Guarding Consumer Privacy

by Michel Lowe

“How you know you got chromosomes, kid?”
– Anti-drug commercial circa 1973 linking LSD use to chromosome damage.

Protecting personal information is one of the most urgent issues in today’s civil liberties battles – protection from commercial exploitation, criminals, and even the government. Consumers worry about the uncontrolled release of their financial information and personal identity data. Criminals used pilfered Social Security numbers and other consumer data to bilk unwary consumers and businesses out of over $56 billion in 2006. Consumer privacy and protection of personal information is a serious business. But to paraphrase the quote above, “How you know you got a right to privacy, kid?”

There is no right to privacy explicitly stated in the United States Constitution. As enlightened as the founding fathers were on protecting personal liberty, they were remarkably silent on the subject of personal privacy. Privacy rights vary with geography – Europe tends to worry less about physical privacy and more about data privacy while Singapore has little of either. This paper will focus on Americans’ privacy rights and guarding private consumer data in the United States.

You Can’t Protect What You Don’t Have
Americans gave little concern through their first two centuries to individual privacy rights. The “man’s home is his castle” from English common law seemed to be sufficient. What went on behind closed doors was no one’s business.

The early 20th Century brought innovations in banking and finance that for the first time made consumer privacy an issue. Lenders collected and exchanged consumer information with each other. And though Supreme Court Justice Louis Brandeis, writing a dissenting opinion in Olmstead v. United States, said that the right to privacy is “the most comprehensive of rights and the right most valued by civilized men,” the majority of the court did not agree. Almost 40 years passed before the court again took up the right to privacy.

By the 1960s Americans had become concerned about the information private industry was collecting on them as well as what information their government collected. Local and national credit bureaus maintained income and payment information on consumers. Often this information was written on paper, stored in filing cabinets, and might or might not be current or accurate.

IRS computers amassed volumes of financial data on every taxpayer. As evidence of abusive investigations by government security agencies accumulated, many Americans began to mistrust their government. But there was no legal framework for consumer privacy or a right to privacy that could be used to challenge government or private industry data collectors.

It took Justice William O. Douglas, writing the majority opinion in Griswold v. Connecticut, to push the Supreme Court into recognizing a constitutionally protected right to privacy. Douglas famously said “emanations” from the First, Third, Fourth, Fifth, and Ninth Amendments cast “penumbras” around a guaranteed right to privacy.

Consider the Fourth Amendment’s declaration that people have the right “…to be secure in their persons…against unreasonable searches and seizures.” It sounds like the framers were thinking of a right to privacy without actually calling it one. Justice Douglas agreed.

The Supreme Court decided Griswold in 1965. The 1966 Freedom of Information Act followed closely on its heels. FOIA gave individuals the right to access the information the government collected on them. The Fair Credit Reporting Act extended FOIA-like access to information collected by credit bureaus and lenders.

The dynamic duo of privacy law is the 1973 Roe v. Wade decision and the Privacy Act of 1974. Roe extended the right to privacy to include the privacy to make decisions concerning women’s own bodies. The Privacy Act gave consumers rights of redress against unwarranted government intrusion into their personal affairs. Where FOIA allowed consumers to find out what was in their government records, the Privacy Act gave them the right to contest the information itself and order it corrected.

Through the following two decades federal legislation enhanced and strengthened consumer privacy protection including the Tax Reform Act of 1976, the Right to Financial Privacy Act, Electronic Fund Transfer Act, Electronic Communications Privacy Act, Driver’s Privacy Protection Act, and the Health Insurance Portability and Accountability Act (HIPAA). The states tagged along, sometimes leading, mostly lagging the federal privacy laws and regulations.

Trouble in Paradise
From the above it would appear that all is well for consumer privacy. America, a nation of laws, now has laws to protect personal information, financial information, medical information, and even DMV records. If any of the information legally collected should prove erroneous, Americans can compel data collecting businesses and agencies to correct those errors. And though Roe has been nibbled away some since 1973, its basic contention that women and their doctors have the privacy right to decide what is best is essentially intact.

So how could there be any controversy surrounding consumer privacy? As happened so much in the last decades of the 20th Century, technology’s advance outstripped both the law and society’s ability to cope.

Following Moore’s Law, since the 1950s computers have doubled in power about every eighteen months. What is more, they have dropped in price. For under $2,000 MBA students can fold up and carry around the mainframe capacity of the 1970s in their backpacks. Communications networks have proliferated and increased in speed by factors of thousands over their 1970s counterparts. The “high speed” data communications network of the ‘70s consisted of 9600 bits per second tributary links connecting to 56,000 bits per second trunks. Today’s networks move data at rates of hundreds or thousands of kilobits per second. Employee productivity in the ‘80s, ‘90s and the early 21st Century has taken tremendous strides because of the power and low cost of computers and data networks.

As a result of this cheap computing power, business and government have automated at rates never before imagined. The cross-pollination of cheap computing power, high speed data networks, and powerful software has made consumer data collection an almost trivial task.

And because they can, businesses do collect data. Tons of it.

At every point along the supply chain businesses collect data on production and consumption. The most valuable data is the consumption data because this is information that tells businesses what their customers want, what they will pay for it, how much, and how often. This information goes into sales forecasts and strategic marketing plans. It drives business.

What other data does business collect? It depends on the business. Manufacturers collect and process consumer preference and buying data. Financial services companies want consumer spending, saving and investment data. Health care providers and insurance companies track consumer health and welfare information as well as each other’s activities. And it all happens automatically.

Because of all that cheap automation and high speed networking, companies can collect the information they need at the point of sale. Bar codes and RFID chips make anonymous transactions like cash purchases traceable by items bought, by date and time, and by location.

Marketers have used anonymous sales data for decades to build profiles for geographic market segmentation by zip code, MSA, county or township. But today’s data is often tagged with personal information about the consumer because, odds are, the consumer paid for it electronically.

According to Newsweek columnist Robert Samuelson, “In 1990 most Americans regarded paying for groceries by credit card as unnatural. Now cards cover about 65 percent of food sales.”

Plastic Nation
About nine percent of American families rely exclusively on cash because they do not have a bank account. The Federal Reserve reports that about $800 billion in currency is in circulation with foreigners holding half or more of it outside the country; the US dollar is viewed worldwide as a safe store of value. But the overwhelming number of Americans use bank cards and checks to pay for goods and services.

As of 2005 Americans held about 1.7 billion credit and debit cards – approximately seven cards for every American over the age of 15. At its peak in 1995 the US banking system processed 50 billion checks; by 2003 that number had fallen by nearly 27 percent to 36.6 billion checks. The number of electronic payments by charge cards and online banking rose during the same period almost 200 percent, from 15 billion to 44 billion per year. By 2010 experts expect electronic payments to account for 70 percent of all purchases. Each of these electronic transactions provides the merchants, banks, and credit card companies with critical information tying the specific purchase to a specific consumer.

Merchants and charge card providers are happy to collect, retain, and exploit this trove of consumer data. Federal and state regulations (e.g. the Right to Financial Privacy Act) provide strict control over the information credit bureaus can retain as well as its ultimate disposition; they give consumers the right to dispute errors and order corrections.

Business Responsibility to Consumer Privacy
But there is little control over the information collected at the point of sale by merchants. And since the 1990s, third-party data aggregators like ChoicePoint and Acxiom have filled a business data void. These companies vacuum public information such as property tax records, land titles and police reports. They cross tabulate this public record data with private information they purchase or exchange with the credit bureaus or directly from the point-of-sale merchants to produce detailed profiles of nearly every consumer in America.

This market in private, consumer information is largely unregulated because most of this information is considered the property of the business that collected it.

Take phone records as an example. There was controversy recently over the phone companies turning their customer records over to government agencies who were mining the data for evidence of terror plots. Most Americans assume that it takes a subpoena to pry phone records away from Verizon or AT&T.

Customer billing records are considered the private property of the phone companies and they are free to use them as they see fit. All it takes for the government to get hold of them is a “National Security Letter” from the FBI or Homeland Security stating that the records will be used by the government to counter terrorism. So along with the terrorist’s call records buried in the data dump are records of your calls to Aunt Tillie, your business associates, and your phone sex calls, none of which relates to terror, some of which may embarrass you, and none of which you control.

A few states like California have laws governing data collected by the third-party information purveyors, but most do not. There are regulations like HIPAA and the Financial Privacy Act that block leaks of specific types of information but there is no overarching federal legislation.

Business has watched over consumer information best when it has a vested interest in data security. Credit card companies and their member banks are liable for all fraudulent charges on a customer’s credit card above $50 so they have implemented extensive anti-fraud countermeasures including artificial intelligence systems to detect suspicious activity. This suggests that the best way to ensure businesses take consumer privacy seriously is not more litigation but rather a market-based solution. When privacy breaches become unacceptably expensive but good privacy behavior is rewarded, businesses will take consumer privacy more seriously. To quote Bruce Schneier’s book, Beyond Fear, “If misuse was illegal and companies were liable for the results of data theft, companies that knew they would be fined for misusing customer data would take pains to prevent it. It’s simple economics.”

Government Responsibility to Consumer Privacy
The federal government, in prosecuting the war on terror, has become the worst perpetrator of privacy law violations ever. Based on the president’s secret order, drafted only days after the 9/11 al-Qaeda attacks, the National Security Agency began a program of warrantless wiretaps on Americans’ international phone calls. The courts eventually held that the NSA program was unconstitutional but that was five years after the program began. Because it is still classified, no one outside an exclusive list of executive branch officials really knows how far the government’s data gathering extends, what information has been collected, how it was obtained, and what its final disposition will be.

What is known is that operating under a variety of names and controlling authorities the government has collected Americans’ electronic communications – voice and data – and stored them for later analysis. The FBI’s “Carnivore” Internet data interception project became public in July 2000 though details of the program were only available, grudgingly, three years later. Carnivore intercepts “relevant” traffic from its physical connections at ISPs though the specifics of what constitutes “relevant,” or for that matter which ISPs are part of the program, remains classified. Americans must assume on faith that the Bureau is gathering data it is lawfully entitled to.

The Defense Department’s “Total Information Awareness” program was intended to provide a platform of research tools such as data mining techniques to discover terrorist networks. The theory is that terrorist conspiracies can be uncovered by detecting telltale patterns of contacts and purchases submerged in an ocean of innocent consumer activity. But the public and Congress doubted the program and it was officially de-funded in 2003. Parts of TIA are still alive and well, drawing funding from the classified portion of the DoD budget.

The NSA’s forte is electronic data gathering – “signals intelligence.” Its capabilities are classified but author James Bamford in his 1983 book The Puzzle Palace revealed that NSA can potentially intercept any information broadcast over radio waves. He documented technology the agency used 20 years ago to receive terrestrial radio signals bounced off the moon. Americans should assume that unless it is encrypted someone is reading their email and listening to their cell phone conversations.

Aside from sinister programs with “Big Brother” overtones, the bureaucracy has proven itself inept at the simple mechanics of guarding its citizens’ privacy. In 2006 the Washington Post reported that Justice, Homeland Security, and other agencies buy consumer personal information from the same data aggregators marketers use, companies like ChoicePoint, without following the guidelines required by the 1974 Privacy Act. The agencies also do not ensure the accuracy of the data they purchase.

Lost, stolen and misplaced government laptops and storage media have exposed millions of Social Security numbers and other sensitive personal data to potential abuse. Despite government-wide security policies requiring that all such data be encrypted, none was.

The states are not much better at protecting consumer information. In 2005 alone the Oregon DMV lost a laptop containing records of 500,000 drivers; Georgia lost the records of 465,000 residents; the University of Utah lost information on 100,000 past and present students. In June 2007 an employee was fired after stealing and selling 2.3 million consumer records that included account information and Social Security numbers. Closer to home, a data breach at Radford University in southwest Virginia this winter (2007) compromised the records of 100 current students and Social Security numbers of over 2,400 children from the community who were enrolled in a health program run by the university.

The issue of government losing consumer data begs the question, “Who watches the watchers?”

When ChoicePoint was caught selling consumer data to an organized crime ring Congress held hearings. After similar personal data losses at the Department of Veterans Affairs, State, and the Los Alamos nuclear research facility, there was more talk on Capitol Hill. As to the government itself, independent security auditors like the SANS Institute and CERT regularly give it failing grades on data protection.

Guarding Our Own Privacy
So if government is uninterested or unwilling to protect consumer data and business is interested only so far as it affects the bottom line, it must be up to individuals to protect their own data. Pitted against the credit bureaus, ChoicePoint, Carnivore, and the NSA, what chance does the individual stand?

Not much.

But most of the time American consumers want their data to be public, at least some of it. Online shoppers are pleased that “remembers” their most recent purchase and recommends new items when they visit the web site. Everyone agrees that low cost home loans are a good thing; most Americans’ easy access to credit is made possible by the free exchange of consumer information between lenders, the credit bureaus, the ChoicePoints in the marketplace, and credit rater Fair Isaac.

This is because consumers surrender some of their privacy in exchange for convenience and savings. Schneier writes that security is a trade off. “Perfect, impregnable, completely foolproof security is a pipe dream.” So too is consumer privacy.

Individuals have a great deal of control over some of their private data. They can choose the anonymity of a cash-only lifestyle (though they would find it impossible to rent a car). By refusing to bank online or make purchases off the Internet consumers can limit the amount of their information “out in the ether.” But for most Americans these are not viable options. Besides, there are still the third-party information aggregators processing public records.

Aside from lax data handling by third parties, most fraud perpetrated using consumer privacy data results from not following good computer hygiene. Ordinary consumers have a high suspicion of “junk mail,” door-to-door salesmen and offers “too good to be true.” Yet they often fail to use similar common sense on the Internet. Computer users who neglect to install an antivirus software program and keep it up to date, who surf the Internet over a broadband connection without a personal firewall and who open attachments in unsolicited email are asking for their computers to be compromised along with their private data.

Antivirus programs and personal firewalls should be the first line of defense in protecting a consumer’s computer privacy. The newest versions of Internet Explorer and Firefox include enhanced web security that helps detect “phishing,” bogus web sites set up by cyber scammers to solicit personal identification information, account numbers, and passwords.

A used computer can be a source of consumer personal information. “Deleted” files and emails are not physically removed from the computer’s hard drive; crooks can restore them with the aid of free software downloaded from the Web. Before an obsolete computer is junked consumers should reformat the hard drive – it erases the data making it almost impossible to recover. Taking a hammer to the hard drive is a cheap, simple alternative.

What about non-computer information? Every one of those 1.7 billion charge cards generates a billing statement every month – most of them printed on paper and mailed to the card holders. This leaves consumers vulnerable to “dumpster divers,” identity thieves who sort through garbage to recover bank statements and credit card invoices. Government agencies use a “burn bag” to collect sensitive documents and destroy them. They use high speed shredders or actual incinerators. Consumers can do the same thing. Home shredders can be bought at office supply stores for under $50. Even the least expensive shredder offers more protection than the garbage can. Tossing old bills on the fireplace is foolproof document disposal.

Cynics say we get the government we deserve. Privacy experts say the same about consumer data protection. Until individuals take steps to guard their own data, they get the personal privacy they deserve. And until consumers advocate, lobby, cajole and vote, consumer privacy will get little or no government attention. In business consumers vote with their dollars; until they demand products that protect their privacy they will suffer the status quo.

Americans in the 21st Century are faced with a delicate balancing act: keeping personal data private while making some of their consumer information public. Clyde Crews, writing in the Detroit News, called us a “database nation” of easily accessed public and private consumer information. He said:

In the new “surveillance” state, or whatever we call the rise of government-run biometrics, cameras, compulsory IDs and data-mining, keeping public and private data separate is critical for the health of our civil liberties…New technologies always bring risks. But even the risks of a “database nation” are controllable if we adhere to constitutional principle. Orwell’s Big Brother need not win.
