1984: CIVIL LIBERTIES AND THE THURSDAY, APRIL 5, 1984 HOUSE OF REPRESENTATIVES, SUBCOMMITTEE ON COURTS, CIVIL LIBERTIES AND THE ADMINISTRATION OF JUSTICE Washington, DC. The subcommittee met, pursuant to call, at 10:40 a.m., in room 2226, Rayburn House Office Building, Hon. Robert W. Kastenmeier (chairman of the subcommittee) presiding. Present: Representatives Kastenmeier, Glickman, Berman, and DeWine. Staff present: Deborah Leavy, David W. Beier, counsel; Joseph V. Wolfe, associate counsel; and Audrey K. Marcus, clerical staff. Mr. KASTENMEIER. The committee will come to order. This morning the subcommittee continues with our fourth day of hearings on 1984 Civil Liberties and the National Security State. Today, we will examine privacy protection in the computer age. The threat to personal privacy is a growing worry. A recent Harris poll showed more Americans, 48 percent, to be very concerned about this issue than ever before, and no wonder. The same poll revealed four out of five believe it would be easy for someone to assemble a master file on their lives that violate their privacy. This hearing will consider whether that threat is real. I would like to step back for a moment in order to gain some perspective. At the turn of the century, Americans had no drivers' licenses, no Social Security cards, no Selective Service registration. Only a few decades later, a small percentage paid income tax, and even fewer had passports. All that, of course, has changed. Added to that web of information are, in recent decades, records generated by credit cards, credit reports, insurance claims, banks, and a host of other reasons to collect transactional information, personal data tracking, the transactions of modern life. Ten years ago, the consensus developed that there was a need for Government intervention to protect such personal information. The Congress determined that Government should use such data only for the purpose for which it was collected, and that there should be no national data bank, no Big Brother computer. (259) Since the Privacy Act became law, there has been a tremendous increase in the collection of personal data in public and private sectors, data subject to increasing computerization. This phenomenon leads us to the question: What are the dangers? Is the increase in personal data bases, combined with the capability of computers to interact with each other, plus the trend toward national identifiers, leading us to the creation of a national data center-an idea firmly rejected once by Congress. The rapid advances of technology make it urgent that we in Congress reexamine the privacy protections provided by law to ensure that these defenses and personal freedom are not breached. We begin this task this morning. Our first witness this morning has made our subject a major field for concentration. He is Robert Ellis Smith, publisher of the Privacy Journal, an independent monthly on privacy in the computer age. Mr. Smith is also the author of Privacy: How To Protect What's Left Of It and The Big Brother Book of Lists; a former newspaper reporter, and he is also a lawyer. Mr. Smith, I would like to greet you this morning. We have your statement and you may proceed as you wish, sir. [The statement of Mr. Kastenmeier follows:] STATEMENT OF Robert W. Kastenmeier, ChairMAN, SUBCOMMITTEE on Courts, CIVIL LIBERTIES and the AdministratTION OF JUSTICE, APRIL 5, 1984 This morning the subcommittee continues with our fourth day of hearings of "1984: Civil Liberties and the National Security State". Today we will examine Privacy Protection in the Computer Age. The threat to personal privacy is a growing worry: a recent Harris poll showed more Americans (48%) to be "very concerned" about this issue than ever before. And no wonder: this same poll revealed that four out of five believe that it would be easy for someone to assemble a master file on their lives that would violate their privacy. This hearing will consider whether that threat is real. I'd like to step back for a moment in order to gain some perspective. At the turn of the century, Americans had no drivers' licenses, no social security cards, no selective service registration. A few decades later, only a small percentage paid income tax, and even fewer had passports. All that, of course, has changed. Added to that web of information are, in the recent decades, records generated by credit cards. credit reports, insurance claims, banks, and a host of other reasons to collect "transactional" information-personal data tracking the transactions of modern life. Ten years ago, a consensus developed that there was a need for government intervention to protect such personal information. Congress determined that government should use such data only for the purpose for which it was collected, and that there should be no national data bank, no "Big-Brother" computer. Since the Privacy Act became law, there has been a tremendous increase in the collection of personal data in the public and private sectors, data subject to increasing computerization. This phenomenon leads us to question: What are the dangers? Is the increase in personal data bases, combined with the capability of computers to interact with each other, plus the trend toward national identifiers, leading us to the creation of a national data center, an idea firmly rejected by Congress? The rapid advances of technology make it urgent that we in Congress reexamine the privacy protections provided by law to ensure that these defenses to personal freedom are not breached. We begin this task this morning. TESTIMONY OF ROBERT ELLIS SMITH, PUBLISHER, PRIVACY JOURNAL Mr. SMITH. Thank you, Mr. Chairman. I begin my statement this morning with a quotation from Alexander Solzhenitsyn, who indicates that as we give out the bits of information that you referred to throughout our daily lives, we really are creating what can best be described as a spider's web, a really vast network of information; some of it responsibly handled, some of it not so responsibly handled. As Solzhenitsyn points out, we eventually develop a respect for those who control that information. And like any spider's web, it eventually can have the capacity to immobilize us. I would like to today give an inventory of some of the data banks that now exist and also highlight what I think is a rather dangerous trend, namely, the Government is starting to learn that it doesn't have to gather the information itself, but can simply purchase it in the private sector. This has blurred the line between governmental action and commercial activity. Particularly it means the Government is relying on information collectors that have never had a strong reputation for accuracy or timeliness or responsibility in their information collection. It is interesting to me, for instance, that the Government now is starting to rely on credit bureaus a good deal. On the other hand, the Federal Trade Commission, an arm of the Federal Government, has continually cited many of these same organizations for their sloppy recordkeeping. It is rather a strange irony. On page 5 of my testimony there is a chart that indicates the sort of data that was collected in the fifties, the good old days, I guess. This was before computerization. The dotted lines on these charts indicate manual exchanges of information. The credit bureau then was kind of a local mom-and-pop operation that was set up by the local department stores in town, not really tied into any other information collection throughout the community or Nation. That is not the situation at all today. I don't think we can solely blame computers for the development. There were some simultaneous developments after the war. One was the increased reliance on insurance in our lives. Although many people had insurance during the mid part of this century, it wasn't as essential as it is to our lives now. Certainly, health insurance did not loom as large then. Most retail purchases were not made on installment credit as they are now. Also, we were not as mobile a population; we stayed put. So that if you went into the department store and asked for credit, the merchants could rely on the fact that they knew your family, or they knew your roots. Now, by and large, in the marketplace, we deal as strangers; so that gives rise to the need for credit bureau-type operations. It is also no secret that we had fewer transactions with the Government then in the fifties. That was an age when there was no Medicare and no Medicaid, no supplemental security income, no food stamps, very little student aid, no equal opportunity laws that required the collection of a lot of data. That all has changed, not only with the development of the computer but with some of these other trends. Moving on now to chart 2, which is on page 7 of my testimony, you can see that the credit bureau has taken on much larger importance. It has become computerized. Because computerization re quired a lot of capitalization, a lot of large national firms bought up the credit bureaus in order to automate them. Most credit bureaus in the country now are owned by one of five large regional operations. The credit bureau on this chart is the switchboard of the whole operation. It collects information from disparate sources and distributes it to other disparate sources. Once again, the bold lines on chart 2 indicate computerized exchanges of information. You can see in the seventies that they were just starting to catch on. You can also see that, by and large, they were confined to the commercial sector, the computer exchanges of information; very little between the Federal Government and the private sector at that point. Let's move on now to the current situation with the next chart, chart 4, which indicates some of the new data exchanges in the 1980's. You can see now that the emphasis has shifted to the left of the chart with regard to mailing list companies now taking on a much larger role, and the Federal Government getting involved in all of this. Just this month, the Office of Management and Budget is completing agreements that will permit any Federal agency to have 24hour remote computer access to individual credit reports. The credit bureaus will be linked with the Federal agencies and have computer capability to process millions of transactional bits of information from banks, creditors, credit card companies, and retail ers. They also pick up information from courthouses around the country with regard to mortgages, liens, divorces, and lawsuits. In turn, the credit bureaus will receive computerized information each month from the Federal agencies on individuals with Government loans, contracts, and grants. Most shocking to me is that these organizations have never had a good reputation with regard to the accuracy of their information. I mention in my testimony some of the horror stories and the people who have been victimized by all this. I should stress as we look at the chart, that it does not work as efficiently as it may look. This is really a Rube Goldberg device that we have created but there are lots of slips in the system. The point is, however, that the technology now is in place for all of these exchanges, and many of them are going on. The most disturbing exchange is the one between credit bureaus and Federal agencies. The next most disturbing one is the one between mailing list companies and the Internal Revenue Service. Now, the IRS has used mailing lists, at least on the regional level, for many years. What they are now proposing to do is use so-called demographic profile lists. These lists indicate the lifestyle of individuals. These are lists that computers create with the collection of information from disparate sources. These so-called demographic lists would include people's purchases, their home ownership, their automobile ownership, the ethnic group that they belong to, the number of children; and also census information about their relative affluence. These lists are precise enough for marketing products; but they are not precise enough for tax investigations at all. But that is what the IRS proposes. This is a very good example of how the Federal Government is discovering that it doesn't have to gather the information itself and follow all those procedural safeguards of the Privacy Act, but that it can buy the information in the marketplace. Another disturbing trend is that the Department of Treasury is proposing that direct deposit of payroll checks be mandatory for all 2.8 million Federal employees. I think an individual ought to have a right to choose a depository institution and not have to report that to the Government; and should have the right not to have a deposi depository institution. I also think, and there is some evidence of this, that once the Federal Government institutes this mandatory direct deposit, the private sector will follow suit. I had a call from a person in Orlando, FL, who told me that his company wanted him to authorize withdrawal of his account as well as deposit in case there was some overpayment by error. What this means is that we will be seeing many more exchanges of personal data between another large government agency, the Department of Treasury, and the Nation's banks. There has been testimony in the Congress about computer match procedures instituted by the Federal Government for about the past 3 or 4 years. It is extremely controversial. Many matches create a general search of the kind that the framers of the fourth amendment intended to ban. Matches are in fact governmental actions generally searching one's papers and one's effects. A few States have access to individual bank account information. Massachusetts, for instance, requires that all banks match Social Security numbers with lists of welfare recipients to see which recipients may have savings accounts over the allowable limit. Most State welfare departments now exchange data with private employers and with public employers to determine who may be on a payroll and receiving income over the allowable limit. These exchanges don't always work as efficiently as they look on paper. For instance, many matches might involve looking at the payroll records of February, compared to the welfare rolls of March. If somebody turns up on both lists, a so-called hit, he or she may be on both lists legitimately. There have been lots of problems with that. People get knocked off the rolls and then they have the burden of showing that they in fact belong on the public assistance rolls. The Treasury Department, in trying to restrict travel to Cuba, which has been done for many, many years, is now not looking at the passport as the main means of control of travel outside the United States to a particular country; but the Department has discovered a fact of life: you look to the credit card companies for a way to maintain surveillance. The Treasury Department, in fact, is not prohibiting travel to Cuba. It is prohibiting the use of plastic in Cuba-and it proposes monitoring private credit card companies in order to see who has been trying to use credit in Cuba. That scheme has been enjoined |