The following text is copyright 1999 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.

Selling the essence of you.

by Scott Bradner

I did not imagine that it might be legal. Apparently the Minnesota Attorney General can not either. A bank selling the account records of its depositors! Even including the depositor's Social Security numbers! But it looks like that is what may have happened. If true, it represents the type of arrogant disregard for individual privacy that many Internet users assume is the norm.

Banks have long been seen as the paragons of discretion. The image has been that information about your account is held in secret, except for the IRS and in response to court orders. It was always quite a scandal whenever it appeared that the secrecy had been violated. This is one of the reasons that there was so much controversy over the recently withdrawn federal program that wanted banks to get to "know their customers." This plan wanted banks to become an investigative arm of the government and report whenever there was suspicious activity in their customers accounts. How the banks maintain this image in the face of the fact that many banks issue credit cards and credit card issuers have been vilified as the worst violators of personal privacy I do not know.

Thus it came as quite a shock when the Minnesota Attorney General charged that US Bancorp had sold customer account information, including Social Security numbers, credit ratings, marital statuses, and birth dates, to the telemarketing company MemberWorks. The bank was to get commissions on whatever MemberWorks was able to sell to the bank's customers. In addition, the bank gave MemberWorks the ability to automatically withdraw money from the accounts of the bank's customers if MemberWorks claimed that they had sold something to the customer. In its defense, MemberWorks claims that they did not use the information and that any "protected customer information" was returned to the bank unused.

The bank claimed that it had not broken any laws and, sadly enough, they might be right (though the Minnesota Attorney General thinks differently.) That fact that there is any question that this sort of wholesale violation of the privacy of banking customers is against the law is an indication of the problem that we all face in using the Internet. If banks are not required to protect details about your personal life, just who might be?

This incident has made all the more urgent the push towards comprehensive privacy protection legislation underway in Washington DC. But, like most things in Washington, there is no guarantee that any laws that come out of congress, even ones that have titles like "Financial Information Privacy Act" will not actually wind up codifying the ability of powerful interests, like banks, to treat you as a source of information to sell. So it is not yet time to breathe easily.

disclaimer: Harvard, per se, does not breathe so the above must be my dark mutterings.