Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!isi.edu!woolf From: woolf@isi.edu (Suzanne Woolf) Newsgroups: comp.org.eff.talk Subject: Re: Citizens of the City of Mind Message-ID: <17230@venera.isi.edu> Date: 20 Mar 91 17:25:16 GMT References: <3622.27d4c133@iccgcc.decnet.ab.com> <1991Mar11.070712.4223@cs.ucla.edu> <3778.27dd2150@iccgcc.decnet.ab.com> <1225@airs.UUCP> Sender: news@isi.edu Reply-To: woolf@dca.isi.edu (Suzanne Woolf) Organization: USC-Information Sciences Institute Lines: 79 In article <1225@airs.UUCP> airs!ian@uunet.uu.net (Ian Lance Taylor) writes: >In article <3778.27dd2150@iccgcc.decnet.ab.com> herrickd@iccgcc.decnet.ab.com (daniel lance herrick) writes: >>In article <1991Mar11.070712.4223@cs.ucla.edu>, gast@lanai.cs.ucla.edu (David Gast) writes: >>> >>> Anyway, when did I ever make Equifax my agent and ask them to sell info >>> about me? >>> >>You freely gave information that is valuable and Equifax is selling >>it as the agent of the person you gave it to or as their own agent. > >While the information is freely given, it is easy to not be aware that >you are giving out information, and it is hard to become aware, after >the fact, that you have given it out. This could be considered a >hazard of living in this society, but I would just as soon eliminate >the hazard. > At the risk of wandering off on a tangent, this strikes me as a critical aspect, not much discussed, of the debates on the nature of privacy, private information, etc. The argument that "You freely gave valuable information" to Equifax makes an assumption: that information I give, or my credit card company gives about me, to Equifax is theirs to do as they wish (subject only to the law) *regardless of the intent* of the information provider. Another way to put the question is this: If I give someone information about me for a specific purpose, should there be any limitation on what they can do with it outside of that purpose? Or must I give up all say over the further propagation of that information? Do I, by consenting to one use of the information, consent to all? Currently, in practice, yes. However, I don't think it should be this way. I give my bank information about me so that I may conduct my financial affairs with them, not so they can sell my name to credit card companies. When I buy something by mail order I give them my address so that they can deliver to me the merchandise I have ordered, not so they can sell my name to mailing list companies. When I give information about my finances on my mortgage application, it's so they can verify my credit, not so they can put me on Equifax's Hot List of credit seekers. Etc. By entering into a business relationship with any of these people I don't feel I've given prior consent to them to use information provided as part of the transaction for any other purpose, and it bothers me quite a lot that they regularly get away with acting as if I had. Increasingly you hear the argument that "If you don't want them to do this, don't do business with them": "If your phone company puts CallerId on your phone and you don't want me to have your phone number, don't call me." "If you don't want to end up on mailing lists, don't order anything through the mail." "If you don't want bank/credit card company junk mail, don't have a credit card or apply for a loan", etc. But it seems to me there are-- there ought to be-- more choices than that, especially as the limitations we have to live under to protect our privacy keep getting more restrictive. To some extent we can encourage this to happen by not doing business with people that resell customer information without notification or consent. But I'm interested in other people's ideas about how to handle this problem when *every* service provider you can find is reselling information without permission, or when it proves impossible to find out who is selling the information, or when the offender is quasi-public (e.g. the phone company). I'm generally uncomfortable with suggesting "more laws" as an answer to anything, but what would people want to see in a "Propagation of Private Information" law? What should the principles behind it be? We have specific laws that cover specific types of information (e.g. credit); how, and to what, should they be extended? "Live with it" is not an answer: Of course we *could*, but why should we? Why can't we figure out a way to increase the choices available, instead? --Suzanne woolf@isi.edu