TUCoPS :: Privacy :: priv_505.txt

Privacy Digest 5.05 2/23/96

PRIVACY Forum Digest     Friday, 23 February 1996    Volume 05 : Issue 05

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
	
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
               The PRIVACY Forum is supported in part by the          
                 ACM (Association for Computing Machinery)
	         Committee on Computers and Public Policy,      
          "internetMCI" (a service of the Data Services Division         
      of MCI Telecommunications Corporation), and Cisco Systems, Inc.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
	AT&T Cell Users at Risk: follow-up (dperetz@accessone.com)
	Taping Conversations (Charles R. Trew)
	Alzheimer's, mental defectives, and privacy (Phil Agre)
	"Trancendent" Privacy Legislation (Pierrot Peladeau)
	Netscape Navigator 2.0 exposes user's browsing history
           (John Robert LoVerso)
        Federal Court Enjoins Internet "Indecency" Provision [From EPIC Alert]
	   (Marc Rotenberg)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 05, ISSUE 05

   Quote for the day:

	"An *actor* as President?"

			-- Derek Flint (James Coburn)
			   "In Like Flint" (1967)

----------------------------------------------------------------------

Date:    Sun, 4 Feb 96 14:52:06 PST
From:    dperetz@accessone.com
Subject: AT&T Cell Users at Risk: follow-up.

dperetz@accessone.com wrote:
> Want billing/payment information on someone else?
> Want to run a usage analysis for the best rate plan for
> another?
> ATT Wireless Networks makes this possible with their
> automated INFOEXPRESS (Customer Care) service.
> Simply dial 1-800-782-xxxx or 1-206-389-xxxx (SEA).
> Enter the target cell number and the person's zip code.
>
> ...
>
>		[ Assuming this service operates as described, it
>		  is but another example of the widespread practice
>		  of making customer information available with
>		  minimal or no security provisions by many entities.
>
>		  When questioned, firms implementing such systems usually
>		  claim they can't imagine why anybody would be concerned
>		  about the release of such information (allowing change
>		  orders in such an environment would be *highly* unusual),
>		  and that more "secure" systems (such as the use of PINs)
>		  would be "too inconvenient" for the customer.  Usually the
>		  claim is also made that they've received virtually no
>		  complaints, either!  
>
>		   ...
>
>			-- MODERATOR ]

Follow-up:

You are quite correct.  I spoke with S.B., an INFOEXPRESS specialist.  She
stated they were hoping for a 4:1 'approval ratio.'

Change orders are easy (yes, it was a cold phone):
	A) Simply get the amount of the last payment with the method
		described above.
	B) Enter the option to speak with a CSR.
		D: "I'm calling to see if my check for last month's bill of
			61.62 posted?"
		CSR: "Yes it did, on January twelfth."
		D: "Thanks, and I'd also like to discontinue the
			voice-mail option.  I just never use it."
		CSR: "Okay."
		.
		.
		.
At this point I stopped the CSR and asked her to discontinue INFOEXPRESS
instead.  This can't be done.  I haven't played extensively with the auto-
mated c. o., but the picture is clear.

I questioned the CSR about performing the c.o. without verification.
I was told that because I knew last month's billing amount, it was okay.
Had I not known, I would have been asked for an account number.  I explained
I got the amount from INFOEXPRESS: "I'll let you talk to my supervisor."

Groan.

------------------------------

Date:    13 Feb 1996 15:28:15 EST
From:    "CHARLES R TREW" <CTREW@MAIL.LOC.GOV>
Subject: Taping Conversations

   [ This message is replying to a query regarding taping of teacher/parent
     interviews at a school.  -- MODERATOR ]

Your situation is an all too common one these days. However, the answer is
extremely complex and you should not do any taping until you have checked in
advance with a reliable attorney and the inspector general (or whatever
title is used by the chief legal counsel) for your school system. Next time
you should have another teacher or (preferably) an administrator if you are
going to be meeting this person again.
         As for future situations, you may be limited by the fact that you
are on public property as a public official. If you are at a private school
you would definately have more room to make a recording with the
administration's permission.
        Any calls made to you at your home are fair game and, contrary to
popular belief, you do not have to inform the other party you are recording.
For most practical purposes most phone calls are fair game for either party
on the line, restrictions are primarily against third parties listening in
unbeknownst to the other two. As I said, though you are in a sensitive spot
at the office.
        Finally, if you decide to tape your office, home, phone, etc.
*never* indicate to your subject you are going to tape them.  You will all
but guarantee an unpleasant discussion. If it's legal, it's your business
anyway. If you are unsure you can always play the tape for your lawyer and
then make a determination.

------------------------------

Date:    Wed, 21 Feb 1996 15:01:34 -0800 (PST)
From:    Phil Agre <pagre@weber.ucsd.edu>
Subject: Alzheimer's, mental defectives, and privacy

Today's paper includes a very disturbing article:

  Gina Kolata, Research links writing style to risk of Alzheimer's, New York
  Times, 21 February 1996, page A7.

It reports a study of autobiographies written by 93 nuns when they entered a
convent early in this century, correlating their writing style with whether
they got Alzheimer's disease sixty years later.  The study claims that one
attribute of their writing correlates very strongly indeed with their later
Alzheimer's status, namely what they called "idea density" -- how many ideas
were present in a given stretch of writing.  It does not at all follow that
people who write with fewer ideas are more likely to get Alzheimer's, since
writing practices differ in different situations, and this is just one sample
of people from very particular social and historical circumstances, writing
in response to a very particular assignment.  A more plausible conclusion,
though, is the one that the scientists emphasize, namely that Alzheimer's
disease is a long-standing, possibly lifelong disorder whose gross effects
only become apparent in old age once the cumulative brain tissue destruction
has become massive.

I hope that this conclusion is false.  Suppose it is true.  Then it seems
altogether plausible that someone will come up with a reliable clinical test
for Alzheimer's that will work on people in their 20's, or even on children.
The consequences of this test would be horrible.  First, a large portion of
the population would be walking around knowing that their brains were being
progressively consumed by this incurable illness.  Second, a large portion
of the population would risk carrying a label -- the 21st century equivalent
of terms like "mental defective" that can consign a person to second-class
social existence.  What employer will abstain from learning a job applicant's
Alzheimer's status, particularly when the job involves training whose payback
will be stretched over a long period?  Will a person's Alzheimer's status
become public knowledge, for example as part of their credit record?   Will
the kind of shallow and ineffectual "medical privacy" legislation that we're
seeing in Congress this year permit Alzheimer's status information to leak
out into offshore databases?

It can get much worse.  What happens if, as many scientists apparently expect,
it turns out that Alzheimer's is inherited, or (more to the point) predictable
from parents' DNA?  Will whole categories of people be dissuaded from having
children who are likely to be susceptible to the disease?  Will those people
be shamed if they do have children?  Will they have to make decisions about
when and how to tell their children of the condition?  Precedents for these
questions do exist in some diseases that affect limited populations, but
Alzheimer's is much more prevalent.  Someone will no doubt argue that society
could vastly improve its economic performance and decrease its medical bills
by discouraging people from giving birth to infants at risk from Alzheimer's.
This will not be a happy day.

Phil Agre, UCSD

------------------------------

Date:    Thu, 22 Feb 1996 12:26:20 -0500 (EST)
From:    Pierrot Peladeau <pierrot.peladeau@PROGESTA.COM>
Subject: "Trancendent" Privacy Legislation

In Privacy Forum Digest V05 #04, the Dick Mills, reacting to a Moderator 
article in V05 #03, asked the following question:

	How can we formulate privacy laws that:

	a)  transcend the inventiveness of new technology?

	b)  are simple and clear enough that the public and business 
	    can understand and apply the law more or less correctly 
	    in their daily lives without consulting a lawyer on 
	    every issue?

A Short Answer:

	Yes, it is possible to formulate "trancendent" data protection
laws (personnally I make a huge conceptual distinction between privacy and
protection of personal information). Well drafted, such laws using generic
and well defined terms could be simple and clear enough for common daily
lives instances. But, because they would use generic terms there will be
always some fuzziness that will call for clarification from a regulatory,
orversight or judicial body. The 'economy of fuzziness' by which a legal
writer tries to make proper balance in the use of generic and more precice
terms is well know by jurists, especially those who are familiar with
roman-german legal systems. The really interesting issue is therefore:
which generic terms? 


The Demonstration:

1. The How:
	Sociologist Jean-Pierre Lemasson addressed that question in
a report to the Quebec government on the problem of the use of personal
information in private sector organization (Groupe de recherche
informatique et droit, 'L'identitee piratee', Montreal, SOQUIJ, 1986). He
proposed that a legislation could "transcend" technological changes if it
was written in such a way that it grasps the LOGIC OF INFORMATION instead
of trying to cope with the specific capability of one technology. So 
laws should deal with information and the generic logical moments of its 
use, not with peticular practices, procedures or technology. Lemasson 
did not discuss in detail his proposal but it can be explained by 
refering to theoretical and practical works.

2. The Why:
	In 'The Logic of Writing and the Organization of Society'
(Cambrige University Press, 1986), social-anthropologist Jack Goody
brilliantly explores the possibility to write a human history according to
modes and means of communication, very much like Marx tried to write a
history according to modes and means of production. His theory is that
humankind has known two main modes of communication: orality and writing.
The term "writing" is used in its widest meaning as to include any kind of
physical supports to knowledge. Of course, many technologies has been
developed to make the best of the many capabilities of writing: printing
machine, computer.  The latter are means that unleash some of the
properties of writing, of its logic. So, following Goody's thesis, it
should be possible to find basic properties of writing that "transcends"
any specific capabilities of peticular means and the even more specific
applications of very peticular technological tools. 

3. Theoretical testing of the idea:
	I did explore the intuition of Lemasson along the lines drawn by
Goody.  First, in the making of an international comparative study of data
protection legislation, I found that some legislation actually were
"transcending" technical changes as other were rapidly becoming obsolete.
For instance, sections dealing with computer matching (a specific
procedure) were easily made inadequate to cope with new communication
procedures (virtual data banks, on demand sharing on a networks, etc.).
Conversely, those that were strictly written with generic terms like
"communication" or "change in purpose" were capable to resist
technological innovations. Another example is the difference in the
writing between the Canadian and some US criminal sections dealing with
wiretapping. The Canadian Criminal Code sections dealt with protection of
private communication in general as their US counterparts dealt with
protection a series of communication supported by specifics media. The
former did not need to be amended to be applicable to every new means of
communications, contrarily to latter. 

The second step was to theoricize a) what are the constant logical
components of personal information processes disrespective of technology
["Esquisse d'une theorie juridique des proces d'information relatifs aux
personnes" (1989) 34 McGill Law Journal 952], and b) what were the
specific impact of informatics on this logic ["L'informatique ordinatrice
du droit et du proces d'information relatif aux personnes" (1989) 1
Technologie de l'information et societe 35]. For our discussion, only a)
is needed. I did find generic (or "transcendent") concepts for drafting
normative texts. For instance, five generic logical moments of the
personal information process were identified (collection, storage,
communication, processing, decision - the last two being usually forgotten
by most data protection schemes) with their related operations and
procedures as well as other basics concepts. But the most interesting part
is, of course, the practical applications. 

4. Field testing
	In 1982, the Quebec National Assembly adopted the Act Respecting 
Access to Documents Held by Public Bodies and the Protection of Personal 
Information that applies to all government agencies, municipal bodies, 
educational bodies as well as health and services institutions. Article 
65 states that:

	  Every person who, on behalf of a public body, collects nominative
	information from the person concerned or from a third person must
	first identify himself and inform him
	  (1) of the name and address of the public body on whose behalf the
	information is being collected;
	  (2) of the use to which the information will be put;
	  (3) of the categories of persons who will have access to the
	information;
	  (4) of the fact that a reply is obligatory, or that it is optional;
	  (5) of the consequences for the person concerned or, as the case
	of a refusal to reply:
	  (6) of the right of access and correction provided by law...

Unfortunately, this laudable section is still not respected by the huge
majority of Quebec public bodies 14 years later. My explanation was that
this section was imposing a specific procedure (communication of
information BEFORE collecting personal information) that was difficult,
and often very costly, to implement in many instances. Technology was a
problem since many transactions that were previously carried out in a face
to face fashion now were carried out by phone or other media that made this
procedure burdensome. When was discussed Bill 68, the Act Respecting the
Protection of Personal Information in the Private Sector (still the only
comprehensive law of the kind in North-America), I put forward the
following solution: get rid of the procedure and stick to the objective
which is mandatory information of the data subjects by using generic
terms: COMMUNICATION of information AROUND the time of COLLECTION. This
solution was adopted, and section 8 of the Act begins as follows: 

	A person who collects personal information form the person
	concerned must, when establishing a file on that person, inform him
	...

The results are that less than two years after enforcement of this Act,
almost all the private organizations that implemented it so far have
respected the notification requirement. For instance, if informing you by
phone is burdensome, you will receive all the information by mail with
your contract, your first billing statement or a specific communication
for this purpose. There is no mandatory procedure. Each organization finds
the most efficient way to inform the data subjects. Of course this is not
the ideal situation where all this notification would have been made prior
to collection of personal information. But this latter procedure is only
easily feasible in some physical contexts and not in others. So, better
have a generic obligation that is implemented that a perfect principle
that is not because it better fits some means of communication than
others. 

	I could go on with other examples but I think the point is clear now.

5. Conclusion
	"Trancendent" data protection laws are possible as it can be
demonstrate by both experience and theoritical work. But such approach is
a rupture from the dominant piecemeal, sectorial, issue specific existing
approach to data protection writing in the USA. In that country, the
problem is certainly not a question of legal writing know-how (there is so
much lawyers, this cannot be a problem) but one of real politics and
legislative tradition. It is far more easier to build enough political
pressures and consensus for a very peticular solution to a very specific
data protection or privacy problem than for a comprehensive universal 
generic solution. 

	Best regards.

				-- P.P.
                 ---------------------------------------------
	Pierrot Peladeau  <pierrot.peladeau@progesta.com>
	Vice President, R & D, PROGESTA Inc.
	Editor/Redacteur en chef, PRIVACY FILES
	P.O.Box/C.P. 42029 Station Jeanne Mance	  tel : +1 (514) 990 2786
	Montreal (Quebec) CANADA   H2W 2T3	  fax : +1 (514) 990 3085

------------------------------

Date: Fri, 23 Feb 96 10:03:49 -0500
From: John Robert LoVerso <loverso@osf.org>
Subject: Netscape Navigator 2.0 exposes user's browsing history

[ From Risks-Forum Digest; Friday 23 February 1996; Vol. 17 : Issue 79 ]

While riding home this past Wednesday (on my accident free commuter-rail
line), I came up with an approach to utilize the JavaScript "feature" of
Netscape 2.0 to track a user's browsing actions.  The tracking happens in
real time with the user's browser dutifully sending results back to a remote
server, starting from the time the user visits a page with the devious
JavaScript embedded in it.  It can thus sniff any passwords or keys the user
might use in a URL.

My example version runs in a browser window that the user can see.  I'm only
demonstrating the vulnerability.  Practically, the window can be made so
small as to be invisible to the casual user.  It also helps that a user
isn't even informed when the HTML page they just loaded has some JavaScript
code within it.

Think about Netscape's new JavaScript-laden home page.  The default action
on startup of Netscape 2.0 is to go to that page.  It could easily start off
tracking your browsing actions.  With the new on-line frontier being driven
by advertising, the value of such a log is immense.  Of course, if Netscape
really wanted to do something like this, they could embed all sorts of
things directly in their browser.  Naturally they don't, but this is
something that people often clamor about (e.g., the recent Microsoft Word
and the never ending AOL controversies).

As it stands, with Netscape 2.0 you cannot disable JavaScript.  You can
disable Java.  This is an interesting choice on their part, since at least
there has been a significant effort on the part of many people to justify
Java's claim of security and safeness.  Thousands of people have pored over
the code and specifications.

But, JavaScript and Java are totally different things.  They share common
names and syntax, but they don't share implementations.  One is a byte
compiled language executing in a restrictive state machine, the other is an
interpreted scripting languages with vastly different properties.  Compared
with the thousands of people have looked at the source to Java, no one has
seen JavaScript.  Its specifications are defined by the implementation,
which to date is solely Netscape 2.0.  We're told it is "Secure. Cannot
write to hard disk", which is how Java is also described.  Is there enough
commonality for such a comparison?  It is hard to determine that a program
is safe or secure after studying it.  It is impossible without.

My particular history tracker is the third (or fourth?) way to steal private
data from a user via JavaScript.  It stands out as the first one that does
it in real time, reporting history as the user is browsing.  In an
interesting bit of irony, as I was writing the code to exploit this hole, a
news article from someone at Netscape appeared noting how they has fixed 2.0
during the "beta-test" period to avoid the latest of the history stealing
approaches.

As it stands, JavaScript adds a viral element to HTML.  I'm not sure why
Netscape doesn't ship JavaScript disabled by default or why they don't alarm
the user before it starts to execute, or opens up new windows.

Finally, it is interesting to note that the Netscape Navigator already has
the building blocks to block the execution of any JavaScript (or Java) code
that doesn't come digitally signed from some trusted source.  This would
help provide a real safeguard against the types of attack downloaded code
opens up.

My JavaScript examples are at http://www.osf.org/~loverso/javascript/.

John Robert LoVerso  OSF Research Institute

  Added note:
    Did you ever try to teach someone the importance of keeping
    their ATM PIN secret, only to find that they never lock the
    doors to their house?
    A non-empty subset of the hosts who have visited my JavaScript
    "tracker" page run an X server with no access control enabled.

	[ This is but the tip of the proverbial iceberg when it comes
	  to programs that may have the potential (either through bugs or
	  design) for the feeding of users' private data or action histories
	  back to remote network points without their permission.  
	  More in future editions of the digest...
						-- PRIVACY Forum MODERATOR ]

------------------------------

Date: 15 Feb 1996 20:12:15 -0500
From: "Marc Rotenberg" <rotenberg@epic.org>
Subject: Federal Court Enjoins Internet "Indecency" Provision [From EPIC Alert]

 [ From EPIC Alert 3.04; February 16, 1996 ]

    FLASH: Federal Court Enjoins Internet "Indecency" Provision --
    ACLU, EPIC, and Others Score Partial Victory in CDA Challenge

A federal judge in Philadelphia has issued a partial temporary 
restraining order prohibiting enforcement of the "indecency" 
provision of the Communications Decency Act (CDA).  The judge 
declined to enjoin those provisions of the Act dealing with 
"patently offensive" communications.

The court agreed with the plaintiffs' claim that the CDA will have 
a chilling effect on free speech on the Internet and found that 
the CDA raises "serious, substantial, difficult and doubtful 
questions."  The court further agreed that the CDA is 
"unconstitutionally vague" as to the prosecution for indecency.  
But the court left open the possibility that the government could 
prosecute under the "patently offensive" provisions

The court has recognized the critical problem with the CDA, which 
is the attempt to apply the indecency standard to on-line 
communications.  Nonetheless, online speech remains at risk 
because of the sweeping nature of the CDA. 

The entry of the court order is a strong indication that the 
"indecency" provision of the legislation that went into effect on 
February 8 will not survive constitutional scrutiny by a three-
judge panel that has been impaneled in Philadelphia.  The panel 
will fully evaluate the constitutional validity of the legislation 
and consider entry of a permanent injunction against enforcement 
of the new law.

The temporary restraining order (TRO) was issued in a lawsuit 
filed by the Electronic Privacy Information Center (EPIC), the 
American Civil Liberties Union and a broad coalition of 
organizations.  EPIC is also participating as co-counsel in the 
litigation.  

The court ruling comes in the wake of widespread denunciation of 
the CDA, which was included in the telecommunications reform bill 
signed into law last week.
According to EPIC Legal Counsel David Sobel, one of the attorneys
representing the coalition, "The court's decision is a partial 
victory for free speech, but expression on the Internet remains at 
risk.  This is destined to become a landmark case that will 
determine the future of the Internet."  Looking ahead to 
proceedings before the three-judge panel, Sobel said "we are 
optimistic that further litigation of this case will demonstrate 
to the court that the CDA, in its entirety, does not pass 
constitutional muster."

EPIC has maintained since its introduction in Congress that the 
ban on "indecent" and "patently offensive" electronic speech is a 
clear violation of the free speech and privacy rights of millions 
of Internet users. 

Comprehensive information on the CDA lawsuit, including 
plaintiffs' brief in support of the TRO, is available at:

     http://www.epic.org/free_speech/censorship/lawsuit/

	[ Any actions relating to the "patently offensive" material portion
	  of the bill are also now on hold, though depending on the results
	  of court decisions, prosecutions under both that and the "indecent
	  material" provisions could later extend back retroactively to the
	  date of the bill's signing. 

			-- PRIVACY Forum MODERATOR ]

------------------------------

End of PRIVACY Forum Digest 05.05
************************

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH