jurisdiction of birth, getting a person's birth certificate is quite easy - a useful tool for identity theft. Today, there is ample technology and infrastructure in place for SSNs to be allocated directly from the Social Security Administration, so number 555-01-1234 may go to someone in Florida and the next number 555-01-1235, go to someone in California. They should also implement additional randomization, so that someone could not determine the date of issue.

Prohibit irrevocable, blanket waivers. Much of the publicly accessible information became so through fine print in irrevocable or blanket waivers. Many banks or businesses will not do business with an individual unless they sign waivers that grant the business the right to "report their [personal information] to a consumer reporting agency". This has been used as unconditional authority by the credit bureaus to re-release such information, long after the original use has expired. Even if the consumer closes the bank account and revokes the bank's ability to release further information, the consumer curiously has no right to stop the credit bureaus (or anyone else the bank disclosed such information to) from re-releasing the information.

I realize that many of these suggestions seem quite unrelated to the mission of the FTC in general, and the relationship of private information and financial fraud in particular. But to stem the acts of financial fraud, you must plug the leaks of information that are the enablers of that fraud. Plugging one hole in the bow of the boat does little good if the holes elsewhere are left open.

Thank you for your attention to this important issue, and your time in consideration of my comments. I remain,

Sincerely,

Robert Biggerstaff


<Appendix>