TUCoPS :: Privacy :: priv_317.txt

Privacy Digest 3.17 9/20/94

PRIVACY Forum Digest      Tuesday, 20 September 1994      Volume 03 : Issue 17

          Moderated by Lauren Weinstein (lauren@vortex.com)
            Vortex Technology, Woodland Hills, CA, U.S.A.
	
                     ===== PRIVACY FORUM =====

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy.


CONTENTS 
	PRIVACY Forum materials now available via WWW
	   (Lauren Weinstein; PRIVACY Forum Moderator)
	Electronic signatures (Bill Hensley)
	Access surveillance (Diane Henderson)
	Some privacy notes (Phil Agre)
	Database Marketing (Mark Stalzer)
	ACTION: Fight US bills: SB 2375 & HR 4922 (Shabbir J. Safdar)
	Patient Privacy at Risk (FWD) (David Banisar)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com".  All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are available
through the Internet Gopher system via a gopher server on site
"gopher.vortex.com".  Access to PRIVACY Forum materials is also available
through the Internet World Wide Web (WWW) via the Vortex Technology WWW home
page at the URL: "http://www.vortex.com/".

For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@vortex.com, call (818) 225-2800, or FAX
to (818) 225-7203.
-----------------------------------------------------------------------------

VOLUME 03, ISSUE 17

   Quote for the day:

	"There's going to be a fire!"

		-- Young boy watching fire truck go by.
		   "Fahrenheit 451" (1966)

----------------------------------------------------------------------

Date:    Tue, 20 Sep 94 23:37 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: PRIVACY Forum materials now available via WWW

Greetings.  I'm pleased to announce that all PRIVACY Forum materials
are now available via the Internet World Wide Web (WWW).  This includes
the introductory information writeup file and all archive materials,
including papers, all back issues of the digest, and other files.
Egads, there even seems to be a picture of the moderator in the
information file--how the blazes did that get in there?

WWW access to the PRIVACY Forum materials (along with other eclectic
topics) is via the Vortex Technology home page at the URL:

	http://www.vortex.com/

--Lauren--
	
------------------------------

Date:    Sun, 4 Sep 94 00:10:30 -0500
From:    bhensley@ocdis01.tinker.af.mil (Contractor Bill Hensley)
Subject: Electronic signatures

Am item I thought might be of interest to readers of both the Privacy
and Risks forums.  Apologies in advance to dual subscribers who get it
twice.

At a local store called Service Merchanise today, my wife and I bought
a new watch band with our trusty AX card.  The clerk brought it to us
to sign on a nifty pad with attached pen.  She *dropped* it on the
counter, it landed upside down, and the the nifty pad had an FCC Class
A sticker on it.  Turns out that when you sign the two-part credit
card form, you also get your signature recorded "for our records", as
the clerk explained.  No, it was not stored, she said, but it was sent
to HQ.  We signed the credit card form without using the nifty pad.

Why get worked up about this?  There is RISK in compromise of your
signature, I would imagine.  I also feel that this is a classic case
of someone collecting and storing information about us that there is
really no reason for them to collect.  Are they planning to create a
way to compare the digitized signatures to credit card signers in real
time?  Why not wait a few years for crypo-based signatures?  Of
course, this does not even address Service collecting this information
on the sly (I think that might be for a posting to a business ethics
forum... :).

Regards,

Bill Hensley
TRW Military Electronics and Avionics Division
bhensley@ocdis01.tinker.af.mil
bhensley@oceo.trw.com

Usual disclaimers:  Not TRW's opinion, etc.

------------------------------

Date:    Tue, 6 Sep 1994 07:27:58 -0400
From:    <HENDER@fis.utoronto.ca>
Subject: Access surveillance

I hope some members of the list will be able to give us assistance
on this question.

We would like to find examples of institutional policies
relating to privacy/confidentiality issues with respect to electronic
(transaction) records created by the use of building access cards
which contain personal ID on their magnetic strip. This seems to be a
topic which has not received much attention in the literature. We are
also interested in examples of institutional policies dealing with
privacy issues related to other aspects of electronic surveillance
especially dealing with transaction records.

If your institution has such policies, we would appreciate
receiving a copy or information on how we could get a copy.

PLEASE REPLY TO ME NOT THE LIST (I am not a current subscriber).

Thanks,

Diane Henderson

Diane Henderson
Faculty of Information Studies
University of Toronto
140 St. George St.
Toronto, Ont. Canada M5S lAl
Phone (416) 978-7071
Fax   (416) 978-5762
hender@fis.utoronto.ca

	[ This topic is of general interest to PRIVACY Forum as well.
	  I'd appreciate it if persons responding to this item also
	  send copies to the Forum.  -- MODERATOR ]

------------------------------

Date: Mon, 5 Sep 1994 18:37:31 -0700
From: Phil Agre <pagre@weber.ucsd.edu>
Subject: Some privacy notes

	[ From RISKS DIGEST 16.39  -- MODERATOR ]

The September issue of *Smithsonian* magazine includes a long article on
"ubiquitous computing" research at Xerox, with some attention to the moral
issues relating to tracking and monitoring.

The 5 Sep 1994 issue of *Business Week* has a cover story on database
marketing.  Like most *Business Week* cover stories it's a superficial rehash
of items you might have seen elsewhere.  But it might be useful as a summary.

Finally, here is a wonderful quotation from a much longer article by Edwin
McDowell, ``The scrambling is on for off-season tourism'' (*The New York
Times*, 5 Sep 1994, business section, pp. 17-18) on off-season tourism
marketing:

  "Another reason for the growing success of off-season strategies is that
  "states have become a lot more sophisticated with their data bases", said
  James V. Cammisa Jr., a travel industry consultant in Miami.  "They know
  where the peaks and valleys in their tourism operations are, and they know
  how to market the off-season effectively.

  "Kentucky's data base showed that only 350,000 of the 2.5 million Canadians
  who drove through the state last year stayed overnight.

  "Our research showed that 83 percent of them come from January to 
  June, headed for Florida, South Carolina and the beaches of Alabama and
  Mississippi", said Robert Stewart, the Commissioner of Travel Development
  for Kentucky.  To entice more of them, Kentucky officials will soon hold 
  a press conference in Toronto and Canadians will be offered a card giving
  them discounts at hotels, restaurants and attractions along three of
  Kentucky's interstate highways.

  "Also for the first time, Kentucky is using direct mail to bolster anemic
  winter occupancy rates in its 15 resort parks that offer overnight
  accommodations year-round."  (page 18)

This kind of database marketing is worth thinking about in the context of
rapidly advancing proposals for thoroughgoing instrumentation of cars and
roads under the rubric of "intelligent vehicle-highway systems", particularly
given that most of the marketing organizations mentioned in the article are in
fact government agencies using commercial methods for the benefit of private
businesses.  

Phil Agre, UCSD

------------------------------

Date: Tue, 6 Sep 1994 13:44:22 +0800
From: stalzer@macaw.hrl.hac.com
Subject: Database Marketing

	[ From RISKS DIGEST 16.39  -- MODERATOR ]

The cover story of the current issue of Business Week (5 Sep 1994), a
conservative business magazine (sorry, Phil), is on Database Marketing.  The
goal of Database Marketing is to build detailed customer profiles so that a
company can target advertisements to specific customers for products and
services. This approach is highly successful: response rates are double digit
as opposed to 2%--3% for junk mail.

The data collection process starts with a customer's past purchases.  Other
sources include surveys, rebate requests, and warranty cards.  American
Express scans a customer's individual transactions to find patterns and to
suggest local places that take the card.  Many hospitals sell the names and
addresses of families with newborns.  The data is then combined with public
records, such as drivers' licenses, auto registrations, and property tax
rolls.  Ohio sold its drivers' license and car registration lists for $375,000
to TRW.  What results is a detailed profile of each customer.

The computing technology used to mine a database for prospects includes
parallel processing and neural networks. Neural nets are trained to look for
people likely to buy a product or service given the parameters in the
database, e.g.,

  what combination of income level, investment activity, and credit-card
  spending is most likely to be seen among people who are in the market for 
  mortgages?

The net is applied against each profile in a process called "drilling down."
This is a compute intensive operation and companies are starting to resort to
parallel processing or workstation clusters.  Indeed, it's estimated that a
large portion of the projected growth in commercial parallel processing, from
$400M today to $5B in 98, will be for database marketing applications.

When asked about the privacy issues, one marketer responded that the loss of
privacy is offset by the convenience to the customer of highly selective
advertising. I'll forgo the commentary and simply refer the interested reader
to the original source for more details and anecdotes.

Mark Stalzer, mas@acm.org


	[ I have a copy of a recent editorial from a direct marketing
	  industry trade publication.  The author of the piece literally
	  characterizes privacy advocates as crazy.  He lists a number
	  of examples of database matching for marketing, all of which
	  many readers of this digest would consider to be serious problems,
	  and does his best to make fun of anyone who could possibly 
	  consider them to be actual problems.  This attitude tends 
	  to reinforce the view that self-regulation of direct marketing
	  database operations may be a hopelessly naive idea.
							-- MODERATOR ]

------------------------------

Date:    11 Sep 1994 23:44:50 -0400
From:    shabbir@panix.com (Shabbir J. Safdar)
Subject: ACTION: Fight US bills: SB 2375 & HR 4922

**********************************************************
 
     DISTRIBUTE WIDELY (though no later than October 1, 1994)
 
**********************************************************
[If you've only got 2 minutes, skip down to the "What You Can Do"
 section.]

[Washington insiders say the phone calls and faxes (especially to
 Rep Jack Brooks) are starting to attract significant attention, and
 many people prophesize that the bill won't even have time to pass
 this session.  Thanks for your efforts!]

The FBI's Wiretap bills (also known as the DT - Digital Telephony bills)
mandate that *all* communications carriers must provide wiretap-ready
equipment so that the FBI can more easily implement their court-ordered
wiretaps more easily.  The costs of re-engineering all communications
equipment will be borne by the government, industry and consumers.

The bill is vague and the standards defining "wiretap ready" do not
exist.  Furthermore, the FBI has yet to make a case which demonstrates
that they have been unable to implement a wiretap.

There are fewer than 1,000 court ordered surveillances per year.  Even if
all of them are wiretaps, and even if all of them require the changes
mandated by this legisation, are we as a nation prepared to build
eavesdropping features into the phones of 250 million people, in order
to justify these wiretaps?  None of these wiretaps has been demonstrated
to be unimplementable, nor has it been proven that the cases could not
be made with other methods of electronic surveillance.

The Voters Telecomm Watch (VTW) does not believe the FBI has made a
compelling case to justify that all Americans give up their privacy.
Furthermore, the VTW does not believe the case has been made to justify
spending 500 million Federal dollars over the next 4 years to
re-engineer equipment to compromise privacy, interfere with
telecommunications privacy, and fulfill an unproven government need.


WHAT YOU CAN DO
===============
You can help stop this legislation before it is too late!
Phone/Fax/Write to each of the people below.  It should take
about two minutes a piece.


	. Rep. Jack Brooks (his Judiciary Committee must approve the bill
			    before it can be voted upon by the full House)
	  DC Phone: (202) 225-6565, TX Phone: (409) 839-2508
	  DC Fax: (202) 225-1584
	  Also try Judiciary Comm. fax at (202) 225-3951
	  US Mail: RHOB 2449, Washington DC 20515

	. Senator Patrick Leahy (the Senate sponsor of the bill)
	  DC Phone: (202) 224-4242, VT Phone: (802) 863-2525
	  DC Fax: (202) 224-3595
	  US Mail: SR 433, Washington DC 20510
	  email: senator_leahy@leahy.senate.gov

	. Rep. Don Edwards (the House sponsor of the bill)
	  DC Phone: (202) 225-3072, CA Phone: (408) 345-1711
	  DC Fax: (202) 225-9460
	  US Mail: 2307 RHOB, Washington DC 20515

	. Your two Senators

	. Your Representative

Tell them you are opposed to the FBI's Wiretap legislation.  Feel
free to use the sample communique below:

SAMPLE COMMUNIQUE
=================

   Dear __________,

   The recent Digital Telephony bills (HR 4922 & SB 2375) disturb me
   greatly.  The FBI has not yet made their case to the public that we
   need to build wiretap functionality into the telephones of 250
   million people to justify wiretaps which have not yet been proven to
   be difficult to implement.

   The bills would clearly compromise the privacy of all Americans with
   no counterbalancing benefit to either law enforcement or the public.
   The FBI has not demonstrated the need, and the cost is uncalculated,
   but is known to be at least 500 million tax dollars.

   Furthermore, the standards are undefined, as are the bodies that
   would enact these standards.

   For these reasons, I am opposed to the Digital Telephony bills
   (HR 4922 & SB 2375).

   Sincerely,

   _______________________

If you get a response from your legislator, drop us a note at
vtw@vtw.org.  We track legislator positions on privacy-related issues
such as this one.

For more information about the Digital Telephony bills, check the
Voters Telecomm Watch gopher site (gopher.panix.com) or contact Steven
Cherry, VTW Press Contact at (718) 596-2851 or stc@vtw.org.

VTW posts a Digital Telephony FAQ monthly to several Usenet newsgroups
including comp.org.cpsr.talk and comp.org.eff.talk.  Look for it or
contact us at vtw@vtw.org for a copy.


	[ In general, I am not enthusiastic about the use of "form" letters
	  to try influence legislation.  Whether or not they actually have
	  an effect through sheer bulk is of course an issue, but letters
	  which are not immediately characterized as being part of organized
	  campaigns may be more useful regardless of the cause.  Persons who
	  are in *favor* of HR 4922 & SB 2375 are of course invited to respond
	  to items such as the one above, right here in PRIVACY Forum.  A
	  discussion including all sides of complex issues is always best,
	  but depends on persons with the alternate points of view to come
	  forward.  -- MODERATOR ]

------------------------------

Date:    Tue, 20 Sep 1994 09:30:07 -0500
From:    David Banisar <cpsr@access.digex.net>
Subject: Patient Privacy at Risk (FWD)

Fwd from the Coalition for Patient Rights (CPRMA@aol.com)

                                 Alert
                          
                         Patient Privacy at Risk
                            Contact the ACLU


The ACLU appears on a list of endorsers of the Wofford/Dodd amendment
which amends one of the Senate health care reform bills.  Major
portions of W/D would have a severely adverse impact on the
confidentiality of medical records.  Although W/D has been rendered
partly obsolete as newer health care reform bills are advanced under
new names and new coalitions, many of its principal features remain
intact in the new bills.  It has become a reference point.  It is for
this reason that the signature of the ACLU on a list of endorsers of
W/D (on a document entitled "Wofford/Dodd Fact Sheet") is so
troubling and so damaging.

The amendment creates federal standards for the disclosure of
personally identifiable health care information and establishes a
framework for a national health care data network.  On the surface,
the goals seem good. Who wouldn't be for establishing strict federal
guidelines to ensure privacy where none existed before?  For that
matter, why not support a data network that would allow a treating
physician to have immediate access to all pertinent medical
information?

Clearly we have to look beyond the advertisement and into the details
of the bills for the answers to these questions.  For example, in
Sec. 508(a) of Mitchell 3 (the bill offered by the Senate majority
leader), the "health information network service" is made the agent
of the provider.  This means that once a third party bureaucratic
agency receives the information electronically, it is deemed the same
as the health care provider in making decisions about the release of
the information.  Sensitive medical information, including intimate
psychological information, would be available electronically to an
increasing number of people legally--not to mention the
well-documented risks of illegal access.  Among those with enhanced
access would be law enforcement officials and government agencies.
Even researchers could access personally identifiable health
information, if an institutional review board holds that the project
is "of sufficient importance to outweigh the intrusion into the
privacy of the person who is the subject of the information."  The
patient has no right to refuse such disclosure even though it
includes his or her name.

There are many examples of person-identified medical information,
including sensitive personal information, that have been shared with
health care providers with the expectation of privacy that would now
be legally accessible to many third parties.  The argument is made
that this kind of access already exists, so why not codify it.  The
logic is faulty.  It is true we already have serious problems
protecting the privacy of medical records in this country.  Legally
sanctioning medical access to an ever enlarging list of third parties
is not the solution.  It will only compound an already serious
problem.

A compelling argument has been made that the establishment of a
national health care data network that requires all providers to
disclose information about every patient contact would violate the
Fourth Amendment's prohibition of "unreasonable searches and
seizures" of the person.  Many organizations have raised serious
concerns about Wofford/Dodd, including the American Psychiatric
Association, the American Psychoanalytic Association, Coalition for
Patient Rights, National Organization of Women, and the AIDS Action 
Council.

We hope that the ACLU joins us in support of genuine privacy
legislation. We hope that there was an error when it appeared on a
short list of supporters of Wofford/Dodd (June 10, 1994)

Call your state chapter of the ACLU.  It is listed as Civil Liberties
Union of (your state) in the white pages.  Let them know of your
concern.If possible, also fax Laura Murphy Lee at the ACLU in
Washington (202-546-0738) and let her know your concern regarding the
position of the ACLU in supporting W/D.

This alert is provided by the Coalition for Patient Rights,
Massachusetts (617, 433-0114).

------------------------------

End of PRIVACY Forum Digest 03.17
************************

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH