TUCoPS :: Privacy :: priv_115.txt

Privacy Digest 1.15 9/5/92

From privacy@cv.vortex.com Sat Sep  5 16:33:23 1992
Return-Path: <privacy@cv.vortex.com>
Received: from cv.vortex.com by csrc.ncsl.nist.gov (4.1/NIST)
	id AA22212; Sat, 5 Sep 92 16:33:04 EDT
Posted-Date: Sat, 5 Sep 92 12:44 PDT
Received-Date: Sat, 5 Sep 92 16:33:04 EDT
Received: by cv.vortex.com (Smail3.1.26.7 #2)
	id m0mR63u-0001viC; Sat, 5 Sep 92 12:44 PDT
Message-Id: <m0mR63u-0001viC@cv.vortex.com>
Date: Sat, 5 Sep 92 12:44 PDT
From: privacy@cv.vortex.com (PRIVACY Forum)
To: privacy-forum@csrc.ncsl.nist.gov
Subject: PRIVACY Forum Digest V01 #15
Status: R

PRIVACY Forum Digest      Saturday, 5 August 1992      Volume 01 : Issue 15

         Moderated by Lauren Weinstein (lauren@cv.vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
                     ===== PRIVACY FORUM =====

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy.

	Selling customer lists (James Camp)
	Selling video customer lists (Larry Hunter)
	Wells Fargo Bank changes customer security system (Randy Gellens)
	Vernam Cipher (Art Zimmermann)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have
RELEVANT "Subject:" lines.  Submissions without appropriate and relevant
"Subject:" lines may be ignored.  Subscriptions are by an automatic
"listserv" system; for subscription information, please send a message
consisting of the word "help" (quotes not included) in the BODY of a message
to: "privacy-request@cv.vortex.com".  Mailing list problems should be
reported to "list-maint@cv.vortex.com".  All submissions included in this
digest represent the views of the individual authors and all submissions
will be considered to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "cv.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.


    Quote for the day:

	"Gentlemen!  You can't fight in here--this is the war room!"

			-- The President
				"Dr. Strangelove:
				 Or, How I Learned to Stop Worrying
			         and Love the Bomb" (1964)


Date:    Wed, 26 Aug 92 06:48:44 PDT
From:    jamesc@scotch.nic.ddn.mil (James Camp)
Subject: Selling customer lists

>A local video rental store went belly-up, and the contents of the store
>were put up for auction.
>In addition to some 2400 used videotapes  . . . , and a two-drawer
>filecard cabinet labeled "mailing list" . . .  with name, address, place of
> work and >originally-presented ID on the front, and on the back a list of
> the names of all the videotapes that customer had rented.

All of the video stores I've done business with required a credit card
number to guarantee the account.  If this data were also in the files,
the security of many (former) clients could be put in jeopardy.


Date:    Wed, 26 Aug 92 10:07:16 -0400
From:    hunter@nlm.nih.gov (Larry Hunter)
Subject: Selling video customer lists

In the privacy forum digest V01 #14, Jerome Saltzer describes the sale of
customer lists from a bankrupt video rental store.  He says:

  Exactly how the new federal law prohibiting disclosure of videotape rental
  records applies to this situation is not at all clear.  But it seems safe to
  say that business ethics can't be very effective in protecting data when the
  business vanishes.

As part of a new CPSR project, I have been putting together a demonstration
hypertext system for browsing materials relevant to privacy law.  My
demonstration area happens to be the Video Privacy Protection Act of 1988.
Although I'm not a lawyer, it seems clear from the wording of the act that
disclosing customer records as part of the transfer of ownership of a business
is within the law.  18 U.S.C. 121 Section 2710(b)(2)(E): "A video tape service
provider may disclose personally identifiable information concerning any
customer... to any person if the disclosure is incident to the ordinary course
of business of the video tape service provider."  Paragraph 2710(a)(2) says
"the term 'ordinary course of business' means only debt collection activities,
order fulfillment, request processing, and the transfer of ownership."  There
is, however, a clause requiring the destruction of records more than a year
old, with certain exceptions.

It is also apparent from the legislative background that the mere names of
customers (not associated with specific rentals) are not protected.  The report
of the Senate Judiciary Committee (Report 100-599, Legislative day Oct 18,
1988) says (p. 18) "[F]or example, a video tape service provider is not
prohibited from responding to a law enforcement agent's inquiry as to whether a
person patronized a video tape service provider at a particular time or on a
particular date."

In my personal opinion, unless you are a potential supreme court justice who
likes to watch porno movies, there isn't a lot of protection for you in the
video privacy act.

By the way, I am interested in hearing from anybody who has suggestions about
how to produce a useful browsing system (say, recommendations of specific
Macintosh hypertext tools) or from a lawyer who has outlined this material.

Larry Hunter
Co-chair, CPSR-DC chapter


Date:    26 AUG 92 20:49   
From:    <MPA15AB!RANDY@TRENGA.tredydev.unisys.com>
Subject: Re: Wells Fargo Bank changes customer security system

> Of some concern is other information that is now available via the automated
> system.  Apparently anybody can now call, enter any account number and an
> amount, and be told whether or not that amount of funds is available in the
> specified account.  With a relatively few calls, it would be possible to
> pretty well range in on the amount in any account using this system.  When I
> questioned them about the wisdom of allowing this information to be
> available in an automated manner with absolutely no security or tracking of
> any kind, they replied that since federal regulations allow it, they're
> doing it.

This is nothing new.  Banks have traditionally allowed anyone to call up and
give an account number and an amount, and be told if a check for that amount
would clear at the moment.  What is new is that this is now automatced.  Other
banks have provided an automated version of this for years.  For example,
anyone can call the Bank of America automated information number, press -2-
for merchant services, an account number, and be told the order of magnitude
of the accout, and the binary position within that magnitude ("high" or "low").
A yes/no on a specific dollar amount is also available.

  = Randy Gellens            randy%mpa15ab@trenga.tredydev.unisys.com =

	[ Yes, I know that such automated systems are now becoming widely
	  available.  However, the question for this Forum is, *should* such
	  information be freely accessible, without any controls by the
	  customer, no recording of who is requesting the information, and no
	  notification to the customer that their account information is
	  being queried?  Also, does the widespread move from "manual" to
	  "automated" systems for dispensing this information possibly
	  encourage abuse through easier repetitive access? -- MODERATOR ]


Date:    Sun, 30 Aug 92 17:00:47 PDT
From:    GlasNet <glasnost@igc.apc.org>
Subject: Vernam Cipher

There is a well-known cryptographic technique - the Vernam
Cipher, also known as the one-time pad - which is secure against
any known form of decryption attack.  The problem with this
technique has always been in key distribution; an amount of key
equal to that of the plaintext is required.

I believe there is a method for allowing a variant of the Vernam
Cipher to be applied to data and perhaps to voice communications. 
I think this is fundementally a good thing; one of the guiding
principles of privacy should be that anyone's communications
should be secure from unauthorized access.

If an inexpensive and quite secure method of encryption were
available to all, would not use of end-to-end encryption go some
distance toward solving the privacy problem ?

This would not be a popular idea with law enforcement agencies,
the NSA, and other spooks. Aside from obvious objections from
this quarter, are there any good arguments against general
availability of such an encryption method ?

Art Zimmermann


End of PRIVACY Forum Digest 01.15

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2023 AOH