Home/red-rock-eater/Mastercard/VISA comment to the FTC

Mastercard/VISA comment to the FTCwriting

militaryinternationalmediacivil-libertiesprivacylaborlibrariesdemocracyrrelawcommerceforwarded-contentgovernment-infoauto-importedrre-post
1997-04-15 · 8 min read · Edit on Pyrite

Source

Automatically imported from: http://commons.somewhere.com:80/rre/1997/Mastercard.VISA.comment..html

Content

This web service brought to you by Somewhere.Com, LLC.

Mastercard/VISA comment to the FTC

``` [Although this letter is entirely routine, it's an interesting window on the day-to-day turning of gears in lobbyland, and particularly the fine-grained attention to process through which the system is worked. Do privacy advocates have the resources to turn out an endless stream of letters like this one? Polls consistently demonstrate very high levels of public consternation about threats to privacy, but the issues are so diffuse and technical that it is very difficult to organize an effective counterlobby to represent the public's views. The United States is the one country in the world which does have halfways effective privacy lobbies, but they operate either on shoestrings or on agendas narrowly cut to the needs of those corporate interests who would actually benefit from specific improvements in privacy law. It's interesting to analyze the many reasons why everyone can't simply push a button and know with certainty that $10 of their money is going to an effective and well- organized privacy organization. Given that privacy rights are public goods, economic theory predicts that attempts at popular organizing around privacy issues will suffer from free-rider problems: if better privacy laws are passed, I will benefit from them regardless of whether I contributed my $10. Large, centralized economic interests, on the other hand, have mechanisms to manage free-rider effects. The officers of these organizations, for example, get personal benefits from the networking that is involved in putting together a political coalition. It is commonly argued that this asymmetry should motivate market-based solutions to privacy problems, wherein people who care about privacy can obtain an amount of privacy that's proportional to their investment in getting it. That argument may actually work in some cases, but in most cases it falls flat. For one thing, creating those privacy markets will often require legislation, and it takes real work to write legislation that doesn't tilt the playing field toward large, organized interests. For another thing, the cost of an extra increment of privacy often depends on the workings of the technical infrastructure, e.g., electronic commerce standards. But large interests have a vast incentive to shape this infrastructure in such a way that people are always identified and that information about them is easy to circulate and merge. When an infrastructure of that sort becomes deeply entrenched in the economic system, the cost of privacy becomes very high, no matter how much it might be valued. That's what's going on with the SET standard, which is being promoted by, well, the major credit card syndicates. There's no substitute for democracy.]

---

This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help@weber.ucsd.edu

---

[http://www.ftc.gov/bcp/privacy2/comments1/index.html]

April 15, 1997 Secretary Federal Trade Commission Room H-159 Sixth Street & Pennsylvania Avenue, N.W. Washington, D.C. 20580

Re: Data Base Study -- Comment, P974806

Dear Mr. Secretary:

This comment letter is submitted on behalf of MasterCard International Incorporated ("MasterCard")(1) and VISA U.S.A. Inc. ("VISA")(2) in response to the proposed Federal Trade Commission ("FTC") study of computerized data bases containing sensitive consumer identifying information ("FTC Study"). VISA and MasterCard thank the FTC for the opportunity to comment on the FTC Study.

Genesis of the FTC Study

The genesis of the FTC Study was a letter to the FTC from Senator Bryan, Senator Hollings, and then-Senator Pressler, which requested the FTC to conduct a study of "possible violations of consumer privacy rights by companies that operate computer data bases."(3)

More specifically, the letter requested that the FTC investigate the "compilation, sale, and usage of electronically transmitted data bases that include identifiable personal information of private citizens without their knowledge."(4)

The Senators' request arose in the context of the public focus on the LEXIS "P-Trak" "look-up" service, which was spawned by a spate of Internet messages and national news media stories about the types of consumer information that were then available on the P-Trak service. In addition to giving rise to the request for the FTC Study, the public focus also caused LEXIS to limit the types of consumer information available through P-Trak.

Congress, as a whole, responded to the P-Trak issue by including a provision in the Economic Growth and Regulatory Paperwork Reduction Act of 1996 that directed the Federal Reserve Board ("FRB"), in consultation with the FTC and other federal banking agencies, to conduct a study assessing the undue potential for fraud and risk of loss to insured depository institutions from the activities of companies engaged in the business of making "sensitive consumer identification information" available to the general public ("FRB Study").(5)

Under this provision, "sensitive consumer identification information" included social security numbers, mothers' maiden names, prior addresses, and dates of birth. Importantly, in enacting this provision, Congress exempted from the FRB Study entities that are subject to the Fair Credit Reporting Act ("FCRA")(6) as consumer reporting agencies.

Scope and Purpose of the FTC Study

The Supplementary Information to the FTC Study states that the FTC Study will include consideration of the collection, compilation, sale and use of computerized data bases that contain what consumers may perceive to be sensitive identifying information.(7)

Given the context in which the Senators' request for the FTC Study arose -- as well as the clear statement of Congressional intent embodied in the limitation of the scope and purpose of the FRB Study -- it is appropriate that the FTC has limited the study to so-called "look-up services." In order to maximize public benefit and efficiency, we urge that the focus of the FTC Study be further narrowed to specifically assess whether there are companies that disseminate sensitive consumer identifying information in a manner that could create opportunities for fraud. It is the use of such information for fraud purposes that raises the greatest concern and, as a result, was the focus of Congressional legislative action. Activities that may involve consumer information but do not give rise to fraud risks should be excluded from the scope of the FTC Study. For example, the FTC Study should explicitly exclude companies using consumer identifying information to communicate data between one another, such as those in which entities within a corporate family use consumer identifying information to share information on their customers. This approach is consistent with the Supplementary Information which indicates that the FTC Study will not address data bases used primarily for direct marketing purposes, medical and student records, or the use of consumer credit reports for employment purposes.(8)

It is also appropriate because Congress recently addressed affiliate sharing of information in the same legislation that requested the FRB Study.

Definition of Sensitive Consumer Identifying Information

The Supplementary Information to the FTC Study states that sensitive consumer identifying information may include some or all of the following: social security numbers, mothers' maiden names, prior addresses, and dates of birth.(9)

For purposes of the FTC Study, VISA and MasterCard believe that this definition of sensitive consumer identifying information is appropriate and need not be expanded. In this regard, it is our understanding that financial institutions principally rely on social security numbers, dates of birth, mothers' maiden names and prior addresses when ascertaining and verifying the identity of consumers or providing consumers with access to their records.

The FTC also requested comment on information that might be used in the future to identify consumers. MasterCard and VISA urge the FTC to adopt a definition of sensitive consumer identifying information that is based on current practices and not on predictions of future practices. New consumer identification methods such as those utilizing finger minutiae, voice analysis, iris scan and other biometric systems are in various stages of development, testing and evaluation by financial institutions and other private and public organizations. While it is expected that one or more of these new technologies may be used in the future to further refine consumer identification procedures, these technologies are not yet commonly used. VISA and MasterCard caution that if the FTC Study or its related recommendations are overly broad, they could have a counterproductive, chilling effect on the development of these or other consumer identification technologies that might otherwise enhance risk management and financial privacy in the future.

Dissemination of Sensitive Consumer Identifying Information

MasterCard and VISA have long been concerned about, and have worked diligently to address, the risks presented by credit card fraud and similar types of financial fraud. In our experience, where consumer information has been used to commit financial fraud, the information is generally obtained illegally -- by stealing U.S. Mail or a wallet or purse, improperly removing information from consumer files and, more recently, through illegal access to computer files. Additional restrictions on the flow of information would be unlikely to address these issues. Much greater benefits would be derived from increased resources for law enforcement in this area.

Structure of the Public Workshop

Finally, MasterCard and VISA commend the FTC for separately addressing issues associated with computerized data bases containing sensitive consumer identifying information from issues associated with consumer online privacy and the Bureau of Consumer Protection's June 1996 Public Workshop on Consumer Privacy on the Global Information Infrastructure. In particular, we support the FTC's proposed structure for the Public Workshop, in which Session One addresses computerized data bases and Sessions Two and Three address consumer online privacy issues. Such a structure more efficiently facilitates substantive discussion of these important topics. We urge the FTC to continue addressing these issues separately.

*

Once again, VISA and MasterCard appreciate the opportunity to comment on the FTC Study, and we hope that these comments are helpful. If you have any questions concerning these comments, or if we can otherwise be of assistance in connection with this matter, please do not hesitate to contact me at the number indicated above, Michael F. McEneney, at (202) 887-1568, or Clarke D. Camper, at (202) 887-8793.

Sincerely yours,

L. Richard Fischer

Enclosure: Comment Letter in the Microsoft Word 6.0 format on 3 1/2 inch diskette

cc: Russell W. Schrader, VISA U.S.A. Inc. Miriam L. Wahrman, MasterCard International Incorporated Michael F. McEneney Clarke D. Camper _________________________________________________________________

1. MasterCard is a membership organization comprised of financial institutions which are licensed to use the MasterCard service marks in connection with payment systems, including credit, debit and stored-value cards.

2. VISA is a membership association comprised of financial institutions in the United States which are licensed to use the VISA service marks in connection with payments systems, including credit, debit and stored-value cards.

3. Letter from Senator Bryan, Senator Hollings, and Senator Pressler to the FTC (Oct. 8, 1996).

4. Id.

5. Pub. Law No. 104-208, =A7 2422 (1996).

6. 15 U.S.C. =A7 1681 et seq.=20

7. 62 Fed. Reg. 10,272 (1997).

8. Id.

9. Id. ```

This web service brought to you by Somewhere.Com, LLC.