Public Comments: August 2010 – WPF files comments on deeply flawed SEC plan

 

Background:

The World Privacy Forum filed comments today criticizing the SEC proposed regulations that would release an unprecedented amount of financial details about individual borrowers through the EDGAR database. The WPF was joined by other privacy, consumer, and human rights organizations in its comments, which focused on the privacy issues with the proposed regulations. Pam Dixon, executive director of the WPF, stated in the comments that the SEC’s new regulations would “Place on the public record and online the largest amount of personal financial information about borrowers ever disclosed, including information never before made public.” The comments also note that the SEC’s plan greatly increases the risk of identity theft for individual borrowers whose information will be released publicly.

—–

Comments of the World Privacy Forum, the Center for Digital Democracy, Consumer Action, the Center for Financial Privacy and Human Rights, Privacy Rights Clearinghouse, and Privacy Activism to the Securities and Exchange Commission

Regarding SEC Notice of Proposed Rulemaking on Asset-Backed Securities, File Number S7-08-10

VIA email and www.sec.gov/rules/proposed.shtml

Elizabeth M. Murphy
Secretary,
Securities and Exchange Commission,
100 F Street NE
Washington, DC 20549-1090

August 2, 2010

 

The World Privacy Forum appreciates the opportunity to submit comments on the SEC’s proposed rule on Asset-Backed Securities. The World Privacy Forum is joined in these comments by the Center for Digital Democracy, [1] Consumer Action, [2] the Center for Financial Privacy and Human Rights, [3] Privacy Rights Clearinghouse, [4] and Privacy Activism. [5] The proposed rule appeared at 75 Federal Register 23328 (May 3, 2010), <http://edocket.access.gpo.gov/2010/pdf/2010-8282.pdf>. The World Privacy Forum is a non-profit, non-partisan public interest research group. Our activities focus on research and analysis of privacy issues, along with consumer education. [6]

Executive Summary: While we understand the purpose of and motivation for the Commission’s proposed rule, the proposal is a direct and substantial threat to the privacy of every individual who obtains a mortgage. If adopted, the proposal would be an unprecedented release of individual-level financial data and would greatly increase borrowers’ risk for identity theft and other problems related to the public release of detailed financial information. Specifically, the SEC’s proposed rule would:

  • Expand the risk of identity theft for every borrower whose information would be disclosed because of the rule;
  • Place on the public record and online the largest amount of personal financial information about borrowers ever disclosed, including information never before made public;
  • Circumvent or undermine privacy protections in other laws, including the Fair Credit Reporting Act, Health Insurance Portability and Accountability Act, and the Privacy Act of 1974;
  • Weaken the utility and security of knowledge-based authentication techniques and activities by exposing details of mortgages to more people throughout the world and would undermine NIST electronic authentication recommendations;
  • Undermine the financial stability of households;
  • Threaten the stability of the asset-backed instruments that the proposed rule seeks to protect by placing all borrowers at greater risk to be victims of criminal activity and thereby lowering the value of the asset-backed instruments.

We discuss the specific problems with the SEC’s proposed rule in more detail below.

1. The records that the Commission wants to disclose can be linked to addresses and to individuals with minimal effort.

For mortgage borrowers, the proposed rule would require the disclosure of personally identifiable, individual-level information about each loan and each borrower. The inherent problem is that the level of detail the SEC plans to make public via its online EDGAR database [7] will lead to identifiability of individual borrowers, and the information the SEC plans to release is extremely sensitive. Professor Latanya Sweeney [8] has written a white paper that addresses the ways publicly available tax assessment real property databases can be used to re-identify mortgage information in the proposed data releases that are described in the SEC’s proposed rule on Asset-Backed Securities. Dr. Sweeney is well-known for her research on re-identification risks based on public datasets. [9]

The datasets that the SEC plans to release via EDGAR are unprecedented in their scope and detail. Schedule L at the end of the proposed rule includes the detailed disclosures that would be required for every asset covered by a loan packaged for sale. We focus here on consumer mortgage loans, but the same analysis applies to other consumer loans, such as automobile loans, leases, and student loans. These comments do not address commercial mortgages, equipment loans, or corporate debts. Commercial lending does not normally raise privacy concerns.

The specifics here are important, and we will point out some but not all of the items that must be associated with each asset (loan) being sold through an asset-backed security. All of the detail reproduced comes from Schedule L at the end of the published proposed rule.

We emphasize that all of the information in Schedule L that we describe here will become public. The Commission acknowledges that it is “proposing to require asset-level information in a standardized format to be included in the prospectus and periodic reports and filed on EDGAR.” (page 23356). All information in the SEC’s EDGAR system is available worldwide at no charge. Thus, all information will be freely available to any user around the world, whether that user is a potential purchaser of an asset-backed security or a criminal in another country seeking personal information on Americans for nefarious purposes. We observe that companies already profit by taking EDGAR data and repackaging it for use by others, and it is highly likely that any new data would be copied and repackaged for sale. [10]

Information about the asset (loan) that would be made public via EDGAR includes:

  • Origination date (Item 1(a)(5))
  • Original asset amount (Item 1(a)(6))
  • Original asset term (Item 1(a)(7))
  • Asset maturity date (Item 1(a)(8))
  • Original amortization term (Item 1(a)(9))
  • Original interest rate (Item 1(a)(10))
  • Interest type (Item 1(a)(11))
  • Amortization type (Item 1(a)(12))
  • First Payment date (Item 1(a)(14))
  • Primary servicer (Item 1(a)(15))

While the proposed rule calls for even more detail, these items of information will be sufficient to uniquely identify many, if not most, loans. However, there are many more details as well.

General information about the residential mortgage that would be made public via EDGAR includes:

  • Lien position (Item 2(a)(2))
  • Prepayment penalty indicator (Item 2(a)(3))
  • Mortgage insurance requirement indicator (Item 2(a)(6))
  • Cash out amount (Item 2(a)(8))
  • National Mortgage License System registration number of the company that originated the loan (Item 2(a)(12))
  • Interest paid through date (Item 2(a)(14))

With the previous terms and the many other details that we have not reproduced here, the information that the rule requires to be made public represents the “fingerprint” of each loan. There is a high likelihood that the fingerprint of each loan is unique just with the information identified so far. Yet there are still more details that the proposed rule would make public.

For Adjustable Rate Mortgages, additional required information that would be made public via EDGAR includes:

  • ARM Index (Item 2(a)(18)(i))
  • ARM Margin (Item 2(a)(18)(ii))
  • Fully indexed interest rate (Item 2(a)(18)(iii))
  • Lifetime rate ceiling (Item 2(a)(18)(ix))
  • Lifetime rate floor (Item 2(a)(18)(x))
  • Next adjustment date (Item 2(a)(18)(xi))
  • Initial minimum payment (Item 2(a)(18)(xix))

Next comes information about the property, which includes:

  • Geographic Location by identifying the Metropolitan Statistical Area, Micropolitan Statistical Area, or Metropolitan Division, as applicable (Item 2(b)(1)).
  • Occupancy status (Item 2(b)(2)).
  • Sales price (Item 2(b)(3)).
  • Property type (Item 2(b)(4)).
  • Original appraised property value (Item 2(b)(5)).

We have left out dozens of items of information about each loan, but we think that the point should be clear. The public descriptions will almost certainly be unique for each mortgage loan, and once the property is identified, the owner will also be readily identifiable with little effort.
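The uniqueness claim above can be checked before any release with a k-anonymity style audit. The following is an added example, not part of the original comments: the records are constructed, and the field names are hypothetical labels for a few of the Schedule L items listed above. It also shows that coarsening values into ranges shrinks, but does not eliminate, the set of one-of-a-kind records.

```python
from collections import Counter

# Hypothetical labels for a few Schedule L items named on the page:
# geographic area, original term, origination date, original amount, rate.
QUASI_IDENTIFIERS = ("msa", "term_months", "origination_date",
                     "original_amount", "original_rate")

# Constructed sample records (not real loans); MSA codes are sample values.
_ROWS = [
    ("38300", 360, "2006-03-14", 182500, 6.125),
    ("38300", 360, "2006-03-14", 240000, 6.125),
    ("38300", 360, "2006-03-29", 182500, 6.250),
    ("38300", 180, "2006-07-02", 310000, 5.875),
    ("38300", 360, "2006-11-20", 199900, 6.375),
    ("16980", 360, "2006-03-14", 182500, 6.125),
    ("16980", 360, "2006-05-05", 415000, 6.000),
    ("16980", 360, "2006-09-18", 228000, 6.500),
]
LOANS = [dict(zip(QUASI_IDENTIFIERS, row)) for row in _ROWS]


def equivalence_classes(records, fields):
    """Group records that share the same values on `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def uniqueness_report(records, fields):
    """Summarise disclosure risk: k_min is the smallest group size, and
    `unique` counts records that are alone in their group (k = 1)."""
    classes = equivalence_classes(records, fields)
    unique = sum(1 for size in classes.values() if size == 1)
    return {
        "records": len(records),
        "unique": unique,
        "k_min": min(classes.values()),
        "unique_fraction": unique / len(records),
    }


def cumulative_uniqueness(records, fields):
    """Show how each additional published field raises the number of
    one-of-a-kind records."""
    return [
        (fields[i - 1], uniqueness_report(records, fields[:i])["unique"])
        for i in range(1, len(fields) + 1)
    ]


def generalize(record):
    """Coarsen a record the way a range-based release would:
    date -> year, amount -> $100,000 band, rate -> whole percent."""
    coarse = dict(record)
    coarse["origination_date"] = record["origination_date"][:4]
    coarse["original_amount"] = record["original_amount"] // 100_000 * 100_000
    coarse["original_rate"] = int(record["original_rate"])
    return coarse


if __name__ == "__main__":
    print("exact values:", uniqueness_report(LOANS, QUASI_IDENTIFIERS))
    for field, unique in cumulative_uniqueness(LOANS, QUASI_IDENTIFIERS):
        print(f"  after adding {field:<17} unique records = {unique}")
    coarse = [generalize(r) for r in LOANS]
    print("ranges only: ", uniqueness_report(coarse, QUASI_IDENTIFIERS))
```

A release is only as safe as its smallest group: any field set that leaves `k_min` at 1 still publishes at least one record that stands alone.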

We can now move on to the information that the SEC is proposing to make public via EDGAR about the borrowers (obligors). It is here where the Commission breaks new ground by proposing to require the publication of details about individual borrowers that have never been available publicly before. This information will not, by itself, identify the borrowers without additional effort. The disclosure will, however, expose their personal financial status to the world, and with minimal effort, the same information can also be used to affirmatively identify them.

Credit scores, monthly debt, length of employment, income, and these other details that the SEC plans to make public regarding individual borrowers can be layered with other data about individuals. This is already a common practice in the marketing world. [11] Given the robust amount of detail, the SEC will create with this rule a high-value, high-sparsity dataset with rich new details on hundreds of thousands of individual borrowers. Over time, this dataset will include information about tens of millions of borrowers. High-sparsity datasets are famously useful for their utility in accurately identifying unique individuals, particularly in combination with other data, such as census data. [12] It is well-established that financial data may be used to defraud individuals. [13]

The SEC plans to make the following individual information public via EDGAR about individual borrowers (obligors):

  • Obligor credit score (Item 2(c)(2)).
  • Co-obligor credit score (Item 2(c)(5)).
  • Liquid/cash reserves, or the dollar amount of remaining verified liquid assets after the close of the mortgage (Item 2(c)(13)).
  • Monthly debt, or aggregate monthly payment on other debt, in increments of $500, $1000, $5000, or $10000 (Item 2(c)(15)).
  • Percentage of down payment from obligor own funds (Item 2(c)(18)).
  • Length of employment, in nine ranges (Item 2(c)(22)).
  • Length of employment: co-obligor, in nine ranges (Item 2(c)(23)).
  • Obligor wage income, in increments between $500 and $10000 (Item 2(c)(26)).
  • Co-obligor wage income, in increments between $500 and $10000 (Item 2(c)(28)).
  • Obligor other income, in increments between $500 and $10000 (Item 2(c)(28)).
  • Co-obligor other income, in increments between $500 and $10000 (Item 2(c)(29)).
  • All obligor wage income, in increments between $500 and $10000 (Item 2(c)(30)).
  • All obligor total income, in increments between $500 and $10000 (Item 2(c)(31)).

Table 12, Schedule L-D Item 2 calls for even more information on residential mortgages that are delinquent. There are dozens of categories of information about modified loans, including:

  • Non-pay reason (Item 2(a)(1)). There are codes for the death of the borrower, illness of the borrower, illness of a family member, marital difficulties, business failure of a self-employed borrower, unemployment, incarceration, and other reasons.

Some of the property and loan information that the SEC proposed to make public is public record information. This is the very same public record information already available and organized for search and review by unregulated private sector companies. This means that the SEC dataset is completely identifiable at an individual level.

For example, Record Information Services is one of the many commercial companies that sell information about mortgages. [14] Here is some of what they offer on their website:

New and Previously Recorded Mortgages

This information would be of interest to those who need to reach new homeowners, including mortgage brokers or insurance agents.

* We offer this information on a current basis as well as an archived history that goes back over four and one half years.

* We offer this information with or without phone numbers.

* You can access this data through our web site or we can customize a list for you based on any of the above criteria.

* We offer current information as well as archived data that can also be useful to target for direct mail purposes.

We compile many different fields of information on each mortgage: lender, buyer, address, purchase amount, term, interest rate, and fixed or variable, mortgage type such as FHA, Conventional, VA, etc.

The paragraph that we highlighted at the end makes our point. The details of a mortgage are available from publicly filed documents, and the information is searchable in available databases. Thus, the details from the Commission’s proposed disclosures allow anyone to search existing public or commercial databases to locate the specific mortgage that matches already known specifications. The lack of an address in the SEC disclosures will not prevent a particular property (and thus its owner) from being identified.

What is certain is the new SEC data will greatly enrich the currently available information about the lives of borrowers, and it will become part of what is sold about individuals. This dataset will give bad actors, such as identity thieves, a veritable roadmap for criminal activity on a potentially very large scale.

A second example comes from NETRonline. [15] This company offers a sample file that shows specifically the level of detail.

Tax Parcel: 27-18-30-05-00-0160 Assessment Year: 2008
Land Value: $28,426.00 Improvements: $29,151.00
Tax 1
Tax Type: COUNTY
Tax Period: FULL YEAR
Tax Status: UNPAID
Tax Amount: $1,533.49
Due Date: 01/31/2009
Delinquent Date:
Homestead Exemption: NO
Other Exemptions: NO
Tax Year: 2008
Tax Notes: NO EXEMPTION INFORMATION AVAILABLE. NO DELINQUENCIES

Mortgages
Mortgage 1
End Type: CLOSE END
Mortgagor Name: SHPRESA ULI, GENO ULI AND FLORIA ULI Mortgagor Type: HUSBAND AND WIFE
MERS:
Mortgagee Name: PJ YATES. INC.
Mortgagee Type:
Mortgagee Type:
Mortgage Amount: $30,000.00
Mortgage Credit Limit: $0.00
Maturity Date:
Mortgage Date: 12/13/2006
Date Recorded: 07/17/2007
Instrument Number: 2007-162110
Book/Page: 6095/1483
Trustee:
Notes:

In addition, the same company offers a sample encumbrance record. [16] This record is an actual copy of the actual multi-page mortgage document. Any doubts that might be left by a computer search for a property matching SEC data will be dispelled by a quick review of all the additional terms, which will pinpoint the precise loan and property.

In case the Commission is not aware of the general public interest in mortgage documents for some individuals, we direct attention to a commercial data broker’s blog about celebrity foreclosures.[17] We suggest that it would be simple for any interested party to compile the same information – whether or not there is a delinquency – about elected officials, SEC staff and commissioners, judges, and others in the public eye. The additional level of detail that the Commission would require to be placed in the public domain would make interesting reading for tabloids, neighbors, coworkers, lawyers, and others.

We offer a third example from a public source. In Allegheny County, PA, for example, there is an online database of county information available to the public at no cost. [18] This database is available for every county in Pennsylvania, as well as for many other counties in the U.S. [19] For each property in Allegheny County, a tremendous amount of descriptive information for a house (year built, stories, rooms, other characteristics), its owners, and its mortgage holder is disclosed. Those who subscribe to the service have access to additional search features.

Using either the public or the subscription service, it would be an easy task for any interested party to use the information that the SEC proposes to disclose in order to identify a particular property and property owner. Anyone with a database of properties derived from public data (or otherwise) can automate the search and readily produce a list that ties SEC property and borrower data to a particular property and owner. Many other jurisdictions offer similar databases. Again, there is nothing unique or unusual about the Allegheny County real estate database.

2. The proposed disclosures would be an open invitation to identity thieves and other criminals.

The proposed Commission-mandated disclosures would be an open invitation to identity thieves, providing additional information that would allow crooks to target the most credit-worthy borrowers with increased accuracy. Authenticating information about borrowers released by the Commission would facilitate fraud. It is unfortunately a factual statement to say that quite literally everyone with a mortgage would be at greater and real risk. Identity theft is already a major problem and would certainly grow worse with more information in the public domain. According to the Federal Trade Commission, from 2000-2009, the number of identity theft complaints received increased from 31,140 to 313,982.[20]

The FBI maintains active statistics on its efforts to combat mortgage fraud. The high losses and large number of investigations and suspicious activity reports are indicative of just how big of a problem mortgage fraud already is. The most recent FBI statistics are as follows:

  • Estimated annual losses due to mortgage fraud: $4 billion to $6 billion;
  • Total mortgage fraud Suspicious Activity Reports (SARs) in fiscal year 2009: 67,190, with more than $1.5 billion in losses;
  • So far in fiscal year 2010 (through 2/28/10): 29,780 SARs;
  • Total FBI Mortgage Fraud Task Forces/Working Groups: 77;
  • Pending FBI Mortgage Fraud Investigations (through 2/28/10): 2,989, with 68 percent involving losses of more than $1 million;
  • Mortgage fraud cases opened in fiscal year 2009: 1,571 (compared to 136 in all of fiscal year 2004). [21]

In January 2010, the Identity Theft Resource Center (ITRC) reported a marked increase in mortgage fraud, noting its relationship to identity theft:

Mortgage Fraud on Rise
Over the past year, ITRC victim advisors have been reporting a marked increase in the number of requests for information regarding mortgage fraud. By definition, this type of fraud is categorized as “financial”. As a result of these inquiries and the number of related cases, the ITRC created new ITRC Solution 28 – Mortgage Identity Theft. This solution covers ways to minimize risk, steps to clear name, and resources to contact. [22]

The ITRC has more information about mortgage fraud on its website. [23]

We note that the SEC participated in the President’s ID Theft Task Force. The recommendations of the Task Force state that part of the prevention strategy adopted should include reducing the amount of sensitive financial information circulating about consumers. The report also urges financial institutions and other entities to rely on strong authentication techniques to prevent misuse of data in circulation already, such as SSNs. [24] The proposed SEC rule directly contravenes the Task Force recommendations by greatly increasing the amount of sensitive financial information about individual borrowers made publicly available.

3. The vast amount of information already in unregulated public and private databases makes the Commission’s attempts to mask location of properties and identities of borrowers meaningless.

On page 23357, the Commission states:

We are sensitive to the possibility that certain asset-level disclosure may raise concerns about the personal privacy of the underlying obligors. In particular, we are aware that data points requiring disclosure about the geographic location of the obligor or the collateralized property, credit scores, income and debt may raise privacy concerns. As we stated in the 2004 ABS Adopting Release, issuers and underwriters should be mindful of any privacy, consumer protection or other regulatory requirements when providing loan-level information, especially given that in most cases, the information would be publicly filed on EDGAR. However, as we noted above, information about credit scores, employment status and income would permit investors to perform better credit analysis of the underlying assets. In light of privacy concerns, instead of requiring issuers to disclose a specific location, credit score, or exact income and debt amounts, we are proposing ranges, or categories of coded responses.

For instance, to designate geographic location of an obligor who is a person, instead of requiring, city, state or zip code of the property, we are proposing that issuers provide the broader geographic delineations of Metropolitan or Micropolitan Statistical Areas. Metropolitan and Micropolitan Statistical Areas are geographic areas, designated by a five-digit number, defined by the U.S. Office of Management and Budget (OMB) for use by Federal statistical agencies in collecting, tabulating, and publishing.

For the Commission to state that the proposal “may raise concerns about the personal privacy of the underlying obligors” is an incredible understatement in today’s environment. The Commission’s proposal would undermine the financial privacy of every individual who obtains a mortgage. The disclosure would place every individual at greatly increased risk for being the victim of crooks, fraudsters, and identity thieves all over the world. The Commission’s characterization of its proposal as perhaps raising concerns about privacy is inexcusable and disingenuous.

Unfortunately, the Commission’s attempts to mask the location of particular properties and the identity of borrowers will not work. There is too much information about mortgages available to pretend that the location of a particular property cannot be found. The same is true for information about individuals. With fuzzy searching capabilities, it will not be difficult to link a mortgage to a particular property or to a particular individual using existing available data sources. Relatives and neighbors will have additional, non-public information that will enable them to identify properties and individuals. Indeed, individuals may be highly motivated to find a neighbor’s credit score, the balance of a relative’s mortgage, or the interest rate of a coworker. We did not review here the details of car loans and leases, but the level of detail is the same. Makes and model numbers will facilitate record linkages. Just to make the point, you can find a database of about 75 million car owners by vehicle make, model, year and more at <http://listfinder.directmag.com/market?page=research/datacard&id=218919>. This is by no means the only database of car owners.

4. If adopted in its present form, the SEC rule would represent the largest public disclosure of personal financial information ever mandated by federal law.

We cannot find any precedent anywhere for a disclosure so massive and so detailed as the one that the Commission proposes. Laws like the Fair Credit Reporting Act were enacted to limit the ability of credit bureaus to disclose publicly personal information about the subjects of credit reports. Credit information can only be used and disclosed for a permissible purpose specified in the statute. See 15 U.S.C. § 1681b. Indeed, credit bureaus have no incentive to make their information public, nor do the vast majority of individuals. You cannot buy a credit score on another individual. Yet the Commission’s disclosure would make credit scores, wage information, other income information, and more financial details freely available to anyone who cares to make a small effort to find more information on another individual. It may not take any effort for information intermediaries to sell the information to all comers. Such an activity would fall outside of any existing regulation because it would use information that the Commission placed in the public domain. Indeed, the public availability of the information might undermine laws that protect privacy in other spheres.

If the Commission places information about income and credit in the public domain, where it can be bought and sold without restriction, the credit industry and financial institutions may have stronger arguments for removing existing privacy restrictions on their activities.

5. Some of the personal information that the Commission would make public would shock the conscience of Americans, may violate the constitutional right to privacy, and undermines the protections in other laws.

We do not believe that the American public would stand for a federal law that made public information about wages and income, credit scores, death of a borrower, illness of a borrower, illness of a family member, marital difficulties, business failure of a self-employed borrower, unemployment, and incarceration. Yet that is the consequence of the Commission’s proposal. Indeed, the Commission is proposing to do indirectly what it may not be allowed to do directly. If the federal government proposed to disclose the information that the Commission wants to make public, we believe that the American public would not stand for it. We cannot describe the precise scope of the constitutional right to privacy, but we have little difficulty suggesting that the mandated public disclosure of the information would violate the constitutional standard. Further, the Commission proposal undermines existing protections in the Fair Credit Reporting Act, the privacy rules in the Health Insurance Portability and Accountability Act, and the Privacy Act of 1974. At least some of the information that the Commission proposes to release is expressly protected when in the possession of the Internal Revenue Service under 26 U.S.C. § 6103.

For the Privacy Act of 1974, we observe that a Commission system of records to collect and disclose the personal information in its proposal would violate the Act because the Commission cannot justify public disclosure of income and other information about individuals under the Privacy Act of 1974’s standard that requires that disclosures be compatible with the purpose for which the information was collected. 5 U.S.C. § 552a(a)(7). We do not think that the Commission’s attempt to avoid identifiability works or brings the information outside the scope of the Privacy Act of 1974. If so, then the Commission’s proposal fails to comply with both the procedural requirements of the Privacy Act of 1974 and its substantive standards. We see no evidence that the Commission considered the Act’s requirements. By requiring third parties to collect personal information, the Commission appears to be evading the requirements of the Act that fall directly on the Commission.

6. The proposal will not accomplish its purpose of bringing more certainty and transparency to the valuation of securitized assets. It will raise the cost of mortgages and other consumer loans.

We do not take issue with the broad objectives of the Commission’s proposals. However, even if we could wholeheartedly embrace the required disclosures, we would conclude that they would only bring more instability to the financial system. By exposing every residential borrower to identity theft and other crimes, the disclosure itself will make mortgages less secure than they would be in the absence of the disclosure. Disclosure will also threaten the financial stability of many obligors by making it harder to use past history as a prediction of future performance. Obligors will be the victims of crime and marketing activities that will drain them of assets, destabilize their ability to earn a living, and undermine the American dream of homeownership by making nearly every homeowner a potential victim of identity theft.

We suggest that the Commission read some of the stories about the consequences of identity theft on the lives of Americans. Those who are victims often face years of battling to preserve their rights and their good names. There are examples on the website of the Privacy Rights Clearinghouse at <http://www.privacyrights.org/cases/victim.htm>.

Other consequences will be a diminution in the value of mortgages to investors because of the increased costs of servicing them. We observe that the costs of identity theft do not just fall on consumers. Those who make loans pay as well. Loans made to fraudsters will never be repaid, and the losses will fall on asset holders. Even if the increase in identity theft only raises costs by a few percent, investors will demand higher returns to protect against those losses. The resulting increased interest rates will make home ownership more costly and less available. The proposal will stunt economic growth.

7. The Commission has proposed no protections against reidentification, reuse, redisclosure, or republication of personal financial information.

The Commission’s proposal places in the public domain much personal financial and other information about individuals. Yet nothing in the proposal seeks to limit how anyone may use or redisclose the information. Although we believe that it would be trivial for an interested party or even a business to reidentify virtually all of the personal information that the Commission would make public, the proposal does not seek to prevent reidentification.

We would make a proposal to fix this problem, but any attempts to restrict use of public information would likely conflict with the First Amendment. We cannot propose a constitutional way to restrict the data. Even if we could, any restrictions would not be effective outside the United States where the Commission’s EDGAR database is readily (and necessarily) available. Because adding restrictions on the use of the information is a dead end, the Commission must find another way to protect both the privacy of individuals and the integrity of the financial system. The only other choice is to disclose less data.

8. The Commission’s mandatory and detailed disclosure requirements will undermine the utility of knowledge-based authentication (KBA) activities by exposing details of a mortgage and other financial activities to more people, including crooks.

Authenticating and identity-proofing individuals for Internet and other activities are sometimes accomplished by proving the identity of someone accessing a service, such as a website, through the use of personal information known to the individual. [25] Identity Proofing typically employs questions and answers to prove that the asserted identity of an individual is authentic. For the identity proofing to be rigorous, identity proofing vendors often use queries based on data that the end-user did not provide. Instead, the identity proofing questions and answers are developed from a variety of sources – often culled from financial data — to maximize the ability to uniquely identify an individual. Sometimes, financial information is used because it is not information that would be normally available to a third party. The SEC is surely familiar with the detailed NIST guidance on this matter. [26]

Financial institutions already use KBA methods to authenticate users. [27] This type of authentication method often employs financial data as part of its query-response activities. We note that increasingly, hospitals and other health care providers, including the Veteran’s Administration, are also shifting to KBA solutions for online access to health files. [28]

However, by making more financial information – especially information about mortgage payments – widely available in the public domain, the Commission’s proposal will undermine the value of mortgage and other information for KBA. Just to make the point more clearly, we note one website that lists the following examples of KBA questions:

* What bank holds your car loan?
* Who is your mortgage company?
* What is the make and model of your vehicle?
* What is your spouse’s name? [29]

The first three questions could be answered from data that the Commission proposes to make public. Whether use of this data for KBA is good or bad otherwise is a broader issue, but we see no reason for the Commission to undermine its utility without even thinking about it. These kinds of authentication systems are being implemented much more frequently now that two-factor authentication is becoming more commonplace. Additionally, we wonder if the SEC was fully aware of the National Strategy for Trusted Identities in Cyberspace [30] before it published this proposed rulemaking. The SEC rulemaking would undermine sections of the draft National Strategy.

Conclusion

The SEC’s proposed rulemaking is regrettably irresponsible. It would deeply undermine the security and privacy of individual borrowers, increase the risk for identity theft and fraud to an unacceptable degree, weaken the utility and security of knowledge-based authentication systems, and threaten the value of securities that the proposal seeks to protect. The SEC’s proposal would likewise undermine some of the “strong authentication” security proposals of the National Strategy for Trusted Identities in Cyberspace by undermining identity-proofing knowledge-based authentication systems. Finally, the data the SEC’s proposed rule will make public will become a treasure trove for marketers of every variety, both legitimate and nefarious. If the rich new set of financial and personal data (including health data) is placed in the public domain, this information will be combined with other public data sources in ways the SEC has not envisioned. The SEC did not take nearly enough care with its proposed rulemaking, and its proposed privacy protections are not responsive to the problems the rulemaking creates.

The SEC needs to significantly revise this rulemaking and curtail the amount of information it is releasing about individual borrowers via EDGAR.

We urge the Commission to reconsider its proposed rulemaking, recognize the threat it presents to the privacy of every consumer who borrows money, protect the integrity of securities by not exposing borrowers to identity theft, and revise its approach to privacy substantially.

 

Respectfully submitted,

Pam Dixon
Executive Director,
World Privacy Forum

Jeff Chester,
Executive Director,
Center for Digital Democracy

Michelle de Mooy,
Senior Associate,
National Priorities Consumer Action

J. Bradley Jansen,
Executive Director,
The Center for Financial Privacy and Human Rights

Beth Givens,
Director,
Privacy Rights Clearinghouse

Deborah Pierce,
Executive Director,
Privacy Activism

 

 

 

___________________________________________________

Endnotes

[1] <http://www.democraticmedia.org/>

[2] <http://www.consumer-action.org/>

[3] <http://financialprivacy.org/>

[4] <http://www.privacyrights.org>

[5] <http://www.privacyactivism.org/>

[6] For more information, see <http://www.worldprivacyforum.org>.

[7] <http://www.sec.gov/edgar.shtml>. The EDGAR database is readily available online and access to the database is free for all.

[8] Distinguished Career Professor, Carnegie Mellon University, School of Computer Science, Institute for Software Research; Visiting Professor, Harvard University, Computer Science, Center for Research on Computation and Society; Visiting Professor, Massachusetts Institute of Technology (MIT), Computer Science and Artificial Intelligence Lab (CSAIL); Director, Laboratory for International Data Privacy, also known as the “Data Privacy Lab”, School of Computer Science, Carnegie Mellon University; Co-Director, PhD Program in Computation, Organizations and Society, School of Computer Science, Carnegie Mellon University.

[9] Latanya Sweeney, Re-Identification Risks of SEC Proposed Data Elements Using Publicly Available Real Estate Data, available at <http://dataprivacylab.org/projects/realestate/>. See also Professor Sweeney’s website at <http://privacy.cs.cmu.edu/people/sweeney/>.

[10] Professor Daniel Solove offers an excellent legal analysis of the implications of the availability of detailed financial and other information about consumers. Daniel Solove, The Digital Person: Technology and Privacy in the Information Age (2004).

[11] The Modern Permanent Record and Consumer Impacts from the Offline and Online Collection of Consumer Information, Testimony of Pam Dixon, Executive Director, World Privacy Forum, Before the Subcommittee on Communications, Technology, and the Internet, and the Subcommittee on Commerce, Trade, and Consumer Protection of the House Committee on Energy and Commerce (Nov. 19, 2009), available at <http://www.worldprivacyforum.org/pdf/TestimonyofPamDixonfs.pdf>

[12] See Arvind Narayanan and Vitaly Shmatikov, Robust De-Anonymization of Large Sparse Datasets, 2008 IEEE Symposium on Security and Privacy (Feb. 5, 2008), available at <http://userweb.cs.utexas.edu/~shmat/shmat_oak08netflix.pdf>. See also Federal Trade Commission letter to Netflix regarding release of such datasets (March 2010), available at <http://www.ftc.gov/os/closings/100312netflixletter.pdf>.

[13] See for example Karen Blumenthal, How Banks, Marketers Aid Scams, Wall Street Journal, July 1, 2009, available at <http://online.wsj.com/article/SB10001424052970204556804574260062522686326.html>. See also Charles Duhigg, Bilking the Elderly with a Corporate Assist, New York Times, May 20, 2007. <http://www.nytimes.com/2007/05/20/business/20tele.html?_r=1>.

[14] See <http://www.public-record.com/content/databases/mortgage/index.asp>.

[15] See <http://datastore.netronline.com>.

[16] <http://datastore.netronline.com/samples/oande_sample.pdf>.

[17] <http://www.zillow.com/blog/celebrity-foreclosures/2008/06/#{scid=news-site-rightlink3>.

[18] <http://www2.county.allegheny.pa.us/realestate/Default.aspx>.

[19] See, e.g., links to all county tax assessment database websites in the state of Pennsylvania, available at <http://www.papublicrecords.com/pa_property_records.htm>.

[20] Federal Trade Commission, Consumer Sentinel Network Data Book 5 (2009).

[21] FBI Mortgage Fraud Web Page, available at <http://www.fbi.gov/hq/mortgage_fraud.htm>.

[22] <http://www.idtheftcenter.org/artman2/publish/headlines/Mortgage_Identity_Theft.shtml>. See also Government Accountability Office, Identity Theft: Governments Have Acted to Protect Personally Identifiable Information, but Vulnerabilities Remain 8 (2009).

[23] <http://www.idtheftcenter.org/artman2/publish/v_art_solutions/ITRC_Solution_28.shtml>.

[24] <http://www.idtheft.gov/reports/StrategicPlan.pdf>, at 6.

[25] Recommendations of the National Institute Of Standards and Technology, Electronic Authentication Guidelines, NIST Special Publication 800-63 Version 1.0.2 (2006), at 22-3, available at <http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf>.

[26] Id.

[27] See, e.g., the KBA system in place at <http://www.annualcreditreport.com>. Each credit bureau that offers credit reports through this site utilizes some form of KBA techniques for identity proofing.

[28] See Anakam, The Department of Veterans Affairs Selects Anakam to Provide Trusted Authentication as Part of its Overall Identity Management Strategy, Press Release (July 21, 2009), available at <http://www.anakam.com/News/Article/32/>. The Anakam system relies on KBA and is just one example of such a system.

[29] <http://www.dataxltd.com/identity–authentication/knowledge-based-authentication.html>.

[30] See <http://www.whitehouse.gov/the-press-office/fact-sheet-national-strategy-trusted-identities-cyberspace>, and <http://www.dhs.gov/xlibrary/assets/ns_tic.pdf>.