Secretary
Federal Trade Commission
Room H-159
Sixth Street & Pennsylvania Ave., NW
Washington, DC 20580
Re: Data Base Study -- Comment, P974806 Data Base Workshop -- Request to Participate, P974806 To the Federal Trade Commission:
The Department of Justice ("Department") hereby submits these comments in response to the request of the Federal Trade Commission ("FTC") for comments on its workshop on Consumer Information Privacy and its Data Base Study. Pursuant to the FTC's request, the Department requests the opportunity to participate in the Data Base Workshop by submission of these comments. The Department, of which Federal Bureau of Investigation is a part, is an executive branch agency charged with federal law enforcement responsibilities. The Department is deeply concerned about the safety and security of American citizens. The Department is vigilant to take appropriate measures to guard their privacy while using all the resources at its disposal, including information resources, to investigate and prosecute violations of the federal criminal law. The FTC invited comment about the collection, compilation, sale, and use of computerized data bases that provide sensitive consumer identifying information. Public Workshop on Consumer Information Privacy, 62 Fed. Reg. 10271, 10272-73 (1997) In particular, Question 1.24 asks about federal laws regulating such activity. Question 1.26 asks whether additional regulations or laws are necessary or appropriate. No federal law regulates such activity on a general basis. The FTC is familiar with the scope and limitations of the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq., which imposes restrictions on the furnishing of a "consumer report" by a "consumer reporting agency." FTC policy has been to treat market lists from a credit reporting database based on such "identifying information" as name, zip code, age, social security number or "substantially similar identifiers," as not rising to the level of a "consumer report." See Trans Union Corp. v. FTC, 81 F.3d 228, 232 (D.C. Cir. 1996) (discussing Letter from FTC to TRW, September 24, 1992). Other federal laws are subject to their own limitations. The Privacy Act, for example, applies to government entities only. 5 U.S.C. 552a. See 5 U.S.C. 552(f) (definition of "agency"). The Social Security Act has an analogous provision prohibiting disclosure of Social Security account numbers and related records by "authorized persons," who are defined as including only government employees. 42 U.S.C. 405(c)(2)(C)(vii). The Social Security Act also provides penalties for fraud related to procurement of Social Security number information. 42 U.S.C. 1307(b). On an ad hoc basis, Congress has occasionally protected privacy of records with regard to particular records or particular industries. These protections relate to financial records, 12 U.S.C. 3401-34, drivers licenses, 18 U.S.C. 2721, wire and electronic communications records, 18 U.S.C. 2703, video rentals, 18 U.S.C. 2710-2711, and telephone network customer information, 42 U.S.C. 222. These restrictions on use of sensitive records are important to protect American citizens. They serve not only to protect the dignity of Americans by keeping their personal information private, but also to deter identity fraud and other kinds of fraud. Deterring fraud is an important federal law enforcement interest. See, e.g., 18 U.S.C. 1002 (possession of false papers to defraud the United States), 18 U.S.C. 1028 (fraud and related activity in connection with identification documents), 18 U.S.C. 1029 (fraud and related activity in connection with access devices). See also 18 U.S.C. 1341 (mail fraud); 18 U.S.C. 1343 (wire fraud); 18 U.S.C. 1344 (bank fraud). This concern takes on added significance in the context of computers, where access often occurs without face-to-face interactions. See 18 U.S.C. 1030. Congress has repeatedly recognized that the needs for protecting privacy and deterring fraud must be balanced by the need for effective law enforcement. All of the industry-specific provisions mentioned above permit reasonable access by law enforcement. See, e.g., 12 U.S.C. 3413(a)-(o) (financial records); 18 U.S.C. 2703(c)(1)(C) (local and long distance telephone toll billing records); 18 U.S.C. 2710(b)(2)(C) (video tape rental records). In the absence of incentives to the contrary, collection, compilation, sale, and use of computerized data bases that provide sensitive consumer identifying information will likely proliferate with the rise of electronic commerce and other cyberspace activity. This increase would be driven both on the supply side and on the demand side of the market. Because electronic commerce is conducted on computers, the supply of consumer identifying information stored on computers in an easily accessible format will increase as use of electronic commerce increases. The demand for this information is likely to be potent because of its marketing value for those companies who collect it, both for evaluating preferences of particular customers and for estimating the appeal of particular products and services. This information will also be sought by other companies who would use it for similar purposes. In fact, as face-to-face interactions decrease, companies will increasingly rely on such information to "profile" market segments. The proliferation of these computerized data bases will simplify the perpetration of many kinds of fraud, including identity fraud. The Department is concerned about this potential. Law enforcement is also faced with concerns about the decrease in direct interactions between individuals. The rise of electronic commerce will not only facilitate crimes such as money laundering, 18 U.S.C. 1956, but it will also affect the availability of investigative leads and evidence. Computerized data bases will become increasingly important in the investigation and prosecution of all kinds of crime. No longer will it be possible to interview bystanders about the whereabouts of an individual. Instead, crimes will have to be traced electronically. Society's continual recognition of the need for reasonable law enforcement access to otherwise protected records should be preserved in the area of computerized data bases. A desire for anonymity in the world of electronic commerce should not be used as a cover to avoid accountability. Policy makers must be vigilant for unintended consequences of privacy laws that, if written without procedures for access by law enforcement, could severely hinder public safety efforts. Of course, the procedures for government access should be tailored to the type of information at issue and ensure that privacy is appropriately protected. The Department appreciates the opportunity to share these views with the FTC.
Respectfully submitted,
Scott Charney
Chief
Computer Crime and
Intellectual Property Section
Go to . . . CCIPS || Justice Department Home Pages
Updated page October 21, 1997
usdoj-jmd/irm/css/jea