|
PRIVACY Forum Digest Saturday, 15 June 1996 Volume 05 : Issue 12 Moderated by Lauren Weinstein (lauren@vortex.com) Vortex Technology, Woodland Hills, CA, U.S.A. ===== PRIVACY FORUM ===== ------------------------------------------------------------------- The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, "internetMCI" (a service of the Data Services Division of MCI Telecommunications Corporation), and Cisco Systems, Inc. - - - These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum. ------------------------------------------------------------------- CONTENTS PRIVACY Briefs (Lauren Weinstein; PRIVACY Forum Moderator) Caller ID in California may be active now (plus Newsflash) (Lauren Weinstein; PRIVACY Forum Moderator) Publishing on the net and old usenet postings (ReindeR Rustema) Re: Publishing on the net and old usenet postings (Lauren Weinstein; PRIVACY Forum Moderator) Re: Protection and Parental Empowerment Act (Mary Ann Davidson) P-TRAK on LEXIS-NEXIS (Charles Trew) Genetic screening and privacy (Phil Agre) Access to psychiatric records (Bob Frankston) HTTP cookie privacy risk (Howard Goldstein) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access. ----------------------------------------------------------------------------- VOLUME 05, ISSUE 12 Quote for the day: "You'll make a tasty morsel for my dragon!" -- Lodac (Basil Rathbone) "The Magic Sword" (United Artists; 1962) ---------------------------------------------------------------------- PRIVACY Briefs (from the Moderator) --- In a move widely reported as a landmark decision affecting "Constitutional rights in cyberspace", a three judge federal panel turned thumbs down on the "Communications Decency Act" (CDA) provisions of the new Telecommunications Act, which would have imposed broadcast-type indecency standards and other onerous restrictions on the Internet and similar systems. No immediate impact from this decision is likely, since the provisions of the law were not being enforced during the panel's deliberations. The judges have now granted a formal injunction against enforcement of the provisions. However, these issues are far from resolved. The Act is now nearly certain to move onward directly to the Supreme Court. If it is similarly rejected there, which many observers feel is likely, the legislation's sponsors have promised to enact new Internet legislation that would be crafted to pass judicial scrutiny the next time around, a possibility that experts consider to not be unfeasible. The CDA was, in the opinion of many, poorly written and overly broad, and those parties who fought successfully against it to the current level are to be congratulated. We should keep in mind however, that the CDA aside, there are aspects of the Internet that are causing concerns (some of them justified!) around the world, and we have but scratched the surface of these issues. Lots more to come... --- California air quality officials are considering a formal study of tiny transmitters that could be installed in automobile engines to automatically "report" polluting vehicles to authorities. Other potential possibilities for such transmitters are left as an exercise to the reader. --- Law enforcement officials have expressed interest in the possibility of mandated "kill" systems in future autos which would permit authorities (or presumably anyone else with the appropriate equipment) to remotely disable a vehicle's electrical system. Such a mechanism is promoted as a means to reduce the need for dangerous high speed chases, which annually result in both property damage and innocent lives lost. ------------------------------ Date: Fri, 14 Jun 96 15:20 PDT From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Caller ID in California may be active now (plus Newsflash) Greetings. According to information contained in a Pacific Bell press release, and other sources, it is possible that Pacific Bell has begun passing CNID information by today. In any case, it could be activated at any time, and some of the smaller telcos have already begun passing the data. The issue for Pacific and GTE continues to be the backlog of blocking status notifications that they're trying to clear. Since they're starting to catch up it appears that they may not be needing the full 30 day (to July 1) delay they were originally granted, and can proceed when ready. According to some reports, in one 72 hour period Pacific Bell received 2 million requests for "complete" (per-line) CNID blocking, so a processing backlog is certainly understandable. --Lauren-- P.S. Newsflash! There may be further minor delay in Pacific Bell's activation of CNID. News reports today indicated that Pacific has determined that large numbers of their blocking status notification status letters were incorrect, informing subscribers that they had the opposite blocking status than was actually the case. Pacific is hoping to send out correction letters by July 1. However, it would still be safest to assume that CNID has started now, or could start at any time. I might note that both Pacific Bell's and GTE's notification letters did not include any clue as to *which* phone number a given letter was referring to, creating a confusing situation for any subscribers with more than one telephone line! --LW-- ------------------------------ Date: Sat, 8 Jun 1996 23:02:30 +0200 From: rrr@dds.nl (ReindeR Rustema) Subject: Publishing on the net and old usenet postings Currently I'm writing something for school about Privacy and the internet. Most literature on the matter is about encryption of e-mail messages and similar concerns. Encryption is seen as *the* solution for the protection of privacy. For protection of e-mail that might be fine, but what about Usenet or personal homepages? It's now possible for anybody to publish anything about anybody else. By doing so, possibly deliberately or undeliberately invading somebody else's privacy. Journalists and other professionals usually have some kind of ethical code concering the publishing of information about individuals. They have a certain accountability to the code to stay in the profession. For individuals this is not the case, besides netiquette perhaps. I explain in my paper that the inherent morale of the digital technique is that it'll register everything and it won't forget. What will happen with your 5 year old usenet postings is beyond your reach. With a search engine like DejaNews it's possible to trace back all old postings from somebody. While you're in one posting more or less anonimously giving away real private information, in another 3 year old posting selling a computer you might have given your phonenumber or more. Besides postings to usenet people also leave info by signing guestbooks on webpages etc. The digital technology makes everybody sort of transparent because you can combine all different data on somebody. While the whole idea of privacy rests on respect for the autonomy of a humanbeing, that people decide for themselves what kind of info they pass on and what not. I can't undo everything I did on the net the last couple of years, but my future employer will be able to read most of it though... Off course, you can ask DejaNews to make yourself unlisted completely but I don't want that. I want people to read my postings (and find them back using DejaNews perhaps) but it's the fact that everything is presented combined together what's scary. Besides DejaNews you can also use Altavista or other devices off course. Anonymous remailers are not a perfect solution either because you'd have to use them allways. And you'd allways have to take different identities. Just one anonymous digital identity won't do since it will be internally consistent. Only one reference to the real identity would blow it apart and a missing link is easily typed in the heat of a usenet discussion for example. Not everybody is such a good actor or would want to bother about it to keep up the appearances of another identity. And besides, most of the time you don't want to hide behind an anonymous identity. This message is a good example. It seems that some people's dogma: * "Our lives will inevitably become visible to others, so the real issue is mutual visibility, achieving a balance of power by enabling us to watch the people who are watching us." all ready became true. I don't have a problem really with the fact that all about me becomes visible to others. It's just that I'd rather not see *all* available to *everybody*. Did we create with the internet a sort of Frankenstein that will come back to haunt us? :-) vriendelijke groeten, ReindeR (student in communications, University of Amsterdam) ------------------------------ Date: Sat, 08 Jun 96 16:17:21 PDT From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Re: Publishing on the net and old usenet postings This is an extremly significant topic, and one I discuss frequently. Having been writing publicly via ARPANET/Internet since the early 70's, there is a vast quantity of my writings and public messages now online, going back to my college days at UCLA. I don't feel uncomfortable with any of it being out there, since in general I always figured I was writing to a public audience and that public meant *public*--forever. Is availability of the archived public materials really a problem in and of itself? I personally I don't so. It seems likely that persons who don't feel comfortable with their public writings being permanently archived and available will need to decide if they want to write publicly on the Internet (or similar venues) in the first place. It's much the same as politicians, judges, and others who find their early speeches and writings scrutinized when they come up for new offices or appointments. Such processes have been going on for a very long time, though without a doubt the vast increases in online storage capacity, advanced search engines, and similar technological developments have brought the cost to perform amazingly detailed seaches regarding anyone's public writings on the Internet (or many other places) down close to zero. One problem is that many persons new to these systems simply don't realize that their public writings (and most private email) on the net are routinely archived (the former for later public access, the latter typically only for system backup purposes, not for public availability!). Many new users are still thinking in terms of personal telephone calls, which normally don't have a prolonged existence. Education of users as to the possible ramifications of public statements on the network is key to helping resolve these concerns. Issues of misinformation, propaganda, libel, etc. (and the ability of any misinformation or other lies to stay around "forever" on the net) are a different matter and a terribly serious one, but no non-draconian solutions are obvious. The essential character of the Internet, allowing individuals to potentially reach masses of persons (very cheaply--or free) without intervening truthfulness, sanity, reality, editorial, or other checks, is something the world has never seen before. I am not convinced that truth will necessarily overcome lies in this regard. Persons whose goal is to spread misinformation are usually much more willing to saturate the net with their materials in an abusive manner than would be the target of such actions with a rebuttal. The result--the original misinformation is much more widespread, probably more memorable for being inflammatory in the first place, and may well show up in later searches without any rebuttal attached. But are there solutions that wouldn't entail egregious free speech limitations? I hope so. Probably the worst scenarios involve "anonymous" attacks, where existing libel laws--one of the few legal remedies available, can be rendered impotent. Many of us who were on the net starting in the earliest ARPANET days recognized the potential power of the medium even then, even with the relatively tiny and highly skewed (toward high-level technical individuals at a very limited number of locations) user community of the time. But it *was* a very small community by today's standards, and we knew that with very few exceptions nobody in the community would be abusive. I don't think that any of us really anticipated the explosive growth and infrastructural changes that would very suddenly place these tools, grown by orders of magnitude in their reach, speed, and influence, but still much the same as our original designs in many fundamental aspects, in the hands of essentially the entire world's population. But the genie is most certainly out of the bottle, and our goal now must be to do our utmost to try steer the almost unimaginable forces unleashed towards good, however challenging the task, and however many setbacks we might endure. There are no guarantees of success by any means. But it should be interesting. --Lauren-- ------------------------------ Date: 03 Jun 96 11:00:22 -0700 From: "MADAVIDS.US.ORACLE.COM" <MADAVIDS@us.oracle.com> Subject: Re: Protection and Parental Empowerment Act At the risk of opposing motherhood and apple pie, the Children's Privacy Protection and Parental Empowerment Act, IMHO, appears to value 'children' and 'children's privacy' more than 'adults' and 'adults' privacy.' The argument that pedophiles can use direct marketing databases to stalk children can also be made of con artists looking for the moneyed elderly, or serial rapists looking for vulnerable women living alone. Are these demographic groups less deserving of protection from harm than children? I believe it is a worthy goal to protect the privacy of *all* demographic information and limit resale by direct marketers, but to propose a bill like this on the grounds that children are 'more valuable' or 'more in need of protection' is spurious to other groups (i.e. all the rest of us) who can make similar claims of potential endangerment and violation of privacy. Either we all warrant this sort of legislative protection, or none do. Mary Ann Davidson madavids@us.oracle.com The opinions expressed above are mine alone. ------------------------------ Date: Thu, 6 Jun 1996 14:49:11 -0400 (EDT) From: Charles Trew <ctrew@CapAccess.org> Subject: P-TRAK on LEXIS-NEXIS I recently heard about a service being offered by LEXIS-NEXIS in their "Finder Library." It is called P-TRAK (as in people tracker). The information for this searchable database is apparently being provided by our friends at TransUnion, one of the big credit services companies. Using the database one can search for people by using name, address, phone number, and *social security number* (as well as some other avenues). This is second-hand information for me and I was wondering if anyone has heard about this. The person I heard this from said that one could call TransUnion at (312) 466-7812 and have their name removed from the database. Any takers? Charlie Trew Washington, DC ------------------------------ Date: Sun, 9 Jun 1996 15:21:03 -0700 (PDT) From: Phil Agre <pagre@weber.ucsd.edu> Subject: genetic screening and privacy The June 9 issue of the London Sunday Times includes an article entitled "Mass screening for 'delinquency' gene planned". It reports that the UK Department of Health has commissioned a study to investigate ways of testing potential carriers of a genetic defect called "Fragile X Syndrome". People born with the syndrome, it is said, are mentally handicapped and aggressive. Whether the syndrome really exists has been controversial. But if the problem were framed as a "retardation gene" or a "genetic brain disease" then it would probably not be as controversial as all that. What really makes it controversial is the suggestion, cited in the article's title, that the gene constitutes a "delinquency gene". Fragile X Syndrome is exhibit A for a scientific movement to identify genetic bases of criminality. The very idea has caused immense upset because of the long history of pseudoscience, much of it dressed up in the most respectable of clothing in its day, which has interpreted criminality as a genetic defect linked to a person's race or class. Such theories have served as a pretext for all kinds of regressive policies and cultural attitudes, and as arguments against ameliorative social programs. Even in very recent times, arguments have been made for the genetic basis of mental illnesses and then later retracted. The research behind such theories is generally highly problematic. A common method is to correlate parents' traits with childrens', and to present any significant correlation as evidence of inheritance. Another method is to correlate traits of twins separated at birth. Although such studies are convincing to many people, in fact twins are rarely literally separated at birth, so that the average age of separation in a given study may be as high as two years. Besides, twins are born at the same time into the same society, and so they will be raised in the same cultural atmosphere, economic conditions, media, and so forth. At least the "Fragile X Syndrome" relates to a specific, testable property of the genome, even if the syndrome itself is somewhat vague in definition. The privacy issue here concerns labeling. Someone who has been diagnosed as possessing certain genetic traits is at risk of being stereotyped as a potential aggressor (or whatever the gene is supposed to code for) even if no such traits have been exhibited. Such a diagnosis could easily stigmatize a person for life. Phil Agre ------------------------------ Date: Sat, 18 May 1996 14:11 -0400 From: Bob_Frankston@frankston.com Subject: Access to psychiatric records [ From Risks-Forum Digest; Volume 18 : Issue 16 -- MODERATOR ] There is an article in *The Boston Globe* 18 May 1996 entitled "AG to probe access to psychiatric records". As usual, one has to guess what is really going on and who is confused about what. Apparently a local HMO has been including psychiatric records in its medical history database. The first problem cited was the lack of effective access control on that portion of the records. The HMO claims to have "..installed software that limits access to the detailed notes ...". The other problem is that, apparently, by placing the psychiatric history in the medical record it becomes available to insurance agencies once the patient has signed a release. This seems to be a typical case of the computer forcing an issue that was already lurking. Medical records are medical records. It seems that it was an implicit (or even explicit) artifact of the paper system that the access was controlled and, perhaps, the insurance companies did not get access. And this was probably a good policy. But it might not have been legal if the insurance companies have access to all records. As an aside, I think that under Massachusetts law that patient has access to all records which would presumably including the psychiatric transcripts. And records mean any scribbles. Am I wrong on this? Is this a matter of an issue being forced by the computerization? Does that mean we must go back to shoeboxes so that records can be "lost" in order protect privacy? ------------------------------ Date: 8 Jun 1996 01:38:13 GMT From: hgoldste@bbs.mpcs.com (Howard Goldstein) Subject: HTTP cookie privacy risk [ From Risks-Forum Digest; Volume 18 : Issue 19 -- MODERATOR ] I recently installed Netscape 3.0b4, a beta version, to try out the new (compared to 1.1N) features and see how well FreeBSD runs foreign binaries. One of the new features, a security feature strangely categorized as a 'network' feature, queries the user before allowing "cookies" to be set. Out of curiousity I set it so as to find out how often this feature was invoked. Cookies (discussed in earlier RISKS volumes, I seem to recall) [YES: RISKS-14.36, 17.89. PGN] are documented at http://www.netscape.com/newsref/std/cookie_spec.html . I was surprised to find that every night for the last two weeks after enabling this I've been handed a "cookie" by a site I never knowingly visited, at http://ad.doubleclick.net . Upon visiting this site I discovered they engage in attempts to collect various data about web users including their o/s. Why they feel it necessary to 'ping' me each night to set a cookie I do not know, but it seems they are also collecting data about browser usage. Such a statistic regarding times online while in a browser would seem valuable from a marketing standpoint. While cookies may be useful when voluntary and insofar as they may be helpful to the user (as I feel the cookie I'm handed that avoids an access validator for a particular newspaper's site). Cookies from marketing companies benefit me not. Categorize this as a risk to users of older netscapes lacking the conditional-cookie setting? Or to advertisers who will find their targets are hidden behind "mini" HTTP firewalls that hide the users from cookies along with advertisement filter such as the one being tested by a North Carolina startup? Howard Goldstein <hg@n2wx.ampr.org> ------------------------------ End of PRIVACY Forum Digest 05.12 ************************