TUCoPS :: Privacy :: priv_512.txt

Privacy Digest 5.12 6/15/96

PRIVACY Forum Digest        Saturday, 15 June 1996        Volume 05 : Issue 12

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
	
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
               The PRIVACY Forum is supported in part by the          
                 ACM (Association for Computing Machinery)
	         Committee on Computers and Public Policy,      
          "internetMCI" (a service of the Data Services Division         
      of MCI Telecommunications Corporation), and Cisco Systems, Inc.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
	PRIVACY Briefs (Lauren Weinstein; PRIVACY Forum Moderator)
	Caller ID in California may be active now (plus Newsflash)
	   (Lauren Weinstein; PRIVACY Forum Moderator)
	Publishing on the net and old usenet postings (ReindeR Rustema)
	Re: Publishing on the net and old usenet postings 
	   (Lauren Weinstein; PRIVACY Forum Moderator)
	Re: Protection and Parental Empowerment Act (Mary Ann Davidson)
	P-TRAK on LEXIS-NEXIS (Charles Trew)
	Genetic screening and privacy (Phil Agre)
	Access to psychiatric records (Bob Frankston)
	HTTP cookie privacy risk (Howard Goldstein)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 05, ISSUE 12

   Quote for the day:

	"You'll make a tasty morsel for my dragon!"

			-- Lodac (Basil Rathbone)
			   "The Magic Sword" (United Artists; 1962)

----------------------------------------------------------------------

PRIVACY Briefs (from the Moderator)

---

In a move widely reported as a landmark decision affecting "Constitutional
rights in cyberspace", a three judge federal panel turned thumbs down on the
"Communications Decency Act" (CDA) provisions of the new Telecommunications
Act, which would have imposed broadcast-type indecency standards and other
onerous restrictions on the Internet and similar systems.  No immediate
impact from this decision is likely, since the provisions of the law were
not being enforced during the panel's deliberations.  The judges have now
granted a formal injunction against enforcement of the provisions.

However, these issues are far from resolved.  The Act is now nearly certain
to move onward directly to the Supreme Court.  If it is similarly rejected
there, which many observers feel is likely, the legislation's sponsors have
promised to enact new Internet legislation that would be crafted to pass
judicial scrutiny the next time around, a possibility that experts consider
to not be unfeasible.

The CDA was, in the opinion of many, poorly written and overly broad, and
those parties who fought successfully against it to the current level are to
be congratulated.  We should keep in mind however, that the CDA aside, there
are aspects of the Internet that are causing concerns (some of them
justified!) around the world, and we have but scratched the surface of these
issues.  Lots more to come...

---

California air quality officials are considering a formal study of tiny
transmitters that could be installed in automobile engines to automatically
"report" polluting vehicles to authorities.  Other potential possibilities
for such transmitters are left as an exercise to the reader.

---

Law enforcement officials have expressed interest in the possibility of
mandated "kill" systems in future autos which would permit authorities (or
presumably anyone else with the appropriate equipment) to remotely disable a
vehicle's electrical system.  Such a mechanism is promoted as a means to reduce
the need for dangerous high speed chases, which annually result in both
property damage and innocent lives lost.  

------------------------------

Date:    Fri, 14 Jun 96 15:20 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Caller ID in California may be active now (plus Newsflash)

Greetings.  According to information contained in a Pacific Bell
press release, and other sources, it is possible that Pacific Bell
has begun passing CNID information by today.  In any case, it
could be activated at any time, and some of the smaller telcos
have already begun passing the data.  The issue for Pacific and GTE
continues to be the backlog of blocking status notifications that
they're trying to clear.  Since they're starting to catch up it appears
that they may not be needing the full 30 day (to July 1) delay they
were originally granted, and can proceed when ready.  

According to some reports, in one 72 hour period Pacific Bell
received 2 million requests for "complete" (per-line) CNID blocking,
so a processing backlog is certainly understandable.

--Lauren--

P.S.  Newsflash!  There may be further minor delay in Pacific Bell's
      activation of CNID.  News reports today indicated that Pacific has
      determined that large numbers of their blocking status notification
      status letters were incorrect, informing subscribers that they had the
      opposite blocking status than was actually the case.  Pacific is
      hoping to send out correction letters by July 1.  However, it would
      still be safest to assume that CNID has started now, or could start at
      any time.  I might note that both Pacific Bell's and GTE's notification
      letters did not include any clue as to *which* phone number a given
      letter was referring to, creating a confusing situation for any
      subscribers with more than one telephone line!

--LW--

------------------------------

Date:    Sat, 8 Jun 1996 23:02:30 +0200
From:    rrr@dds.nl (ReindeR Rustema)
Subject: Publishing on the net and old usenet postings

Currently I'm writing something for school about Privacy and the internet.
Most literature on the matter is about encryption of e-mail messages and
similar concerns. Encryption is seen as *the* solution for the protection
of privacy.

For protection of e-mail that might be fine, but what about Usenet or
personal homepages? It's now possible for anybody to publish anything about
anybody else. By doing so, possibly deliberately or undeliberately invading
somebody else's privacy. Journalists and other professionals usually have
some kind of ethical code concering the publishing of information about
individuals. They have a certain accountability to the code to stay in the
profession. For individuals this is not the case, besides netiquette
perhaps.

I explain in my paper that the inherent morale of the digital technique is
that it'll register everything and it won't forget. What will happen with
your 5 year old usenet postings is beyond your reach. With a search engine
like DejaNews it's possible to trace back all old postings from somebody.
While you're in one posting more or less anonimously giving away real
private information, in another 3 year old posting selling a computer you
might have given your phonenumber or more. Besides postings to usenet
people also leave info by signing guestbooks on webpages etc.

The digital technology makes everybody sort of transparent because you can
combine all different data on somebody. While the whole idea of privacy
rests on respect for the autonomy of a humanbeing, that people decide for
themselves what kind of info they pass on and what not.

I can't undo everything I did on the net the last couple of years, but my
future employer will be able to read most of it though...

Off course, you can ask DejaNews to make yourself unlisted completely but I
don't want that. I want people to read my postings (and find them back
using DejaNews perhaps) but it's the fact that everything is presented
combined together what's scary. Besides DejaNews you can also use Altavista
or other devices off course.

Anonymous remailers are not a perfect solution either because you'd have to
use them allways. And you'd allways have to take different identities. Just
one anonymous digital identity won't do since it will be internally
consistent. Only one reference to the real identity would blow it apart and
a missing link is easily typed in the heat of a usenet discussion for
example. Not everybody is such a good actor or would want to bother about
it to keep up the appearances of another identity.

And besides, most of the time you don't want to hide behind an anonymous
identity. This message is a good example.

It seems that some people's dogma:

  * "Our lives will inevitably become visible to others, so the
     real issue is mutual visibility, achieving a balance of power
     by enabling us to watch the people who are watching us."

all ready became true. I don't have a problem really with the fact that all
about me becomes visible to others. It's just that I'd rather not see *all*
available to *everybody*.

Did we create with the internet a sort of Frankenstein that will come back
to haunt us? :-)

vriendelijke groeten,

ReindeR
(student in communications, University of Amsterdam)

------------------------------

Date:    Sat, 08 Jun 96 16:17:21 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Re: Publishing on the net and old usenet postings 

This is an extremly significant topic, and one I discuss frequently.  Having
been writing publicly via ARPANET/Internet since the early 70's, there is a
vast quantity of my writings and public messages now online, going back to my
college days at UCLA.  I don't feel uncomfortable with any of it being out
there, since in general I always figured I was writing to a public audience
and that public meant *public*--forever.  Is availability of the archived
public materials really a problem in and of itself?  I personally I don't so.

It seems likely that persons who don't feel comfortable with their public
writings being permanently archived and available will need to decide if
they want to write publicly on the Internet (or similar venues) in the first
place.  It's much the same as politicians, judges, and others who find their
early speeches and writings scrutinized when they come up for new offices or
appointments.  Such processes have been going on for a very long time,
though without a doubt the vast increases in online storage capacity,
advanced search engines, and similar technological developments have brought
the cost to perform amazingly detailed seaches regarding anyone's public
writings on the Internet (or many other places) down close to zero.

One problem is that many persons new to these systems simply don't realize
that their public writings (and most private email) on the net are routinely
archived (the former for later public access, the latter typically only for
system backup purposes, not for public availability!).  Many new users are
still thinking in terms of personal telephone calls, which normally don't
have a prolonged existence.  Education of users as to the possible
ramifications of public statements on the network is key to helping resolve
these concerns.

Issues of misinformation, propaganda, libel, etc. (and the ability of any
misinformation or other lies to stay around "forever" on the net) are a
different matter and a terribly serious one, but no non-draconian solutions
are obvious.  The essential character of the Internet, allowing individuals
to potentially reach masses of persons (very cheaply--or free) without
intervening truthfulness, sanity, reality, editorial, or other checks, is
something the world has never seen before. 

I am not convinced that truth will necessarily overcome lies in this
regard.  Persons whose goal is to spread misinformation are usually much
more willing to saturate the net with their materials in an abusive manner
than would be the target of such actions with a rebuttal.  The result--the
original misinformation is much more widespread, probably more memorable for
being inflammatory in the first place, and may well show up in later
searches without any rebuttal attached.  But are there solutions that
wouldn't entail egregious free speech limitations?  I hope so.  Probably the
worst scenarios involve "anonymous" attacks, where existing libel laws--one
of the few legal remedies available, can be rendered impotent.

Many of us who were on the net starting in the earliest ARPANET days
recognized the potential power of the medium even then, even with the
relatively tiny and highly skewed (toward high-level technical individuals
at a very limited number of locations) user community of the time.  But it
*was* a very small community by today's standards, and we knew that with
very few exceptions nobody in the community would be abusive.

I don't think that any of us really anticipated the explosive growth and
infrastructural changes that would very suddenly place these tools, grown by
orders of magnitude in their reach, speed, and influence, but still
much the same as our original designs in many fundamental aspects, in
the hands of essentially the entire world's population.  But the genie is
most certainly out of the bottle, and our goal now must be to do our utmost
to try steer the almost unimaginable forces unleashed towards good, however
challenging the task, and however many setbacks we might endure.  There are
no guarantees of success by any means.  But it should be interesting.

--Lauren--

------------------------------

Date:    03 Jun 96 11:00:22 -0700
From:    "MADAVIDS.US.ORACLE.COM" <MADAVIDS@us.oracle.com>
Subject: Re: Protection and Parental Empowerment Act
 
At the risk of opposing motherhood and apple pie, the Children's Privacy 
Protection and Parental Empowerment Act, IMHO, appears to value 'children' and 
'children's privacy'  more than 'adults' and 'adults' privacy.' The argument 
that pedophiles can use direct marketing databases to stalk children can also 
be made of con artists looking for the moneyed elderly, or serial rapists 
looking for vulnerable women living alone. Are these demographic groups less 
deserving of protection from harm than children?   
 
I believe it is a worthy goal to protect the privacy of *all* demographic 
information and limit resale by direct marketers, but to propose a bill like 
this on the grounds that children are 'more valuable' or 'more in need of 
protection' is spurious to other groups (i.e. all the rest of us) who can make 
similar claims of potential endangerment and violation of privacy. Either we 
all warrant this sort of legislative protection, or none do.  
 
Mary Ann Davidson 
madavids@us.oracle.com  
 
The opinions expressed above are mine alone.

------------------------------

Date:    Thu, 6 Jun 1996 14:49:11 -0400 (EDT)
From:    Charles Trew <ctrew@CapAccess.org>
Subject: P-TRAK on LEXIS-NEXIS

     I recently heard about a service being offered by LEXIS-NEXIS in 
their "Finder Library." It is called P-TRAK (as in people tracker).
     The information for this searchable database is apparently being 
provided by our friends at TransUnion, one of the big credit services 
companies.
     Using the database one can search for people by using name, address, 
phone number, and *social security number* (as well as some other avenues).
     This is second-hand information for me and I was wondering if anyone 
has heard about this. The person I heard this from said that one could 
call TransUnion at (312) 466-7812 and have their name removed from the 
database.
     Any takers?

     Charlie Trew
     Washington, DC

------------------------------

Date:    Sun, 9 Jun 1996 15:21:03 -0700 (PDT)
From:    Phil Agre <pagre@weber.ucsd.edu>
Subject: genetic screening and privacy

The June 9 issue of the London Sunday Times includes an article entitled
"Mass screening for 'delinquency' gene planned".  It reports that the
UK Department of Health has commissioned a study to investigate ways
of testing potential carriers of a genetic defect called "Fragile X
Syndrome".  People born with the syndrome, it is said, are mentally
handicapped and aggressive.

Whether the syndrome really exists has been controversial.  But if
the problem were framed as a "retardation gene" or a "genetic brain
disease" then it would probably not be as controversial as all that.
What really makes it controversial is the suggestion, cited in the
article's title, that the gene constitutes a "delinquency gene".
Fragile X Syndrome is exhibit A for a scientific movement to identify
genetic bases of criminality.  The very idea has caused immense upset
because of the long history of pseudoscience, much of it dressed up
in the most respectable of clothing in its day, which has interpreted
criminality as a genetic defect linked to a person's race or class.
Such theories have served as a pretext for all kinds of regressive
policies and cultural attitudes, and as arguments against ameliorative
social programs.  Even in very recent times, arguments have been made
for the genetic basis of mental illnesses and then later retracted.

The research behind such theories is generally highly problematic.
A common method is to correlate parents' traits with childrens', and
to present any significant correlation as evidence of inheritance.
Another method is to correlate traits of twins separated at birth.
Although such studies are convincing to many people, in fact twins
are rarely literally separated at birth, so that the average age of
separation in a given study may be as high as two years.  Besides,
twins are born at the same time into the same society, and so they
will be raised in the same cultural atmosphere, economic conditions,
media, and so forth.  At least the "Fragile X Syndrome" relates to
a specific, testable property of the genome, even if the syndrome
itself is somewhat vague in definition.

The privacy issue here concerns labeling.  Someone who has been
diagnosed as possessing certain genetic traits is at risk of being
stereotyped as a potential aggressor (or whatever the gene is
supposed to code for) even if no such traits have been exhibited.
Such a diagnosis could easily stigmatize a person for life.

Phil Agre

------------------------------

Date: Sat, 18 May 1996 14:11 -0400
From: Bob_Frankston@frankston.com
Subject: Access to psychiatric records

    [  From Risks-Forum Digest; Volume 18 : Issue 16  -- MODERATOR ]

There is an article in *The Boston Globe* 18 May 1996 entitled "AG to probe
access to psychiatric records". As usual, one has to guess what is really
going on and who is confused about what.

Apparently a local HMO has been including psychiatric records in its medical
history database. The first problem cited was the lack of effective access
control on that portion of the records. The HMO claims to have "..installed
software that limits access to the detailed notes ...".

The other problem is that, apparently, by placing the psychiatric history in 
the medical record it becomes available to insurance agencies once the 
patient has signed a release.

This seems to be a typical case of the computer forcing an issue that was
already lurking. Medical records are medical records. It seems that it was
an implicit (or even explicit) artifact of the paper system that the access
was controlled and, perhaps, the insurance companies did not get access. And
this was probably a good policy. But it might not have been legal if the
insurance companies have access to all records.

As an aside, I think that under Massachusetts law that patient has access to 
all records which would presumably including the psychiatric transcripts. And 
records mean any scribbles. Am I wrong on this?

Is this a matter of an issue being forced by the computerization? Does that 
mean we must go back to shoeboxes so that records can be "lost" in order 
protect privacy?

------------------------------

Date: 8 Jun 1996 01:38:13 GMT
From: hgoldste@bbs.mpcs.com (Howard Goldstein)
Subject: HTTP cookie privacy risk

   [ From Risks-Forum Digest; Volume 18 : Issue 19  -- MODERATOR ]

I recently installed Netscape 3.0b4, a beta version, to try out the new
(compared to 1.1N) features and see how well FreeBSD runs foreign binaries.

One of the new features, a security feature strangely categorized as a
'network' feature, queries the user before allowing "cookies" to be set.
Out of curiousity I set it so as to find out how often this feature was
invoked.  Cookies (discussed in earlier RISKS volumes, I seem to recall)
[YES: RISKS-14.36, 17.89.  PGN] are documented at
http://www.netscape.com/newsref/std/cookie_spec.html .

I was surprised to find that every night for the last two weeks after
enabling this I've been handed a "cookie" by a site I never knowingly
visited, at http://ad.doubleclick.net .

Upon visiting this site I discovered they engage in attempts to collect
various data about web users including their o/s.  Why they feel it
necessary to 'ping' me each night to set a cookie I do not know, but it
seems they are also collecting data about browser usage.  Such a statistic
regarding times online while in a browser would seem valuable from a
marketing standpoint.

While cookies may be useful when voluntary and insofar as they may be
helpful to the user (as I feel the cookie I'm handed that avoids an access
validator for a particular newspaper's site).  Cookies from marketing
companies benefit me not.

Categorize this as a risk to users of older netscapes lacking the
conditional-cookie setting?  Or to advertisers who will find their targets
are hidden behind "mini" HTTP firewalls that hide the users from cookies
along with advertisement filter such as the one being tested by a North
Carolina startup?

Howard Goldstein   <hg@n2wx.ampr.org>

------------------------------

End of PRIVACY Forum Digest 05.12
************************

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH