TUCoPS :: Privacy :: priv_412.txt

Privacy Digest 4.12 6/2/95

PRIVACY Forum Digest     Friday, 2 June 1995     Volume 04 : Issue 12

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
	
                       ===== PRIVACY FORUM =====              

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy,
     		     and the Data Services Division 
	           of MCI Communications Corporation.

	     **********************************************
    	     * PRIVACY Forum Three Year Anniversary Issue *
	     **********************************************

CONTENTS 
	Thermal Imagery Used To Search Homes (A. Padgett Peterson)
	Re: Privacy, cellular telephones, and 911 (Jay Ashworth)
	Re: Family Privacy Protection Act (Robert Gellman)
	Paper of potential interest (Alan Wexelblat)
	ACLU's Analysis of Revised Exon (ACLUNATL@aol.com)
	Comments on California Digital Signature Bill (Phil Karn)
	Positioning potential of CDMA cellular (Phil Karn)
	Why can't I see Equifax medical records? (G. Martin)
	Telecom (NON)-Privacy at Ameritech
           (Lauren Weinstein; PRIVACY Forum Moderator)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are available
through the Internet Gopher system via a gopher server on site
"gopher.vortex.com".  Access to PRIVACY Forum materials is also available
through the Internet World Wide Web (WWW) via the Vortex Technology WWW 
server at the URL: "http://www.vortex.com".
-----------------------------------------------------------------------------

VOLUME 04, ISSUE 12

   Quote for the day:

	"I don't care *what* these computers say!"

			-- Mr. Cramden (Lee J. Cobb)
			   "Our Man Flint" (1966)

----------------------------------------------------------------------

Date:    Sat, 20 May 95 09:21:13 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson,
	 P.E. Information Security)
Subject: Thermal Imagery Used To Search Homes

From:    hingson@teleport.com
>I am a criminal defense lawyer.  I am litigating the issue of whether the
>use of a thermal imaging device on a home to detect heat emissions
>constitutes a "search" under the Fourth Amendment. 

Obviously this guy will not use but IMNSHO, thermal imagery via heat
emissions is just that: analysis of emissions which radiate. If the
analysis is done from off the property then it is no more an invasion
than what a sighted person sees or a passerby who is not "audibly challenged"
hears.

Further, while there might be an "expectation" of privacy, if based on 
ignorance, is that a "right" or merely a "failure to use due care"?

Consider a cordless telphone conversation. A ham tuning across the bands
has two obligations:
1) not to listen
2) if discussion of a crime is heard, to report it

Do these two obligations conflict?

To me (am an engineer, not a lawyer), the question is of "illegal search and
seizure" is one of property rights. At what point does an emanation, be it
aural, visible, thermal, or RF cease to be "property"?  Was it ever? To me,
if something is to be kept private, or even to be considered private, there
must be some action taken to ensure that privacy and ignorance of the
possibility of listening in would not seem to be an excuse. Rights must be
asserted and protected.

If one is walking down a street and overhears a conversation through a
window, is that "search"? If I need my hearing aids to do so, is that
different?  If using my hearing aids I detect a passenger on an airplane
using a computer in violation of regs, is that? (Computers have a
characteristic whine when I am set to inductive pickup - assuming of course
that I could hear it though all that 400 hz noise).

The question being, if the average person is deaf/blind/stupid to a certain
portion of the spectrum, do they have the "right" to expect that everyone is?

When in the jungle, adversaries more frequently that ever mentioned could be
detected by their specifically bad breath (was different from Amurrcn bad
breath) and is something a non-smoker often just has to live with today -
personally am not a militant non-smoker, believe people may commit suicide
if they want, but can detect the habit from several feet away. Do know that
smokers do not realize how bad they smell to nons. 

The relevant part: is *that* an invasion? If a person with "that smell" 
applies for a non-smoker's insurance policy, would the agent have performed
an "illegal search" if the policy were rejected or further examination 
required for that reason?

So no, I do not think that detection of radiant energy is an illegal search
any more than listening to speech through a window from a sidewalk is so
long as trespass is not required to do so. Impolite maybe, but not illegal.
To me "freedom of speech" and "freedom of assembly" must imply "freedom to
listen" and those are "rights" in this country.

					Warmly,
						Padgett

usual disclaimers apply

------------------------------

Date:    Sat, 20 May 1995 15:23:08 -0400
From:    jra@IntNet.net (Jay Ashworth)
Subject: Re: Privacy, cellular telephones, and 911

Jerry Leichter <leichter@lrw.com> writes, in #4/11:
> There are technical arguments about whether the FCC's proposed 150 meter
> resolution can be achieved without changes to cellphones - it's probably
> pretty easy in a microcell system - and both industry and the FCC agree that
> if it can't be achieved, it'll be the FCC that backs off.  (Even if the FCC
> *didn't* agree, there's no way Congress would let the FCC impose that kind of
> cost on "consumers" - or industry, which in the end would come down to the
> same thing.)

Unfortunately, I'm forced to say that this doesn't at all seem unlikely.
After all, just this year we seen the Congress pass Digital Telephony,
which "imposes that kind of cost"--I don't personally consider $500M small
change, how about you?--on industry, or consumers, which amounts to the
same thing.

And the cost here would be orders of magnitude greater.

Putting a GPS receiver in _every_ phone?  C'mon...

Cheers,
-- jra

------------------------------

Date:    Sun, 21 May 1995 22:32:44 -0400 (EDT)
From:    Robert Gellman <rgellman@cais.cais.com>
Subject: Re: Family Privacy Protection Act

   On Fri, 19 May 1995, Faye Hsini Ku <fayeku@uclink3.berkeley.edu>
   asked this about the Family Protection Act of 1995:

> It seems to me that the Family Protection Act of 1995 (H.R. 1271) would 
> limit any type of counseling or guidance that is offered outside of the 
> family setting to teens that are becoming sexually active.  That would be 
> a grave mistake, because we would be restricting our ability to take 
> preventative measures and thus have to rely on correctional ones.  Why 
> should we wait until a problem has happened to deal with it?
 
    The Act has its problems, but this is not one of them.  The act 
applies to federally funded surveys and questionnaires.  It does not 
apply to counseling.  And to make it clear, the Act includes an exception 
for good faith inquiries made out of concern for the health, safety, or 
welfare of an INDIVIDUAL.  If the concern is focused on a specific 
individual, then there should not be a problem.  The language of the bill 
is inartfully drafted, but the intent is mostly clear.

Bob Gellman   rgellman@cais.com

------------------------------

Date:    Wed, 24 May 95 09:59:10 -0400
From:    "Alan (Trainable Ant) Wexelblat" <wex@media.mit.edu>
Subject: paper of potential interest

I wrote a paper, titled "Why is the NII Like a Prison?"  It is based on
issues raised by a book called "The Panoptic Sort" by Oscar Gandy and deals
with personal information privacy in the present and near-future in a
tele-capitalist society.  The paper is available at:
	http://wex.www.media.mit.edu/people/wex/panoptic-paper.html

A paper version can be made, but the on-line one is richly linked to
relevant net resources, so I recommend you read it with your Web browser.

I welcome comments and feedback; my email address is in a mailto: link at
the top of the paper.

------------------------------

Date:    Thu, 25 May 1995 16:49:42 -0400
From:    ACLUNATL@aol.com
Subject: ACLU's Analysis of Revised Exon

ACLU Cyber-Liberties Analysis:
Revised Exon Amendment
May 25, 1995

The American Civil Liberties Union has previously expressed its strong
opposition to the "Communications Decency Act," introduced by Senator Exon as
S. 314 and adopted by the Senate Commerce Committee as an amendment to the
Telecommunications Competition and Deregulation Act of 1995.

Yesterday, we obtained a revised version of the Exon Amendment, which was
apparently written by members of Senator Exon's staff in consultation with
representatives of online service providers, the Department of Justice, and
pro-censorship lobbying groups.  The following analysis presents the ACLU's
objections to the revised draft and clarifies the ACLU's continuing concern
that the Exon amendment, in its existing or revised form, violates both free
speech and privacy rights.

I. Interactive Cyberspace Must Not Be Constricted by Old Media Models

The most fundamental flaw of the revised Exon amendment is that it still
wrongly attempts to force the new interactive environment of cyberspace and
online services into the censorship straitjacket foisted on old media.  In
fact, the Exon amendment even uses as its model the most restrictive of the
old media.  

This is wrong-headed policy. It is also a violation of the Free Speech and
Privacy guarantees of the Constitution and therefore unconstitutional.

The Exon amendment would make the interactive environment one of the most
censored segments of communications media when logic dictates that
cyberspace, with its emphasis on user-choice and user-control, should make it
the least censored.  At a minimum, the extremely limited rules of
content-regulation for print media, and the safeguards against censorship for
print materials, should be applied to online communications.  The ACLU,
moreover, believes that the characteristics of cyberspace, including the
private and interactive nature of the communication, dictates that cyberspace
should be even more free than print.

We stress that there is no revision of the Exon amendment -- no tinkering of
its censorship provisions -- that eliminates this problem.  The Exon
amendment cannot be "fixed."  It must be rejected.

II.  The Exon Amendment Would Still Restrict Online Communications to Those
Appropriate for Children   

Section (d) of the revised Exon amendment would still unconstitutionally
restrict all online content to that which is suitable for children.

Even under existing case law, non-obscene speech that is deemed "indecent" is
protected by the First Amendment.  _Sable Communications v. FCC_, 492 U.S.
115 (1989).  The Government may only regulate indecent speech if it
establishes a compelling governmental interest in the regulation AND narrowly
tailors the restriction to achieve that interest.  _Id._ at 125.  See also
_Pacifica Foundation v. FCC_, 438 U.S. 726 (1978); _Carlin Communications v.
FCC_, 749 F.2d 113 (2d Cir. 1984) (Carlin I); _Carlin Communications v. FCC_,
787 F.2d 846 (2d Cir. 1986) (Carlin II); _Dial Information Services v.
Thornburg_, 938 F.2d 1535 (2d Cir. 1991).

Indeed, much of what consenting adults prize about some of their personal
communications could well be deemed by outsiders as "indecent" if addressed
to a child. 

The revised draft, like the original Exon amendment, is unconstitutional
because requiring users and content providers to reduce their content to what
is suitable for children is not the least restrictive means for protecting
minors from indecent material.  The "justifications" for regulation of
indecency in broadcasting and telephone audiotext services do not apply to
interactive communications, in which users - including parents - have much
more control over the content of the messages they receive.  We are also
prepared to argue that the "justifications" asserted for censorship in any of
the old media, including print, do not apply to cyberspace.

III. Some Specific Problems in the Revised Exon Draft

Again, the ACLU strongly believes that the anti-cyberliberty Exon amendment
cannot be "fixed."  It needs to be defeated.  So, even if all of these
specific problems were solved, the Exon amendment would still be a terrible
idea.  Still, it may be useful to consider briefly some of the specific
problems in the revised Exon draft.

     *Revised section (d) outlaws the online transmission of obscene
materials without defining "obscenity."  Using the test for obscenity
articulated in Miller v. California, 413 U.S. 1 (1973), the federal
government has chosen to stage prosecutions of online obscenity cases in
conservative jurisdictions in order to take advantage of more restrictive
"community standards."  See Thomas v. United States, U.S. Court of Appeals
for the Sixth Circuit, No. 94-6648 and No. 94-6649.  This trend poses a
severe threat that online users and providers will be forced to reduce
content to that which would be acceptable under the "community standards" of
the most conservative jurisdiction.  The ACLU has filed an amicus brief in
the Thomas case strongly opposing the government's misuse of the censorship
laws.  

     *Revised sections (d) and (e) extend liability for transmission of
obscene or indecent communications to non-commercial in addition to
commercial providers.  This change would render the revised draft more
restrictive of free speech than the original Exon amendment.

     *While revised section (f) provides some defenses for online service
providers, these defenses place smaller system operators at risk because they
cannot afford to assert the defenses in court.  Moreover, the defenses are
incomplete and many larger service providers would likely find themselves in
jeopardy at the hands of prosecutors motivated by the political advantages of
currying favor with certain pro-censorship groups.

     *Revised section (f)(2) fails to protect providers who cede editorial
control to an entity "which the defendant knows or had reason to know intends
to engage in conduct that is likely to violate this section."  This could
pose serious problems for Internet providers that may have "reason to know"
that certain sites are likely to contain communications deemed to be obscene
or indecent.

     *Revised section (f)(3) gives the Federal Communications Commission the
power to issue regulations regarding methods in which providers may restrict
access in order to avoid liability. Giving federal regulators the authority
to determine the rules for distributing online content will radically affect
the freedom of cyberspace and will have a severe direct effect and an equally
severe chilling effect on online
speech.

     *Revised section (f)(4) could still make it impossible for users or
content providers to remedy a violation of rights by an online service
provider if the service claimed it was attempting to comply with the Exon
amendment.

Conclusion

The revised Exon draft continues to subject an industry that has blossomed
without government control to an unprecedented amount of interference and
intrusion over content.  It gravely threatens the free flow of information
and the diversity of content transmitted over online networks.

To achieve the liberating potential of the information superhighway, Congress
must ensure that interactive technologies enhance rather than stifle
democratic values.  

The American Civil Liberties Union therefore opposes the Exon amendment, both
in its original form and as revised.

------------------------------

Date:    Sun, 28 May 1995 01:56:34 -0700
From:    Phil Karn <karn@unix.ka9q.ampr.org>
Subject: Comments on California Digital Signature Bill

I only just read this item in the May 5 Privacy Digest, so I don't know
if anyone else has already commented on this, but here goes.

It seems to me that the authors of that bill, while well-meaning, do
not fully grok public key cryptography.

One of public key's underappreciated benefits is the elimination of
the need for big centralized databases of users, such as the one
proposed in this bill.  Once a certification authority is sufficiently
convinced of a key's authenticity, the resulting certificate can be
given to the user without having to record it in a central database.

Since a user cannot tamper with his own certificate without being
detected, there's no problem with letting him convey it to anyone who
needs it to check a signature. If the party checking the signature
already has the public key of the certifying authority -- which can be
widely published -- then he has everything he needs to verify the
signature without reference to any centralized databases.

This lets the users reserve the right to give out their certificates
only on a need-to-know basis.

There will, of course, still be the problem of businesses collecting
and reselling their customers' certificates, much as they do now with
mailing lists and purchasing records. The only countermeasure I can
think of is to maintain a large list of pseudonymous certificates, one
for each business.

Phil

------------------------------

Date:    Tue, 30 May 1995 10:25:05 -0700
From:    Phil Karn <karn@unix.ka9q.ampr.org>
Subject: Positioning potential of CDMA cellular

The recent discussion on tracking cell phones has not considered the
potential of the new cellular technologies currently being developed.
Specifically, Qualcomm's CDMA.
 
IS-95 CDMA uses spread spectrum with a bandwidth of 1.25 MHz. This is
comparable to the bandwidth of the GPS C/A (Clear Access or Coarse
Acquisition) code available for civilian use. In fact, IS-95 uses GPS
to synchronize the spreading sequences in each cell to make "soft
handoffs" work.
 
IS-95 CDMA was not designed with positioning in mind. In fact it would
have to be modified quite a bit to provide positioning with any degree
of reliability. Simple round-trip timing measurements from the serving
cell can be done now, but this only locates the user somewhere on a
circle centered on the cell. Resolving this ambiguity requires
simultaneous communications with multiple cells, such as simultaneous
round trip delay measurements by several cells to form intersecting
circles of position, and/or mobile reports of the time offsets
observed between the pilots of multiple cells to form hyperbolae of
position.
 
At present, the ability to make these observations occurs only in a
handoff situation; a mobile near one cell can only communicate with
that cell because of the near-far problem (but then again, his circle
of position would be that much smaller).
 
The potential is certainly there, though.

Phil

------------------------------

Date:    Tue, 30 May 1995 23:34:27 -0400 (EDT)
From:    G Martin <gmartin@freenet.columbus.oh.us>
Subject: Why can't I see Equifax medical records?

We recently received notice that interest on our charge card was going
from 17% to 24%.  A form enclosed with the notice said something
interesting that I'm hoping some of you can help us to understand.  Here
is an exceprt from what it said:

This change for your Account was based in whole or in part on information
obtained in a report from the consumer credit reporting agency listed
below.  You have a right under the Fair Credit Reporting Act to know the
information contained in your credit file at that agency.  The reporting
agency played no part in our decision and is unable to supply specific
reasons why we made this change to your Account.

  Equifax Creidt Information Services
  P.O. Box 105873
  Atlanta, GA  30348
  1-800-685-1111

You have the right to a full disclosure of the nature and substance of all
information (except medical) in the agency's files.  Should you desire to
obtain additional information pertaining to this file, please contact the
consumer credit reporting agency directly.

I have a few questions/concerns about this:

1.  Why won't Equifax let me see my medical files?  If all the information
    they have was obtained by signed medical releases why should they be
    concerned about whether or not I see it?

2.  Does this imply that my credit card company is also getting copies of
    my medical records?  I thought they only were concerned with financial
    records?

3.  I heard once that places like Equifax try to predict who will be good
    credit risks based on info they have on file about people.  I heard that
    they create a report that you aren't allowed to see about yourself that
    they share with potential creditors.  Is our credit card company being
    somewhat misleading when they say Equifax had nothing to do with the
    decision to jack up our interest rates?

4.  Is there any pending legislation that would force Equifax to give full
    disclosure of ALL information they have about me to me, including medical?

Thanks.

------------------------------

Date: Wed, 31 May 95 01:52 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Telecom (NON)-Privacy at Ameritech

Greetings.  In a recent issue of the TELECOM digest, it was reported that
Ameritech now allows anyone to obtain bill payment information for any
Ameritech line (unless blocked by specific subscriber request)--a true
bonanza for snoops in general and for folks trolling for big bill customers
to target for marketing.

Obviously, this is a terrible policy.  It is unfortunately not
a unique situation.  Ameritech's explanation (as reported in TELECOM)
has been spouted by numerous other utilities, banks, and other
entities.  If a subscriber complains, they are frequently told that
"hardly anyone else has complained about the system".  If 1000 people
complain, they may each individually be told that they're essentially
the "lone wolf".  

It is also common for these entities to say that they're just trying
to make things easier for their customers.  This is the logic used
for simple passcodes (e.g. zipcode, which anyone can determine),
ill-advised passcodes (e.g. use of the SS#), or as in the case
of Ameritech, no passcode at all.

It is unfortunately nearly always the case that "most" people won't 
complain about such a system until something happens that impacts them
negatively as a result of the poor security on the system.  The entities
with these poor security policies are simply trading off the hassles
and disruptions caused to subscribers about whom information from
the system is misused, against having to deal with callers who
can't remember their passcode.

The "solution" is obvious.  Ameritech should return to a "random"
passcode system, and allow customers who have a problem remembering
the code to either choose something simple ("0000") or opt for
no code at all.  But such a choice of no security should be made by the
individual customer--to make it the default condition for all customers
is very bad policy.

Experience has shown that the only effective way to deal with these types of
situations is to complain loudly to the highest level you can reach.  In the
case of Ameritech, complaints (and suggestions for "fixing" the problem, as
mentioned above) should be made to the billing supervisor level at
least--better yet, speak to the managers.  And while it means taking the
time to put it down in written form, letters to state PUCs are *extremely*
important with such matters.  

I'm sure there are just a *few* Ameritech subscribers reading this
now.  If each of you expressed your opinion (one way or another) 
to the PUC and Ameritech regarding their system, I suspect you could
have considerable impact.

--Lauren--

------------------------------

End of PRIVACY Forum Digest 04.12
************************

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH