April 14, 1997

Secretary
Federal Trade Commission
Rm H-159, Sixth St. and Pennsylvania Ave. NW
Washington, D.C. 29580

Session One
Data Base Study -- Comment, P974806

These comments pertain to the section "Information Collection and Use," points 1.1 - 1.26.

In September 1996, there was a flurry of controversy surrounding the sale of personal information by the Lexis-Nexis company vis-a-vis its P-TRAK service. Although much of the brouhaha centered on the sale of Social Security numbers, which Lexis-Nexis had curtailed a few months earlier, the public outcry illustrated a growing concern about electronic privacy. The Lexis-Nexis phone lines were jammed with people requesting that their records be deleted from the P-TRAK data base.

What most of these people did not realize is that Lexis-Nexis is not the only seller of personally identifiable information. There are hundreds of companies throughout the country which obtain the same or similar "look-up" information as is sold via P-TRAK in which the Social Security number is not suppressed. Some information vendors limit themselves to "look-up" data such as names and name variations, current and former addresses, telephone numbers (including in some cases, unlisted numbers), Social Security numbers and date of birth. Others, as described below, also provide access to public records data bases.

A major source of "look-up" information is the three credit reporting bureaus -- the "credit header" data sold by Experian (formerly TRW), Trans Union and Equifax. Credit header data has been deemed to be out of reach of the Fair Credit Reporting Act. It can be sold to information vendors without restriction; no "legitimate business need" or "permissible purpose" is required for this data to be sold to information vendors and then re-sold to their customers. Other sources of "look-up" data are publishers' mailing lists and nationwide white pages directories

Some information vendors go beyond the "look-up" data sources by compiling and providing access to public records obtained from local, state and federal government agencies. Information obtained from public records includes real property information, voter registration files, motor vehicle registration and license information, occupational licensing records, court lawsuit information, Universal Commercial Code records, and for some states the vital statistics indexes for marriage, divorce and death records. Information vendors that combine the "look-up" data sources with public records information are able to provide their customers with the ability to compile virtual dossiers on individuals.

The following is a partial list of such information vendors. These were obtained primarily by using an Internet search engine and seeking the Web sites of information vendor. This list is by no means comprehensive. Such companies are used by a wide variety of investigative companies, including collection agencies, private investigators, skip tracers, employment background checkers, tenant screening services, insurance investigators, missing persons locators, and so on. (You may look in the Yellow Pages of the telephone book under Investigators to see the types of companies that might use the services of such information vendors.)

Lexis-Nexis (Ohio); CDB Infotek (owned by Equifax, and located in California); Information America (Georgia); IRSC (California); WDIA (National Credit Information service, Ohio); Autotrack (Database Technologies, Florida); Informus (Mississippi); Super Bureau Inc. (California); Atlas Information Services (Florida); Dig Dirt Inc. (New Jersey); Wind Associates (New York); ATT Information Brokers (Florida); Kadima Systems (California). Many of these and other similar companies obtain credit header data from the credit reporting bureaus -- Experian, Equifax and Trans Union.

One of the concerns we at the Privacy Rights Clearinghouse have about these information vendors is that their activities are virtually unregulated. Granted, when they provide access to credit reports, they must ensure that the requestor has a "legitimate business purpose." But much of the remainder of the considerable body of data to which they have access is not regulated by a code of Fair Information Practices such as provided by the Fair Credit Reporting Act for consumers' credit history data.

In addition, consumers do not have ready access to the data compiled about them. We have received many calls to the PRC hotline from individuals who tell a story that goes something like this:

"I'm looking for work, and I often get to the first interview stage, sometimes even the second interview. But then I'm dropped like a hot potato. I wonder if there's some information about me out there that is harming me."

We are aware of one job applicant who, after being turned down for many jobs, found out that a data base used by most of the department stores and retail outlets in his area listed him as having a criminal background. His record had been mixed erroneously with that of a criminal.

Our suggestion to hotline callers who wonder if there is some information "out there" harming them is to hire an investigative service to conduct a background check on them using one or more of the database services provided by the above-listed companies. And even after spending $50 to $150 for such a search, the job applicant cannot be absolutely sure that he or she has uncovered the information that might be harming him or her.

There are other harmful consequences of unrestricted access to information about individuals. "Identity theft" is one. We have seen a dramatic increase in calls to the PRC from consumers whose identities have been stolen for the purpose of obtaining credit cards and other services fraudulently. All the imposter needs is the name and Social Security number, something easily purchased from many information vendors.

Fortunately, some vendors are now making it more difficult to obtain SSNs. For example, Lexis-Nexis has voluntarily removed the SSN from the P-Trak data that is displayed on the subscriber's terminal. CDB Infotek replaces the last two digits of the SSN with 'x's. Information American has also restricted access to SSNs. But many more information vendors offer services which provide SSNs when a search by name and address is conducted, obtained primarily from credit header sources. (Two such services are WDIA's National Credit Information and Trans Union's ReTrace.)

The Privacy Rights Clearinghouse is not aware of any specific cases of data from an information vendor's data bases being used for identity theft purposes. Victims of identity theft usually do not know how their SSN and other data were obtained by the imposter. There are many low-tech ways to obtain the information necessary to commit theft of identity and credit card fraud, such as wallet theft and dumpster diving. But given the relatively low price of many "look-up" services, the sophisticated identity thief is not likely to pass up the opportunity that such data bases provide.

Another harmful use of such "look-up" information is to track down victims of stalking and domestic violence. Victims of these crimes who have moved to another location to escape a stalker or abuser need to be able to shield the location of their residence. If they reveal their new address to their credit grantors, who in turn report it to the credit reporting bureaus, they can be easily found.

Many individuals have occupations in which the ability to shield their home addresses is important: police officers and other employees in the law enforcement and justice systems, teachers, doctors and other health professionals, psychological counselors, social workers, and employees of "unpopular" government agencies like the IRS and state tax agencies.

But given the proliferation of information vendors which provide "look-up" services, it is difficult, if not impossible to prevent such information from getting into the hands of wrong-doers.

Certainly, there are many beneficial uses of the services of information vendors -- locating missing friends and relatives, weeding out violent employees, catching up with parents who do not pay child support payments, preventing sexual predators from working in child care centers and schools, and so on. For every "horror story" that we hear from PRC hotline callers, there is no doubt an equally compelling "hero story."

The balancing of beneficial uses of these data sources with the privacy rights of individuals is truly one of the most challenging public policy issues of this information age.

We believe that the answer to many of the problems discussed above can be found in regulating the information vendor industry with a code of Fair Information Practices, much like the credit reporting industry is regulated by the Fair Credit Reporting Act. The amount of information compiled about individuals is only going to grow. And the consequences for individuals about whom information is compiled are only going to become more significant. The data subjects must be able to have a right of access to this data (at a reasonable price, not $100), along with a right to have erroneous data corrected and a right to know who has accessed information about them.

This concludes the PRC's comments for Session One, Computerized Data Bases.