Francis J. Menton, Jr.
391 Bleecker Street
New York, NY 10014
April 14, 2000
Ms. Jennifer J. Johnson
Attention: Docket No. R-1058
Board of Governors of the Federal Reserve System
20th and C Streets, NW
Washington, DC 20551
Robert E. Feldman
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429
Secretary Gramm-Leach-Bliley Act Private Rule,
Federal Trade Commission 16 CFR Part 313-Comment
600 Pennsylvania Avenue, NW
Washington, DC 20580
Secretary of the Board
National Credit Union Administration
1775 Duke Street
Alexandria, VA 22314-3428
Attention: Docket No. 00-05
Office of the Comptroller of the Currency
250 E Street, SW
Washington, DC 20219
Manager, Dissemination Branch
Attention: Docket No. 2000-13
Information Management & Services Division
Office of Thrift Supervision
1700 G Street, NW
Washington, DC 20552
Jonathan G. Katz, Secretary
File No. S7-6-00
Securities and Exchange Commission
450 5th Street, NW
Washington, DC 20549-0609
Ladies and Gentlemen:
I have just located and read the comment of Mr. Roger Raker of American Background, a "consumer reporting agency" that apparently specializes in employment background checks.
Mr. Raker's comment is highly refreshing in its honesty and forthrightness, particularly by comparison to the duplicitous submission of his company's larger brother in reporting agencydom, Trans Union. While not saying it in quite so many words, Mr. Raker essentially concedes the heart of the matter: social security number (SSN) in association with name is how the financial services industry thinks it knows that you are you. Here is the key language:
"header information confirms the subject's current/previous addresses, date of birth, and social security number. . . . Without . . . identifiers provided by the header information associated with a credit report, neither American Background nor the end-user of the subsequent consumer report may have any degree of confidence regarding . . . the identity of the subject."
In other words, with matching name, address, and SSN, we know we've got the right person. For better or worse, in their wisdom, or lack thereof, the bank/credit provider/credit bureau/employee background guys have decided that name and address with SSN is proof of identity, a kind of digital "signature" if you will.
Well exactly how does this work if Experian, Trans Union and Equifax sell access to everyone's SSN? Now ten million people have access to the perfect forgery of your digital signature. These guys seem to have no idea that this can't possibly work.
Clearly, name plus SSN is not viable as proof of identity because it's far too easy to crack or "forge." But in today's world, as Raker shows, it is accepted. Therefore it cannot be permissible to have major players systematically breaching security and giving away all the "signatures" by selling SSN's. Among other things another form of proof of identity is required, with biometrics (fingerprint, eyeprint, voiceprint) offering obvious solutions.
But this problem is not yours to solve and goes far beyond this statute. Today's issue is financial privacy and we get there by plugging the one big hole, which is sale of SSN's by the credit bureaus.
Rest assured, once you do this the credit industry will move very quickly to another and far better form of identity proof, likely to be some form of biometrics. They just need a little push to get it right.
Meanwhile, I commend Mr. Raker's statement that "Prior to conducting such service, American Background has secured . . . . the express written permission of the individual subject prior to engagement of a consumer report." That sounds like proper consumer reporting ethics to me. Bravo, American Background! By contrast, Experian, Trans Union and Equifax sell SSN's without permission -- and indeed over express protest -- and then sell consumer reports to anyone who has the SSN. It turns the stomach.
Very truly yours,
Francis J. Menton, Jr.