Your Privacy for Sale

The indiscriminate gathering and sale of personal information, including Social Security numbers, have made many Americans unwittingly vulnerable to “identity theft” and other fraud in this age of computerized databases. Privacy concerns had triggered a Federal Trade Commission study, but the results proved to be disappointing. Creeping intrusion into our private affairs should be high on Washington’s vigilance list.

Consumers are being told by the FTC that they will be protected under new privacy principles. But the standards are being set by the companies that gather and sell our personal data for profit, and compliance is voluntary. The FTC has decided to let the Individual Reference Services Group, which represents the data industry, have a try at self-regulation, a dubious decision. In contrast, the Federal Communications Commission prohibits telephone companies from using data on customers’ calling habits to market new services unless the customers approve such use.

Information that can be used to identify and locate a person or verify identity has always been publicly available in government records, real estate records, telephone directories and other documents. Businesses known as “look up” services or locators collect personal data and now, with computer technology, can easily compile it for sale to private clients.

The new technology has made it possible to combine information from multiple sources more quickly and sell it cheaply. Increasing access to data from nonpublic sources like credit reporting agencies has raised the blinds on privacy. The “nonpublic” information the services provide can include Social Security numbers, dates of birth and mothers’ maiden names, authenticating data that can be used for fraudulent purposes. Federal, state and local government agencies use the services in law enforcement--to track down debtors, for instance, or in the prosecution of financial crimes. The private sector subscribes to the databases to verify information and investigate potential fraud.

Ordinary citizens--and would-be “identity thieves”--can get some of the same information by using the Internet. One online service is reported to have offered its subscribers a person’s Social Security number, birth date and telephone number for $1.50. Imagine what a crook could do with that.

Across the country, the privacy standards, which take effect next year, tend to favor data service firms over individuals. For example, the firms say they support restrictions on the sale of authenticating information like Social Security numbers from nonpublic sources but allow distribution of this same information to so-called qualified buyers. It’s unclear precisely which customers fall into this category, but clearly fees must be a factor.

The FTC correctly pointed to some shortcomings in the industry’s approach, which would essentially provide no controls on the uses of public records and publicly available information. Meanwhile, data service firms are not required to maintain audit trails of records accessed by information users. These audit trails would be particularly important in tracing seemingly legitimate entities that obtain personal data for illegal uses.

Despite these concerns the FTC insists that the industry plan is “more comprehensive and far-reaching than any other voluntary, industrywide program in the information sector.” That assertion may be still another reason to worry.