Data Brokers and the Federal Government: A New Front in the Battle for Privacy Opens | Introduction and Background
I. Introduction and Background
The US federal government uses commercial data brokers [1] extensively for a wide variety of governmental activities. It is unquestioned that the government provides considerable revenue to commercial data brokers. How much? A reasonable and conservative estimate is that the number ranges in the billions of dollars. Over the course of the last 20 years, the extent of the relationship has become clear through a series of detailed investigations and scholarly research. For background purposes, we reference a leading study and discuss a newer use. This report does not seek to reinvestigate and re-document known uses.
Generally, government use of commercial data providers accelerated after 9/11 and has been quite extensive in the area of law enforcement. [2] The extent of the use was documented through repeated Freedom of Information Act requests and subsequent analysis by Chris Jay Hoofnagle, who then worked at the Electronic Privacy Information Center and is currently the Director of Information Privacy Programs, Berkeley Center for Law & Technology, UC Berkeley School of Law. His paper, Big Brother’s Little Helpers: How ChoicePoint and Other Data Brokers Collect and Package Your Data For Law Enforcement, [3] collects and summarizes older activity.
In 2008, ChoicePoint, the data broker that was a primary subject of Hoofnagle’s work, was acquired by Reed Elsevier for more than $3 billion. [4] ChoicePoint is now part of LexisNexis, a very large commercial data broker that is part of the Reed Elsevier conglomerate. The federal government is a significant customer of LexisNexis. On its website, LexisNexis says that “70 percent of local agencies and almost 80 percent of the Federal government use LexisNexis.” [5] One LexisNexis product, the Accurint for Law Enforcement database, is used by over 4,000 federal, state, and local law enforcement agencies across the country. [6]
Recently the company announced a new service to help law enforcement officers monitor social media. The service debuted Oct. 19, 2013. “Social Media Monitor, a new capability in the LexisNexis Accurint® for Law Enforcement platform that is powered by the technology of DigitalStakeout®, allows agencies to discover risks and threats by leveraging social media to provide actionable intelligence.” [7] LexisNexis describes in one of its federal agency case studies for its public records service [8] that its service was used to “[l]ocate missing or hard-to-find people and track ownership of assets.” [9] The study noted the agency subscribed to LexisNexis Public Records because it “provided ability to look across all 50 states with one search.” The company noted in a release that: “Our government solutions allow law enforcement and government agencies to derive insight from complex data sets, improve operational efficiencies, make timely and informed decisions to enhance investigations, increase program integrity, and discover and recover revenue.” [10]
This report does not address the value or quality of these commercial databases, nor does it assess necessary outsourcing of some database activities by the federal government. It is the privacy consequences of outsourcing that are the subject of this report. The OMB Do Not Pay Initiative properly asks whether information in commercial databases is sufficiently respectful of privacy so that government use of the information is appropriate.
The first real test of this question is likely to come because the US Treasury is currently testing The Work Number as part of a pilot program for the government’s Do Not Pay Initiative. [11] The Work Number has been controversial for the scope of its payroll information and its lack of transparency, with one critic saying it was like a secret CIA. [12] The Work Number collects employment and salary information on Americans, and a lot of them. According to a company news release, “[t]he database includes more than 50 million current payroll records, updated each pay period to provide the most up-to-date information to lenders.” [13]
In some cases, the reporting of payroll and information is mandatory for employees, but some employers obtain consent before sending employee information to The Work Number. [14]
The Work Number is part of Equifax, one of the leading credit bureaus. The Work Number database is said to contain information on more than 190 million Americans, [15] with as many as 12 million added each year. Information from The Work Number is sold to debt collectors, financial service companies, and other entities. Equifax says that employment verification information (that is, where you work, but not specific pay information) is only sold to debt collectors with consent, as required by the Fair Credit Reporting Act. [16]
The Privacy Rights Clearinghouse has raised issues relating to the accuracy of the information in The Work Number. [17] There does not appear to be any public information on the accuracy of the database, and that will be an important issue if the database is to be accepted for permanent use in the Do Not Pay Initiative. There is ample reason to be concerned about the accuracy of commercial databases. In 2013, at the conclusion of its Congressionally-mandated national study of credit report accuracy, [18] the Federal Trade Commission found that 21% of consumers had verified errors in their credit reports, 13% had errors that affected their credit scores, and 5% had errors serious enough to cause them to be denied credit or to pay more for it. It remains to be seen whether The Work Number has error rates that high and whether those rates would meet OMB’s standard of sufficient accuracy to assure fairness to data subjects.
One reason the OMB memo is so welcome is that it provides an opportunity for an inquiry about the accuracy of commercial data brokers and databases that the government uses. This is a subject rarely debated because the data broker companies generally are not compelled to supply accuracy information in this way.
Government Reliance on Commercial Databases has Few Legal Limits
There are few legal or regulatory constraints on the government’s use of commercial data sources about individuals. Commercial database owners are largely unregulated for privacy, and they are generally free to sell information as they please with little regard for accuracy, currency, completeness, or fairness. Individual consumers may or may not have a practical remedy when commercial databases include personal information that is wrong, untimely, incomplete, or unfair. Consumer legal remedies are difficult at best and impossible at worst unless a statute like the Fair Credit Reporting Act [19] provides a specific remedy, such as the ability to access and correct a file. Data problems that come with no legal remedy are the source of the anecdotes in which people describe spending years trying to clean up their files. In some extreme cases, people are forced to prove their identity in novel ways such as x-rays, or they must travel with documents proving their identity due to these kinds of entrenched errors. [20]
The key privacy law that defines how the US government may process most records about individuals is the Privacy Act of 1974. The Act has its own shortcomings, but that is a topic for another day. It imposes some useful privacy limits on federal government activities involving personal information, and more importantly, it gives privacy rights to individuals. Federal agencies have long evaded the privacy standards in the Privacy Act of 1974 by using information from commercial databases that do not meet the standards of the Act. [21] The new OMB Do Not Pay policy takes useful steps in the direction of limiting that type of abuse.
How The Do Not Pay Initiative Affects Data Brokers
The Do Not Pay Initiative and the resulting OMB memo about how to handle the privacy of databases used in the initiative are an important part of the debate about data brokers and the privacy policies that they do — or should — follow.
The OMB memo requires agencies involved in the Do Not Pay Initiative to apply privacy standards for evaluating the use of commercial databases with personal information. [22] The standards themselves are not new. They are the same standards that federal agencies have complied with for the nearly forty years that the Privacy Act of 1974 has been in place. What is new is that the standards will apply externally to commercial services and databases provided to the government and not just internally to government activities or information that the government maintains.
The Do Not Pay Initiative seeks to curb waste and fraud in the federal government by limiting, reviewing, and verifying information to identify inappropriate federal agency payments. [23] Excluded from this Initiative are regularly occurring salary payments for members of the military. Also excluded are benefits to employees such as those enrolled in FEDVIP or long-term care. [24] Even with these exclusions, though, the mandate of the Initiative is broad.
To facilitate the review and verification process, the Initiative uses two newly-built online portals to centralize and disseminate information. This report focuses on one of them, the Do Not Pay Portal. [25]
The Do Not Pay Portal is a centralized website where government agencies can seek to verify or determine eligibility of individuals for receiving government payments. Determining which individuals are ineligible for payments requires a great deal of personal and sensitive information. The portal seeks to use external sources because the US government does not always have the necessary information in its own files. The US Treasury describes the “Do Not Pay Business Center [as a location that] provides many data sources – in one place – that your agency can review to verify eligibility.” [26]
This is OMB’s description of the Do Not Pay Initiative:
In response to the President’s June 2010 directive, the federal government has worked aggressively to develop tools that will enable the centralized, detailed review of relevant databases envisioned as part of the “Do Not Pay List.” As a first step, agencies reviewed internal controls and processes surrounding its existing pre-payment and pre-award procedures and databases monitored pursuant to those procedures. Building on these reviews, OMB and the Department of the Treasury (Treasury) have established the Do Not Pay solution, available for use by all agencies. The Do Not Pay solution is comprised of two components geared toward reducing improper payments:
A web-based, single-entry access portal that enables agencies to access the data sources identified in the June 2010 Memorandum (including the Death Master File, the Excluded Parties List System, Treasury’s Debt Check Database, and the List of Excluded Individuals and Entities). In addition, Treasury will continue to add other high-value data sources to the portal.
Data Analytics Services that utilize additional data sources which are not available through the Portal. These include Treasury’s Office of Foreign Assets Control List, zip code data, prison information, and several privately available sources. The sources are augmented by advanced data analytic activities for identifying trends, risks, and patterns of behavior that may warrant further review by the agency. [27]
Of particular note are Treasury’s plans to add other data sources to the portal. It has, in fact, already done so.
Current Databases Used in the Do Not Pay Initiative
The Treasury Do Not Pay Portal launched in April 2012. As of 2013, it uses an array of databases, some for vetting vendors, some for checking on individuals. The focus of this report is on how the Initiative affects individuals.
According to the Department of the Treasury, the Do Not Pay portal uses information compiled from the following databases to determine payment eligibility, including of individuals:
Excluded Party List System (EPLS)
Identifies parties excluded from receiving Federal contracts, certain subcontracts, and certain types of Federal financial and nonfinancial assistance and benefits (Examples include:
Verifies whether an individual that is receiving unemployment payments is still living, owes federal non-tax debt, and/or is recently employed;
Identifies providers, individuals, or vendors that are excluded from doing further business with the government or should be subject to more oversight based on past performance; and
Identifies keying errors that could cause the wrong entity to receive a payment
Keeps the Federal purchasing community aware of administrative and statutory exclusions across the entire government, suspected terrorists, and individuals barred from entering the United States.
Death Master File (DMF)
Verifies whether an individual that is receiving unemployment payments is still living, owes federal non-tax debt, and/or is recently employed.
List of Excluded Individuals/Entities (LEIE)
Verifies whether an individual that is receiving unemployment payments is still living, owes federal non-tax debt, and/or is recently employed
Identifies providers, individuals, or vendors that are excluded from doing further business with the government or should be subject to more oversight based on past performance
Debt Check
Verifies whether an individual that is receiving unemployment payments is still living, owes federal non-tax debt, and/or is recently employed
Identifies vendors that owe federal non-tax debt and ensure vendors that owe debts are paid via the Treasury offset process instead of through a credit card.
Central Contractor Registration (CCR)
Identifies providers, individuals, or vendors that are excluded from doing further business with the government or should be subject to more oversight based on past performance
During the payment process, ensures that the name associated with the DUNS is the name associated with that DUNS in CCR, thus preventing payment to the wrong entity
Identifies keying errors that could cause the wrong entity to receive a payment
The Work Number
Verifies whether an individual that is receiving unemployment payments is still living, owes federal non-tax debt, and/or is recently employed for agency programs that are means tested
Verifies the accuracy of income levels at the time of enrollment
Office of Foreign Assets Control (OFAC) feed
The Work Number is a commercial database that has received a great deal of critical attention. According to the User Guide for the Do Not Pay portal, “The Work Number is the leading provider of employment and income verifications; the data provided could help you determine eligibility for certain government programs.” [28]
The OMB rules that will determine whether The Work Number meets privacy standards are discussed in detail below. The Treasury Department and other participants in the Initiative must follow the new OMB rules for The Work Number database, including providing public notice and the opportunity for public comment. How Treasury handles its use of The Work Number will be the first test of the sincerity and viability of the new OMB privacy guidance. One of the key recommendations in this report is how notice and comment for The Work Number should be accomplished.
___________________________
Endnotes
[1] This report relies on the Federal Trade Commission definition of data broker found in its report, Protecting Consumer Privacy in an Era of Rapid Change, Federal Trade Commission Report, p. 68, March 2012. “Data brokers are companies that collect information, including personal information about consumers, from a wide variety of sources for the purpose of reselling such information to their customers for various purposes, including verifying an individual’s identity, differentiating records, marketing products, and preventing financial fraud.” http://www.ftc.gov/os/2012/03/120326privacyreport.pdf.
[2] See generally, Robert O’Harrow, Jr., No Place to Hide (2005).
[3] Hoofnagle, Chris Jay, Big Brother’s Little Helpers: How Choicepoint and Other Commercial Data Brokers Collect, Process, and Package Your Data for Law Enforcement, 29 N.C.J. Int’l L. & Com. Reg 595 (2003), available at SSRN, http://ssrn.com/abstract=582302.
[4] The deal was announced in February 2008, and closed in 2008. See New York Times, Reed Elsevier to acquire ChoicePoint for $3.6 billion, (Feb. 21, 2008), http://www.nytimes.com/2008/02/21/technology/21iht-reed.4.10279549.html?_r=0. See also LexisNexis 2008 Annual Report (“On 19 September 2008, Reed Elsevier acquired ChoicePoint, Inc. ChoicePoint has merged with the LexisNexis Risk Information and Analytics Group, creating a risk management business with approximately US$1.4bn revenues. ChoicePoint’s principal operating groups are Insurance Services, Screening, Business Services and Government Services.”). http://www.reedelsevier.com/annualreport08/business/Pages/lexis-nexis.aspx.
[5] http://www.lexisnexis.com/risk/about/.
[6] “Accurint for Law Enforcement is a proven and effective tool already used by over 4,000 federal, state and local law enforcement agencies across the country,” http://www.lexisnexis.com/risk/downloads/casestudy/realcrimesrealresults.pdf.
[7] http://www.lexisnexis.com/risk/newsevents/press-release.aspx?Id=1381851197735305.
[8] http://www.lexisnexis.com/en-us/products/public-records.page.
[10] http://www.lexisnexis.com/risk/newsevents/press-release.aspx?Id=1314881279715051.
[11] See https://smartpay.gsa.gov/cardholders/smartpay-charge-cards/purchase-card/do-not-pay and https://www.theworknumber.com/SocialServices/News/newsletters/vol2_2012/federal-do-not-pay-program.asp.
[12] Bob Sullivan, NBC News, The Red Tape Chronicles, Your employer may share your salary, and Equifax might sell that data (Jan. 30, 2013), http://www.nbcnews.com/technology/exclusive-your-employer-may-share-your-salary-equifax-might-sell-1B8173066. See also Jeff Gelles, Credit-reporting companies know more than they tell you, Philadelphia Inquirer (Feb. 4, 2013), http://articles.philly.com/2013-02-04/business/36723466_1_credit-reports-free-reports-credit-reporting-system.
[13] PR Newswire, The Work Number and DealerTrack Partner to Provide Automated Employment and Income Verification to the Auto Finance Industry (March 9, 2011). http://www.reuters.com/article/2011/03/09/idUS134583+09-Mar-2011+PRN20110309.
[14] See, e.g., http://www.hr.emory.edu/eu/docs/talx-guide.pdf and http://www.gcu.edu/Documents/upload/Faculty%20and%20Staff/Employment%20Verification%20FAQs.pdf.
[15] The Work Number, Commercial Verifiers Page, “The Work Number is a service that organizations can use to verify employment and income information. The more than 190 million records on The Work Number database are provided to us by over 2,000 employers and are updated on a regular basis.” http://acceptance.theworknumber.com/Verifiers/Help/faq.asp?category=general.
[16] See Kashmir Hill. Sadly, It’s Not Actually This Easy To Find Out How Much Money Someone Makes, Forbes (Feb. 4, 2013), http://www.forbes.com/sites/kashmirhill/2013/02/04/equifax-the-work-number/.
[17] See https://www.privacyrights.org/ar/WorkNumber.htm.
[18] Federal Trade Commission, Report to Congress Under Section 319 of the Fair and Accurate Credit Transactions Act of 2003 (2012), http://ftc.gov/os/2013/02/130211factareport.pdf.
[19] 15 U.S.C. § 1681 et seq. The FCRA regulates consumer reporting agencies (“credit bureaus”), but credit reporting is a narrow part of the commercial database world. Those companies regulated under the FCRA typically offer numerous unregulated databases to government and commercial companies.
[20] Many of these case studies have been documented over the years. See generally the Identity Theft Resource Center, http://www.idtheftcenter.org/, and the Privacy Rights Clearinghouse, https://www.privacyrights.org/. See also the medical identity theft reporting of the World Privacy Forum for the documentation of identity and medical information, https://www.worldprivacyforum.org/category/med-id-theft.
[21] Agencies do this by consulting commercial databases and by avoiding including information in a Privacy Act system of records subject to privacy standards.
[22] DNP relies on five existing federal databases, which are described below. These databases are subject to existing privacy rules applicable to the federal government when those laws apply.
[23] The Do Not Pay Initiative will also affect businesses and other legal persons. However, because this report focuses on privacy and because only individuals have privacy rights, the consequences for legal persons of the Do Not Pay Initiative are not under review. We note, however, that better quality records benefit all data subjects, whether they are individuals with privacy rights or not.
[24] Do Not Pay Webinar Questions, April 2012, p. 5. http://donotpay.treas.gov/DoNotPayWebinarQuestionsApril2012.pdf.
[25] The Do Not Pay Program also includes a website called PaymentAccuracy.gov, which we do not cover in this report. This website publishes general information about improper payments made regarding certain high-risk government programs. The PaymentAccuracy.gov website also allows the public to report suspected fraud, waste, and abuse.
[26] Do Not Pay Portal, http://donotpay.treas.gov.
[27] Office of Management and Budget, Reducing Improper Payments through the “Do Not Pay List” (April 12, 2012) (OMB M-12-11). https://smartpay.gsa.gov/sites/default/files/wysiwyg/OMB%20Memo%20on%20Do%20Not%20Pay%20List.pdf.
[28] Do Not Pay Portal User Guide DNP User Guide R 1.3.0.1 v4 at p. 19, http://donotpay.treas.gov/Do%20Not%20Pay%20User%20Guide.pdf.