PRIVACY Forum Digest      Sunday, 22 September 1996      Volume 05 : Issue 18

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.

===== PRIVACY FORUM =====

-------------------------------------------------------------------
The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, "internetMCI" (a service of the Data Services Division of MCI Telecommunications Corporation), and Cisco Systems, Inc.
- - -
These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------

CONTENTS
    "PRIVACY Forum Radio" and Lexis-Nexis "P-TRAK" Interview/Update Info
       (Lauren Weinstein; PRIVACY Forum Moderator)
    Detailed Update Regarding Lexis-Nexis "P-TRAK" Database
       (Lauren Weinstein; PRIVACY Forum Moderator)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing.
Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com".

All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive.

All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access.
-----------------------------------------------------------------------------

VOLUME 05, ISSUE 18

Quote for the day:

"Gee, I wish we had one of them Doomsday Machines..."

-- General "Buck" Turgidson (George C. Scott)
"Dr. Strangelove: Or, How I Learned to Stop Worrying and Love the Bomb" (Hawk; 1964)

----------------------------------------------------------------------

Date: Fri, 20 Sep 96 23:22 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: "PRIVACY Forum Radio" and Lexis-Nexis "P-TRAK" Interview/Update Info

Greetings. In the message following this one, I've provided a detailed update on the current Lexis-Nexis "P-TRAK" personal information database furor, based on my own research. Since the situation has been changing very rapidly, this represents the most up-to-date information I'm aware of regarding both the service and your options for dealing with it if you so choose.

With concerns over databases and personal information running at such a high level, this seems like the appropriate time to announce the first program from the PRIVACY Forum's new effort: "PRIVACY Forum Radio".

As longtime readers of the forum know, one of my major concerns is getting the word out to people that privacy really matters, and that there are actions they can take to help protect themselves, *before* troubles arise. Whether related to computer, telecommunications, or database privacy issues, or the less esoteric aspects of privacy in our personal lives, to be forewarned is critical.

PRIVACY Forum Radio will be an ongoing production of the PRIVACY Forum. It initially will include audio interviews, discussions, and other programs conducted with all manner of persons involved in the privacy, security, and related areas. Participants will include persons from business, industry, government, concerned organizations, and other individuals. Both the well-known "movers and shakers" and the unknown folks affected by privacy problems will be featured. All aspects of privacy in our personal, commercial, and public lives will be topics for various guests.
Initial programs will be prerecorded, but shortly we'll begin live broadcasts offering listeners the ability to call in by phone, or send in e-mail queries, to directly participate in the discussions.

The primary distribution medium for these PRIVACY Forum Radio materials is the Internet, via the Xing "Streamworks" system. Versions of the shows, including live programs, will be available for access by listeners at network connection rates as low as 14.4 Kbps per second. Some materials will also be made available at higher rates for those with the appropriate capabilities. In the very near future, we also plan to make some items available with accompanying video ("PRIVACY Forum TV"), using the same system.

These shows are also available, by arrangement, for conventional radio syndication. Since my primary goal is to try to get the word out about these issues as widely as possible, PRIVACY Forum Radio is also making available short (e.g. 60 second) "Privacy Bites", suitable for use by regular broadcast radio stations who want to help their listeners not only become aware of privacy risks, but to learn what they can do about them. Inquiries regarding any of these materials should be directed by e-mail to privacy-radio@vortex.com, or by voice to (818) 225-2800.

The first special program from PRIVACY Forum Radio is an interview I conducted a few days ago with Lexis-Nexis Corporate Counsel Steven Emmert, on the subject of concerns over the "P-TRAK" database, and on the topics of personal information and databases in general. It provides fascinating insight into views of privacy from the "database industry" side of the fence.

To hear this program, follow the PRIVACY Forum (and PRIVACY Forum Radio) links from

    http://www.vortex.com

Links are present within the PRIVACY Forum Radio area explaining the technical details of hearing the interview and other materials, and for downloading the (free) Streamworks software for your system that you'll need if you don't have it already.

This is an exciting step in the evolution of the PRIVACY Forum, one that I'm hoping will be a major stride towards helping people worldwide deal with the ever-encroaching loss of privacy that has become part and parcel of our modern societies. Please direct any questions about accessing or obtaining PRIVACY Forum Radio materials to the e-mail address or phone number mentioned above.

Thanks much!

--Lauren--

------------------------------

Date: Fri, 20 Sep 96 23:20 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Detailed Update Regarding Lexis-Nexis "P-TRAK" Database

Greetings. This is going to be a long message, but I urge you to read it in its entirety.

As many of you are no doubt aware, considerable controversy has been raging around the Internet, and now in the mainstream press, concerning the Lexis-Nexis "P-TRAK" personal information database. Since the transmission of P-TRAK related messages here in the PRIVACY Forum early this month, various information, some accurate, some inaccurate, has been widely disseminated. In some cases, I've seen versions of the original PRIVACY Forum items in excerpted and usually unattributed form, sometimes having been modified or addended in manners that significantly alter the original content.

Concern over P-TRAK has mushroomed around the country, perhaps especially due to Lexis-Nexis' high visibility. Many people are concerned about their personal information, however innocuous some might consider it to be, residing in publicly accessible databases. They want some measure of control over their personal data. It is this concern that has brought this story to national prominence.

Lexis-Nexis has put forth an official statement concerning P-TRAK (accessible via http://www.lexis-nexis.com) which is accurate as far as it goes--but in my opinion leaves out some *very* important points which people should be aware of and that I'll describe in detail below.

Adding to the confusion is the fact that over the last couple of weeks the mechanisms available for people to request removal from the P-TRAK database have been changing, largely due to the high volume of requests that Lexis-Nexis has been receiving. Callers to various Lexis-Nexis numbers were at times told conflicting or apparently inaccurate information, and the exact mechanisms for requesting removal, and what such a request really meant in practice, have been in a state of flux.

Early deletion requests were taken by operators, then by voicemail systems, and then later callers were told all requests had to be by mail or fax. Most callers were asked for their Social Security numbers. Some were told that it was essentially useless to request removal, since they could easily pop right back on the database again later. Questions about how to verify removal persisted.

Given all this, I decided to take it upon myself to go directly to the source, and had a number of detailed conversations with the Lexis-Nexis Corporate Counsel, Steven Emmert. Since Lexis-Nexis was in the process of making decisions on some of these issues, I held off this update until now to give Mr. Emmert time to get me the latest information, which he has done.

As described in the previous message, I'm also pleased to announce that PRIVACY Forum Radio is presenting a detailed audio interview with Mr. Emmert, via the PRIVACY Forum web page (access via http://www.vortex.com). Mr. Emmert and yours truly discuss both the details of the P-TRAK controversy and some of the more philosophical aspects of personal information databases. If you're at all concerned about these topics, you will probably find the interview quite interesting.

Where do the P-TRAK issues stand right now?

First off, it should be noted that Lexis-Nexis is a reseller of the data in P-TRAK, not the collector. They don't verify or otherwise amend the original information.
The information itself is the so-called "credit header" data which FTC and other decisions ruled were not covered under the FCRA (Fair Credit Reporting Act) and could be openly disseminated. This includes name, address, phone number, Social Security number, and other related data. Lexis-Nexis obtains this info from one of the big credit data agencies (published reports have suggested that this is Transunion). Lexis-Nexis receives this data, which includes more than 300 million records, on a monthly basis.

While Lexis-Nexis notes that their marketing focus is to government, law enforcement, and the legal profession, it's important to realize that the P-TRAK database is not *restricted* in any way to ensure that only persons in those categories are using the data. Anyone who wants to pay the appropriate fee can obtain search data. This is a crucial problem in the database industry--the almost total lack of even rudimentary "need to know" requirements before gaining access to information that many persons consider (obviously erroneously in many cases!) to be private.

Lexis-Nexis points out that you cannot view Social Security numbers through P-TRAK. This is true. When the database was originally established in June of this year, SS#'s were available for viewing, but in short order concerns led to their display being terminated. So, you can't derive a SS# from someone's name via P-TRAK.

HOWEVER--this does not mean that SS#'s are not in the P-TRAK database. In fact, they are there, and if you already have an SS# you can use it to search in P-TRAK for all of the other data associated with that number (e.g., name, address, phone number, and so forth). Lexis-Nexis considers the SS# to be the only reliable personal identifier, and in fact has told me that when a person requests removal from the P-TRAK database (more on this below) the best chance of actually getting removed exists when that person provides their SS#.
Name and address are considered less desirable for this purpose, due to name duplications, name or address changes, etc. This is the reason that callers asking to be removed have typically been asked for their SS#'s.

To Lexis-Nexis' credit, it should be noted that they have competitors (some on the Internet) who don't restrict SS# information at all, and don't offer any opportunity to be removed from their databases either. Still, it's important to understand that SS#s *are* in the P-TRAK database, and that you still can search *by* SS# in that database.

Information available for direct view in P-TRAK includes name, maiden name (if any), current address, up to two previous addresses, phone number, and year/month of birth. Mother's maiden name is not included.

The source of phone numbers is of particular interest. Lexis-Nexis in their statements has likened all this data to the telephone company "white pages", pointing out that it is all based on publicly available information. But the definition of "publicly available" is very broad--much broader than most people realize.

Phone numbers in P-TRAK are *not* derived from telephone company (e.g. white pages) information. They are obtained from a variety of other sources, notably data provided by businesses that have conducted transactions or other business with a person, to whom that person may have provided their phone number. As such, unlisted (non-published) phone numbers *can* appear in P-TRAK, since an unlisted designation only affects phone company records, not all the other places where you have provided a number, probably with the expectation that the number would not be provided to commercial databases! There are no legal restrictions on the dissemination of such phone numbers, even though many persons keep their phone numbers unlisted for quite valid and serious reasons.

OK, let's say you've decided that you consider the information in P-TRAK to be significant to you, and you want your record deleted.
First off, be aware that it could take up to 60 days for a deletion to occur. This is due to the 30 day cycle on the database source; the deletion request needs to be present long enough for a complete cycle to process.

Can you verify (for free) that a deletion has taken place? No, not easily; you need to pay for a regular P-TRAK search. Previously there was a contact person for verification of deletions, but due to the high volume of requests that option is apparently no longer being offered.

Will you stay off the list once a deletion request has been processed? Maybe. It would seem to depend strongly on how much information you provided with your original request. If you provided a SS#, you probably have a better chance of not finding yourself with a new record in a future cycle due to non-identical name or address information appearing for you in a future load of incoming data. Do you want to provide your SS# with your request for deletion? That's a personal decision of course.

What if perchance you don't currently have a record in P-TRAK? Will your deletion request be held until a record does come in? No, it will not. If you don't have a matching record at the time your deletion request is processed, that request will be flushed, and if a record for you appears in future data that record will enter the P-TRAK database. There is no mechanism present for a "permanent" deletion request that would deal with such situations.

As noted above, the methods for requesting deletion have changed over the last two weeks. In fact, they've even changed in the few days since the recording of the interview with Steven Emmert (a different fax number and the re-establishment of voice requests on a new number). So be sure to use the information specified below, not the number that Mr. Emmert provided during the interview.

The following is the most up-to-date information as of this writing, and comes directly from my communications with Lexis-Nexis.
Here are your options:

Telephone (toll free): 1-888-965-3947

    Please note that this is a new number at Lexis-Nexis and is not scheduled to be working until this Monday morning (9/23) Eastern Time. It is currently scheduled to go to live operators, but if volume is very high it might be switched to voicemail.

FAX (toll free): 1-800-470-4365

    Again, this number is scheduled to become functional on the morning of 9/23, Eastern Time.

Mail: P-TRAK, P.O. Box 933, Dayton, OH 45401

Email: p-trak@prod.lexis-nexis.com

A web form for removal requests is also available at Lexis-Nexis via http://www.lexis-nexis.com.

The minimum information required to request removal is full name and mailing address. As noted above, Lexis-Nexis feels that the strongest likelihood of a successful removal will occur when Social Security number is also provided. The web form (as of this writing) doesn't request SS#, and you of course should use your judgment about choosing to send your SS# in e-mail. My own recommendation would be to use the telephone or fax options.

By no means is P-TRAK the most onerous database of personal information now available. But I believe the furor that has erupted demonstrates the deep-seated concerns that many people have with details of their personal lives being collected and sold merely as "information commodities", with the subject of that data having virtually no input on how it will be used, or abused.

It's time for a detailed examination of what information should and should not be considered to be "public", who should have access to that data, and under what circumstances. Some database companies themselves admit that this is not an area that they can unilaterally address in any general way--they have competitive concerns. Only through serious legislative efforts can we really begin working toward reasonable changes in the commercial database field.
And we'd better get started now, unless we want the 21st century to be a time when the word "privacy" becomes nothing more than an amusing anachronism in the history books.

--Lauren--

P.S. Be sure to check out my audio interview with Steven Emmert of Lexis-Nexis on PRIVACY Forum Radio if you can. Just follow the PRIVACY Forum links from http://www.vortex.com to PRIVACY Forum Radio.

--LW--

------------------------------

End of PRIVACY Forum Digest 05.18
************************