FC: Replies to Charles Platt on privacy and FTC do-not-call database

From: Declan McCullagh (declanat_private)
Date: Mon Jun 30 2003 - 21:57:44 PDT

  • Next message: Declan McCullagh: "FC: Jamie McCarthy on "treason" claims from the right and the left"

    Previous Politech message:
    
    "Charles Platt on privacy and FTC's do-not-call database"
    http://www.politechbot.com/p-04902.html
    
    ---
    
    Date: Sat, 28 Jun 2003 15:16:24 -0400
    From: Robert Gellman <rgellmanat_private>
    To: declanat_private
    Subject: Re: FC: Charles Platt on privacy and FTC's do-not-call database
    References: <5.2.1.1.0.20030627221430.047ebd20at_private>
    
    Declan McCullagh wrote:
     >
     > I would say with confidence that I believe the folks at FTC have no
     > ulterior motives in creating this registry. But administrations can
     > change and policies can shift, and in any case the FTC may have
     > little power to resist requests from law enforcement agencies for the
     > complete database.
    
    While I think that you are probably correct about motive, the issue is open 
    to some question.  Let's look at what the FTC actually did.  Here is a 
    routine use (disclosure authority) for the do-not-call system of records:
    
      "Records may be made available or referred on an automatic or other basis 
    to other federal, state, or local government authorities for regulatory, 
    compliance, or law enforcement purposes."
    
    IMHO, this routine use is overbroad and inconsistent with the Privacy Act 
    of 1974.  Here is a quick argument:
    
    First, the FTC collects records for a do-not-call database.  Allowing 
    disclosures to ANY government authority for ANY regulatory, compliance, or 
    law enforcement purpose (other than as relevant to the do-not-call 
    activity) fails to meet the statutory test that disclosures be compatible 
    with the purpose for the information was collected.
    
    Second, the notion of an "automatic" disclosure is very troubling and 
    questionable.  Disclosures by routine use are discretionary.  An agency 
    that allows an automatic disclosure of personal information without some 
    review is abusing its discretion and could be violating the Privacy Act in 
    other ways as well.
    
    Third, as written, the routine use appears to allow the agency to establish 
    a directory of email addresses and telephone numbers and to make that 
    available for automatic search by virtually any government agency for any 
    regulatory, compliance, or law enforcement purpose.  For the FTC to have 
    reserved that authority is appalling as well as illegal.
    
    There is more that could be said about this routine use, but I doubt that 
    you or your readers want to wallow in Privacy Act caselaw and minutia.
    
    However, I do have some advice to those who want to add their names to the 
    do-not-call list.  Do it by phone and not online.  I don't believe that you 
    have to give your email address on the phone.  I am sorry now that I 
    registered online.
    
    By the way, it took four tries before my registration resulted in the email 
    response from the FTC that was necessary to complete the process.  If 
    anyone registered online and didn't get an email from the FTC (which 
    requires a further response), then the registration probably didn't take.
    
    There are other problems and loopholes with the do-not-call list, but those 
    are subjects for another day.
    
    Bob
    -- 
    + + + + + + + + + + + + + + + + + + + + + + +
    + Robert Gellman                            +
    + Privacy and Information Policy Consultant +
    + 419 Fifth Street SE                       +
    + Washington, DC 20003                      +
    + 202-543-7923        <rgellmanat_private> +
    + + + + + + + + + + + + + + + + + + + + + + +
    
    ---
    
    Date: Sat, 28 Jun 2003 02:58:01 -0400
    Subject: Re: FC: Charles Platt on privacy and FTC's do-not-call database
    To: declanat_private
    Mime-Version: 1.0
    From: "Chris Hoofnagle" <souvarineat_private>
    
    Dear Declan,
    
    Fwiw: If the telemarketers had their way, only the line subscriber (not 
    even the spouse of the subscriber) could enroll, and you'd only be able to 
    enroll by mail after sending a copy of your DL.  I'm not kidding here--the 
    industry recommended every barrier possible to enrollment.
    They didn't even want the roommate of a subscriber to enroll.
    
    Law enforcement access is a continued concern, but some govt access is 
    necesary for enforcement of the rule.  In order to avoid enrollment, we 
    recommended that all telemarketers be required to send CNID--that way you 
    could avoid calls through tech measures.
    
    But in any case, most of the privacy concerns dissolve when one moves to an 
    opt-in system. Cell phone telemarketing already is opt-in, and those who 
    are wireless only experience far less marketing annoyance.
    
    C
    --
    Sent from Chris' Mobile
    
    ---
    
    From: Freematt357at_private
    Message-ID: <ea.3a883e8f.2c2edc32at_private>
    Date: Sat, 28 Jun 2003 07:55:30 EDT
    Subject: Re: FC: Charles Platt on privacy and FTC's do-not-call database
    To: declanat_private
    CC: otherat_private, politechat_private
    
    In a message dated Fri, 27 Jun 2003 14:22:48 -0400 (EDT), otherat_private 
    writes:
    I'm not sure exactly what someone could do with a huge database that links
    phone numbers with email addresses. But it triggered a reflexive concern,
    especially since I didn't see any notes about how the database is secured.
    
    
    
    
    Hi Charles and Declan,
    
    
    
    I almost added my phone numbers as well, but my paranoid other self thought 
    better, not about any worry if the Feds have my number, as they probably 
    have everyone’s number who subscribes to Politech- But the donotcall list 
    would make a great database for foreign marketers lets say the Chinese who 
    wouldn’t pay any attention to our law- Such a list would be ripe to call 
    as it virtually ensures that the list would be devoid of domestic 
    competition and give a foreign telemarketer unfettered access.
    
    
    
    Regards,   Matt Gaylor
    
    
    
    http://www.freeohio.us/
    
    ---
    
    
    From: Vance Kochenderfer <vkochendat_private>
    Message-Id: <200306292323.h5TNN2sY013291at_private>
    Subject: Re: FC: Charles Platt on privacy and FTC's do-not-call database
    To: declanat_private
    Date: Sun, 29 Jun 2003 17:23:02 -0600 (MDT)
    
    The Privacy Act notices for the do-not-call registry seem to be located
    at 68 FR 37491 and 68 FR 37494.  You can bring them up from the GPO's
    site at <http://www.gpoaccess.gov/fr/advanced.html>.
    
    Later,
    Vance
    
    ---
    
    From: "Bazeley, Michael" <MBazeleyat_private>
    To: "'Declan McCullagh '" <declanat_private>
    Subject: RE: Charles Platt on privacy and FTC's do-not-call database
    Date: Fri, 27 Jun 2003 23:12:46 -0700
    
    Asking for the email address eems a bit much, if you ask me. Interestingly,
    you can also sign up for the federal list through the California Attorney
    General's office, and they ask for nothing more than your name and phone
    number and zip code. The FTC says they use the email address to confirm the
    registration. But the AG's office makes no such requirement.
    
    Michael Bazeley
    
    ---
    
    Date: Fri, 27 Jun 2003 22:35:27 -0700
    To: declanat_private
    From: "Brian W. Antoine" <briana@nas-kan.org>
    Subject: Re: FC: Charles Platt on privacy and FTC's do-not-call database
    
    At 07:14 PM 6/27/03, you wrote:
     >I would say with confidence that I believe the folks at FTC have no 
    ulterior motives in creating this registry. But administrations can change 
    and policies can shift, and in any case the FTC may have little power to 
    resist requests from law enforcement agencies for the complete database.
    
       Also consider that the email address you give then isn't required to 
    stay valid
    for your registration to stay valid.  Give them a throw away address to use to
    confirm your registration and then toss it.
    
       I wonder how many new signups hotmail got today. *grin*
    
    
    -- 
                                           (UniKyrn on IM, ICQ#27068798)
    Brian W. Antoine                         http://www.nas-kan.org/
    
    ---
    
    Date: Fri, 27 Jun 2003 23:27:30 -0700
    Subject: Re: FC: Charles Platt on privacy and FTC's do-not-call database
    Content-Type: text/plain; charset=US-ASCII; format=flowed
    Mime-Version: 1.0 (Apple Message framework v552)
    From: Tom Collins <tomat_private>
    To: declanat_private
    
    On Friday, June 27, 2003, at 07:14  PM, Declan McCullagh wrote:
    >I'm not sure exactly what someone could do with a huge database that links
    >phone numbers with email addresses. But it triggered a reflexive concern,
    >especially since I didn't see any notes about how the database is secured.
    
    I wasn't comfortable with the email address requirement, so I used the 
    toll-free number to register my two phone lines.  It took about 2 minutes 
    per line.
    
    >    Consumers can register for the free government service by visiting the Web
    >site www.donotcall.gov. Telephone registration using a toll-free number --
    >1-888-382-1222 -- is available in states west of the Mississippi River,
    >including Minnesota and Louisiana, starting Friday, and nationwide by July
    >7, the Federal Trade Commission said.
    
    --
    Tom Collins
    tomat_private
    
    ---
    
    Date: Sat, 28 Jun 2003 01:10:12 -0700
    From: "James J. Lippard" <lippardat_private>
    To: Declan McCullagh <declanat_private>
    Cc: otherat_private
    Subject: Re: FC: Charles Platt on privacy and FTC's do-not-call database
    
    Note that no email address is required to register a phone number via
    phone call, you simply must call from the phone number that you wish
    to add to the registry (presumably they are using ANI to validate
    requests).  The email address is only required when registering
    through the web site (or requesting verification that a number is on
    the list through the website--in which case there's clearly no
    necessary connection between the email address and the telephone
    number, since anyone could request verification of any phone number
    using any email address--a fact which could be possibly exploited to
    cause the sending of unwanted email).
    
    ---
    
    Date: Sat, 28 Jun 2003 11:05:54 -0400
    To: <declanat_private>
    From: "Lawrence R. Ware" <larryat_private>
    Subject: Charles Platt on privacy and FTC's do-not-call database
    
     >I wonder if any politech recipients have added their phone numbers to this
     >interesting new database.
    
    Yes.
    
     >If they did, I wonder if they felt the momentary
     >misgiving that I experienced myself when the government-run system refused
     >to list my phone numbers as do-not-call until I provided a valid email
     >address for confirmation.
    
    Crossed my mind, but I wonder how else Mr. Platt expects an Internet web
    based sign up to work? Unconfirmed, (without a closed loop) would
    among other things allow me to un-subscribe his phone number, or yours
    for that matter. Want more interruption marketing? The telemarketer's
    will be jumping all over any number *not* on this list soon.
    The script kiddies would have a field day with it.
    
    Perhaps Mr. Platt would prefer to snail mail the FTC a letter, and include 
    a photocopy of his phone bill to prove he has control over
    the number instead?
    
    He could just use a throwaway Yahoo or hotmail account for this if
    the idea of adding to a government database bothers him that much.
    Considering how often people change email addresses for other reasons,
    the value of this database would be limited anyway.
    
    -larry
    
    
    # larryat_private
    # Orlando, Florida
    
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    -------------------------------------------------------------------------
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    Like Politech? Make a donation here: http://www.politechbot.com/donate/
    -------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Tue Jul 01 2003 - 01:19:10 PDT