TUCoPS :: Privacy :: priv_226.txt

Privacy Digest 2.26 7/24/93

PRIVACY Forum Digest        Saturday, 24 July 1993        Volume 02 : Issue 26

          Moderated by Lauren Weinstein (lauren@vortex.com)
                Vortex Technology, Topanga, CA, U.S.A.
	
                     ===== PRIVACY FORUM =====

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy.


CONTENTS
	Emerg med records -should- be confidential (Daniel Burstein)
	Re: Data-swapping between EMT and DMV (Jay Maynard)
	Re: Data-swapping between EMT and DMV (J. Scott Weaver)
	Re: Data-swapping between EMT and DMV (Jerry Leichter)
	H.R. 1900 (John W. Pfeifer)
	Car Rentals (Paul Robinson)
	Re: Incident at a Car Rental 800 Number (Gene Spafford)
	Name & Address from Phone Number in Chicago (Bob Reese)
	B of A and Privacy (David Gast)
	"Computers, Freedom & Privacy '94" (Willis Ware)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com".  All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@vortex.com, call (310) 455-9300, or FAX
to (310) 455-2364.
-----------------------------------------------------------------------------

VOLUME 02, ISSUE 26

   Quote for the day:

	"Danger is my business."

			-- Cool McCool 
			   "Cool McCool" (1966-1968, 1969)	

----------------------------------------------------------------------

Date:    Sun, 18 Jul 1993 09:08:46 -0400 (EDT)
From:    Daniel Burstein <dannyb@panix.com>
Subject: emerg med records -should- be confidential

In Privacy Forum volume 02, issue 25, Wayne Madsen of NJ (don't have his
email address at hand) described the following incident (paraphrased):

>  A co-worker collapsed at the job, was treated and transported by the
>local emergency medical service. He was diagnosed with a benign brain
>tumor and discharged from the hospital.

> Sometime later he received a letter from the DMV stating that he had to
>re-apply for his drivers license. It seemed that the EMT had shared this
>information with the DMV, and when qustioned later, the EMT claimed it was
>routine procedure to share this information...
 
Mr. Madsen then goes on to point out the very real risks in this.

   to which I add:

 As a NYS EMT-P for twelve years who has worked with NYC-EMS for more than
ten of them, and as someone who is familar with the NYS laws regarding EMS
actions ("Article 30" and "Part 800" and various other bits and pieces), I
can tell you that this is bs (at least in NY and most other states).

  Patient records (in 99% of the cases) are confidential and are NOT to be
transmitted to anyone outside of the medical stream taking care of the
patient. there is -no- valid reason whatsoever (in 99% of cases) for any
handover of such info to the DMV (or anyone else), and an EMT (or any
other medical person) doing so can face some pretty heavy charges. (these
records can, of course, be brought into a court action, but that's the
case with just about anything)

  (The few exceptions are those specifically mandated by law. Your State's
mileage may vary, but generally these include things such as required
reports of child abuse, gunshots, severe burns, and the like. DMV, of
course, -will- get reports of injuries related to auto accidents, but
that's it).

  Now that's not to say it doesn't happen. Every so often stories appear
about lawyers/undertakers/auto repair centers/etc., who have made
"arrangements" with local police/emts/doctors/etc. for referrals, but
that's a human and social engineering issue.

  I've kicked the original article over to one of the State licensing folk
for an official comment. They'll either be posting it directly, or I'll
relay it on receipt.

 danny burstein, NYS-EMT-P
(dannyb@panix.com

------------------------------

Date:    Sun, 18 Jul 1993 13:54:20 -0600 (MDT)
From:    jmaynard@nyx.cs.du.edu (Jay Maynard)
Subject: Re: Data-swapping between EMT and DMV

In the general case, the EMT-patient relationship is protected by the same 
comfidentiality provisions as the doctor-patient relationship. In Texas, not 
only is such information _not_ routinely given to the Department of Public 
Safety (or any other law enforcement agency), but it can only be obtained by 
subpoena. Any EMT who divulged such information without the patient's consent 
would be subject not only to civil liability, but also to revocation of his 
EMT certification. I would expect that the same applies in New Jersey in the 
absence of a specific law requiring its disclosure.

I would suggest that the patient in the cited case seek legal assistance. 
While I do not condone the lawsuit-happy culture that we have built ofer the 
past decade or so, this is one instance where legal relief is 
appropriate...and there's an EMT, and likely an EMS organization, out there 
who needs a stern lesson in patient confidentiality. That confidentiality is 
an integral part of the EMT-patient relationship, and without it, we can't do 
our job.
-- 
Jay Maynard, EMT-P, K5ZC, PP-ASEL | Never ascribe to malice that which can
jmaynard@oac.hsc.uth.tmc.edu      | adequately be explained by stupidity.
                     "iHaTeX." -- Andrew Burt

------------------------------

Date:    Mon, 19 Jul 93 08:18 PDT
From:    fweaver@bigvax.alfred.edu
Subject: Re: Data-swapping between EMT and DMV

In VOLUME 02, ISSUE 25, Wayne Madsen writes:

>It seems that the EMT had shared the medical data with DMV and when
>confronted later, EMT claimed that it was a routine procedure to do so.
	  [remaining quoted text deleted -- MODERATOR]

In New York State, EMTs *are* mandated reporters of suspected child abuse,
etc.  However, this case would probably be considered a serious breach of
patient confidentiality.  In particular, the EMT has no basis for the tumor
diagnosis, although she may have observed and reported a seizure.  If she
was reporting hearsay from the hospital staff, heads should roll.

J. Scott Weaver

------------------------------

Date:    Mon, 19 Jul 93 09:21:34 EDT
From:    Jerry Leichter <leichter@lrw.com>
Subject: re: Data-swapping between EMT and DMV

Wayne Madsen describes an incident in which a person is rushed to a hospital
after collapsing, and is found to have a benign brain tumor.  Later, he is
notified by the NJ Dept. of Motor Vehicles (DMV) that he had to re-apply for
his driver's license, as the EMT shared the medical data with DMV, claiming
that was "routine procedure".

Mr. Madsen describes this as "a draconian privacy measure [which] calls into
question the privacy of medical data in the upcoming National Health Insurance
program...."

Some medical conditions are classified as "reportable".  Any doctor who
detects them is obligated by law to report them to the appropriate
authorities, usually (but I don't think always) the state board of health.
Reportable conditions include (at least) certain communicable diseases and
gunshot wounds.  The reports are used for various things, from simple
calculation of statistics (which can be essential in controlling epidemics)
all the way up to initiating state actions concerning the individuals
involved.  These requirements long pre-date computerization, going back to
at least the nineteenth century.

We live in a society, and the other members of that society have rights, too.
Because of the success of medical science over the past 50 years or so, we've
forgotten painful lessons, that took hundreds of years to learn, about the
control of epidemics.  Recent experience with AIDS and now with drug-resistant
tuberculosis is making it plain that our victory may prove transitory, and
more traditional means of control may again prove necessary.

AIDS was almost made a reportable disease in several states, or even
nationally.  (Ultimate responsibility for coordinating public health measures
rests with the CDC.  I think disease reports reach it through state health
departments, but I'm not certain.)  Debates arose on the public health vs.
privacy issues here, and ultimately the decision was made in the direction of
privacy.  How much of this decision was based on sound medical reasoning (AIDS
isn't easily transmissible; there is no effective treatment, and isolation is
pointless; statistical information can be gotten in other ways - by taking
random, unidentified blood samples of hospital patients and testing them,
which is in fact being done) and how much on the political influence of AIDS
activist organizations one can argue; but the debate was quite real and could
have gone the other way.  A similar debate is under way today concerning
attempts to force treatment on those with drug-resistant tuberculosis, up to
and including holding them prisoner until they complete treatment (which can
take 6 months or more).  At the moment, a small number of people ARE being
treated in this way, and despite some complaints from civil libertarians, the
clear trend is toward more, not less, such treatment.  In the past, carriers
of communicable diseases who could not be rendered non-infective have been
held in isolation for the rest of their lives.  It's by no means out of the
question that such a thing could happen again.

In the case at hand, I suspect that New Jersey may have a reporting require-
ment to the DMV in the case of any medical condition that is thought likely
to cause seizures.  The "public health" implications of a driver having a
seizure on the highway should be obvious.  There have been attempts to impose
similar reporting requirements for conditions that cause deterioration of
vision.  I don't know if these have been accepted; again, there's a strong
political lobby (the AARP) that fights against perceived discrimation against
older people.   They may have objected to such measures.

Privacy is not an absolute right.  Society - that is, every other individual -
has the right to attempt to control threats to public health, even when the
necessary - and they have to be shown to be that - measures are much more
intrusive than simply requiring that a driver show that he can still operate a
vehicle safely.
							-- Jerry
------------------------------

Date:    18 Jul 1993 17:22:37 -0800
From:    JOHN W PFEIFER <DFJWP@acad2.alaska.edu>
Subject: H.R. 1900

I'm trying to find a copy of H.R. 1900, the Privacy for Consumers and
Workers Act, introduced by Rep. Williams this session in the U.S.
House of Representatives.
 
Does anyone know if the full text of the bill is available anywhere
online via FPT?  If so, where?
 
Thanks....John W. Pfeifer <dfjwp@acad2.alaska.edu>

	[ A great deal of information about past and current federal
	  legislation, including legislation in progress, can
	  be obtained from the Library of Congress Information System,
	  available on Internet via telnet at "locis.loc.gov".
	  While full text of all materials may not be available, a 
	  great deal of data, including the current state of pending
	  legislation, is online.  -- MODERATOR ]

------------------------------

Date:    Thu, 22 Jul 93 01:24 GMT
From:    "Tansin A. Darcos & Company" <0005066432@mcimail.com>
Subject: Car Rentals [Subject field chosen by MODERATOR]

I wrote a message to Risks Digest about the ability of a Car Rental 
company at Washington DC National Airport in Arlington, Virginia to be
telling me that they will check my driving record for disqualifying 
factors.  My drivers' license is from Maryland, which does not print
the Social Security Number on the license.  I was rather surprised that
a private party - e.g. a car rental company - would be able to do an
interstate verification of someone's license record on a Saturday, which
was a little surprising.  (And because it's the first time after more
than 30 car rentals that I've heard of this practice.)  A reader of
Risks Digest had a comment about my message:

> The Sunday Business section (Wash Post) carried an article about car
> rental companies checking driving records of customers in some states. MD
> was one of them. Soon the system will be extended to all states.
> I'd appreciate hearing your views on what identification should be used
> nationally.  And if the answer is none, how you can reasonably expect to
> be protected from mobile rip-off artists if there is no way for the police
> to tag & identify mobile crooks.

I think my comments may have been misunderstood a little.  All that I
was saying was that I was surprised that a private organization would
have the capability to do an interstate verification of someone's driving
record on a weekend.  I do see this checking as a reasonable protection 
of their rights to protect their property against criminals.  The point
I was making was that a private organization is given the ability to 
make inquiries.

If this is something akin to an inquiry to a privately operated database
of criminal convictions or other activity, where some group collects 
criminal information from the public record to create their own information,
that's one thing.

But giving private parties essentially carte blanche to look through the
drivers' license database for anyone bothers me a little bit.  

And remember, I was talking about the actions of a private organization 
 - a car rental company - to examine a driving record of an applicant for
a rental of an automobile, where the applicant's record is in another
state.  This has nothing to do with the police, whose car computers 
probably have direct access to the NCIC database.

Paul Robinson -- TDARCOS@MCIMAIL.COM

------------------------------

Date:    Sun, 18 Jul 93 12:58:50 -0500
From:    Gene Spafford <spaf@cs.purdue.edu>
Subject: Re: Incident at a Car Rental 800 Number

I can't say that the rental agency is *not* doing a license check
interstate when you show them your license.

However, as someone who as had to rent lots of cars, I can tell you
that they always look at my license.  Even when I have an "express"
reservation and I am on my way out of the parking lot, the person at
the gate checks my license.  They never type the license number into
the computer or do any other check.

So, if they don't run a computer check, why do they check the license?

1) To make sure you have one.  Most states have a policy of
confiscating your license if you commit certain forms of traffic
infraction.  If you can't produce a license, you shouldn't be renting
their cars.

2) To make sure your license hasn't expired.  A colleague of mine
didn't remember to renew her license, and got stranded when she went
to pick up the car.  The clerk said that only holders of valid
licenses are allowed to rent the cars because of legal and insurance
reasons.

3) To verify you are who you say you are.  I could call up the same
car rental agency, give your name, phone, address, place of work, etc.
and try to pick the car up.  They need to verify that I am indeed the
person who reserved the car.

I don't view any of these as invasions of privacy or anything
involving computers.  I think they are sound business sense (for a car
rental company).

Cheers,
--spaf

	[ It is not totally obvious exactly *what* information is being
	  checked in these increasingly frequent database lookups by car
	  rental firms.  I believe I heard that on the basis of these
	  checks, something like 1 out of 8 applicants is rejected.  Whether
	  rejections are based on insurance status, accidents, tickets, etc.
	  is unknown.  Nor do we know that applicants are always told *why*
	  they were rejected.  One obvious concern regarding such systems is
	  that the possible presence of incomplete or inaccurate information
	  in the DMV databases could potentially cause applicants to be
	  rejected for false reasons. 

	  This is not a simple topic, since one's driving record *is* of
	  reasonable concern to car rental companies--still, the issues
	  regarding access to those records, and the accuracy of those
	  records, should be the subject of considerable scrutiny 
	  and care.  -- MODERATOR ]

------------------------------

Date:    21 Jul 93 16:31:34-0400
From:    ROBERT.REESE@sprint.sprint.com
Subject: Name & Address from Phone Number in Chicago 

Following is a synopsis of a 7/20/93 story in Communications Daily:

    Chicago-area customers will soon have access to Automated Customer
    Name and Address service provided by Ameritech.  The service
    provides a "reverse directory", which allows callers to hear the
    name, address and zip code associated with any listed telephone
    number in the 312 or 708 area codes.  The service will cost 35 cents
    per call and provides information on two listings.

I haven't seen the entire story but this definitely raises several
privacy issues.  Does a customer of Ameritech get to choose whether
he/she is included in this listing?  If you don't want to be listed do
you have to pay an additional charge?  How are unlisted numbers handled?

The price is cheap enough that anyone with call detail information from
a PBX, pen recorder, etc. wouldn't hesitate to use it for investigative
purposes.

Regards,

Bob Reese
(robert.reese@sprint.sprint.com)

	[ I believe you can rest assured that unlisted numbers will
	  not show up in that system.  (Beware, however, that in 
	  some areas there is a difference between "unlisted" and
	  "non-published" numbers, and they may not be handled
	  identically!)  Reverse telephone directories (known in the
	  trade as "criss-cross directories") have long been available
	  to businesses--the difference with an automated CNA system
	  is the ease of access by "the masses."  By the way, there are
	  also directories organized by street address designed to
	  ease solicitations.

	  Outside of the usual exclusion of unlisted numbers from such
	  directories and systems, many telcos allow subscribers to opt-out
	  of at least some reverse directory systems upon request.

	  Your best bet would be to query your local telco regarding
	  their specific policies, or contact your state's Public
	  Utilities Commission if you're dissatisfied with the telco's
	  response.  -- MODERATOR ]

------------------------------

Date:    Tue, 20 Jul 93 16:26:42 -0700
From:    gast@CS.UCLA.EDU (David Gast)
Subject: B of A and Privacy

B of A also has a telephone system for getting information, such as checking
account balances.  You don't even have to know a phone number as every
branch seems to have a phone that is hardwired to the system.  Essentially,
at the first level prompt you have to decide if you are an individual or
a business.  If you are an individual, then you also have to provide a
password, probably the last four digits of your SSN.  If you are business,
it lets you type in an account number, and then a balance.  It will tell
you if the account has that much money.  Presumably this "service" is for
merchants so they can see if a check will clear.  While there are problems 
even with its seemingly intended purpose, the system can also be used via
binary search to determine the account balance in an account.  Worse, the
system also provides to "business" users a rating without the need for any
password.  It always seemed to me that this rating service should have been
subject to the Fair Credit Reporting Act, but I guess the lawyers found a
loophole.

They may have changed the system in the last few years, but this is my best
recollection of how it worked.

David Gast

------------------------------

Date: Thu, 22 Jul 93 12:48:34 PDT
From: Willis Ware <Willis_Ware@rand.org>
Subject: "Computers, Freedom & Privacy '94"

  *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
                  "Computers, Freedom & Privacy '94"

                   George B. Trubow, General Chair
               Timothy R. Rabel, Conference Coordinator

                       John Marshall Law School
                       315 South Plymouth Court
                          Chicago, IL 60604

   e-mail = cfp94@jmls.edu                        voice = (312) 987-1419
                         fax = (312) 427-8307
  *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

             Conference Announcement and Call for Papers
                 Computers, Freedom, and Privacy 1994
                           23-26 March 1994

Announcement

     The fourth annual conference, "Computers, Freedom, and
Privacy," will be held in Chicago, Il., March 23-26, 1994.  This
conference will be jointly sponsored by the Association for
Computing Machinery (ACM) and The John Marshall Law School. 
George B. Trubow, professor of law and director of the Center for
Informatics Law at The John Marshall Law School, is general
chairman of the conference.  

     The series began in 1991 with a conference in San
Francisco\Burlingame, and subsequent meetings took place in
Washington, D.C. and again in San Francisco\Burlingame, in
successive years.  Each conference has addressed a broad range of
issues confronting the "information society" in this era of the
computer revolution.

     The advance of computer and communications technologies
holds great promise for individuals and society.  From
conveniences for consumers and efficiencies in commerce to
improved public health and safety and increased knowledge of and
participation in government and community, these technologies 
are fundamentally transforming our environment and our lives.

     At the same time, these technologies present challenges to
the idea of a free and open society.  Personal privacy is
increasingly at risk from invasions by high-tech surveillance and
monitoring; a myriad of personal information data bases expose
private life to constant scrutiny; new forms of illegal activity
may threaten the traditional barriers between citizen and state
and present new tests of Constitutional protection; geographic
boundaries of state and nation may be recast by information
exchange that knows no boundaries as governments and economies
are caught up in global data networks.

     Computers, Freedom, and Privacy '94 will present an
assemblage of experts, advocates and interested parties from
diverse perspectives and disciplines to consider the effects on
freedom and privacy resulting from the rapid technological
advances in computer and telecommunication science.  Participants
come from fields of computer science, communications, law,
business and commerce, research, government, education, the
media, health, public advocacy and consumer affairs, and a
variety of other backgrounds. A series of pre-conference
tutorials will be offered on March 23, 1994, with the conference
program beginning on Thursday, March 24, and running through
Saturday, March 26, 1994.

     The Palmer House, a Hilton hotel located at the corner of
State Street and Washington Ave. in Chicago's "loop," and only
about a block from The John Marshall Law School buildings, will
be the conference headquarters.  Room reservations should be made
directly with the hotel, mentioning The John Marshall Law School
or "CFP'94" to get the special conference rate of $99.00, plus
tax.

                     The Palmer House Hilton
               17 E. Monroe., Chicago, Il., 60603
      Tel: 312-726-7500;  1-800-HILTONS;  Fax 312-263-2556  

Call for Papers and Program Suggestions

     The emphasis at CFP'94 will be on examining the many
potential uses of new technology and considering recommendations
for dealing with them.  Specific suggestions to harness the new
technologies so society can enjoy the benefits while avoiding
negative implications are solicited.

     Proposals are requested from anyone working on a relevant
paper, or who has an idea for a program presentation that will
demonstrate new computer or communications technology and suggest
what can be done with it.  Any proposal must:  state the title of
the paper or program; describe the theme and content in a short
paragraph; set out the credentials and experience of the author
or suggested speakers; and should not exceed two pages.  If an
already completed paper is being proposed for presentation, then
a copy should be included with the proposal.

Student Papers and Scholarships

     It is anticipated that announcement of a student writing
competition for CFP'94 will be made soon, together with
information regarding the availability of a limited number of
student scholarships for the conference.   

Timetables

     Proposals for papers and programs are being accepted at this
time.  It is intended that program committees will be finalized
by August 1, 1993.  Proposals must be received by October 1,
1993.

Communications

Conference communications should be sent to:

                             CFP'94
                    The John Marshall Law School
                       315 S. Plymouth Ct.
                        Chicago, IL 60604

(Voice: 312-987-1419; Fax: 312-427-8307; E-mail: CFP94@jmls.edu)

------------------------------

End of PRIVACY Forum Digest 02.26
************************

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH