TUCoPS :: Privacy :: priv_316.txt

Privacy Digest 3.16 9/3/94

PRIVACY Forum Digest      Saturday, 3 September 1994      Volume 03 : Issue 16

          Moderated by Lauren Weinstein (lauren@vortex.com)
            Vortex Technology, Woodland Hills, CA, U.S.A.
                     ===== PRIVACY FORUM =====

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy.

	Sprint's phone-card stupidity (Alan Wexelblat)
	More problems with Sprint Voice FonCard (Bob Stratton)
	Re: Medical Privacy Dilemma (Joan Eslinger)
	Re: Medical Privacy Dilemma (Chris Hibbert)
	Re: Medical Privacy Dilemma (a_rubin@dsg4.dse.beckman.com)
	EPIC Statement on FBI Wiretap Bill (Dave Banisar)
	New indecency rules proposed for all online services 
	   (Daniel J. Weitzner)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com".  All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@vortex.com, call (818) 225-2800, or FAX
to (818) 225-7203.


   Quote for the day:

	"Hey!  You can't bring a frozen guru into California!"

		-- California agricultural inspector
		   "Candy" (1968)


Date:    Mon, 15 Aug 94 10:37:40 -0400
From:    "Alan (Miburi-san) Wexelblat" <wex@media.mit.edu>
Subject: Sprint's phone-card stupidity

Sigh.  I used to post about this anonymously, but I figure since TI has
declared me persona non grata anyway I may as well tell the story in the

The Sprint phone system was designed and implemented by Texas Instruments,
initially during the time I worked for them.  (I worked for a different
division that was physically and managerially adjacent to the Sprint
implementers.)  I knew that a "voice recognition" project was underway, but
it wasn't until a big branch meeting that I saw the details of the then-
prototyped project.

The project manager put up on a big screen in the cafeteria an overhead of
the prototype card, with his SSN emblazoned on it and described the intended
system.  Apparently, the biggest complaint that Sprint thought it had was
people who couldn't/wouldn't deal with the long (14+ digit) number required
to use other phone card systems.  Their solution was to use a shorter number
which many people have already memorized (the SSN).

Needless to say, I was flabberghasted (a not-uncommon experience for me at
TI).  I pointed out to my coworkers around the table the obvious weaknesses
of the system.  They agreed.

After the meeting, I spoke to the manager personally and privately.  I
pointed out that he had just displayed enough information that any person in
the whole division who had a grudge against him would be able to really mess
his life over.  He expressed severe disbelief that this was possible, or
that anyone would do such a thing.

When I asked if there had been any review of safety or privacy concerns he
noted that I was not involved with the project, that he had over 10 years
with the company compared to my over-10 weeks, and that further questioning
would not be tolerated.

I sat at my desk for a long time after that, wondering if it was really in
me to screw up this guy's life to make a point.  Obviously it wasn't, or I
would not be posting this :)

--Alan Wexelblat, Reality Hacker, Author, and Cyberspace Bard
Media Lab - Intelligent Agents Group		wex@media.mit.edu
Voice: 617-253-9601 Page: 617-945-1842		na53607@anon.penet.fi


Date:    Tue, 16 Aug 1994 23:30:39 -0400
From:    Bob Stratton <strat@uunet.uu.net>
Subject: More problems with Sprint Voice FonCard

>>>>> "Willis H Ware"  <Willis_Ware@rand.org> writes:

    Willis> Sprint has thoughtlessly conceived the world's most
    Willis> foolish way to expose one's SSN to illcit acquisition.
    Willis> The well know schemes for stealing conventional telephone
    Willis> credit card numbers is to observe a user key-in his number
    Willis> on the public touch pad, or to listen to the user speak
    Willis> his number.  The scam is reported to be particularly
    Willis> threatening at airports, but now it will be directed at
    Willis> acquiring "SSNs for sale" rather than telephone credit
    Willis> card numbers.

I had planned on releasing this bit of information in a more dramatic
way, as was hoping to gather more information, but in light of your
comments, I'll announce my discoveries which, to thinking people,
should be the nail in the coffin of this particular "service".

I signed up for a Voice FonCard (which, incidentally, requires you to
sign up for the $5/month "Priority Gold" service), and gave them a
number that was not my SSN. I trained the voice recognition system
over several weeks, as their literature claims it becomes more attuned
to your voice the more you use it. 

I then called up a friend who happens not only to be a telephony
engineer, but also a pretty fair imitator of several voices, including
my own. He came over to my house, I handed him the card with the
number that they expect me to shout for identification, and listened
while he authenticated himself as me and was WARMLY ACCEPTED by the
system as the authorized user. 

This wasn't the really galling part. I then began calling around
Sprint to speak to someone about this travesty. Since the Voice
FonCard person wasn't in his office, I called Sprint security, knowing
that Sprint has a full-time corporate security department. When I
finally reached someone who would discuss this with me, I got the

"We never advertised that as a secure service, just a convenient one."

    Willis> ...  But then, the threat in this case is against the
    Willis> consumer, not against the telephone company for having to
    Willis> swallow the cost of fraudulent calls.

It appears to be both. Perhaps if enough customers get used as the
basis for new identities and sue Sprint, they'll catch on.

Bob Stratton					strat@uunet.uu.net
UUNET Technologies, Inc.			uunet!strat
3110 Fairview Park Dr., Suite 570		Voice) +1 703 204 8000
Falls Church, Va 22042				Fax)   +1 703 204 8001


Date:    Fri, 12 Aug 94 22:44:21 -0700
From:    Joan Eslinger <wombat@kilimanjaro.engr.sgi.com>
Subject: re: Medical Privacy Dilemma

* Date:    Wed, 27 Jul 94 09:49:18
* From:    [Name withheld]
* Here's a hypothetical situation for you.
* .....  The official then explains that, to protect
* the hospital's good name, he is prepared to release some of the patient's
* medical history as long as it is strictly off the record.
* 2. How does the paper know that the hospital is telling the truth - obviously
*    it can't check back with the patient because this would reveal that the
*    hospital has disclosed the medical records.

I don't see the "obviously" here at all. The hospital has disclosed
confidential patient information to a newspaper. The public and the
patient have a right to know that this hospital is willing to do that.

Joan Eslinger / wombat@engr.sgi.com


Date:    Sat, 13 Aug 94 10:37:34 -0700
From:    Chris Hibbert <hibbert@netcom.com>
Subject: Re: Medical Privacy Dilemma

[Name withheld] told of a patient complaining about mistreatment by a
hospital to a newspaper.  The hospital was unable to defend itself
because of patient confidentiality laws.

If I represented either the newspaper or the hospital, I would have
suggested that the patient could get the newspaper to print the story
if he is willing to waive his privacy rights in order to allow the
paper to hear the hospital's side.  The newspaper should promise that
the patient's identity would be protected.  If the patient is willing
to let editors and reporters see the confidential records, then they
will listen to both sides and decide what to print.  If the patient
isn't willing to open his records, the paper should refuse to print
unsubstantiated attacks.



Date:    Mon, 15 Aug 94 07:01:06 PST 
From:    a_rubin@dsg4.dse.beckman.com
Subject: Re: Medical Privacy Dilemma


>1. Should the hospital release the information about the patient's psychiatric
>   problems to prevent possible damage to its reputation.

Not without the patient's permission.

>2. How does the paper know that the hospital is telling the truth - obviously
>   it can't check back with the patient because this would reveal that the
>   hospital has disclosed the medical records.

Simple -- the paper should request that the patient request the hospital
release the records to the newspaper.  If the patient and hospital comply,
there's no problem -- the paper can do whatever further research is
required.  If the patient doesn't comply, the paper should probably drop the
story.  If the patient complies and the hospital does not, the paper should
CLEARLY print the story.


Date:    Sun, 22 Aug 1993 16:42:34 +0000
From:    Dave Banisar <banisar@epic.org>
Subject: EPIC Statement on FBI Wiretap Bill

	[ The complete text of the bill discussed below is now available
	  in the PRIVACY Forum archive.  To access:

	    Via Anon FTP: From site "ftp.vortex.com": /privacy/fbi-tel.2.Z
					          or: /privacy/fbi-tel.2

	    Via e-mail: Send mail to "listserv@vortex.com" with
	                the line:

			    get privacy fbi-tel.2

		        as the first text in the BODY of your message.

	    Via gopher: From the gopher server on site "gopher.vortex.com"
		in the "*** PRIVACY Forum ***" area under "fbi-tel.2".

							-- MODERATOR ]

                       *DISTRIBUTE WIDELY*

           EPIC Statement on Digital Telephony Wiretap Bill 

     The digital telephony bill recently introduced in Congress is the
culmination of a process that began more than two years ago, when the
Federal Bureau of Investigation first sought legislation to ensure its
ability to conduct electronic surveillance through mandated design
changes in the nation's information infrastructure.  We have monitored
that process closely and have scrutinized the FBI's claims that
remedial legislation is necessary.  We have sponsored conferences at
which the need for legislation was debated with the participation of
the law enforcement community, the telecommunications industry and
privacy advocates.  We have sought the disclosure of all relevant
information through a series of requests under the Freedom of
Information Act.  Having thus examined the issue, EPIC remains
unconvinced of the necessity or advisability of the pending bill.

     As a threshold matter, we do not believe that a compelling case
has been made that new communications technologies hamper the ability
of law enforcement agencies to execute court orders for electronic
surveillance. For more than two years, we have sought the public
disclosure of any FBI records that might document such a problem.  To
date, no such documentation has been released.  Without public scrutiny
of factual information on the nature and extent of the alleged
technological impediments to surveillance, the FBI's claims remain
anecdotal and speculative.  Indeed, the telecommunications industry
has consistently maintained that it is unaware of any instances in
which a communications carrier has been unable to comply with law
enforcement's requirements.  Under these circumstances, the nation
should not embark upon a costly and potentially dangerous re-design of
its telecommunications network solely to protect the viability of fewer
than 1000 annual surveillances against wholly speculative impediments.

     We also believe that the proposed legislation would establish a
dangerous precedent for the future.  While the FBI claims that the
legislation would not enhance its surveillance powers beyond those
contained in existing law, the pending bill represents a fundamental
change in the law's approach to electronic surveillance and police
powers generally.  The legislation would, for the first time, mandate
that our means of communications must be designed to facilitate
government interception.  While we as a society have always recognized
law enforcement's need to obtain investigative information upon
presentation of a judicial warrant, we have never accepted the notion
that the success of such a search must be guaranteed.  By mandating the
success of police searches through the re-design of the telephone
network, the proposed legislation breaks troubling new ground.  The
principle underlying the bill could easily be applied to all emerging
information technologies and be incorporated into the design of the
National Information Infrastructure.  It could also lead to the
prohibition of encryption techniques other than government-designed
"key escrow" or "Clipper" type systems.

     In short, EPIC believes that the proposed digital telephony bill
raises substantial civil liberties and privacy concerns.  The present
need for the legislation has not been established and its future
implications are frightening.  We therefore call upon all concerned
individuals and organizations to express their views on the legislation
to their Congressional representatives.  We also urge you to contact
Rep. Jack Brooks, Chairman of the House Judiciary Committee, to share
your opinions:

     Rep. Jack Brooks
     Chair, House Judiciary Committee
     2138 Rayburn House Office Bldg.
     Washington, DC 20515
     (202) 225-3951 (voice)
     (202) 225-1958 (fax)

The bill number is H.R. 4922 in the House and S. 2375 in the Senate.  It can 
be referred to as the "FBI Wiretap Bill" in correspondence.

Electronic Privacy Information Center 
666 Pennsylvania Avenue, S.E. 
Suite 301 Washington, DC 20003 
(202) 544-9240 (voice) 
(202) 547-5482 (fax) 

EPIC is a project of the Fund for Constitutional Government and Computer 
Professionals for Social Responsibility.

	[ The PRIVACY Forum also received a mailing from Voter's
	  Telecommunications Watch (VTW) with arguments against the
	  bill, their detailed suggestions for people who wish to oppose
	  the bill, press releases, and other data.  They can be reached at:

		Voice mail:             (718) 596-2851
		General questions:      vtw@vtw.org
		Mailing List Requests:  vtw-list-request@vtw.org
		Press Contact:          stc@vtw.org
		Gopher URL:             gopher://gopher.panix.com:70/11/vtw

	  Interested readers should contact them directly for information.

						-- MODERATOR ]


Date: Thu, 25 Aug 1994 14:32:40 -0600
From: djw@eff.org (Daniel J. Weitzner)
Subject: New indecency rules proposed for all online services 

(900#s in cyberspace)

I.      Overview

        During the final hours before the Senate telecommunications bill
(S.1822) was marked-up by the Senate Commerce Committee, a provision was added
which would expand the current FCC regulation on obscene and indecent
audiotext (900 number) services to virtually all electronic information
services, including commercial online service providers, the Internet, and BBS
operators.  This proposal, introduced by Senator Exon, would require all
information service providers and all other electronic communication service
providers, to take steps to assure that minors do not have access to obscene
or indecent material through the services offered by the service provider.

       Placing the onus, and criminal liability, on the carrier, as opposed to
the originator of the content, threatens to limit the free flow of all kinds
of information in the online world.  If carriers are operating under the
threat of criminal liability for all of the content on their services, they
will be forced to pre-screen all messages and limit both the privacy and free
expression of the users of these services.  Senator Exon's amendment raises
fundamental questions about the locus on liability for harm done from content
in new digital communications media.  These questions must be discussed in a
way that assures the free flow of information and holds content originators
responsible for their actions.

II.     Summary of Exon Amendment

       The Exon amendment which is now part of S.1822, expands section of the
Communications Act to cover anyone who "makes, transmits, or otherwise makes
available" obscene or indecent communication.  It makes no distinction between
those entities which transmit the communications from those which create,
process, or use the communication.  This section of the Communications Act was
originally intended to criminalize harassment accomplished over interstate
telephone lines, and to require telephone companies that offer indecent 900
number services to prevent minors from having access to such services.  The
900 number portions are known as the Helms Amendments, having been championed
by Senator Jesse Helms.  These sections have been the subject of extension
constitutional litigation.

       If enacted into law, these amendments would require that anyone who
"makes, transmits, or otherwise makes available" indecent communication take
prescribed steps to assure that minors are prevented from having access to
these communications.  In the case of 900 numbers, acceptable procedures
include written verification of a subscriber's age, payment by credit card, or
use of a scrambling device given to the subscriber after having verified his
or her age.  Failure to do so would result in up to a $100,000 fine or up to
two years imprisonment.

III.    Carrier Liability and Threats to the Free Flow of Information

       These provisions raise serious First Amendment concerns.  (Note that we
use the term 'carrier' here to refer to a wide range of information and
communication service providers.  This does not suggest that these entities
are, or should be, common carriers in the traditional sense of the term.)

       Overbroad carrier liability forces carriers to stifle the free flow of
information on their systems and to act as private censors

       If carriers are responsible for the content of all information and
communication on their systems, then they will be forced to attempt to screen
all content before it is allowed to enter the system.  In many cases, this
would be simply impossible.  But even where it is possible, such pre-screening
can severely limit the diversity and free flow of information in the online
world.  To be sure, some system operators will want to offer services that
pre-screen content.  However, if all systems were forced to do so, the
usefulness of digital media as communication and information dissemination
systems would be drastically limited.  Where possible, we must avoid legal
structures which force those who merely carry messages to screen their

       Carriers are often legally prohibited from screening messages

       In fact, under the Electronic Communications Privacy Act of 1986,
electronic communication service providers are generally prohibited from
examining the contents of messages or information carrier from one subscriber
to another.

       Extension of the 900 number rules to all electronic information
services may be unconstitutional

       The regulation of indecent 900 number programming was only accomplished
after nearly a decade of constitutional litigation, with rules being
overturned by the Supreme Court.  The regulations were finally found
constitutional only after being substantially narrowed to meet First Amendment
scrutiny.  Since the access methods offered by online service providers are
significantly different than simple telephone access to 900 services, we doubt
that the same constitutional justifications would support the newly expanded
rules.  This issue requires considerable study and analysis.

       Content creators, or those who represent the content as their own,
should be responsible for liability arising out of the content

       In sum, it should be content originators, not carriers, who are
responsible for their content.  Any other approach will stifle the free flow
of information in the new digital media.

IV.     Next Steps

       Having only just received the language offered by Senator Exon, EFF
still needs to do further analysis, and consult with others in the online
community.  We also hope to speak with Senator Exon's staff to understand
their intent.  Another important hearing will be held on S.1822 in
mid-September by the Senate Judiciary Committee.  By that time, we hope to
have this issue resolved.  While we agree that these carrier liability
problems are in need of Congressional consideration, we do not believe that
the time is ripe to act.  Before any action is taken, hearings must be held
and careful evaluation of all the issues, not just indecency, must be

Daniel J. Weitzner, Deputy Policy Director, Electronic Frontier Foundation,
1001 G St. NW Suite 950 East, Washington, DC 20001 +1 202-347-5400(v)

	[ It appears that efforts to restrict electronic distribution of
	  information to minors is being expanded to include both
	  obscene/indecent materials and other information that could be
	  deemed to be hazardous in other ways.  This is being driven by
	  recent events where minors injured themselves after constructing
	  devices based on information from books which had been transcribed
	  onto BBS systems.

	  There are some interesting fundamental questions in this area,
	  that are worthy of discussion and debate.  To what extent does the
	  operator of an electronic distribution system have the same or
	  different responsibilities from that of, for example, a mail-order
	  book distributor?  Can or should the models applied to control of
	  magazines and books (where such controls are present) be applied
	  to electronic information systems which may have millions of
	  individuals submitting information for distribution, with various
	  levels of editorial control ranging from none to quite significant?

	  Are these issues subject to relatively "simple" legislative
	  fixes?  Or will the technology and topologies of these new
	  information systems require a more fundamental shift in 
	  perspective to achieve the desired balances?

	  Comments?   -- MODERATOR ]

End of PRIVACY Forum Digest 03.16

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH