
Privacy Digest 6.16 11/20/97

The following document is from the PRIVACY Forum Archive at 
Vortex Technology, Woodland Hills, California, U.S.A.

For direct web access to the PRIVACY Forum and PRIVACY Forum Radio,
including detailed information, archives, keyword searching, and 
related facilities, please visit the PRIVACY Forum via the web URL:

    http://www.vortex.com

-----------------------------------------------------------------------

PRIVACY Forum Digest      Thursday, 20 November 1997      Volume 06 : Issue 16

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
	                 http://www.vortex.com 

                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
                 The PRIVACY Forum is supported in part by
                    the ACM (Association for Computing)     
	         Committee on Computers and Public Policy,      
          "internetMCI" (a service of the Data Services Division         
                  of MCI Telecommunications Corporation), 
	  	  Cisco Systems, Inc., and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
	The ATM Debit Card Switcheroo 
	   (Lauren Weinstein; PRIVACY Forum Moderator)
	New gadget at Mobil stations, automatic ID? (Mike Gardiner)
	The Hazards of Humour... (Robert Taylor)
	PROFS: Court Decision 10/22/97 (Eddie Becker)
	"Son of CDA" Ignores Supreme Court Ruling, ACLU Says (Emily Whitfield)
	Technology and Privacy: The New Landscape (Phil Agre)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic list handling system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the list handling system.  Please follow the instructions above
for getting the "help" information, which includes details regarding the 
"index" and "get" commands, which are used to access the PRIVACY Forum 
archive via the list handling system.

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL:  "http://www.vortex.com"; full
keyword searching of all PRIVACY Forum files is available via WWW access.
-----------------------------------------------------------------------------

VOLUME 06, ISSUE 16

   Quote for the day:

	"They're here already!  You're next!"

	    -- Dr. Miles J. Binnell (Kevin McCarthy)
	       "Invasion of the Body Snatchers" (Allied Artists; 1956)

----------------------------------------------------------------------

Date:    Thu, 20 Nov 97 19:46 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: The ATM Debit Card Switcheroo

Greetings.  Longtime readers of this digest know that I have rather mixed
feelings about massive Wells Fargo Bank when it comes to security and
privacy issues.  When they were among the first to institute user-selected
passcodes to control telephone access to accounts, I publicly applauded.  On
the other hand, I've condemned their moves to terminate neighborhood bank
branches in favor of noisy, crowded, and privacy-unfriendly 
"supermarket branches".  So it's been a mixed bag.

Unfortunately, that bag just got substantially more moldy.  Wells is
in the process at this time of the unsolicited replacing of apparently
millions of current ATM cards with what they call "ATM and Check Cards".
What these really are is combined ATM and *debit* cards (apparently
Wells doesn't like using the word "debit"--it doesn't appear
anywhere in the literature that accompanies the cards).

These cards, which are branded with the MC credit card logo, replace
customers' current ATM cards, which customers are informed will "expire
shortly".  Customers need to call a toll-free number from their home phone
(obviously for ANI phone number verification--which essentially is a
non-blockable caller-ID) to activate their new cards.  Also buried in the
pile of material accompanying the card, is a number to call if for some
reason the customer would prefer to keep using their old non-debit ATM card
instead.  (This second number is actually just the normal Wells toll-free
customer service number--you need to work your way to an operator to
"cancel" the new card.)

Wells Fargo customers (and customers of other banks) might well want to
consider refusing these sorts of debit cards--or making sure you never use
them except in an ATM.  While the card seems to add convenience at first
glance, in reality it is a big step *backwards* toward PIN-less access by
others to your money, with a range of potential problems--it could actually
be more dangerous than a conventional credit card!

A debit card of the kind Wells is distributing is used like a credit card.
Anywhere a MC would be accepted, the new card can be used.  The banks
promote this as a major value of the card (along with some credit-card like
"purchase protection" programs).  But just like with a real credit card, no
PIN is needed for purchases, only a signature.  And not even the signature
is required for telephone purchases, again, just like a conventional credit
card.

But unlike credit cards, the debit card doesn't result in a bill mailed to
you later, rather, it draws money immediately from your checking account.
Banks love this--it's like instant money with no float (the merchant pays
the same percentage for accepting the debit card as he or she would for a
normal credit card purchase).  But with a "real" credit card, you have a
chance to go over your bill and search for erroneous purchases *before*
paying.  Sure, it's a hassle if someone uses your credit card number for
unauthorized purchases, but a debit card usable without a PIN opens up a
whole new dimension.

The problem of course is that since the debit card draws immediately from
your checking account, without the protection of a PIN, anyone who has ever
seen your debit card, and has the number and expiration date, could use it
for purchases which will immediately draw down your checking account.  When
you get your monthly checking statement, these purchases will be
itemized--but the money has *already* long since been pulled from your
checking account by the time you get the statement.  Folks who check their
account status online every day will be in better shape, but most people
don't do this and shouldn't need to.  

Having your checking account suddenly go dropping down toward zero has an
important side-effect.  The legitimate checks you've written can start
merrily bouncing, unless you're fortunate enough to have plenty of money in
an associated "overdraft" account of some sort.

Wells suggests that there are protections built into their debit card
system.  You're not responsible for purchases made by unauthorized parties
if you notify Wells what's going on.  That's well and good, but hardly
compensates for the hassle of bounced checks with potentially numerous
entities that can result from misuse of your debit card numbers.  Wells also
points out that there is a daily limit on debit card activity.  This is
true, but as far as I can tell that limit has no obvious relationship to the
amount of money in the checking account.  In cases I've seen myself, the
assigned daily limit was up to 10 times the average account balance!

PIN-less access of this sort to checking accounts is full of problems.  The
account can be accessed without a physical check, without a PIN, and without
your immediate knowledge.  For anyone who has "real" credit cards, ones
which bill and are paid conventionally, there seems to be little benefit (for
the customer!) to a debit card of this sort, at least compared with the
negatives and potential hassles that could result.  Even persons without
real credit cards might wish to think long and hard about the wisdom of
using a card that could so easily result in their checking account being
drained and their checks being bounced.

The irony of all this is that at a time when what we really need is some
form of PIN protection on conventional credit cards, the introduction
(especially unsolicited) of a PIN-less financial instrument of this sort
can only be viewed as a very bad idea.  The losses that are certain
to accrue will no doubt be handled like the untold millions in credit
card losses each year, via higher costs and bank fees for merchants and
other customers alike.

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date:    Wed, 12 Nov 1997 23:39:55 -0500 (EST)
From:    Mike Gardiner <mwg@mail.msen.com>
Subject: New gadget at Mobil stations, automatic ID?

I stopped at a Mobil station the other day, and noticed a new assembly
bolted to the pumps.  Being a gadget-type, I asked the cashier what the
new gear was for.  I suppose by now I should learn to assume stupidity
on the part of new technology, but I was still surprised and unsettled
by the answer I got.

The new gear is an antenna assembly that interacts with a small
transmitter that you carry in your car, they recommend that you stick
it to your dash with velcro.  When you pull up to the pump, it reads
your transmitter (transponder?) and by the time you get out of the car
to pump gas, all the approvals have been done, you just select your
gas grade and go.  The pump is active while you are there, and goes
inactive when you pull away.  Your gas is charged to the credit card
you selected when you applied for the transmitter.

The cashier couldn't understand why I thought this was frightening.
My avoidance of credit cards and their Speedpass device (a small plastic
tube that you wave past a sensor on the pump, proximity-card style,
which also charges a credit card selected at signup time)
was likewise a mystery.  The question I got was "what could anyone
do with that information?"  Beyond my standard "You'd be amazed."
I didn't even try to explain it.

I have taken to avoiding credit cards for gas unless I am
tapped out of cash precisely because of the neat little travelog
it leaves on your bill, and I'm making a point of using a small
group of ATMs to avoid the same effect on my bank statements.

Aside from the privacy implications, if you forget about the
transmitter when your car is stolen, you could get an incredible
shock the following month when your credit card bill arrives in
a crate, if your provider does not have fraud-spotting software
(which is a whole 'nother can of worms) to limit the damage.  A
high credit limit in such a situation could be real nasty.

Then there's what low-tolerance fraud-spotting software could
do to an out-of-pattern road trip.

Depending on the range and directionality of the transmitter,
a sufficiently unscrupulous techie might be able to set up a
personal spotting point to trigger the transmitters when cars pass
by.  Want to find someone's car?  Buzz the lot with a transceiver
and wait for your victims' gas pass to trigger, then you only have
to look at a few cars to find it.

I can see cars getting smashed windshields just for the gas pass.
Stick it in your pocket and you could fuel several cars in a few hours.

This is quite an opposite to their Go card, essentially a limited
purpose cash card that I get when they have them.  The cards are handy
when I am in a hurry or the weather is rotten, and they preserve privacy
in that I introduce the registration card to Mr. Shredder, so that
the only useful information that can be found is the station that sold
them, and I'm not sure about that.  Drawback: the card is like cash in
that if stolen, remaining value goes with it.  The gas version of the
pre-paid phone card, except that the value spends at actual cost of
materials purchased.  The fact that registration is not forced may
be why the cards are not presently on sale.

The real sad thing is, I expect this to become very popular, in the grand
tradition of the public grabbing any small convenience without considering
the price to be paid.  I'll stick to cash and equivalents, thanks.

------------------------------

Date:    Mon, 03 Nov 1997 08:43:48 -0800
From:    Robert Taylor <rtaylor@vanhosp.bc.ca>
Subject: The Hazards of Humour...

A cautionary tale...

Every week, I receive a number of humourous emails from many friends and
associates. These range from jokes you could tell at the family table to
some which are extremely rude. The best of these I pass along to my own
distribution list, which comprises friends both inside and outside my
organization.

I recently received a phone call from a friend who is on this list. It
seems that he received from me some politically incorrect humour, which he
found most hilarious. He distributed it on to some folks in his office,
people he thought were of like mind.

Some days later, he received a call from his human resources department,
and was called in to see the director. His union representative was also
there. He was told that one of the recipients (unidentified) had complained
about the content of the email, and that this constituted sexual
harassment. He had to email everyone in the office to whom he had sent on
the material, apologise for it, and promise never to do it again. He also
has an official letter of reprimand in his file, which will stay there for
18 months.

Since he forwarded it on directly, the message header identified me (my
email address) as the source of the material. In this same meeting, the
human resources director said that he was considering contacting MY human
resources department and issuing a complaint against me. The union
representative suggested that it would be inappropriate to extend the
action outside of the corporation, so it has (apparently) been dropped.

When I pass any sort of internet humour along, I always cut and paste it
into a new email window, which strips all source headers from the message.
I also sent an email to people on my distribution list pointing out that
some of the material I forwarded could be considered improper, and asking
them to email me to confirm that they still wanted to receive it. I have
kept copies of the confirmations. So far, there have been no further
complaints.

Robert Taylor
Senior Support Analyst
Vancouver General Hospital

------------------------------

Date:    Fri, 24 Oct 1997 01:39:06 -0400 (EDT)
From:    Eddie Becker <ebecker@cni.org>
Subject: PROFS: Court Decision 10/22/97

Public Citizen Press Release  10/23/97
For immediate release: October 22, 1997
Contact: Michael Tankersley (202) 588-7728
         Brian Dooley (202) 588 7703
FEDERAL COURT RULES AGENCIES CANNOT
ROUTINELY DESTROY ELECTRONIC RECORDS
 
National Archivist Criticized for not Preserving Valuable Records

Washington, D.C. -- Researchers won a major victory today when U.S.
District Judge Paul L. Friedman of the District of Columbia ruled the
Archivist of the United States was wrong to allow federal agencies to
routinely destroy the electronic versions of word processing and
electronic mail records.
     The ruling came in a suit initiated by Public Citizen and other
plaintiffs in December, 1996, challenging the National Archives "General
Records Schedule 20."  Archivist John Carlin's General Record Schedule 20
gave blanket approval for all federal agencies to destroy all types of
electronic mail and word processing records if paper copies exist, without
any review of the value of the electronic records.
      In December 1996, the Archivist and the Executive Office of the
President asserted that this Schedule authorized the wholesale destruction
of thousands of electronic mail and word processing documents created on
computers of the Office of the United States Trade Representative and
other agencies.
     Michael Tankersley, an attorney with Public Citizen Litigation Group
and the lead counsel for the plaintiffs, welcomed today's ruling:  "This
decision thwarts the Archivist's effort to abdicate his responsibility to
distinguish between electronic records that are valuable and those that
are not, and will help insure that the historically valuable electronic
records are preserved."
     In today's decision, Judge Friedman held that General Records
Schedule 20, which has "a potential impact on every computer used by the
federal government," is null and void because the Archivist abdicated his
statutory responsibility when he adopted such a sweeping schedule.
     The Archivist's claim that he had the authority to approve the
wholesale destruction of all types of electronic records, regardless of
their content or purpose, was "irrational on its face" and inconsistent
with the Archivist's responsibility "to insure the protection and
preservation of valuable government records," Judge Friedman stated.
     Judge Friedman declared that electronic records often have "unique
and valuable features not found in paper print-outs of the records," and
the Archivist had breached his statutory duty by giving agencies "carte
blanche to destroy" such records without considering their administrative,
legal, research and other value.
     Judge Friedman found that the Archivist's decision to adopt a General
Schedule that not only covered agencies' housekeeping or administrative
records, but also allowed the destruction of program records concerning
each agency's unique mission, was unprecedented and improper.
     Plaintiffs in the suit are Public Citizen, the American Historical
Association, the Organization of American Historians, the National
Security Archive, the American Libraries Association, the Center for
National Security Studies, journalist Scott Armstrong, and researcher
Eddie Becker.  The defendants are Archivist of the United States John
Carlin, the Executive Office of the President, the Office of
Administration and United States Trade Representative.
                           #     #     #
Michael Tankersley
Public Citizen Litigation Group
1600 20th Street, NW
Washington, DC 20009
tankers@citizen.org

------------------------------

Date:    Thu, 13 Nov 1997 14:40:23 -0500 (EST)
From:	 Emilyaclu@aol.com
Subject: "Son of CDA" Ignores Supreme Court Ruling, ACLU Says

ACLU Says New Internet Censorship Statute 
Ignores Landmark Supreme Court Ruling

FOR IMMEDIATE RELEASE: Thursday, November 13, 1997
Contact: Emily Whitfield, (212) 549-2566

WASHINGTON--New legislation  aimed at banning online material deemed "harmful
to minors" would run roughshod over the landmark Supreme Court decision
affirming free speech on the Internet, the American Civil Liberties Union
said today.

The ACLU, which led the successful battle to defeat the unconstitutional
Communications Decency Act (CDA), said S. 1482, like the CDA, would restrict
adults from accessing constitutionally protected speech.  The bill was
introduced earlier this week by Sen. Dan Coats, R-IN, an original sponsor of
the ill-fated CDA.

Under the statute, commercial online distributors of material deemed "harmful
to minors" could be punished with up to six months in jail and a $50,000
fine.  The definition could include the virtual bookstore amazon.com or a
promotional site for a Hollywood movie, as well as Internet Service Providers
(ISPs) such as Microsoft and America Online, the ACLU said.  And unlike the
CDA, the statute applies only to web sites, not to chat rooms, e-mail or news
groups.

"By claiming that the bill addresses only web sites involved in commercial
distribution, Senator Coats says he is 'hunting with a rifle,' but in fact,
he has lobbed another virtual grenade into the heart of the Internet," said
Ann Beeson, an ACLU National Staff Attorney and member of the legal team that
defeated the CDA. 

Any business merely displaying material without first requiring a credit card
or other proof of age could be found liable under the statute, which
criminalizes commercial distribution of words or images that could be deemed
"harmful to minors," even if no actual sale is involved, Beeson said.

"This is the equivalent of having to pay a fee every time you want to browse
in the bookstore or watch a trailer for an R-rated  movie," Beeson said.  "As
the Supreme Court noted in its landmark decision,  requiring a credit card or
other age verification would impose a severe financial and logistical burden,
even on commercial websites."

The ACLU said there were serious constitutional problems as well with the
bill's definition of "harmful to minors."  In addition to using a vague
definition of what constitutes "harmful material,"  the bill does not make
any distinction between material that may be harmful to a six-year-old but
valuable for a 16-year-old, such as safer-sex information, said Chris Hansen,
an ACLU Senior Staff Attorney and member of the Reno v. ACLU legal team.  

Further, Hansen pointed out, unlike other "harmful to minors" statutes that
have been upheld in the courts, the bill does not define whose community
standard will be used to determine what material is harmful.  

"Invariably, those who decide what is harmful to a minor are going to be the
least tolerant members of a given community -- such as the group in Oklahoma
who sought to remove the award-winning film 'The Tin Drum' from local
libraries and video stores," Hansen said.

The Supreme Court's landmark decision striking down the CDA was issued on
June 26 of this year, 16 months after the law was enacted and the ACLU filed
its challenge.  In a ringing affirmation of online free speech, the Court
said that 'the interest in encouraging freedom of expression in a democratic
society outweighs any theoretical but unproven benefit of censorship.'  

"While we rejoiced in the Supreme Court's decision last June, we knew that
the battle was not yet over," said Solange Bitol, legislative counsel on
First Amendment issues for the ACLU's Washington National Office.  "When
Congress returns to session in the New Year, we will be ready for Round Two
in the battle to protect our free speech rights."

------------------------------

Date:    Thu, 6 Nov 1997 07:58:36 -0800 (PST)
From:    Phil Agre <pagre@weber.ucsd.edu>
Subject: Technology and Privacy: The New Landscape

Technology and Privacy: The New Landscape
  edited by
Philip E. Agre, University of California, San Diego

Marc Rotenberg, Electronic Privacy Information Center

MIT Press, 1997
Hardcover
ISBN: 0-262-01162-X
$25.00

Available through the EPIC Bookstore:

  http://www.epic.org/bookstore/

 Excerpts from the introduction can be found at:

    http://communication.ucsd.edu/pagre/landscape.html

 MIT Press Web site:

    http://mitpress.mit.edu/

			      ---

Privacy is the capacity to negotiate social relationships by
controlling access to personal information.  As laws, policies,
and technological design increasingly structure people's
relationships with social institutions, individual privacy faces
new threats and new opportunities.  Over the last several years,
the realm of technology and privacy has been transformed, creating
a landscape that is both dangerous and encouraging.  Significant
changes include large increases in communications bandwidths;
the widespread adoption of computer networking and public-key
cryptography; mathematical innovations that promise a vast family
of protocols for protecting identity in complex transactions; new
digital media that support a wide range of social relationships; a
new generation of technologically sophisticated privacy activists;
a massive body of practical experience in the development and
application of data-protection laws; and the rapid globalization
of manufacturing, culture, and policy making.

The essays in this book provide a new conceptual framework for
the analysis and debate of privacy policy and for the design and
development of information systems.  The authors are international
experts in the technical, economic, and political aspects of
privacy; the book's strength is its synthesis of the three.  The
book provides equally strong analyses of privacy issues in the
United States, Canada, and Europe.

------------------------------

End of PRIVACY Forum Digest 06.16
************************
