From what I've seen, there's a complete lack of awareness of the risks associated with retention of identification or information. I even had a long argument with the local US Post Office, who wanted to record numbers from two forms of ID in order for me to retain my PO Box. Their claim was that postal inspection service requires it. I objected due to my local postoffice storing this information on index cards which all employees of the post office can access. While I understand the postal inspection service's interest in being able to track down box holders, I asked the postmaster if he'd sign a document accepting personal responsibility if the information was released or used by any of his employees.
.. and how did that go?
I think it's time to show up with such a statemant of acceptance of liability whenever asked for such information. I have to wonder if company lawyers would then give it some thought.
Being recently on a large, well known military station, the opposite happened to me. While yes, when originally being vetted I had to supply certain information that most would cringe at supplying, when onsite I was asked for two forms of government issued identification (I chose drivers license and passport) which was just reviewed (not copied), immediately handed back to me and then asked to pose for a picture and signed an electronic pad. A minute later I was handed a new government issued ID. During my stay, I had the need to access certain restricted areas. As I entered restricted area buildings, I was handed a restricted area badge to wear over my new picture ID to let people know immediately what areas I had access to (the alternative is shoot first, ask questions later; I'll pass, thanks). On the other hand, I've visited many data center, collocation facilities, and even foreign military bases (both US and others), and since AT&T sparked this conversation, I've actually been to nearly 40 of their facilities throughout the US. In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including AT&T) have never asked to retain my ID. I'm not exactly sure why these sites want to retain ID, but I think it goes along with the big weight that is connected to the gas station bathroom key. They want to make sure you return your cabinet keys (if any), temporary pass (if any), etc. Legal risk or not, can you think of a better way to get someone to return to the security desk to sign out? Until then, these sites will continue this practice. Randy