Privacy Digest 4.17 8/6/95

PRIVACY Forum Digest     Sunday, 6 August 1995     Volume 04 : Issue 17

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                       ===== PRIVACY FORUM =====              

   	  The PRIVACY Forum digest is supported in part by the 
	      ACM Committee on Computers and Public Policy,
     		     and the Data Services Division 
	           of MCI Communications Corporation.

	Cameras at work?? Illegal? (Michael Kosmatka)
	Warning on Using Win95 (jbreyer@accel.com)
	Total surveillance on the highway (Phil Agre)
	House Adopts Exon-Like Speech Crimes, Also Adopts Cox/Wyden Amendment
	New InterNIC Domain Dispute Policy (Mark Kosters)
	EC Adopts Privacy Directive (Marc Rotenberg)
	Conferences/Events of Interest to CPSR (Susan Evoy)
	IEEE Symp. on Security and Privacy - Call for papers 
	   (Mary Ellen Zurko)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are available
through the Internet Gopher system via a gopher server on site
"gopher.vortex.com".  Access to PRIVACY Forum materials is also available
through the Internet World Wide Web (WWW) via the Vortex Technology WWW 
server at the URL: "http://www.vortex.com".


   Quote for the day:

	"Add a phone!
	 Add a lot to living.
	 Add new excitement to your home!

	 Add a phone!
	 Add a lot to living.
	 Add an extension telephone!"

		-- Song from a 1950's era telephone 
		   company promotional film/commercial


Date:    Tue, 25 Jul 1995 23:51:29 -0700
From:    mkismat@teleport.com (Michael Kosmatka)
Subject: Cameras at work?? Illegal?

Hello there.  To begin my story I need to give you a quick background. I
work at a grocery store in Portland, Oregon. Being a high volume store they
are always concerned about theft from customers as well as staff. Recently a
few people were caught drinking brew in the back cooler. After their
termination the owners and managers of the store decided to install a
concealed surveillance camera. They are able to monitor wherever they put
the cameras, but they don't inform us that there is a presence of a
surveillance system.  I was always under the impression that to install such
a system a corporation or company had to inform individuals that it was
there, i.e.  signs...?

My question is this...
Is this illegal to install surveillance without notice?
        -would it be considered a violation of my rights?
        -do signs need to be posted?
If it is where can I get more information on this topic?
        -if so does it only apply to certain states?

Any help on this would be greatly appreciated.

Thank you,

Michael Kosmatka


Date:	 6/26/95 8:44 PM
From:	 jbreyer@accel.com
Subject: Warning on Using Win95 [Update on RISKS-17.13 item]

Believe it or not, this is not Net humor but serious.  It would otherwise
be outstanding satire!

Subject: Windows 95 Warning on comp.risks [RISKS-17.13], in Information Week

Microsoft officials confirm that beta versions of Windows 95 include a small
viral routine called Registration Wizard.  It interrogates every system on a
network gathering intelligence on what software is being run on which
machine.  It then creates a complete listing of both Microsoft's and
competitors' products by machine, which it reports to Microsoft when
customers sign up for Microsoft's Network Services, due for launch later
this year.

"In Short" column, page 88, _Information Week_ magazine, May 22, 1995. 
The implications of this action, and the attitude of Microsoft to plan such
action, beggars the imagination.

An update on this. A friend of mine got hold of the beta test CD of Win95,
and set up a packet sniffer between his serial port and the modem. When you
try out the free demo time on The Microsoft Network, it transmits your
entire directory structure in background.

This means that they have a list of every directory (and, potentially every
file) on your machine. It would not be difficult to have something like a
FileRequest from your system to theirs, without you knowing about it. This
way they could get ahold of any juicy routines you've written yourself and
claim them as their own if you don't have them copyrighted.

Needless to say, I'm rather annoyed about this.
So spread the word as far and wide as possible: Steer clear of Windows 95.

There's nothing to say that this "feature" will be removed in the final 

	[ It seems quite unlikely that Microsoft has implemented such a
	  system to steal people's code.  However, the whole issue of
	  collecting and uploading system configuration and filesystem
	  information at that level of detail is quite disturbing, to say
	  the least.  When some of these issues were first raised, Microsoft
	  (or at least, a person at Microsoft) claimed that users would be
	  queried as to whether or not they wished to upload
	  configuration information (however that might be defined) during
	  signup.  I haven't heard whether or not this query has been placed
	  in production versions of Win95, and if so how the question is

	  Perhaps more importantly, I have yet to see any statements from
	  Microsoft about how such information will be *used*.  Is such an
	  upload of detailed configuration information and installed
	  product lists really needed for Microsoft to provide technical
	  support for their online network?  Are users clearly told about
	  the full scope of information that will be uploaded?  Are there any
	  assurances that the info won't be used for other (e.g. marketing)

	  It's small wonder that so many firms have become concerned over
	  the bundling of Microsoft online access features into Win95 when
	  so much important information could (according to the reports being
	  cited) be uploaded with no apparent controls over how such data
	  will be used (there are other reasons for concern about such
	  bundling as well, of course).

	  A definitive statement regarding these important issues by Microsoft
	  would be most welcome.  -- MODERATOR ]


Date:    Tue, 1 Aug 1995 17:51:20 -0700
From:    Phil Agre <pagre@weber.ucsd.edu>
Subject: total surveillance on the highway

A controversy is growing around the failure of "Intelligent Transportation
System" programs in the United States to exercise any leadership in the
adoption of technologies for privacy protection.  As deployment of these
systems accelerates, some of the transportation authorities have begun to
recognize the advantages of anonymous toll collection technologies.  For
example, if you don't have any individually identifiable records then you
won't have to respond to a flood of subpoenas for them.  Many, however, have
not seen the point of protecting privacy, and some have expressed an active
hostility to privacy concerns, claiming that only a few fanatics care so
much about privacy that they will decline to participate in surveillance-
oriented systems.  That may in fact be true, for the same reason that only
a few fanatics refuse to use credit cards.  But that does not change the
advantages to nearly everyone of using anonymous technologies wherever they

Let me report two developments, one bright and one dark.  On the bright
side, at least one company is marketing anonymous systems for automatic
toll collection in the United States: AT/Comm Incorporated, America's Cup
Building, Little Harbor, Marblehead MA 01945; phone (617) 631-1721, fax -9721.
Their pitch is that decentralized systems reduce both privacy invasions and
the hassles associated with keeping sensitive records on individual travel
patterns.  Another company has conducted highway-speed trials of an automatic
toll-collection mechanism based on David Chaum's digital cash technology:
Amtech Systems Corporation, 17304 Preston Road, Building E-100, Dallas
TX 75252; phone: (214) 733-6600, fax -6699.  Because of the total lack of
leadership on this issue at the national level, though, individuals need
to do what they can to encourage local transportation authorities to use
technologies of anonymity.  It's not that hard: call up your local state
Department of Transportation or regional transportation authority, ask
to talk to the expert on automatic toll collection, find out what their
plans are in that area, and ask whether they are planning to use anonymous
technologies.  Then call up the local newspaper, ask to talk to the reporter
who covers technology and privacy issues, and tell them what you've learned.

On the dark side, here is a quotation from a report prepared for the State of
Washington's Department of Transportation by a nationally prominent consulting
firm called JHK & Associates (page 6-9):

  Cellular Phone Probes.  Cellular phones can be part of the backbone of a
  region-wide surveillance system.  By distributing sensors (receivers) at
  multiple sites (such as cellular telephone mast sites), IVHS technology
  can employ direction finding to locate phones and to identify vehicles
  where appropriate.  Given the growing penetration of cellular phones (i.e.,
  estimated 22% of all cars by 2000), further refinements will permit much
  wider area surveillance of vehicle speeds and origin-destination movements.

This is part of a larger discussion of technologies of surveillance that
can be used to monitor traffic patterns and individual drivers for a wide
variety of purposes, with and without individuals' consent and knowledge.
The report speaks frankly of surveillance as one of three functionalities
of the IVHS infrastructure.  (The others are communications and data
processing.)  The means of surveillance are grouped into "static (roadway-
based)", "mobile (vehicle-based)", and "visual (use of live video cameras)".
The static devices include "in-pavement detectors", "overhead detectors",
"video image processing systems", and "vehicle occupancy detectors".  The
mobile devices include various types of "automatic vehicle identification",
"automatic vehicle location", "smart cards", and the just-mentioned
"cellular phone probes".  The visual devices are based on closed-circuit
television (CCTV) cameras that can serve a wide range of purposes.

The underlying problem here, it seems to me, is an orientation toward
centralized control: gather the data, pull it into regional management
centers, and start manipulating traffic flows by every available means.
Another approach, much more consonant with the times, would be to do things
in a decentralized fashion: protecting privacy through total anonymity and
making aggregate data available over the Internet and wireless networks
so that people can make their own decisions.  Total surveillance and
centralized control has been the implicit philosophy of computer system
design for a long time.  But the technology exists now to change that, and
I can scarcely imagine a more important test case than the public roads.
People need to use roads to participate in the full range of associations
(educational, political, social, religious, labor, charitable, etc etc)
that make up a free society.  If we turn the roads into a zone of total
surveillance then we chill that fundamental right and undermine the very
foundation of freedom.

Phil Agre, UCSD


Date:    Fri, 4 Aug 1995 12:17:48 -0400
From:    ACLUNATL@aol.com
Subject: House Adopts Exon-Like Speech Crimes, Also Adopts Cox/Wyden Amendment

ACLU Cyber-Liberties Alert: 
House Adopts Exon-Like Speech Crimes,
Also Adopts Cox/Wyden Amendment


At 9:10 am today, the House of Representatives voted to adopt an omnibus
"Managers Amendment" to the telecommunications bill (HR 1555), which included
new Exon-like speech crimes that would censor the Internet.   At 11:58 am,
the House of Representatives voted 420 to 4 to adopt the Cox/Wyden amendment
to the telco bill.  The Cox/Wyden amendment, however, was not designed to --
and does not -- affect the Exon-like speech crimes provisions added to the
telco bill by the House.

Speech Crimes Provisions in Managers Amendment:

The  Managers Amendment containing the new speech crimes provisions also
contained some forty other unrelated amendments.  The Exon-like provisions
were not a focus of the debate, and it is likely that most members cast their
votes for reasons unrelated to these provisions.

The Managers Amendment adds an entirely new Exon-like provision to the
existing federal obscenity laws. The provision would make it a crime to
"intentionally communicate by computer ... to any person the communicator
believes has not attained the age of 18 years, any material that, in context,
depicts or describes, in terms patently offensive as measured by contemporary
community standards, sexual or excretory activities or organs."  (18 U.S.C.

This provision, like the Exon amendment passed by the Senate, would
effectively reduce all online content to that which is suitable only for
children.  It also raises the same questions about service provider
liability that were raised by the Exon amendment.

The Managers Amendment would also make it a crime to "receive" prohibited
material "by computer," thereby subjecting both Internet users and service
providers to new prosecutions (18 U.S.C. 1462).

Assuming that the House telco bill (HR 1555) is approved (which is highly
probable by 3 pm today), both the House and Senate versions of the telco bill
will include severe attacks on cyber-liberties.

Cox/Wyden Amendment:

The ACLU has supported the general approach of the Cox/Wyden amendment
because it prohibits FCC regulation of content on the Internet and generally
supports private sector initiatives, not government censorship, on
cyberspace.  As the ACLU has said before, there are several ambiguities and
some real problems with the Cox/Wyden amendment.  The two sponsors have
committed to working with us on resolving the problems.  (See previously
posted ACLU Online Analysis of the Cox/Wyden Bill.)


For the online community to take comfort in what is done in the final telco
bill in the conference committee, at a minimum the following must occur:

1.  The Senate's Exon/Coats amendment (the Communications Decency Act) must
be rejected -- that is, deleted from the bill, not merely modified in some

2.  The House's Exon-like speech crimes amendment must be rejected -- that
is, deleted from the bill, not merely modified in some way.

3.  The ambiguities and problems in the Cox/Wyden amendment must be resolved
and then the Cox/Wyden amendment as modified should be included in the telco

The ACLU urges all those who care about free speech and personal privacy to
focus their energized efforts on all three fronts of the fight.
The ACLU will continue to fight all aspects of the cyber-censorship battle,
including the Exon-like speech crimes provisions just passed by the House,
the Exon/Coats amendment in the Senate, the Dole/Grassley anti-computer
pornography bill, the Grassley anti-electronic racketeering bill, and the
Feinstein anti-explosives information amendment to the counter-terrorism


Date: Fri, 28 Jul 1995 11:31:51 -0400 (EDT)
From: Mark Kosters <markk@internic.net>
Subject: New InterNIC Domain Dispute Policy


The InterNIC Registration Services team has recently put a lot of effort
in trying to solve the legal quandary regarding domain names within the
zones we administer. The result of that effort is the policy below. If there 
are any suggestions for improvements, please send email to Dave Graves 
(daveg@netsol.com) or myself (markk@internic.net). If you are interested
in the press release, the url is 


[ URL ftp://rs.internic.net/policy/internic/internic-domain-1.txt ] [ 07/95 ]


Network Solutions, Inc. ("NSI") is responsible for assigning domain names
on the Internet.  This Policy Statement ("Policy Statement") will clarify
NSI's policies regarding the use and registration of domain names
("Domain Name(s)").

1.  NSI is responsible for the registration of domain names on the Internet.
NSI registers these Domain Names on a "first come, first served" basis. NSI
has neither the resources nor the legal obligation to screen requested Domain
Names to determine if the use of a Domain Name by an Applicant may infringe
upon the right(s) of a third party.  Consequently, as an express condition
and material inducement of the grant of an applicant's ("Applicant") request
to register a Domain Name, Applicant represents and warrants as follows:

(a)  Applicant's statements in the application are true and Applicant has
the right to use the Domain Name as requested in the Application;

(b)  Applicant has a bona fide intention to use the Domain Name on a regular
basis on the Internet; 

(c)  The use or registration of the Domain Name by Applicant does not interfere
with or infringe the right of any third party in any jurisdiction with respect
to trademark, service mark, tradename, company name or any other intellectual
property right;

(d)  Applicant is not seeking to use the Domain Name for any unlawful purpose,
including, without limitation, tortious interference with contract or
prospective business advantage, unfair competition, injuring the reputation
of another, or for the purpose of confusing or misleading a person, whether
natural or incorporated.

2.  Applicant acknowledges and agrees that this Policy Statement on the
registration and use of Domain Names may change from time to time and that,
upon thirty (30) days posting on the Internet at
ftp://rs.internic.net/policy/internic.domain.policy, NSI may modify
or amend the terms of this Policy Statement.

3.  At the time of the initial submission of the Domain Name request, the
Applicant is required to have operational name service from at least two
operational Internet servers for that domain name.  Each server must be
fully connected to the Internet and capable of receiving queries under that
Domain Name and responding thereto. In the event that Applicant does not
make regular use of its assigned Domain Name for a period of 90 days
or more, Applicant agrees that he or she shall, upon request of NSI,
relinquish that Domain Name to NSI, making that Domain Name available for
registration and use by another party.

4.  Applicant is responsible for its selection of the Domain Name. 
Consequently, Applicant shall defend, indemnify and hold harmless (i)
NSI, its officers, directors, employees and agents, (ii) National Science
Foundation ("NSF"), its officers, directors, employees and agents, (iii) the
Internet Assigned Numbers Authority ("IANA"), its officers, directors,
employees and agents, and (iv) the officers, directors, employees and agents
of NSI's parents and subsidiaries (collectively, the "Indemnified Parties")
for any loss, damage, expense or liability resulting from any claim, action
or demand arising out of or related to the use or registration of the Domain
Name, including reasonable attorneys fees.  Such claims shall include,
without limitation, those based upon trademark or service mark infringement,
tradename infringement, dilution, tortious interference with contract or
prospective business advantage, unfair competition, defamation or injury to
business reputation.  The Indemnified Parties agree to give Applicant written
notice of any such claim, action or demand within a reasonable time.
Applicant agrees that the Indemnified Parties shall be defended by
attorneys of their choice at Applicant's expense, and that Applicant shall
advance the costs of such litigation, in a reasonable fashion, from time
to time. The failure to abide by this provision shall be considered a
material breach of this Agreement and permit NSI to immediately withdraw the
use and registration of Domain Name from Applicant. 

5.  Applicant agrees that NSI shall have the right to withdraw a Domain
Name from use and registration on the Internet upon thirty (30) days prior
written notice (or earlier if ordered by the court) should NSI receive an
order by a United States court or arbitration panel of the American
Arbitration Association (hereinafter "AAA") that the Domain Name in dispute
rightfully belongs to a third party.

6.(a) In the event that the Applicant breaches any of its obligations under
this Policy Statement, NSI may request that Applicant relinquish the
Domain Name in a written notice describing the alleged breach. If Applicant
fails to provide evidence that it has not breached its obligations which is
reasonably satisfactory to NSI within thirty (30) days of the date of receipt
of such notice, then NSI may terminate Applicant's use and registration of
the Domain Name.

(b)  Applicant acknowledges and agrees that NSI cannot act as an arbiter of
disputes arising out of the registration and use of Domain Names.  At the
same time, Applicant acknowledges that NSI may be presented with evidence that
a Domain Name registered by Applicant violates the rights of a third party. 
Such evidence includes, but is not limited to, evidence that  the Domain Name
is identical to a valid and subsisting registration of a trademark or service
mark that is in full force and effect and owned by another person or entity.
In those instances where the basis of the claim is other than a registered
trademark or service mark, Applicant shall be allowed to continue using the
contested Domain Name, unless and until a court order or arbitrator's
judgment to the contrary is received by NSI as provided in Paragraph 5.

(c)  In those instances when the claim is based upon a trademark or service

(1)  Without prejudice to the ultimate determination and with recognition that
trademark or service mark ownership does not automatically extend ownership to
a Domain Name, NSI shall request from the Applicant a certified copy of a
trademark or service mark registration (copies certified in accordance with
37 CFR 2.33(a)(1)(vii) or its successor will meet this standard for
registrations in jurisdictions other than the United States) owned by the
Applicant that is in full force and effect and that is the same as the
Domain Name registered to Applicant.

(2)  In the event that Applicant provides evidence of ownership of a
trademark or service mark as provided in Paragraph 6(b), Applicant shall
be allowed, subject to Paragraph 6(c)(4), to continue using the contested
Domain Name, unless and until a court order or arbitrator's judgment to the
contrary is received by NSI as provided in Paragraph 6(c)(5).  In the event
the Applicant fails to provide evidence of a trademark or service mark
registration to NSI within fourteen (14) days of NSI's request, NSI will
assist Applicant with assignment of a new Domain Name, and will allow
Applicant to maintain both names simultaneously for up to ninety (90) days
to allow an orderly transition to the new Domain Name.  At the end of the
transition period, NSI will place the disputed Domain Name on "Hold"
status, pending resolution of the dispute.  As long as a Domain Name is on
"Hold" status, that Domain Name registered to Applicant shall not be
available for use by any party.

(3)  If Applicant fails to provide evidence of a trademark or service mark
registration to NSI within fourteen (14) days and will neither accept the
assignment of a new Domain Name nor relinquish its use of the Domain Name,
NSI will place the disputed Domain Name on "Hold" status, pending resolution
of the dispute.  As long as a Domain Name is on "Hold" status, that Domain
Name registered to Applicant shall not be available for use by any party.

(4)  If Applicant provides the evidence described in Paragraph 6(b), and
wishes to continue use of the contested Domain Name registered by Applicant,
Applicant agrees to indemnify NSI on the terms stated in Paragraph 4 from any
liability relating to the registration or use of the Domain Name registered by
Applicant and post a bond in an amount sufficient to meet the damages sought,
or if no specific amount of damages is sought, in an amount deemed reasonable
in NSI's sole discretion within fourteen (14) days of NSI's request.  Without
such agreement and the posting of the bond, NSI may, notwithstanding any
trademark or service mark registration presented to it, place the use of the
Domain Name in "Hold" status pending resolution of the dispute.

(5)  NSI will reinstate the use and registration of a Domain Name placed in
"Hold" status when and if it receives an order by a United States court or
arbitration panel of the American Arbitration Association stating which party
to the dispute is entitled to use and register the Domain Name or if NSI
receives satisfactory evidence of the resolution of the dispute.


8.  Any dispute arising out of this Agreement or, at the request of NSI
and upon the agreement of the challenging party, a dispute regarding the
right to register or use Domain Name shall be resolved by binding arbitration
by the AAA under its commercial rules then in effect in San Diego, California. 
A single arbitrator shall be selected according to AAA rules within thirty (30)
days of submission of the dispute to AAA.  The arbitrator shall conduct the
arbitration in accordance with the California Evidence Code and shall apply the
substantive laws of the State of California, without regard for California's
choice of law rules.  Except as expressly provided in the Agreement, no
discovery of any kind shall be taken by either party without the written consent
of the other party, provided, however, that either party may seek the
arbitrator's permission to take any deposition which is necessary to preserve
the testimony of a witness who either is, or may become, outside the subpoena
power of the arbitrator or otherwise unavailable to testify at the arbitration. 
The arbitrator shall have the power to enter any award that could be entered by
a Judge of the Superior Court of the State of California sitting without a
jury, and only such power, except that the arbitrator shall not have the power
to award punitive damages, treble damages, or any other damages which are
not compensatory against NSI, NSF or IANA, even if permitted under the laws
of the State of California or any other applicable law.  Within twenty (20)
days of the close of arbitration hearings, the arbitrator shall submit a
written arbitration award to the parties, stating the basis for each decision
made by the arbitrator and the amount of each arbitration award.  The
arbitrator shall award the prevailing party its costs and its reasonable
attorneys' fees, and the losing party shall bear the entire cost of the
arbitration, including the arbitrator's fee. The arbitration award may be
enforced in any court having jurisdiction over the parties and the subject
matter of the arbitration.  Notwithstanding the foregoing, the parties
irrevocably submit to the non-exclusive jurisdiction of the Superior Court of
the State of California, San Diego County, and the United States District
Court for the Southern District of California, in any action to enforce an
arbitration award.

9.  All notices or reports permitted or required under this Agreement shall
be in writing and shall be delivered by personal delivery, facsimile
transmission or by certified or registered mail, return receipt requested,
and shall be deemed given upon personal delivery, seven (7) days after
deposit in the mail, or upon acknowledgment of receipt of electronic
transmission.  Notices shall be sent to the Domain Administrative Contact
listed in the InterNIC Registration Services database or such other address
as either party may specify in writing.  This Policy Statement can only be
amended by  NSI as provided in Paragraph 2. Nothing contained in this Policy
Statement shall be construed as creating any agency, partnership, or other
form of joint enterprise between the parties.  The failure of either party to
require performance by the other party of any provision hereof shall not
affect the full right to require such performance at any time thereafter;
nor shall the waiver by either party of a breach of any provision hereof be
taken or held to be a waiver of the provision itself.  In the event that any
provision of this Agreement shall be unenforceable or invalid under any
applicable law or be so held by applicable court decision, such
unenforceability or invalidity shall not render this Agreement unenforceable
or invalid as a whole.  The parties agree to amend or replace such provision
with one that is valid and enforceable and which achieves, to the extent
possible, the original economic objectives and contractual intent of NSI as
reflected in the original provision.  This Policy Statement, as amended,
and the Registration Agreement together constitute the complete and exclusive
agreement of the parties regarding Domain Names.  It supersedes and its
terms govern all prior proposals, agreements or other communications between
the parties.

	[ After reading the above, I attempted to receive clarifications
	  regarding various aspects of the described rules.  One obvious
	  omission seems to be any sort of grandfathering or "temporal"
	  aspects to the "granting" of names.  What happens in the case of
	  an entity that has long been using a domain name (perhaps not for
	  commercial purposes or not trademarked for other reasons) when
	  another entity comes along, takes out a trademark, and then
	  demands the rights to that domain name?  One would hope that the
	  "arbitration" rules described would deal with this, but the
	  concepts under which such arbitration would proceed are hazy at

	  It also appears that these rules were formulated without any
	  obvious input from other network entities.  Clearly the InterNIC
	  quite reasonably wishes to protect itself from legal liabilities
	  relating to domain names, but there are additional issues
	  at stake.  In spite of the message's providing addresses
	  to query for additional information, my comments and questions
	  regarding this policy have so far not yielded any response
	  from the InterNIC.
				-- MODERATOR ]

Date:    Wed, 26 Jul 1995 14:56:40 -0700
From:    "Marc Rotenberg" <rotenberg@epic.org>
Subject: EC Adopts Privacy Directive


Apologies for the long message.  If you are not interested in
privacy issues or the development of international standards
for the GII, simply delete this message.  Otherwise, read on.

The European Community has taken a major step this week
to protect the privacy interests of citizens and consumers.
The passage of the Directive on the Protection of Personal 
Data is the culmination of a process that began over a decade 
ago to address growing concerns about the impact of
technology on society.

There are, of course, many questions remaining about the
scope and implementation of the Directive. But there is no 
doubt that this is a significant event in the ongoing effort
to preserve human rights in the information age.

The announcement from the European Commission follows.

Marc Rotenberg,  director
Electronic Privacy Information Center


The Directive on the protection of personal data has been formally adopted
by the Council of Ministers. ``I am pleased that this important measure,
which will ensure a high level of protection for the privacy of individuals
in all Member States, has been adopted with a very wide measure of agreement
within the Council and European Parliament'' commented Single Market
Commissioner Mario Monti. ``The Directive will also help to ensure the free
flow of Information Society services in the Single Market by fostering
consumer confidence and minimising differences between Member States' rules.
Moreover, the text agreed includes special provisions for journalists, which
reconcile the right to privacy with freedom of expression,'' he added. ``The
Member States must transpose the Directive within three years, but I
sincerely hope that they will take the necessary measures without waiting for
the deadline to expire so as to encourage the investment required for the
Information Society to become a reality.''

The Directive will establish a clear and stable regulatory framework
necessary to guarantee free movement of personal data, while leaving
individual EU countries room for manoeuvre in the way the Directive is
implemented. Free movement of data is particularly important for all services
with a large customer base and depending on processing personal data, such as
distance selling and financial services. In practice, banks and insurance
companies process large quantities of personal data inter alia on such highly
sensitive issues as credit ratings and credit-worthiness. If each Member
State had its own set of rules on data protection, for example on how data
subjects could verify the information held on them, cross-border provision of
services, notably over the information superhighways, would be virtually
impossible and this extremely valuable new market opportunity would be lost.

The Directive aims to narrow divergences between national data protection
laws to the extent necessary to remove obstacles to the free movement of
personal data within the EU. As a result, any person whose data are processed
in the Community will be afforded an equivalent level of protection of his
rights, in particular his right to privacy, irrespective of the Member State
where the processing is carried out.

Until now, differences between national data protection laws have resulted
in obstacles to transfers of personal data between Member States, even when
these States have ratified the 1981 Council of Europe Convention on personal
data protection. This has been a particular problem, for example, for
multinational companies wishing to transfer data concerning their employees
between their operations in different Member States.

Such obstacles to data transfers could seriously impede the future growth
of Information Society services. As the Bangemann Group report to the Corfu
European Council remarked: ``Without the legal security of a Union-wide
approach, lack of consumer confidence will certainly undermine the rapid
development of the information society.'' As a result, the Corfu European
Council called for the rapid adoption of the data protection Directive.

To prevent abuses of personal data and ensure that data subjects are
informed of the existence of processing operations, the Directive lays down
common rules, to be observed by those who collect, hold or transmit personal
data as part of their economic or administrative activities or in the course
of the activities of their association. In particular, there is an obligation
to collect data only for specified, explicit and legitimate purposes, and to
be held only if it is relevant, accurate and up-to-date.

The Directive also establishes the principle of fairness, so that
collection of data should be as transparent as possible, giving individuals
the option of whether they provide the information or not. Moreover,
individuals will be entitled to be informed at least about the identity of
the organisation intending to process data about them and the main purposes
of such processing. That said, the Directive applies different rules
according to whether information can be easily provided in the normal course
of business activities or whether the data has been collected by third
parties. In the latter case, there is an exemption where the obligation to
provide information is impossible or involves disproportionate effort.

The Directive requires all data processing to have a proper legal basis.
The six legal grounds defined in the Directive are consent, contract, legal
obligation, vital interest of the data subject or the balance between the
legitimate interests of the people controlling the data and the people on
whom data is held (i.e. data subjects). This balance gives Member States room
for manoeuvre in their implementation and application of the Directive.

Under the Directive, data subjects are granted a number of important
rights including the right of access to that data, the right to know where
the data originated (if such information is available), the right to have
inaccurate data rectified, a right of recourse in the event of unlawful
processing and the right to withhold permission to use their data in certain
circumstances (for example, individuals will have the right to opt-out free
of charge from being sent direct marketing material, without providing any
specific reason).

In the case of sensitive data, such as an individual's ethnic or racial
origin, political or religious beliefs, trade union membership or data
concerning health or sexual life, the Directive establishes that it can only
be processed with the explicit consent of the individual, except in specific
cases such as where there is an important public interest (e.g. for medical
or scientific research), where alternative safeguards have to be established.

As the flexibility of the Directive means that some differences between
national data protection regimes may persist, the Directive lays down the
principle that the law of the Member State where a data processor is
established applies in cases where data is transferred between Member States.

The Directive also establishes arrangements for monitoring by independent
data supervisory authorities, where necessary acting in tandem with each

In the specific case of personal data used exclusively for journalistic,
artistic or literary purposes, the Directive requires Member States to ensure
appropriate exemptions and derogations exist which strike a balance between
guaranteeing freedom of expression while protecting the individual's right to

For cases where data is transferred to non-EU countries, the Directive
includes provisions to prevent the EU rules from being circumvented. The
basic rule is that the non-EU country receiving the data should ensure an
adequate level of protection, although a practical system of exemptions and
special conditions also applies. The advantage for non-EU countries who can
provide adequate protection is that the free flow of data from all 15 EU
states will henceforth be assured, whereas up to now each state has decided
on such questions separately.

For their part, the Council and the Commission have made it clear that
they consider that the European Union institutions and bodies should be
subject to the same protection principles as those laid down in the


Date:    Thu, 3 Aug 1995 13:35:41 -0700
From:    Susan Evoy <evoy@pcd.Stanford.EDU>
Subject: Conferences/Events of Interest to CPSR

CPSR Members and Friends,
	If you are planning to attend one of these conferences, or another
that may be related to CPSR's work, please contact CPSR at cpsr@cpsr.org or
(415) 322-3778 for easy ways for you to be a presence for CPSR.


Good Morning America interview with Beth Givens, Director - Privacy 
Rights Clearinghouse, Aug. 4, 8 a.m.

DEF CON III, Las Vegas, Aug. 4-6.  
Contact:  dtangent@defcon.org     http://dfw.net/~aleph1/defcon

RadioNet Interview with Sylvia Caras, CPSR- Santa Cruz, about using the
Internet for advocacy and support for people with disabilities, Aug 6, 11
a.m.  Listen to KSCO 1080AM Monterey Bay to Silicon Valley or nationally on
Talk America from 11 a.m. to Noon PST

Tenth Annual Conference on Computing and Philosophy (CAP), Pittsburgh, PA, 
Aug. 10-12.  Contact:  Robert Cavalier    rc2z@andrew.cmu.edu   412 268-7643

Conference on Organizational Computing Systems  COOCS '95, Sheraton Silicon 
Valley, Milpitas, Aug. 13-16.    Contact:  kling@ics.uci.edu.

Computers in Context:  Joining Forces in Design, Aarhus, DENMARK, Aug. 14-18.
Contributions for papers, proposals for panels, workshops, and tutorials 
(in 6 copies - not by facsimile or e-mail):
Contact:   Computers in Context, Aarhus University, Dept. of Computer Science,
Bldg. 540, Ny Munkegade 116, DK-8000 Aarhus C, DENMARK.

ONE BBSCon '95, Tampa, FL, Aug. 16-20.  Contact:  303 693-5253

Libraries of the Future - IFLA.  Istanbul, TURKEY, Aug. 16-19.
Contact:  mkutup-o@servis.net.tr

AI-ED '95:  7th World Conference on Artificial Intelligence in Education, 
Washington, DC, Aug. 16-19.  Contact:  aace@virginia.edu        804 973-3987

The Future of the Internet:  Privacy, Security, and Parental Control, San Jose 
State University, San Jose, CA, Aug. 17th.
Contact:  acward@sjsuvm1.sjsu.edu         408 924-4523

Equity on the Internet, TELECOMMUNITIES '95, Victoria, BC CANADA, Aug. 19-23.
Contact:  icnc@uvcs.uvic.ca     604 721-8470     604 721 8774 (fax)

Advanced Surveillance Technologies, Copenhagen, DENMARK, Sept. 4.
Contact:  pi@privacy.org    

17th International Conference of Data Protection and Privacy Commissioners,
Copenhagen, DENMARK, Sept. 6-8.  Contact:  45 33 14 38 44 45 33 13 38 43

Information Products, Markets, and Services in a Networked Environment, 
Oslo, NORWAY, Sept. 6-9.  Contact:    44 1 31 3173256 (fax)

InfoWarCon '95, Arlington, VA, Sept. 7-8.  Contact:  winn@infowar.com

Computer: Politisches Medium?  Medium der Politik?, Bremen, GERMANY, 
September 15-16.  
Contact:  res@informatik.uni-bremen.de     49 421 218 3308 (fax)

International Cryptography Institute 1995:  Global Challenges, Washington, DC
Sep. 21-22.    Contact:  denning@cs.georgetown.edu     
		800 301 MIND (US only)     202 962-9494      202 962-9495 (fax)

NPTN's Annual Affiliate & Organizing Committee Meeting --1995:
An International Free-Net Community Computing Conference, Arizona State 
University,                .  
Contact:  pfh@nptn.org       216 498-4050       216 498-4051 (fax)   

Information Competency, Assoc of Information and Dissemination Centers 
(ASIDIC), San Francisco, CA, October 1-3.  
Contact:  jwebb@uga.cc.uga.edu           706 542-6820

The Good, the Bad, and the Internet, A Conference on the Big Issues in
Information Technology, CPSR Annual Meeting, 750 South Halsted, Chicago
Circle Center, University of Illinois - Chicago, IL, Oct. 7-8.  Plenary
sessions on:
   * State of the 'Net 1995:  Commercialization, Access, Censorship, and more
   * Which way for Privacy and Civil Liberties ?
   * Technology and Jobs:  New jobs ?  No jobs? Rethinking work
   * Local Initiatives in Information Access
   * Elections 1996:  Towards a Technology Platform
plus workshops, hands-on demos, and a virtual conference
Contact:  http://www.cs.uchicago.edu/discussions/cpsr/        

Converging Technologies:  Forging New Partnerships in Information, 
ASIS Annual Meeting, Chicago, IL, Oct. 9-12.
Contact:  asis@cni.org    301 495-0900    301 495-0810 (fax)

"Designing for the Global Village," HFES,   Sheraton Harbor Island Hotel, 
Santa Monica, CA, October 9-13.  
Contact:  72133.1474@compuserve.com  310 394-1811     310 394-2410 (fax)

Eco Expo East, World Trade Center, Boston, MA, October 13-15.

People, Networks & Communications '95, The Emergence of Application, 
Information Technology & Policy for the 21st Century, Oahu, Hawaii, Oct 30-
Nov. 3.  Contact:  ekho@uhunix.uhcc.hawaii.edu           808 933-3383

Managing the Privacy Revolution, Washington, DC, Oct. 31-Nov. 1
Contact:  201 996-1154

EDUCOM'95, Portland, OR, Oct. 31-Nov. 3.  Contact:  conf@educom.edu

Management & Network Technology, Trondheim, NORWAY, Nov. 22-24.
Contact:  ifim@ifim.sintef.no     http://duplox.wz-berlin.de/COSTA3/
		47 73 592559       47 73 592570 (fax)

11th Annual Computer Security Applications Conference, New Orleans, LA, 
Dec. 11-15.  Contact:  vreed@mitre.org   205 830-2606   205 830 2608 (fax)

Professional Awareness in Software Engineering (PASE'96), London, ENGLAND,
Feb. 1-2, 1996.  
Contact:  paseconf@westminster.ac.uk    44 171 9115000    44 171 9115089 (fax)

CQL'96:  Symposium on Computers & the Quality of Life (ACM), Philadelphia,
PA, February 14-16, 1996.  Papers, Panels Proposals, Tutorial Proposals by
Sept. 1.  Contact:  liffick@cs.millersv.edu 717 872 3536 717 871-2320 (fax) 

Assoc. for Practical and Professional Ethics, St. Louis, MO, Feb. 29-March 2
Submissions deadline is Oct. 31, 1995.  
Contact:   appe@indiana.edu        812 855-6450        812 855-3315

Technical Conference on Telecommunications R&D in Massachusetts, Lowell, 
MA, March 12, 1996.  
Contact:  http://www.commx.org/mtchom   dana@ultranet.com     617 439-8600  

Computers, Freedom, and Privacy, M.I.T., Cambridge, MA, March 27-30, 1996.
Proposal Submission deadline:  9/1/95.
Contact:  web.mit.edu/cfp96     cfp96-info@mit.edu

Creating a Library of the Future Without Diminishing the Library of the Past -
A conference for librarians, Cambridge, MA.  March 30-31, 1996.  
Contact:  cmkent@fas.harvard.edu

A Strategic Approach to Globalization Through Technology and Diversity, 
Rockville, MD, April 11-14, 1996.  
Contact:  marsha-w@uiuc.edu     217 356-7050 (fax)

Technological Assaults on Privacy, Rochester, NY, April 18-20, 1996.
Paper drafts by Feb. 1, 1996.
Contact:  privacy@rit.edu      716 475-6643      716 475-7120 (fax)

The Digital Revolution:  Assessing the Impact on Business, Education and Social
Structures, San Diego, CA, May 20-22, 1996.  Intents to submit papers deadline:
November 15, 1995.    Contact:  asis96@chestnut.lis.utk.edu

International Symposium on Technology and Society 1996 (ISTAS '96), 
Princeton University, Princeton, NJ, June 21-22, 1996  
Abstract submission deadline:  December 15, 1995.
Contact:  istas@wws.princeton.edu   609 258-1985 (fax)


Date:    Tue, 1 Aug 95 9:30:33 EDT
From:    zurko@osf.org (Mary Ellen Zurko)
Subject: IEEE Symp. on Security and Privacy - Call for papers

                           CALL FOR PAPERS
1996 IEEE Symposium on                              May 6-8, 1996
Security and Privacy                            Oakland, California
                             sponsored by
  IEEE Computer Society Technical Committee on Security and Privacy
                         in cooperation with
    The International Association for Cryptologic Research (IACR)

Since 1980, the Symposium on Security and Privacy has been the premier
forum for presenting developments in computer security and for
bringing together researchers and practitioners in the field.

This year, we seek to build upon this tradition of excellence by
re-emphasizing work on engineering and applications as well as
theoretical advances.  We also seek to broaden the scope of the
Symposium by introducing additional topics.  We want to hear not only
about new theoretical results, but also about work in the design and
implementation of secure systems and work on policy relating to system
security.  We are particularly interested in papers on policy and
technical issues relating to privacy in the context of the Information
Infrastructure, papers on securing unsecure applications and operating
systems, papers that relate software and system engineering technology
to the design of secure systems, and papers on hardware and
architectural support for secure systems.

The symposium will focus on technical aspects of security and privacy
as they arise in commercial and industrial applications, as well as in
government and military systems.  It will address advances in the
theory, design, implementation, analysis, and application of secure
computer systems, and in the integration and reconciliation of
security and privacy with other critical system properties such as
reliability, performance, and safety.  Topics in which papers and
panel session proposals are invited include, but are not limited to,
the following:

Secure systems          Privacy Issues          Access controls  
Security verification   Network security        Policy modeling 
Information flow        Authentication          Database security 
Data integrity          Security Protocols      Viruses and worms
Auditing                Biometrics              Smartcards
Commercial and industrial security              Intrusion Detection
Security and other critical system properties   Distributed systems security
Novel applications of cryptography and other security techniques

We will continue the session of very brief (5-minute) talks introduced
last year.  Our goal is to make it possible for us to hear from people
who are advancing the field in the areas of system design and
implementation, and who would like to present their ideas to the
symposium audience but may lack the time and resources needed to
prepare a full paper.  Submissions for this session will be accepted
up to April 2, 1996 to permit us to hear of the most recent
developments. Abstracts of these talks will be distributed at the


Send six copies of your paper and/or proposal for a panel session to
John McHugh, Program Co-Chair, at the address given below.  Papers and
panel proposals must be received by November 6, 1996.  Papers, which
should include an abstract, must not exceed 7500 words.  The names and
affiliations of the authors should appear on a separate cover page
only, as a ``blind'' refereeing process is used.  In addition to the
paper submission, an ASCII copy of the paper title and abstract should
be sent to the Program Co-Chair (mchugh@cs.pdx.edu) by electronic mail.
These will be distributed electronically (without author
identification) to the entire program committee to aid in the
appropriate assignment of referees. Authors must certify prior to
December 25, 1996 that any and all necessary clearances for
publication have been obtained.

Papers must report original work that has not been published
previously, and is not under consideration for publication elsewhere.
Abstracts, overlength papers, electronic submissions, late
submissions, and papers that cannot be published in the proceedings
will be rejected without review.  Authors will be notified of
acceptance by January 16, 1996.  Camera-ready copies are due not later
than March 4, 1996.

Panel proposals should describe, in two pages or less, the objective
of the panel and the topic(s) to be addressed.  Names and addresses of
potential panelists (with position abstracts if possible) and of
the moderator should also be included.  Panels are not intended to
serve as alternate paper sessions and it is expected that, with the
possible exception of an overview of the topic area by the panel
chair, individual presentations by panel members will be limited to
five to ten minutes and that at least one third of the session will be
reserved for discussion.

Submitters of abstracts for the special session of five-minute talks
should submit one page abstracts to John McHugh, Program Co-Chair, at
the address given below.  The abstract should be one page or less;
Email submissions of 30 to 60 lines are preferred. Abstracts must be
received by April 2, 1996.  Authors will be notified of acceptance or
rejection of abstracts by April 16.  Submitted abstracts that are
accepted will be distributed at the conference.  Presenters of
five-minute talks are expected to register for the conference.
Overtly commercial presentations are inappropriate.

The Symposium will also include informal poster sessions where
preliminary or speculative material, and descriptions or
demonstrations of software, may be presented.  Send one copy of your
poster session paper to Dale Johnson, at the address given below, by
January 31, 1996, together with certification that any and all
necessary clearances for presentation have been obtained.

Again this year, we will attempt to counsel prospective authors.  If
you have questions about whether or how to present your work to the
symposium, please send email to the Chair (dmj@mitre.org), and we will
do our best to assist you.

Information about this conference will also be available by
anonymous ftp from ftp.cs.pdx.edu in directory /pub/SP96, and on the web
at http://www.cs.pdx.edu/SP96. The program chairs can be reached by
email at sp96@cs.pdx.edu.


Dave Bailey, Galaxy Computer Services, USA
Terry Vickers Benzel, TIS, USA
Lee A. Benzinger, Loral, USA
Debbie Cooper, DMCooper, USA
Oliver Costich, Independent Consultant, USA
Yves Deswarte, LAAS-CNRS & INRIA, FR
Jim Gray, Hong Kong U. of Sci. and Tech, HK
Lee Gong, SRI, USA
Sushil Jajodia, GMU, USA
Paul Karger, GTE, USA
Carl Landwehr, NRL, USA
John McLean, NRL, USA
Catherine A. Meadows, NRL, USA
Rich Neely, CTA, USA
Sylvan S. Pinsky, DoD, USA
Mike Reiter, AT&T, USA
Sue Rho, TIS, USA
Peter Ryan, DRA, UK
Tom Schubert, Portland State Univ., USA
Stuart Stubblebine, AT&T, USA 
Elisabeth Sullivan, Sequent, USA
Tom Van Vleck, Taligent, USA
Vijay Varadharajan, Univ. of Western Sydney, AU
Yacov Yacobi, Bellcore, USA
Raphael Yahalom, Hebrew University, Israel
Mary Ellen Zurko, OSF, USA

For further information concerning the symposium, contact:

  Dale Johnson, General Chair        John McHugh, Program Co-Chair
  The MITRE Corporation              Computer Science Department 
  Mailstop A156                      Portland State University
  202 Burlington Rd                  P.O. Box 751
  Bedford, MA 01730-1420, USA        Portland OR 97207-0751, USA
  Tel: +1 (617) 271-8894             Tel: +1 (503) 725-5842
  Fax: +1 (617) 271-3816             Fax: +1 (503) 725-3211
  dmj@mitre.org                      mchugh@cs.pdx.edu

  Steve Kent, Vice Chair             George Dinolt, Program Co-Chair
  BBN Systems and Technologies       Loral WDL
  Mailstop 13/2a                     P.O. Box 49041, MS X20
  70 Fawcett Street                  San Jose, CA 95161-9041
  Cambridge, MA 02138                Tel: +1 (408) 473-4150
  Tel: +1 (617) 873-6328             Fax: +1 (408) 473-4272
  Fax: +1 (617) 873-4086             dinolt@wdl.loral.com

  Charles Payne, Treasurer
  Secure Computing Corporation
  2675 Long Lake Road
  Roseville, MN  55113
  Tel: +1 (612) 628-1594
  Fax: +1 (612) 628-2701

  Peter Ryan, European Contact       Jim Gray, Asia/Pacific Contact
  Defence Research Agency            Department of Computer Science
  Room NX17                          Hong Kong Univ. of Science & Technology
  St Andrew's Rd                     Clear Water Bay, Kowloon, Hong Kong
  Malvern                            Tel: +852 358-7012
  Worcs WR14 3PS,UK                  Fax: +852 358-1477
  Tel +44 (0684) 895845              gray@cs.ust.hk
  Fax +44 (0684) 894303


End of PRIVACY Forum Digest 04.17
