<HTML> <head><TITLE>PRIVACY Forum Archive Document - (priv.09.19) </TITLE></head> <body bgcolor="#ffffff" text="#000000" link="#0000ff" vlink="#660099" alink="#ff0000"> <table border=0 cellpadding=0 cellspacing=0 width=100%> <tr> <td align=center> <p> <font size=+2><b>PRIVACY Forum Archive Document</b></font> <A href="/privacy"><h3>PRIVACY 
Forum Home Page</h3></A> <font size=-1 face="Arial, Helvetica, sans-serif"> <A href="http://www.pfir.org"><b>PFIR - "People For Internet Responsibility" Home Page</b></A> </font> <p> <font size=-1 face="Arial, Helvetica, sans-serif"> <A href="http://www.vortex.com"><b>Vortex Technology Home Page</b></A> </font> <p> <font size=-1 face="Arial, Helvetica, sans-serif"> <A href="/privmedia"><b>Radio, Television, and Press Contact Information</b></A> </font> <p> </td> </tr> </table> <hr> <PRE>
PRIVACY Forum Digest     Saturday, 2 September 2000     Volume 09 : Issue 19

            (<A HREF="http://www.vortex.com/privacy/priv.09.19">http://www.vortex.com/privacy/priv.09.19</A>)

            Moderated by Lauren Weinstein (<A HREF="mailto:lauren@vortex.com">lauren@vortex.com</A>)
              Vortex Technology, Woodland Hills, CA, U.S.A.
                        <A HREF="http://www.vortex.com">http://www.vortex.com</A>

                       ===== PRIVACY FORUM =====

    -------------------------------------------------------------------
    The PRIVACY Forum is supported in part by the ACM (Association for
    Computing Machinery) Committee on Computers and Public Policy,
    Cable & Wireless USA, Cisco Systems, Inc., and Telos Systems.
                                 - - -
    These organizations do not operate or control the PRIVACY Forum in
    any manner, and their support does not imply agreement on their
    part with nor responsibility for any materials posted on or related
    to the PRIVACY Forum.
    -------------------------------------------------------------------

CONTENTS
    PFIR Statement on Internet Hoaxes and Misinformation
       (Lauren Weinstein; PRIVACY Forum Moderator)
    The ":CueCat" -- Balancing Function and Privacy Can Be a Challenge
       (Lauren Weinstein; PRIVACY Forum Moderator)
    Privacy2000 Press Release 9/1
       (Sol Bermann)
    AG Reilly Praises Decision to Keep Toysmart From Selling
    Consumers' Personal Information
       (Monty Solomon)
    Book Announcement: "Trust and Risk in Internet Commerce"
       (Jud Wolfskill)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
 ***           Submissions without them may be ignored!            ***

-----------------------------------------------------------------------------

The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "<A HREF="mailto:privacy@vortex.com">privacy@vortex.com</A>" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored. Excessive "signatures" on submissions are
subject to editing. Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"<A HREF="mailto:privacy-request@vortex.com">privacy-request@vortex.com</A>". Mailing list problems should be reported to
"<A HREF="mailto:list-maint@vortex.com">list-maint@vortex.com</A>".

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site
"ftp <A HREF="ftp://ftp.vortex.com/">ftp.vortex.com</A>", in the "/privacy" directory. Use the FTP login "ftp"
or "anonymous", and enter your e-mail address as the password. The typical
"README" and "INDEX" files are available to guide you through the files
available for FTP access. PRIVACY Forum materials may also be obtained
automatically via e-mail through the list server system. Please follow the
instructions above for getting the list server "help" information, which
includes details regarding the "index" and "get" list server commands, which
are used to access the PRIVACY Forum archive.
All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "<A HREF="http://gopher.vortex.com">gopher.vortex.com</A>/". Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "<A HREF="http://www.vortex.com">http://www.vortex.com</A>";
full keyword searching of all PRIVACY Forum files is available via WWW access.
-----------------------------------------------------------------------------

VOLUME 09, ISSUE 19

     Quote for the day:

        "Thing, you're a handful!"

              -- Morticia Addams (Anjelica Huston)
                 "The Addams Family" (Paramount; 1991)

----------------------------------------------------------------------

Date: Sat, 02 Sep 2000 16:24:12 PDT
From: <A HREF="mailto:lauren@vortex.com">lauren@vortex.com</A> (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: PFIR Statement on Internet Hoaxes and Misinformation

Greetings. A new People For Internet Responsibility statement, on the
topic of misinformation and hoaxes on the Internet, is now available. It
also includes some initial discussion (which will be elaborated in future
statements) on the conflicting complexities of "anonymity" in the Internet
environment.

The statement is at:

   <A HREF="http://www.pfir.org/statements/hoaxes">http://www.pfir.org/statements/hoaxes</A>

Thanks very much.
--Lauren--
Lauren Weinstein
<A HREF="mailto:lauren@pfir.org">lauren@pfir.org</A> or <A HREF="mailto:lauren@vortex.com">lauren@vortex.com</A> or <A HREF="mailto:lauren@privacyforum.org">lauren@privacyforum.org</A>
Co-Founder, PFIR - People For Internet Responsibility - <A HREF="http://www.pfir.org">http://www.pfir.org</A>
Moderator, PRIVACY Forum - <A HREF="http://www.vortex.com">http://www.vortex.com</A>
Member, ACM Committee on Computers and Public Policy

------------------------------

Date: Sat, 02 Sep 2000 12:25:01 PDT
From: <A HREF="mailto:lauren@vortex.com">lauren@vortex.com</A> (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: The ":CueCat" -- Balancing Function and Privacy Can Be a Challenge

Greetings. As most regular readers of the PRIVACY Forum know, privacy
issues can be very complex, and attaining an appropriate balance between
functionality and related privacy concerns can be a tricky task. Sometimes
a situation that looks like a major problem <B>may</B> turn out to be less
serious than might be initially anticipated, especially when the developers
of the associated systems are open to advice regarding these matters. Such
is the case in today's Digest.

You've probably heard the phrase "There's no free lunch" -- meaning that
you very rarely ever get something of value for nothing. So when a major
campaign, backed by major corporate enterprises, begins to distribute free
Web scanning hardware devices, promoted as enhancing users' Web browsing
experiences, it seems appropriate to be at least a little bit wary.

This was the situation when I first heard about a new device called the
":CueCat," from developer Digital:Convergence Corp. of Texas
(<A HREF="http://www.digitalconvergence.com">http://www.digitalconvergence.com</A>). Millions of these devices will be
provided to users for free at Radio Shack stores or will be available by
mail for a shipping and handling charge.
The units are small bar code scanners which can read the universal product
codes and other bar-type codes found on products, and which will also be
printed in magazine advertisements, catalogs, and other materials. The
devices interface with personal computers via a keyboard cable in-line
connection.

An array of major companies will apparently be aligning themselves with
this system, to allow users to simply scan a bar code and be taken directly
to the associated Web sites and often deeply-linked pages. The cuteness
factor is assured by the device actually resembling a somewhat stylized
feline. (Since I'm a cat lover, this wins a few brownie points regardless
of other factors...)

So far so good -- sounds pretty nifty doesn't it? When you think about it
though, such a device can't work unless there is a linkage between the
units and a database that points to the appropriate Web pages. That's in
fact how the :CueCat works.

Each unit has an individual ID (serial number). When a code is scanned, the
unit interrogates a central server which returns the appropriate Web page
URL, which is then displayed by your normal browser.

The transmitted unit serial number is linked to the data that you provide
to the system via a Web site when the unit is first initialized for use.
While some of their earlier software apparently asked for a fairly wide
variety of demographic data, I've been told that the newer releases have
dropped all but the more basic of questions (name, e-mail address to return
the registration info, the serial number of the unit, age range, gender,
zipcode). Obviously, users will make their own choices about whether or not
they wish to answer even those questions with accurate information. Zipcode
data in particular is apparently used to return geographically relevant
pages when possible.

Digital:Convergence strongly asserts that only aggregated statistical data
are made available to their clients, and that specific non-aggregated data
is never made available.
In fact, they have told me that as the data is processed at intervals, the
linkages to individual serial numbers are discarded, making it impossible
for retrospective links to be established after that time, even internally.

There's another aspect to their system as well -- their ":CRQ" software
which supports the :CueCat environment. A cable can be used to connect
computers with a television, radio, or virtually any other audio source, to
pick up special encrypted cue tone bursts ("See Our Cue"?) that will
automatically transfer Web browsers to particular Web pages as specified
<B>within</B> the program or broadcast, either immediately or on a delayed
basis (e.g., if the user is offline at the time). No need to rely on those
pesky users to manually decide to enter a URL -- this system does it
automatically and apparently without the need for human interaction.

While this could have significant positive applications (follow along with
photos and details during a newscast or other program, for example), the
ramifications of this sort of "remote control" over a user's computer are
significant and potentially far-reaching, even with the control mechanisms
built into the software. This will be an area that will bear watching as it
develops and is deployed.

Digital:Convergence posts an extensive privacy policy on their associated
Web sites, addressing a variety of important issues. However, perhaps my
greatest concern as I first looked into these products, was the question of
how many people would hook these devices into their computers without
realizing that they actually <B>do</B> feed certain data back to a central
system. If history and human nature are any guide, the vast majority of
people will never even think to look at the :CueCat privacy policy at their
Web sites or bother to read any click-through license agreements.

I broached this issue with Digital:Convergence's chief technical officer
during a lengthy phone call.
In a rather stark contrast to the usual defensive posture that many
corporate executives take in such situations, he instead immediately
offered to implement my suggestion of an additional pop-up box during the
software installation process to make these privacy-related points clearer,
and in fact he composed the text and offered several versions for my
comments and suggestions during the course of our call. The new pop-up will
apparently be implemented in the downloadable version of their software
very shortly, and in the units distributed through stores (on CD-ROMs) as
soon as possible.

The :CueCat system seems to be an excellent example of the many conflicting
elements that can come into play and that need to be brought into some sort
of harmony, when dealing with the integration of various technologies and
the Internet, especially when privacy concerns are in the mix. There are
far more ways to do such things wrong than right, and the good intentions
of the developers of such systems, combined with a willingness to accept
and <B>act</B> upon outside input in the case of potential problems, can be
paramount.

Proper, meaningful advance notification and realistic informed consent are
crucial in Web environments (and the physical world), both to avoid actual
abuses and the appearance of abuse.

While the :CueCat and :CRQ systems do carry the potential for privacy
problems, this does not necessarily mean that such problems will actually
come to pass. In this case, and for now at least, I believe that
Digital:Convergence deserves the benefit of the doubt with these products.
Time will tell, and I'll keep you informed.
--Lauren--
Lauren Weinstein
<A HREF="mailto:lauren@pfir.org">lauren@pfir.org</A> or <A HREF="mailto:lauren@vortex.com">lauren@vortex.com</A> or <A HREF="mailto:lauren@privacyforum.org">lauren@privacyforum.org</A>
Co-Founder, PFIR - People For Internet Responsibility - <A HREF="http://www.pfir.org">http://www.pfir.org</A>
Moderator, PRIVACY Forum - <A HREF="http://www.vortex.com">http://www.vortex.com</A>
Member, ACM Committee on Computers and Public Policy

------------------------------

Date: Fri, 01 Sep 2000 09:11:50 EDT
From: Sol Bermann <<A HREF="mailto:bermann@osc.edu">bermann@osc.edu</A>>
Subject: Privacy2000 Press Release 9/1

NEWS FROM OSC
August 31, 2000
FOR IMMEDIATE RELEASE

PRIVACY2000: Are Privacy and the Free Flow of Information Incompatible?

COLUMBUS, Ohio: As a flood of personal data is collected over the Internet,
privacy has become a critical topic of discussion for businesses,
consumers, advocates and the government. The Technology Policy Group and
OSC will host Privacy2000, October 31-November 1 in Columbus, Ohio to
address the needs of these groups.

PRIVACY2000 draws from all sides of the privacy debate and allows
participants the opportunity to interact with experts, learn best
practices, and form their own privacy solutions. Whether discussing
business planning, policy making or advocacy, Privacy2000 will have experts
on hand to help participants achieve their privacy goals. But not all
experts will agree on the best solution.

Businesses can gain consumer trust by adopting privacy measures even as
they improve the customer's shopping experience through effective
personalization. In the hyper-competitive world of the Internet, the added
convenience created by personalization can be a key differentiator, said
Jeff Harbison, CEO of Elity Systems and a member of the Personalization
Consortium.
However, Ari Schwartz, senior policy analyst for the Center for Democracy
and Technology, warns that "Privacy on the Internet can only be insured
through work in three areas: baseline legislation incorporating fair
information practices; self-regulatory models that encourage responsible
industry practices and promote public education; and privacy enhancing
technologies that will help users turn the tide on privacy invasive
technologies."

The issue of privacy will be one of the most controversial areas of public
and private policy over the next decade. Some have asked, "If you have
nothing to hide, why be so concerned about privacy?" said George Trubow,
Director of the Center for Information Technology & Privacy Law, John
Marshall Law School. I answer, "it's not that I have something to hide,
it's that I have something to protect, which is my own persona and personal
dignity --that's what privacy is about."

Numerous speakers will join Mr. Harbison, Mr. Schwartz, and Mr. Trubow in
sharing their views on privacy during the two-day PRIVACY2000 conference.

October 31 is designed for business leaders and policy makers who need to
know the privacy playing field, and will offer a hands-on approach to
learning about and coping with the legal, technological and practical
issues related to the protection of personal data and the free flow of
information. The day will conclude with a televised roundtable, followed by
a networking reception.

November 1 is designed for decision makers on the front lines of
implementing policy and technology solutions, and will offer a unique,
highly informative and interactive workshop, which will go from "soup to
nuts" on how to create and implement a privacy policy.

PRIVACY2000 is held at the Adam's Mark Hotel in Columbus, Ohio.
For more information about PRIVACY2000, contact Sol Bermann, Legal Project
Manager, Technology Policy Group, at (614) 688-4578, or <A HREF="mailto:bermann@osc.edu">bermann@osc.edu</A> or
go to <A HREF="http://www.privacy2000.org">www.privacy2000.org</A>/.

------------------------------

Date: Sun, 20 Aug 2000 20:38:24 EDT
From: Monty Solomon <<A HREF="mailto:monty@roscom.com">monty@roscom.com</A>>
Subject: AG Reilly Praises Decision to Keep Toysmart From Selling
         Consumers' Personal Information

<A HREF="http://www.ago.state.ma.us/toystoys.asp">http://www.ago.state.ma.us/toystoys.asp</A>

Office of Attorney General Tom Reilly

NEWS RELEASE

FOR IMMEDIATE RELEASE
AUGUST 17, 2000

CONTACT: MARSHA COHEN
(617) 727-2543

A.G. REILLY PRAISES DECISION TO KEEP TOYSMART FROM SELLING CONSUMERS'
PERSONAL INFORMATION

BOSTON -- Attorney General Tom Reilly praised the fact that a decision by a
federal bankruptcy judge will keep a bankrupt online toy store from selling
consumers' personal information for now.

United States Bankruptcy Court Judge Carol Kenner today denied a motion by
Toysmart.com to approve a settlement it had reached with the Federal Trade
Commission (FTC) to sell its customer list as an asset to a third party.
Toysmart.com is an educational on-line toy store based in Waltham.

Judge Kenner put off a final decision on whether the customer list can be
sold in the future and, if so, whether restrictions will be imposed. The
list cannot be sold as long as there is no buyer, which means that the
rights of Toysmart's customers remain protected.

"This decision is a victory for consumers and everyone interested in
Internet privacy," said AG Reilly. "For now, the Attorneys General have
achieved their goal by preserving the privacy rights of Toysmart's
customers."

"When this issue comes up again, and we expect that it could in this case,
we will continue to fight for the highest standard when it comes to
protecting the personal information consumers give over the internet," AG
Reilly added. "I am proud that Massachusetts led this effort to protect the
privacy rights of unsuspecting consumers and to keep their very personal
information out of the hands of the highest bidder."

AG Reilly led 43 other states and two territories, and the District of
Columbia in objecting to the settlement, saying it did not go far enough to
adequately protect the privacy rights of consumers, and urging that the
customer list should not be sold without consumers first agreeing.

Toysmart had posted on its website a policy pledging that the company would
never share its customers' personal information with third parties.
However, after financial problems forced Toysmart to file for bankruptcy,
the company did seek permission to sell the customer list that contained
consumers' names, addresses, billing information, credit card numbers and
browsing and purchasing histories as part of its assets. This effort was
opposed by the states and initially by the FTC. Recently, the FTC settled
its concerns with Toysmart, and filed the stipulation in Bankruptcy Court
that required Judge Kenner's approval.

The other states and territories joining Attorney General Reilly in the
case are Alaska, Arizona, Arkansas, California, Colorado, Connecticut,
Delaware, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas,
Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi,
Missouri, Montana, Nevada, New Hampshire, New Jersey, New Mexico, North
Carolina, North Dakota, Northern Mariana Islands, Ohio, Oklahoma, Oregon,
Pennsylvania, Rhode Island, South Carolina, Tennessee, Utah, Vermont,
Virgin Islands, Virginia, Washington, West Virginia, Wisconsin, and
Wyoming, and the District of Columbia.
Assistant Attorney General Pamela Kogut of AG Reilly's Consumer Protection
and Antitrust Division handled the case.

Click here to read the Bankruptcy Court filing...
<A HREF="http://www.ago.state.ma.us/oppositi.pdf">http://www.ago.state.ma.us/oppositi.pdf</A>

   [ Amazon.com (<A HREF="http://www.amazon.com">http://www.amazon.com</A>) has recently changed their privacy
     policy to explicitly state that they consider customer data to be an
     asset subject to being bought or sold:

        "As we continue to develop our business, we might sell or buy
         stores or assets. In such transactions, customer information
         generally is one of the transferred business assets. Also, in the
         unlikely event that Amazon.com, Inc., or substantially all of its
         assets are acquired, customer information will of course be one of
         the transferred assets."

     Since for many businesses (Internet-based or "stone and mortar"),
     their customer data may be among their most valuable assets (sometimes
     their only real assets), this whole area is very much an open question
     worthy of rigorous study and debate.

     By the way, the Amazon.com privacy policy also acknowledges that they
     often attempt to determine when you open e-mail sent to you from
     Amazon.com. That is, they apparently are using an e-mail/Web server
     "bug" technique (such as "invisible" images) within at least some of
     their html-based e-mail.

                        -- PRIVACY Forum Moderator ]

------------------------------

Date: Mon, 24 Jul 2000 16:35:51 EDT
From: Jud Wolfskill <<A HREF="mailto:wolfskil@MIT.EDU">wolfskil@MIT.EDU</A>>
Subject: Book Announcement: "Trust and Risk in Internet Commerce"

The following is a book which readers of this list might find of interest.
For more information please visit
<A HREF="http://mitpress.mit.edu/promotions/books/CAMTHF99">http://mitpress.mit.edu/promotions/books/CAMTHF99</A>

Trust and Risk in Internet Commerce
L. Jean Camp

As Internet-based commerce becomes commonplace, it is important that we
examine the systems used for these financial transactions. Underlying each
system is a set of assumptions, particularly about trust and risk. To
evaluate systems, and thus to determine one's own risks, requires an
understanding of the dimensions of trust: security, privacy, and
reliability.

In this book Jean Camp focuses on two major yet frequently overlooked
issues in the design of Internet commerce systems--trust and risk. Trust
and risk are closely linked. The level of risk can be determined by looking
at who trusts whom in Internet commerce transactions. Who will pay, in
terms of money and data, if trust is misplaced? When the inevitable early
failures occur, who will be at risk? Who is "liable" when there is a
trusted third party? Why is it necessary to trust this party? What exactly
is this party trusted to do? To answer such questions requires an
understanding of security, record-keeping, privacy, and reliability.

The author's goal is twofold: first, to provide information on trust and
risk to businesses that are developing electronic commerce systems; and
second, to help consumers understand the risks in using the Internet for
purchases and show them how to protect themselves. Rather than propose a
single model of an Internet commerce system, the author provides the
information and insights needed by merchants and consumers as they develop
the Internet for commerce.

L. Jean Camp is Assistant Professor at Harvard University's Kennedy School
of Government.
6 x 9, 292 pp., 25 illus., cloth ISBN 0-262-03271-6

--------------------------------------------------------------
Jud Wolfskill
Associate Publicist           Phone: (617) 253-2079
MIT Press                     Fax: (617) 253-1709
Five Cambridge Center         E-mail: <A HREF="mailto:wolfskil@mit.edu">wolfskil@mit.edu</A>
Cambridge, MA 02142-1493      <A HREF="http://mitpress.mit.edu">http://mitpress.mit.edu</A>

------------------------------

End of PRIVACY Forum Digest 09.19
************************
</PRE> <hr> <center> <A href="/privacy"><h3>PRIVACY Forum Home Page</h3></A><p> <A href="http://www.vortex.com"><h4><i>Vortex Technology Home Page</i></h4></A><p> <A href="/privmedia"><h4>Radio, Television, and Press Contact Information</h4></A><p> </center> <p> <font size=-2>Copyright © 2001 Vortex Technology. All Rights Reserved.</font> </BODY> </HTML>