
Re: Fair Credit Reporting Act and Privacy Act



At 08:25 AM 2/5/96 -0500, you wrote:
>Probably the easiest way of ensuring that personal information isn't 
>wantonly distributed by credit agencies or (anyone else) is to update 
>our Privacy Act - which is ridiculously out-of-date and badly in need of
>being re-written.  It is also hampered by its apparent lack of teeth.

The parts of the Privacy Act that I remember are all restrictions on
_government_ actions, not private actions.  It's an important distinction;
even though TRW may know way too much about you, it's all information that
you voluntarily released to somebody, unlike data that the government 
requires you to give them.  And, yes, it's out-of-date and toothless.

...
>If the Privacy Act were rewritten to be as strict as the BDSG, businesses
>would have a (mandatory) legal requirement to:
...
>o Ensure that databases are *not* being maintained which describe the
>   characteristics of individuals (buying habits, income, property 
>   ownership, etc) wantonly propagated by marketing (direct mail, 
>   telemarketing, etc) companies.  

If you're going to propose laws, you should not only think about
whether they'll do what you want, but also about what else they'll do,
how they'll be enforced, what are the side effects of that enforcement, etc.
How is the government going to ensure _non_existence of databases?
If I'm a prosecutor, and claim that you _might_ have personal data about
somebody on your machines beyond the Politically Correct Data Elements,
can I get a search warrant for _all_ your databases?  What about that
encrypted file on your PC at work?  Such things have been used to hold
personal data before (even by police like the LAPD or Stasi.)
No thanks.

If you want to require that a database exists, then a business can
demonstrate that they have it by producing it (though proving
whether or not it really includes all transactions is still difficult.)

On the other hand, if you don't make the law adequately enforceable,
you're encouraging violation and selective enforcement.

>o the promotion of the use & implementation of encryption - including
>   the possibility of ITAR being reduced or eliminated for the export
>   of encryption products

Yes!  GAKed encryption, to be sure - once there's a requirement that
you be able to produce your data for the government, they'll discover
that they need guaranteed access to data that would otherwise be guaranteed
inaccessible by strong encryption.

>o reduced propagation of personal information

A much stronger way to increase privacy is to eliminate one of the most
popular unique keys used by these databases - the Social Security Number
which the government requires you to give almost anybody who gives you money.
Give each taxpayer a pile of taxid numbers (either cryptographically related,
or just randomly generated and stored in a big tax-department database)
so you can use a different taxid for everyone who needs one, making it
impossible for anybody but the government to correlate them.

#--
#				Thanks;  Bill
# Bill Stewart, [email protected] / [email protected] +1-415-442-2215
# http://www.idiom.com/~wcs
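
The "cryptographically related" taxid variant from the last paragraph, sketched as an added example that is not part of the original message. It assumes the tax department holds one secret key and derives each taxid with HMAC-SHA256; the key, taxpayer labels, and payer names are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample values (assumptions, not from the message).
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
REGISTRY = ["taxpayer-A", "taxpayer-B", "taxpayer-C"]


def derive_taxid(master_key: bytes, taxpayer: str, payer: str) -> str:
    """Taxid that `taxpayer` hands to `payer`: 80 bits of HMAC, base32-encoded."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    parts = (taxpayer.encode(), payer.encode())
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    tag = hmac.new(master_key, msg, hashlib.sha256).digest()[:10]
    return base64.b32encode(tag).decode()


def resolve(master_key: bytes, taxid: str, payer: str, registry):
    """Tax department side: recompute every registered taxpayer's id for this payer."""
    for taxpayer in registry:
        candidate = derive_taxid(master_key, taxpayer, payer)
        if hmac.compare_digest(candidate, taxid):
            return taxpayer
    return None


def payer_file(master_key: bytes, payer: str, registry) -> set:
    """The taxid column one payer ends up holding for its customers."""
    return {derive_taxid(master_key, t, payer) for t in registry}


def join_on_taxid(file_a: set, file_b: set) -> set:
    """What two payers can do without the key: match records on the taxid column."""
    return file_a & file_b


if __name__ == "__main__":
    bank = payer_file(MASTER_KEY, "bank", REGISTRY)
    employer = payer_file(MASTER_KEY, "employer", REGISTRY)
    print("records two payers can link:", len(join_on_taxid(bank, employer)))
    some_id = derive_taxid(MASTER_KEY, "taxpayer-B", "employer")
    print("tax department resolves", some_id, "to",
          resolve(MASTER_KEY, some_id, "employer", REGISTRY))
```

The randomly generated variant replaces `derive_taxid` with a stored lookup table; either way the privacy property rests on the key or table staying with the tax department.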