From the NY Times.
Companies Agree to Protect Personal Data
By KATHARINE Q. SEELYE
WASHINGTON -- In a move to head off restrictive legislation, more than a dozen companies that use cyberspace to disseminate personal information, including Social Security numbers, announced on Wednesday that they would voluntarily limit access to it.
But consumers will first have to take steps of their own to restrict that access, by requesting that their names be removed from databases of private information made available to the general public.
The agreement involves 14 "look-up" service companies, including Lexis-Nexis, that account for about 90 percent of the traffic in personal information. Three of those companies are among the nation's largest credit-reporting agencies.
On request, the companies said, they will restrict the access that the general public has to private information, including Social Security numbers, dates of birth, unlisted telephone numbers and mother's maiden name.
The agreement does not apply to information generally available in public records like court documents and marriage and divorce papers. Further, all the private information will still be available to law-enforcement agencies, and some of it to law firms and to banks and other businesses.
Critics noted that while the agreement would allow people to keep their names out of databases of private information available to the general public, it would require them to "opt out," meaning that they would have to reach each of the 14 companies to have their names removed.
"Many people don't even know that these entities exist," said Deirdre Mulligan, staff counsel to the Center for Democracy and Technology, a civil liberties organization focusing on privacy on the Internet. "Access doesn't matter if you don't know they are there."
The companies have not determined exactly how consumers can "opt out." But Ronald Plesser, a Washington lawyer serving as the companies' spokesman, said the consumer would probably have to contact each of them.
"They can expect they will be on Web pages, there will be advertising, there will be public education," Plesser said, adding that the companies did not intend "to send individual letters" to all consumers.
Timothy Davies, chief operating officer of Lexis-Nexis, said the agreement was a "great milestone" in self-regulation, in part because if the companies do not keep to their pledge, they can be prosecuted by states for deceptive practices. He said the consumer would be better served by self-regulation than by legislation because the legislative process was too slow in the fast-moving world of cyberspace.
The 14 companies, which pledged to make the restrictions effective by the end of next year, are Acxiom Corp., CDB Infotek, DCS Information Systems, Database Technologies Inc., Equifax Credit Information Services Inc., Experian, First Data Solutions Inc., Information America Inc., IRSC Inc., Lexis-Nexis, Metromail Corp., National Fraud Center, Online Professional Electronic Network and Trans Union Corp.
The companies also said they would be responsible for determining that their subscribers are legitimate and that they have a legitimate need, such as tracking down deadbeat parents or looking for witnesses, for the information they are seeking.
The Federal Trade Commission, which worked closely with the companies to develop the restrictions, offered encouraging words in response to the agreement and said it would delay proposing legislation that would further protect the privacy of consumers.
"Self-regulation ought to be given a chance," said Robert Pitofsky, the commission's chairman, who hailed the industry move as "innovative and far-reaching."
"In an industry that is moving as rapidly as this," Pitofsky added, "it may make more sense not to solidify regulation through statute but leave it to self-regulation."
Advances in technology have made private information easily accessible to anyone roaming through cyberspace. That development -- particularly after the introduction last year of a Lexis-Nexis product called P-Trak, which gave access to dates of birth and Social Security numbers -- has prompted numerous cries of invasion of privacy and threats by Congress to curb the industry.
More than 80 bills have been introduced to impose such restrictions. But the industry's announcement on Wednesday, and the blessing by the Federal Trade Commission, may keep that legislation at bay.
Sen. John McCain of Arizona, chairman of the Senate Commerce Committee, which has been considering such privacy legislation, said through a spokesman that he was impressed with the industry for taking the initiative and wanted to give the new plan a chance to work.
Similarly, Sen. Richard Bryan, D-Nev., who has been a leading advocate on privacy matters, said he was pleased with the industry, and added that it would not be fair for Congress to encourage self-regulation and then adopt legislation anyway.
Consumer and civil liberties advocates also applauded the move, as did the Clinton administration, but some also cautioned that the self-regulation did not go far enough in giving individuals redress.
Carole Lane, author of "Naked in Cyberspace: How to Find Personal Information Online," (Pemberton Press, 1997), said in an interview that the restrictions were mostly cosmetic. "They don't protect the consumer because nothing prevents you from hiring a business to do your search," she said. "If you really want someone's Social," she said, referring to the Social Security number, "you just have to jump through a few more hoops and pay more."
Evan Hendricks, editor of "Privacy Times," a Washington newsletter that covers information law, generally praised the agreement as a "giant step" beyond any self-regulation that any other industry had taken. But he said "we have to keep the lights on" because most industries did not have a good track record on regulating themselves.
He also said that the code was very narrowly focused and did little to advance overall privacy matters, but that was not the industry's fault. "It's how we've done privacy policy in this country, by narrow slices," he said. "We have a law for video-rental records, but we don't have a national law for the privacy of our medical records. And it doesn't affect the broader issue of Internet privacy."
Thursday, December 18, 1997
Copyright 1997 The New York Times
|
