STATEMENT OF MARC ROTENBERG, DIRECTOR, WASHINGTON OFFICE, COMPUTER PROFESSIONALS FOR SOCIAL RESPONSIBILITY, ACCOMPANIED BY MARY J. CULNAN, SCHOOL OF BUSINESS ADMINISTRATION, GEORGETOWN UNIVERSITY Mr. ROTENBERG. Mr. Chairman, Congressman McCandless, thank you very much for the opportunity to testify this morning. The computer science profession has a particular concern about the adequacy of privacy safeguards in the United States. For more than 20 years we have played an ongoing role in efforts to ensure that information that is collected and maintained in large automated information systems is properly safeguarded and used for its intended purpose. Absent such safeguards, we know that the risks to personal privacy are great and severe. In fact, I would say that Professor Flaherty has understated the extent of the privacy problem in the United States today. I would like to recall a statement that was made by the ranking minority member of this committee, Congressman Frank Horton, almost 25 years ago. Mr. Horton said when Congress first considered the issue of the computerized collection of records that "one of the most practical of our present safeguards of privacy is the fragmented nature of personal information. It is scattered in little bits across the geography and years of our life. Retrieval is impractical and often impossible. A central data bank removes completely this safeguard." That is the underlying concern in the privacy realm in the United States today. We are centralizing an enormous amount of personal information without the knowledge or the informed consent of the people whose records are involved. Let me describe where I think we could begin to correct this problem. Once again, I would go back in time to the period when Congress considered how to establish privacy safeguards for automated information systems. Computer scientists came together with policymakers and Members of Congress to draft a set of principles. It was called the code of fair information practices. The underlying principle in the code was that information which is disclosed for one purpose should not be used for another purpose without the consent of the individual involved. It is a simple proposition, really. When you give over information to receive a service, to buy a product, you reasonably expect that unless someone tells you otherwise the information will only be used for the purpose for which you have provided it. As I said, it is the cornerstone to the code of fair information practices and truly the thread which ties together the privacy law within the United States. I will say simply that many of the current information products available in the private sector clearly violate the code. The information is acquired without the consent of the people involved and it is disclosed, sold and exchanged without their knowledge. Let me look at a particular example and try to explain the double-edged nature of transactional data that is generated by computer systems. Consider, for example, the monthly billing statement that you receive from the telephone company. To you this could be valuable information to verify phone charges. You can tell, for example, if someone in your family has made a call they weren't supposed to make, if you have been billed for a call that you didn't make. You as the phone subscriber have the right to that transactional data so that you can determine that the company that is billing you for the services has properly billed you. But if that transactional data were sold to a third party, it would provide an intimate look into your personal life: Who you called, when you called them, how long you spoke to them. Effectively, a list of your close friends and associates. It would be as if someone had leafed through your address book, copying names and addresses down without regard for any of your interests whatsoever. That is the situation we face today in the United States, because there is an absence of adequate safeguards to protect the flow of transactional data from the organizations to which we provide the information to third parties that we have never had any contact with. The Citicorp point-of-sale marketing program is really only one example. I will briefly describe some of the problems I see with the program. I don't so much mean to single out Citicorp. As I say, there are other companies doing it. At the same time, I will also not back off from criticism of Citicorp, because they are only telling part of the story here. The part of the story that they are telling is the ability for marketers to have more detailed information on consumers and therefore to be more responsive to consumers. I would agree that is a benefit to both marketers and consumers and under the proper circumstances should go forward. The problem with the program is that the information is not just available to the local grocery store owner who is trying to decide what products to offer next to their particular consumers or how to build customer loyalty. Citicorp, in the way that they have designed the program, is offering computer systems to the supermarket chains, which in many cases can't afford these systems, in exchange for copies of the data that is being collected. So the data flows not only into the local supermarket chains, but also to Citicorp, which, as you know, is one of the largest financial institutions in the country. The question becomes, why should Citicorp become an information broker for the buying preferences of American consumers, and do American consumers know that that is actually taking place? Another example that worries me greatly is a product that will be out this summer called Lotus marketplace. It is a computer disk, a CD-ROM which contains the buying preferences of 120 million American consumers. Let me tell you briefly what categories of information are contained on this disk: The name of the consumer; the address; the age; the gender; the marital status; the estimated household income; lifestyle information; dwelling type. Actual buying habits as measured across 100 different product categories. This information is the most easily accessible collection of personal data on American consumers that has ever been made available in this country, and barely a word has been spoken before you, sir, in the U.S. Congress about the privacy implications of such a product. Citicorp will say and Lotus will say "we are not disclosing personally identifiable information; we are disclosing lists; we are simply providing a group of names to marketers who could pursue these people and decide whether or not to offer their products or services.' If I believed that that is as far as these products would go, then I would not be as concerned as I am today, but I have great reason to believe that personally identifiable information will readily be disclosed as these products become increasingly available. Equifax, for example, which is one of the largest list brokers in the United States, is now using the data that they have collected to conduct employee prescreening. That means they go back through the data bases that they have put together from credit records, from financial records, criminal records, educational records, medical records, and make determinations for their organization about who they are going to hire. What is it that will stop Citicorp, what is that will stop Lotus and Equifax in this joint venture from using the information that they have collected in a similar fashion? And of greater concern, selling it to other people so that they too can have the benefit of leafing through our personal histories that have been recorded through the collection of this transactional data. Mr. WISE. We are going to recess the hearing for 30 to 45 seconds so that we can continue the rolling quorum. I think this will conclude it. [Recess taken.] Mr. WISE. The hearing will resume. Mr. ROTENBERG. Thank you, Mr. Chairman. What is taking place is a form of marketplace deception cloaked under the banner of innovation. The rules about information collection, protection and disclosure are well understood. The code of fair information practices is well known. It is not being followed. The other critical piece is that the American public is very much concerned about privacy protection. Ninety percent of people who were polled in 1986 said that large organizations collect too much information on individuals and 80 percent said that information should not be disclosed to others without their consent. The question becomes, simply, what can be done? The answer, sir, I believe, is to begin where you have begun, and that is to fill in a key missing piece in privacy protection in the United States, the establishment of a data protection board. It was in 1973 that Senator Ervin, following the culmination of a series of very exhaustive and detailed hearings, saw the need for the creation of a data protection agency that could act as an independent privacy ombudsman that could draw attention to these issues. It wasn't so much that it would regulate the private sector, but rather would help organizations adopt better information practices that could help protect personal privacy. Senator Ervin pushed very hard for the data protection commission back in 1973, but it did not become a part of the Privacy Act that eventually became law. Nonetheless the Privacy Protection Study Commission was created. The recommendation of the commission in 1977 was the same as Senator Ervin's committee had reached in 1973, that the United States needed an independent pri vacy ombudsman to get on top of these issues so that the ongoing privacy abuses that we see today would not continue. We feel very strongly that it is necessary for the United States to fill in this missing piece, to reestablish our place in the world community as a leader in privacy protection. We have lost that position. We have lost it to the western Europeans. As Professor Flaherty said, there are meetings now. There was a meeting in Luxembourg at the end of March where the seat that was set aside for the U.S. representative remained empty because we had no one to put at that meeting to express the concerns of privacy protection for the United States. That seat must be filled next time that meeting occurs. We need the data protection board. I very much appreciate your efforts on this issue and would be happy to answer questions. Mr. WISE. Ms. Culnan, did you have anything to add? Ms. CULNAN. No. [The prepared statement of Mr. Rotenberg follows:] Summary Statement of Marc Rotenberg, Director, Washington Office, Professor Mary J. Culnan, Dr. Ronni Rosenberg, National Science Foundation Fellow, on Computer Privacy and H.R. 3669, before The Subcommittee on Government Information, Justice and Agriculture, Committee on Government Operations, U.S. House of Representatives May 16, 1990 |