Privacy Digest 2.11 4/6/93

PRIVACY Forum Digest     Tuesday, 6 April 1993     Volume 02 : Issue 11

         Moderated by Lauren Weinstein (lauren@cv.vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
                     ===== PRIVACY FORUM =====

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy.

	About the database business (Larry Seiler)
	Personal letters (Steven Hodas)
	Junking the Junk-Mailers (Chaz Heritage)
	Legal Net Monthly Newsletter (Paul Ferguson)
	Chicago DEA Surveillance of Gardeners (Sarah M. Elkins)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

The PRIVACY Forum is a moderated digest for the discussion and analysis of
issues relating to the general topic of privacy (both personal and
collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have
RELEVANT "Subject:" lines.  Submissions without appropriate and relevant
"Subject:" lines may be ignored.  Subscriptions are by an automatic
"listserv" system; for subscription information, please send a message
consisting of the word "help" (quotes not included) in the BODY of a message
to: "privacy-request@cv.vortex.com".  Mailing list problems should be
reported to "list-maint@cv.vortex.com".  All submissions included in this
digest represent the views of the individual authors and all submissions
will be considered to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "cv.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "cv.vortex.com".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.


   Quotes for the day:

	"If we think really hard, maybe we can stop this rain!"

	"There is always a little bit of heaven in a disaster area!"

   	      -- Announcements at the Woodstock Rock Festival; 1969


Date:    Sun, 28 Mar 93 04:33:54 EST
From:    "Larry Seiler, x223-0588, MLO5-2" <seiler@rgb.enet.dec.com>
Subject: About the database business

John, [ referring to jpettitt@well.sf.ca.us -- MODERATOR ]

There are several things in your message that I agree with wholeheartedly,
e.g. that the data collection/distribution business should be brought into
the light so that everyone knows what is going on.  However, there are
several issues in your last message that I wish to comment on.  I'll
summarize them with the following statements:

    1)  Who is hurt by free flow of accurate information?

    2)  Inaccurate information is worse than none and has no value.

    3)  Data collection and trading will happen no matter what.

    4)  Should there be a required consent law for data collection?

    5)  Paying for 800 service gives you a right to people's names.

    6)  Your norms for the collection and sharing of information.

Let me take those one at a time.

    1)  Who is hurt by free flow of accurate information?

Many people who test HIV positive have lost their jobs through fear of 
infection.  It is now known that it is virtually impossible to give someone
AIDS by normal workplace activities (unless one works in a brothel), but
it isn't surprising that fears persist.  Let's suppose an employer learns
the accurate information that someone tests HIV positive and chooses to
fire that person (stating some other reason, of course).  The free flow of
information has unfairly harmed that person.

I have a friend who woke up one night (during a messy divorce) to find
her car on fire.  The fire department told her that it was arson and if
she hadn't woken up so promptly, the whole house would have burned down.
Her response was to announce that she was moving, to change her address
to a P.O. box, and to put someone else's name on her mailbox.  However,
the phone company still knew where she lived -- and would have tracked
her to her new address even if she had really moved.  I submit that if
accurate information about her address were available, she would have
been subject to a significant risk of harm.  I should mention that her
ex-husband had a history of torching cars.

Wasn't it Judge Bork whose videotape rentals were publicized?  I think
that harmed him, to some extent.  Many people (most people) have things
we do that are legal and even ethical, but which might harm us if they
were publicized -- especially if they are taken out of context.  It's
really easy to cite cases where people can be harmed by the distribution
of dead-on accurate information about them, e.g. the British Royal family.

    2)  Inaccurate information is worse than none and has no value.

An individual piece of inaccurate information is worse than none, but
a database that is 95% accurate is obviously still very valuable.  
For example, if an untargeted hit rate is 1/100 and a targeted hit 
rate is 1/20 then even 50% inaccurate data will improve the hit rate.  
The database companies have no economic reason to try to be perfectly 
accurate -- and even if they are 95% accurate about 100M people, that's 
5M people who can get screwed.  Reality is even worse, because there 
are multiple entries per person, any one of which might be inaccurate.  
And in fact, even credit information has been shown to be *far* less 
accurate (e.g., 30% to 50% error rate).  And yet, they still make a lot 
of money by selling it.

I believe current law shields most database purveyors from liability
for errors in their database, unless it can be shown that the error
was deliberately introduced.  This is yet another reason why high
accuracy isn't important to the database industry.  There's no way
to correct most databases, since we are not allowed to find out what's
being said about us.  And even for credit data, there are numerous
examples of people who've made almost a career out of trying to get
their records fixed, only to see the false data keep reappearing because
the credit card companies share data and do not do any verification.
So long as any database anywhere still has the bad data, it can keep
reappearing, no matter how often you've proved that it is false.

    3)  Data collection and trading will happen no matter what.

So will theft.  So will sweatshop labor.  The fact that some people
will find ways to do it (offshore if necessary), or even a claim that 
"everybody does it" has no bearing on whether it should be allowed.

The proper question is, how can a law regarding data privacy be made
such that it actually protects privacy and is actually enforceable?
That's a good question, deserving of more thought in later messages.
However, I think it's necessary to generally agree on where we are 
going before we can agree on (or usefully discuss) how to get there.  
I do have a few suggestions that I'd like to share later.  

    4)  Should there be a required consent law for data collection?

It looks like we agree on this one.  I would be happy with a law that
defaulted to allowing information distribution but provides a clearly
understandable option for privacy.  But that would not be a "neutral
law" -- it would be a law biased toward disclosure.  However, if you
mean by "neutral" that it is a law that balances the desires of 
businesses for information and the desires of individuals for privacy,
then I agree.  Democracy is all about balancing competing interests.
At present, the laws are massively in favor of the information sellers.
I don't want to put the information sellers out of business -- I want
to require them to be responsive to privacy concerns and responsible
for what they do with the data.

    5)  Paying for 800 service gives you a right to people's names.

Ask your customers why they think you have an 800 number.  I bet 99.94%
will say that you pay for that to convince them to call you, which they
wouldn't do if they had to pay for the call.  I'll bet hardly any know
that you get their number when they call an 800 number -- I've never seen
that mentioned except in the RISKS forum, not even in a phone company ad
for 800 service!  So I don't agree that paying for the service gives
you a right to know who's calling.  Also, as has been pointed out, if the 
purpose of caller ID were to let you know *who* is calling, it would provide
a name, not a number.  The phone company has explicitly said that they 
provide numbers because that is what their *database customers* want.  

I submit that caller ID blocking should be extended to apply to *all* 
phone services -- if you enable blocking, then *nobody* you call gets
your number.  You in your turn would be free to not answer any call 
that is blocked, as you are free to not open your door to a person on
your doorstep whom you cannot recognize.  I believe that would provide
a fair compromise between the competing interests.  Note that ANI is like
looking through the peephole into your caller's pocket and seeing their 
driver's license number, without their knowing you are doing so.  In a
free world, people should have a right to refuse to identify themselves,
just as you have a right to refuse to speak with an anonymous person.

Hmm...  maybe what the phone company should be required to provide is 
a block for caller ID blocking.  If you enable this on your 800 line, then
anyone who calls you with caller ID blocking enabled would be informed
that the call cannot get through because they are blocking caller ID.
So you are not bothered by (and do not pay for) any deliberately anonymous 
phone calls, and you'd still get calls from people who still live in areas 
without ANI (if any, I assume there are some).  Does that balance your
desires for caller ID against privacy concerns?

    6)  Your norms for the collection and sharing of information.

I feel I've shown why we should restrict the flow of accurate data --
why it can unfairly harm people to do so.  Beyond that, I don't feel
that you have a right to sell to people the fact that I purchased something
from you (except with my consent), but I know you don't agree with that.

It would be very valuable to establish clear, enforced methods of
tracking data.  To start with, databases should be required to specify
where each piece of data came from -- the source and the date it was
obtained.  Beyond what you suggest, methods should be established to
allow people to review data that is held about them -- both to uncover
potentially inaccurate data and to uncover data that is considered
private and that they did not consent to have distributed.

Under the category of reasonable penalties for selling inaccurate or
private data, I think it's important to take it out of the tort system.
It is unfair both to the public and to the database providers to have
the sole redress be a lawsuit.  It's unfair to the public because this
is a form of redress available to very few.  It's unfair to the database
providers because there is no limit to the damages a jury might award in
the rare cases where a claim does go to trial and is found for the
plaintiff (and for which an appeal doesn't gut the damage award).  BTW, 
I'd be interested to hear what you have to say about the tort system.

Database sellers should be required to respond to claims that their
databases contain inaccurate data.  There should be some established
procedure, like the procedure for contesting a credit card charge.
There should also be a standard fine of some kind for cases where the
database company does not respond to a proper request to investigate
allegedly inaccurate or private data in their database.  That's one
way to avoid the tort system while also establishing a financial value
for keeping the records accurate.  There are more possibilities here,
but I think they belong in a later message.



Date:    Mon, 29 Mar 1993 13:24:37 -0800 (PST)
From:    Steven Hodas <hhll@u.washington.edu>
Subject: Personal letters

If I send a personal letter to someone do they have the right to disclose
it to others without my consent? Does this vary state by state? If it's
prohibited, is it a civil or a criminal issue? If it is permitted doesn't
that suggest that we have greater privacy protection for electronic
communication because the ECPA would prohibit that kind of disclosure?



 	Steven Hodas			     School of Education
   University of Washington		Leadership and Policy Studies
 	206.285.5734			    hhll@u.washington.edu

Date:    Wed, 31 Mar 1993 08:04:03 PST
From:    chaz_heritage.wgc1@rx.xerox.com
Subject: Junking the Junk-Mailers

In PRIVACY Forum Digest, Friday, 26 March 1993, Volume 02 : Issue 10, Alan
(Gesture Man) Wexelblat writes:

>When asked for "identifying" information which is probably going to be used to
compile marketing databases, I cheerfully supply *wrong* information.  I make
it as bogus and outlandish as I feel that day<

Two points.

First, there may be a 'rationality check' of some kind applied to data entry,
so names such as Mr. Michael Mouse or Mr. Donald Duck may be rejected out of
hand. When I last did this, some years ago, when I still had enough hair to
consider myself a young tearaway, I had been sent a marketing questionnaire,
which (having checked carefully for code numbers, etc.) I filled out in the
character of a retired gentleman with far more money than sense, very keen to
find out more about double-glazing, stone-cladding and concrete garden gnomes.
I gave his name as Mr. George Smiley and his address as the building in
Mayfair, London, once inhabited by MI5, the British Security Service. Obviously
I don't know if MI5's successors there have actually been pestered by
double-glazing salesmen, but I fancy that a relatively credible spoof has more
chance of working than an overtly surrealist one.

Second, since I did this the British government passed an Act laughably known
as the Data Protection Act, which, while it does nothing concrete to protect
the rights of the individual, and in many cases formalises earlier abuses, does
make it a crime to lie to a junk-mail computer. Whether recent 'anti-hacker'
legislation in the USA might have a similar effect I couldn't say, but I'd
think it prudent to check. As far as I know nobody has yet been prosecuted in
the UK for such an offence, but if any kind of determined spoofing effort were
to be made against this cornerstone of Monetarist culture then I'm sure that it
would receive the customary treatment.

Though spoofing junk mailers is fun it probably motivates them to make greater
efforts to bribe their friends in government to force compliance by legal
means, and to criminalise dissent, as has happened here (though apparently the
revelation that people could be so 'Trotskyite-Anarchist' as to lie to a
marketing company was one of the things that made Thatcher literally foam at
the mouth, thereby reducing the necessary level of bribery).

Though it would be very inconvenient I suspect that the only certain method of
stamping out these parasites would require the maximum possible popular
support, and would involve an absolute boycott of all companies taking any part
whatsoever in organised data abuse.



Disclaimer: As an individual I speak only for myself. I speak for no other, and
no other speaks for me.


Date:    Wed, 31 Mar 93 16:29:39 EST
From:    fergp@sytex.com (Paul Ferguson)
Subject: Legal Net Monthly Newsletter

Opinion, editorial and newsworthy submissions are currently being
(sought and) accepted for a new start-up electronic news journal.
This monthly compilation will be called 'The Legal Net Monthly
Newsletter' and will focus on the legal and ethical aspects of
computer networking. Legal Net Monthly will be a non-biased, open
forum electronic newsletter keeping in step with the networking
environment of the '90's and will be available by E-Mail subscription.
Legal Net Monthly is aiming to release its first issue on May 1st,
1993. Articles on the following topics are especially welcome:
        o   Defining "Criminal Mischief" on the Nets
        o   Authoring/Distributing Computer Viruses: Legal Implications
        o   Legislative news around the world
Send all submissions, subscription requests and correspondence to:

Paul Ferguson                     |  "Sincerity is fine, but it's no
Network Integration Consultant    |   excuse for stupidity."
Centreville, Virginia USA         |                       -- Anonymous
fergp@sytex.com     (Internet)    |
sytex.com!fergp     (UUNet)       |
1:109/229           (FidoNet)     |
       PGP 2.2 public encryption key available upon request.


Date:    Tue, 6 Apr 1993 14:54:36 PDT
From:    Sarah_M._Elkins.Wbst139@xerox.com
Subject: Chicago DEA Surveillance of Gardeners

Forwarded with permission (from libernet via homebrew).  Steve requests no
follow-ups to him; please ask the store (owner:  Dave Ittel) if you want more
information.  Apparently the camera was removed last week.  The Chicago Tribune
published a couple of articles about the store and the controversy, which I
have not read.


Sarah Elkins (elkins.wbst139@xerox.com)


Date: Mon, 22 Mar 93 11:43 CST
From: srw@ihlpv.att.com
Subject: Drama, Excitement, Surveillance !

This isn't directly related to brewing per se, but I thought the
readers of this digest might be interested in a little drama that
is unfolding at the Chicago Indoor Garden Supply store, 297 N.
Barrington Rd, Streamwood, IL 60107.

I stopped in this past Saturday (3-20-93) to pick up some liquid yeast
and the owner asked an unusual question, "Would you like to see a
surveillance camera?"  At first I thought it was a trick question, but
he led me to the door, shoved a pair of binoculars in my hand, and
directed my attention to a utility pole directly across the street.
Strange.  Power transformers don't usually have little windows on the
front and high gain antennas on the top.

The owner went on to allege that the Drug Enforcement Agency placed a
camera there to see who visits the store.  He claimed that they would
send chase cars after the patrons to get the license tag and then in
some cases show up at their door step demanding to search their home.

The store not only sells the necessary supplies for making beer, but
they also sell supplies for growing spices and herbs in your home.
It appears that the DEA assumes all customers of the store are
growing marijuana.  The disturbing part, the owner alleges, is that
the DEA does not have a search warrant when they show up that your

It's been a couple of days now and no one has shown up at my door,
but I can say for a fact that there was a suspicious looking
transformer on the utility pole Saturday afternoon.  I wonder if
they are monitoring Handy Andy, Franks Nursery, K-mart, etc.

I'm sure if you call the store at 708-885-8282 they will be glad to
tell you the latest chapter in this unfolding drama.

The local CBS affiliate, WBBM Channel 2, is going to do a news story
tonight (Monday).  This could be interesting.

Steve Walk -- 708-713-7409 (Voice)   708-713-7963 (FAX)
Room IHP 2F-520
Software Systems and Technologies Department
AT&T Bell Laboratories
263 Shuman Boulevard
Naperville, IL  60566-7050
att!ihlpv!srw or srw@ihlpv.att.com


End of PRIVACY Forum Digest 02.11
