Battle for privacy has right fight, wrong focus

Last year, Internet users were incensed by a Lexis-Nexis Corp. people-finder service
called P-TRAK. The database consisted of name, address, phone number, Social Security
number and other personal information. The data came from so-called credit header
information in credit bureau files.


Credit reports are highly regulated, but credit header information is not. P-TRAK was
not unique. Other services traffic in similar data on the Net and elsewhere.


That didn't matter. P-TRAK became a lightning rod for general outrage about loss of
privacy. Stories in national newspapers followed, along with political responses.
Lexis-Nexis retreated under all the publicity. It offered people the opportunity to opt
out of its database and also restricted Social Security number availability.


That wasn't enough. P-TRAK sparked broader inquiries in the press, federal agencies and
Congress.


Within a matter of weeks, the Federal Trade Commission asked Congress to restrict the
availability of credit header information. Just before it adjourned in 1996, the Hill
ordered first one study of the problem and then another. The second study is being
conducted by the FTC, which held a workshop in June focusing on privacy.


A second Social Security number snafu came earlier this year when the Social Security
Administration decided to make information about individuals' Social Security earnings and
benefits available directly through its World Wide Web site. Users had to identify
themselves online by name, Social Security number, date of birth, place of birth and
mother's maiden name.


Some privacy advocates objected that this identifying information is too easily
available, so that anyone can retrieve anyone else's SSA records. This story started on
the front page of USA Today and quickly spread to other newspapers and television news.


This time it took only days for bills to be introduced in Congress prohibiting the SSA
online service. SSA quickly pulled the plug and announced a series of public meetings
around the country.


At a May congressional hearing, Marc Rotenberg of the Electronic Privacy Information
Clearinghouse told a funny and telling story. During the height of the SSA Web site
controversy, someone called him to complain that SSA was asking people to disclose their
Social Security number! The caller felt this was an invasion of privacy. Rotenberg
patiently explained that SSA, as the issuer of the numbers, was perhaps the only
organization entitled to request such a disclosure.


The Social Security number has become a symbol for the general loss of privacy. Far
beyond the number's actual significance, people feel threatened when asked to disclose it.


It's true that someone with your Social Security number and criminal intent can inflict
a lot of damage. The problem is that citizens seem to scream only when their Social
Security number is involved. Otherwise, people give away tremendous volumes of personal
data to America's vast marketing and information industries.


Supermarket frequent shopper programs offer good examples. Week after week,
supermarkets record everything you purchase--food, drugs, books, liquor, household
products. The resulting database is a gold mine of personal data that can be bought and
sold without restriction.


Needless to say, Congress is no more consistent. Last year, it passed new laws creating
major new databases of personal information for welfare, child support, new employees and
immigration. Privacy concerns were ignored. Yet this year, Congress fell all over itself
to complain about the loss of the sacred right of privacy.


The Social Security number has become the highly-charged third rail of privacy. Touch
it, and you die. That is a warning to anyone who traffics in personal information,
including federal agencies.


There is, of course, more to the P-TRAK and SSA controversies than disclosure of Social
Security numbers. Both raise a host of legitimate questions about the protection of
privacy and the control of personal information. But I believe it was the Social Security
number connection that produced most of the reaction. If the public and the press ever
learned to react as sharply when asked for other personal information, the cause of
privacy would be considerably enhanced.


Robert Gellman, former chief counsel to the House Government Operations
Subcommittee on Information, Justice, Transportation and Agriculture, is a Washington
privacy and information policy consultant. His e-mail address is rgellman@cais.com.


inside gcn

  • security compliance

    Security fundamentals: Policy compliance

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above