Index:
[thread]
[date]
[subject]
[author]
From: Steve McBride <spm2101@columbia.edu>
To : <cpc@emoglen.law.columbia.edu>
Date: Wed, 09 Mar 2005 00:00:35 -0500
Paper 1: Legislative Solutions to Protecting Personal Data
Paper 1: Legislative Solutions to Protecting Personal Data
Steve McBride
After reading the book No Place To Hide [1], my main concern was the lack
of legislation protecting citizens from improper uses of their data,
whether by the government, corporations, or identity thieves. While I
don't expect civil actions for negligent behavior on the part of data
miners to force Acxiom or Choicepoint to change their behavior, I do
believe that targeted legislation in areas of concern offer the most
realistic route to ensure an acceptable level of privacy for the average
citizen. At least we could curb the most egregious privacy abuses.
Negligence actions against data miners would provide compensation to
victims. Other regulation, such as more enforcement against identity
thieves and restrictions against uses by law enforcement would offer
deterrent effect. Individuals should have the ability to get any
information a company has on them at request, as well as a process for
correcting or deleting any mistakes. Finally, in some cases, certain types
of data collection may need to be restricted altogether.
Consumers should be able to sue companies based on negligently using
information. Data collection companies should be required to verify the
legitimacy of clients requesting consumer information or face liability to
consumers. This would make companies like Choicepoint take more safeguards
in selling sensitive data. Much of the cost would be passed along to
consumers in the form of higher prices, but some new safety guards would be
implemented simply because they prevent enough suits to save the companies
money.
One of the most disturbing examples in No Place to Hide was Michael Berry
[2]. The fact that a victim of identity theft cannot even get police to
investigate the crime when he knows the address of the thief is amazing. I
don't want to get too specific in trying to structure a better law
enforcement regime but I want to point out that law enforcement needs a
cohesive strategy for policing identity theft that is lacking today.
Legislation should provide police a framework for law enforcement to
investigate and prosecute identity theft. Obviously, enforcement wouldn't
stop all identity theft, but it would deter a significant amount, and give
the consumer some cushion against misuse of their identity.
Sticking with law enforcement, there also needs to be some legislation into
what law enforcement can and cannot do with information, and there need to
be penalties for misuse. Although sweeping restrictions on data use by
police seems unlikely in the near future, limitations on extreme misuses
are feasible. Procedures for who can use sensitive information and for
what purposes need to be laid out and followed more closely.
Most importantly in guaranteeing some measure of electronic privacy,
individuals need the ability to monitor and correct information that third
parties have collected about them. To a limited extent, this already
exists with the Fair Credit Reporting Act, but the FCRA is not extensive
enough to provide adequate consumer protection [ 3]. Something similar
needs to be extended to any information gathered about people through any
company. Consumers need absolute authority to review, correct, and delete
any information that any third party has about them. Corporations should
be required to report on stolen data to consumers, similar to the
California identity theft statute that required Choicepoint to report
stolen data to all affected Californians [4]. This report should include
not only whose information was stolen, but also specifically what
information was stolen.
Eventually, I believe that collecting certain types of personal information
may be totally banned. Today, this type of legislation is probably
unrealistic, but after twenty or thirty years of experience with broad data
collection, society will learn by trial and error what kinds of data
collection lead to problems and will move to limit their collection [5].
My guess would be financial data like credit card numbers will go first as
corporations are slow to react to better identity thieves. If data
modeling gets too good, data collection of information like purchasing
history may also need dealt with.
Alternate strategies such as a constitutional amendment or sweeping, broad
legislation on data collection may be more philosophically satisfying than
industry endorsed legislation, but in my opinion are not realistic
alternatives. I don't think Congress would ever pass a broad ban on this
type of operation. For one thing, a large portion of the public likes and
benefits from data collection. I derive value from getting lower interest
rates because of a good credit rating. Shoppers at Rite Aid get discounts
on products because of their club cards. The loss of privacy incurred from
the data collection is real, but the average American has proven she will
gladly sacrifice some privacy for a price break. On the corporate side, a
huge industry has sprung up around data collection, with an effective
lobbying group to go along with it. Acxiom is not going to be put out of
business without a fight, and Kroger will spend millions to be able to
continue handing out Kroger cards. Given the lack of public interest and
the strong financial stakes to the data collection industry, I don't think
we can reverse what has been done. The genie is out of the bottle.
In my opinion the most realistic solution to issues of privacy raised by
data collection is targeting legislation at specific problems that evolve
as we learn the pitfalls of having so much information collected about us.
It gives the advantage of being able to curb the worst abuses while keeping
the benefits we gain from the use of this data. Possibly in the future we
will have learned enough about the ups and downs of data collection that we
can formulate a simple rule to satisfy all interested parties. At the
present, however, the interests of industry and privacy are too far apart,
and we're still not sure what the social value of data collection can be.
Targeting legislation to deal with the most obvious problems seems to me to
be the best solution.
Notes:
[1] Robert O'Harrow, Jr., No Place To Hide (2005).
[2] Id. at 74-78 and Chapter 3 in general. When an identity thief began
opening up credit cards under Berry's name, police refused to investigate
due to jurisdiction issues and lack of resources.
[3] 15 U.S.C. § 1681-1681u. The FCRA only covers credit reporting
agencies and it is up to the credit reporting agency's discretion to
investigate and correct any mistakes on your report.
[4] The California Online Privacy Protection Act of 2003, Cal. Bus. & Prof.
Code § 22575 - 22579 (2004). For discussion of the Choicepoint fiasco, see
Tom Zeller, Jr., Breach Points Up Flaws in Privacy Laws, NY Times, Feb 24,
2005.
[5] Choicepoint is already curbing its sales of Social Security Numbers and
Driver's Licenses in an attempt to slow the upcoming legislative backlash
against it. See Margaret Kane and Matt Hines, "Choicepoint Faces Inquiry,
Will Curtail Data Sales", CNET (March 4, 2005); available at:
http://news.com.com/ChoicePoint+faces+inquiry%2C+will+curtail+data+sales/21
00-1029 3-5599516.html
-----------------------------------------------------------------
Computers, Privacy, and the Constitution mailing list
Index:
[thread]
[date]
[subject]
[author]