The following document is from the PRIVACY Forum Archive at Vortex Technology, Woodland Hills, California, U.S.A. For direct web access to the PRIVACY Forum and PRIVACY Forum Radio, including detailed information, archives, keyword searching, and related facilities, please visit the PRIVACY Forum via the web URL: http://www.vortex.com

-----------------------------------------------------------------------

PRIVACY Forum Digest    Saturday, 27 June 1998    Volume 07 : Issue 11

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
http://www.vortex.com

===== PRIVACY FORUM =====

-------------------------------------------------------------------

The PRIVACY Forum is supported in part by the ACM (Association for Computing) Committee on Computers and Public Policy, "internetMCI" (a service of the Data Services Division of MCI Telecommunications Corporation), Cisco Systems, Inc., and Telos Systems.

- - -

These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum.

-------------------------------------------------------------------

********************************************
* PRIVACY Forum Six Year Anniversary Issue *
********************************************

CONTENTS

    Update on DoubleClick, Inc. (Lauren Weinstein; PRIVACY Forum Moderator)
    NZ to introduce Photo-ID Drivers' Licenses (Patrick Dunford)
    FAA to remove airmen's mailing addresses from public databases (William A. Lynn III)
    Financial privacy (Phil Agre)
    Inmates process vehicle records (Carl Jester)
    Information Privacy in Cyberspace Transactions (Jerry Kang)
    New Guide on Children's Online Privacy (Beth Givens)
    Local police conduct drug sweep of college dorm (John Meola)
    Health Information Privacy Alert - May digest (Dennis Melamed)
    ACLU Condemns Mandatory Blocking Software in Public Libraries (Monty Solomon)
    ACLU Says New Medical Privacy Legislation Falls Short (Monty Solomon)
    NSA Declassifies Algos (John Young)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com".

All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive.

All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access.

-----------------------------------------------------------------------------

VOLUME 07, ISSUE 11

Quote for the day:

    "I'm getting frightfully healthy you know..."

        -- Sir Harry Percival (Reginald Denny)
           "Cat Ballou" (Columbia; 1965)

----------------------------------------------------------------------

Date: Sat, 27 Jun 98 10:24 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Update on DoubleClick, Inc.

Greetings. Regular readers of this digest will recall my recent discussion of banner ad practices ("Sex, Crime, and Banner Ads" in Vol 07 #10), and my attempts to reach DoubleClick, Inc. to discuss their particular practices regarding sexually-oriented advertising, ads for online gambling, and related privacy concerns. At that time, the spokeswoman I reached told me they didn't wish to discuss these issues with me.

Subsequently to the publication of my article here in the digest, there was a significant change in their attitude.
Within 48 hours I received e-mail from DoubleClick's CEO, and shortly thereafter I received separate calls from the original spokeswoman and Kevin Ryan, DoubleClick's president. All were very cordial and expressed a willingness to chat about the issues. I much appreciated this sudden turn of events.

I had a long, friendly, and detailed conversation with Mr. Ryan. Unfortunately, my sense at the end of the conversation was that my original analysis was correct, and that we're dealing with wildly divergent world views when it comes to responsibility vs. what I would personally term "exploitation."

My interpretation of DoubleClick's view (as expressed to me by Mr. Ryan) is that they are willing to carry ads for essentially anything that "is legal." They say that they attempt to avoid their keyword sales from creating inappropriate responses, and claimed that the case I pointed out where religious searches could yield adult-oriented ads was an aberration that would be fixed (as of today, as I write this some weeks later, it apparently has not been "repaired" and continues as before...)

They also say that each of their web site clients must specifically approve the classes of ads that they will carry, so that, for example, adult ads wouldn't appear unless the client said they were willing to accept them. Mr. Ryan insisted that Digital Equipment Corporation's AltaVista site must have approved the provision of adult ads in response to keyword searches, otherwise they wouldn't be appearing.

On the overall subject of their ad content (adult, online gambling, etc.), they apparently do not consider themselves to be like ordinary ad agencies (which I pointed out often exercise considerable control over the types of products and services with which they will deal). Mr. Ryan said that since they have exclusive contracts with their client sites, they feel that they "must" make available all sorts of ads, subject only to their not being considered "illegal" according to their research, and with the approval of the ad categories by the client. He feels that they don't provide any "content"--even though all the ads are sitting on their servers for provision to web sites.

I pointed out that, if it were desired, DoubleClick could easily have a provision in their contracts to let their clients get ads from elsewhere if DoubleClick didn't want to carry particular types of ads, but by creating "exclusive" contracts DoubleClick seems to have an excuse for an almost total lack of discretion in their ad inventory.

I posed a hypothetical to Mr. Ryan that I think goes a long way towards illustrating the attitudes at work in this situation. I asked if they would be willing to carry ads from someone selling books or other information on constructing bombs. He said yes, they would, as long as the information was considered legal. He added that he didn't believe it likely that any of DoubleClick's client web sites would be interested in carrying such ads, however.

But what's striking to me is the seeming lack of any apparent attempt to introduce even a minimal social conscience to their ad inventory. A good business policy in the short run? How about in the long run?

No matter what your own feelings may be about such issues, it appears that DoubleClick is operating completely legally and within their rights. But does such an attitude play directly into the hands of those who would impose outside censorship upon the Internet? I'm afraid that's indeed the case.

It would appear that it's up to the *users* of web sites to express their displeasure (or approval, if that's their feeling) about the ads they see, directly to the operators of those sites.
Some users might wish to make it clear that they will choose not to patronize sites which don't attempt to show at least a degree of ethics in their ad inventories. If users choose to silently accept whatever flashes forth on their screens, and don't bother to express their views to the folks making the ad purchase decisions for those sites, it's unlikely that we'll see any improvement, anytime soon.

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date: Fri, 22 May 1998 22:11:19 +1200
From: "Patrick Dunford" <pdunford@caverock.net.nz>
Subject: NZ to introduce Photo-ID Drivers' Licenses

Legislation was introduced to the New Zealand Parliament in late 1997 which proposes the replacement of the present lifetime licenses with 10-year photo-ID license cards. This legislation received little publicity or public attention until 21 April when the report of the Privacy Commissioner, which raised serious concerns about the proposed cards, was publicised (it was issued more than 6 weeks earlier).

This legislation is of extreme concern because it grants authority for:

* Police to demand drivers' licenses on demand
* Police to detain drivers for short periods of time in order to determine their identity
* Use of digitised photographs which are stored in a computer, thus permitting their distribution to other interested agencies or parties
* Requirement for the holder's date of birth to be displayed on the card
* The granting to the LTSA of authority to sell proof of ID cards to any person (not just to licensed drivers).

The Privacy Commissioner in his report stated "The main privacy risks of the proposal have little to do with driver licensing but much to do with creating the conditions for a de facto national identification card...".
This impression is heightened particularly by the provision of the clause buried in Section 161 of the Bill (almost at its end) which reads:

"(3) The Authority may produce, in a form determined by the Authority, a proof of identity card for persons who wish to purchase a card."

It is this clause which has raised the Commissioner's hackles because it allows cards to be issued for purposes that have nothing to do with drivers' licensing. This appears to be a sneaky move by the Government to bring in a politically unpopular measure by backdoor means, particularly when its previous secretive attempts to do so were revealed in 1991.

It is also disturbing that some submissions on the Land Transport Bill have supported the introduction of the photo-ID on the basis of the need for an ID card. What need?

ID card proposals are not new in New Zealand. Several governments have been working on them for at least 11 years. In 1991 a senior public servant revealed State proposals for the introduction of a national identity card called the Kiwicard. That proposal was denied by the then Prime Minister, who was immediately contradicted by his predecessor and a head of a Government department, both of whom confirmed the plans had been underway since 1987.

What is, or should be, of serious concern to all New Zealanders is the secretive, undemocratic way in which the Government has attempted to introduce this measure. At a time when a massive publicity campaign and consultation exercise is underway concerning the proposed "Code of Social and Family Responsibility", this can be seen as a smokescreen for allowing far more important measures, such as the Land Transport Bill, the MAI and the OECD's Financial Services Agreement, to be slipped through with minimal publicity and extremely limited public awareness of their ramifications.
It is a little known fact that the US Congress slipped through legislation in 1996 which allows that country's President to impose a national identity system at will.

(This is an extract from a web page at http:/www.caverock.net.nz/~pdunford/privacy. The site includes links to the report mentioned in the article and other articles of interest)

=======================================
Patrick Dunford, Christchurch, NZ
Voice: +64 (3) 351 7909, Fax: +64 (3) 351 5087
MailTo:pdunford@caverock.net.nz
Home Page: http://www.caverock.net.nz/~pdunford/
=======================================

------------------------------

Date: Fri, 22 May 1998 10:44:05 -0400
From: w.a.lynn@larc.nasa.gov (William A. Lynn III)
Subject: FAA to remove airmen's mailing addresses from public databases

AvWeb, an e-mail newsletter on aviation topics (www.avweb.com), recently (5/22/98) broke this shocking news:

"PILOTS, PRIVACY AND POLITICS -- GUESS WHICH WINS? The FAA ... stunned the alphabet groups..." (referring to various pilot's and aircraft owners organizations) "...and many aviation businesses with a decision to reverse its years-long policy of making publicly available the mailing addresses of U.S.-certificated pilots."

The article goes on to bemoan the fact that "safety may ultimately suffer" because pilots will no longer receive direct mail solicitation of safety seminars, etc. A brief poll of several fellow private pilots indicates that the only safety information we receive in the mail comes from aviation organizations to which we belong, or directly from the FAA. In aviation, genuine safety concerns are always valid, but they may, as in this case, also be a smokescreen for other agendas.

There is also an editorial by the AvWeb editor, where he mentions "The most obvious immediate casualties of this policy change are the thousands of aviation associations and businesses that do direct mailings based on the FAA airman file." I'm heartbroken.
The FAA, from what I understand, is not removing the existing address data from public access unless one specifically requests it. What they are doing is not automatically adding new or updated addresses.

But, to answer the original question: Guess which wins? Pilots who value their privacy.

Bill Lynn

------------------------------

Date: Wed, 10 Jun 1998 21:24:57 -0700 (PDT)
From: Phil Agre <pagre@weber.ucsd.edu>
Subject: financial privacy

In a front-page article in the 6/11/98 Washington Post ("Hot High-Tech Trade: Your Financial Facts; Sales of Confidential Data Raise Concerns"), Robert O'Harrow Jr. describes businesses that advertise their ability to obtain personal financial information such as account balances and stock portfolios by making false or misleading "pretext calls" to the banks and brokerage companies that control the information. This is evidently legal in some states, though law enforcement officials are quoted claiming that it is illegal in other states. Jim Leach (R-Iowa), chairman of the House Banking Committee, plans to hold hearings.

This article is just one more illustration of a big fact: the traffic in personal information in the United States has grown to monstrous proportion. Because the victims of this practice are unlikely to learn that they have been violated, and the firms whose "security" has been breached may never realize that they have been deceived, market competition is not likely to repair the problem. This kind of invasion -- the simple unauthorized disclosure of personal financial information, with or without any proof of harm -- should be both illegal and a cause of action for a lawsuit.

Phil Agre

------------------------------

Date: Tue, 9 Jun 1998 12:43:50 -0500 (CDT)
From: Carl Jester <jesterc@cmg.FCNBD.COM>
Subject: Inmates process vehicle records

Today's (June 9, 1998) Chicago Sun-Times has a cover story entitled "State uses inmates to process vehicle records."
According to the article, maximum security prisoners at Joliet update all the vehicle registration data.

This little-known arrangement surprised law enforcement groups, crime victim organizations, and at least one legislator. And many wondered whether criminals should have access to personal data of millions of Illinois residents, including such celebrities as Michael Jordan and Oprah Winfrey.

Personally, I'd be more worried about abused spouses who have moved, cops, prosecutors, and judges who helped arrest and convict them, etc.

There is no evidence that any convict has used the data to commit a crime or smuggled it out of prison to someone else, state officials said.

So, let's wait until somebody really gets hurt?

"We've always said we will keep the information from getting out, and we've done that," said Brian Fairchild, a prison spokesman. "The other aspect is what would an inmate do with the information?"

1. How do they know they've been successful? Simply because they have never connected it to a crime? I suppose ignorance is bliss.
2. What would they do with it? I can think of lots of things to do with it, including fraud and revenge.

Ryan [the IL secretary of state - cj] also has moved to restrict companies from using vehicle and driver's records to send junk mail, but his spokeswoman Cathy Ritter said those efforts exclude prisoners because "there is no opportunity for any of these records to be used in a mass mailing."

Surely the fraud and revenge I imagined above is worse than any junk mail.

"If there was a serious public concern, we would re-evaluate the program, but there's never been a public concern in nearly 13 years," she said. ["she" is presumably Cathy Ritter - cj]

Surely there was never public concern because there was never public knowledge.

"These (convicts) come under far greater supervision than any state employee would," Ritter said. "They are searched on the way in, and they're searched on the way out" of the prison computer room, she said. "They have no access to paper or pens or pencils. They have no ability to take any kind of notes." Convicts are "processing hundreds of these on any given shift," Ritter said, so it is doubtful they could memorize names and addresses from the data.

OK, they're supervised. OK, it's unlikely that they'll memorize hundreds of addresses so they can do a mass mailing. But I wouldn't bet my life that they couldn't memorize the home address and current car of the judge who passed sentence, or the cop who arrested them, etc. These people didn't end up in maximum security for spamming.

The Sun-Times also notes that prisoners in Kentucky handle unemployment data, and Minnesota uses them for vehicle data. There is also a note about prisoners being used in manufacturing, which completely fails to bother me, although using inmates in retail call centers is troublesome (TWA and Swiss Colony are cited as examples).

The motivation is, naturally, money. The inmates cost the state 16 cents per record, while having state employees handle it would cost 27 cents per record.

Illinois prison officials have sought data entry work for state tax returns, but they have been rejected "three or four times," said Michael Klemens, spokesman for the Illinois Department of Revenue.

A prison spokesman responds that:

"It's probably better that we do it than the private sector," Fairchild said. "And we also do it cheaper. It keeps these guys busy. . . . At the same time, we're not going to compromise anybody's personal security or privacy."
The whole article is also currently available on the web at: http://www.suntimes.com/output/home/data09.htm

------------------------------

Date: Fri, 29 May 1998 15:19:20 PST
From: "JERRY KANG" <kang@law.ucla.edu>
Subject: Article available: Information Privacy in Cyberspace Transactions

An article entitled "Information Privacy in Cyberspace Transactions" will appear shortly in 50 Stan. L.R. 1193 (1998). An Acrobat PDF copy is available at my web site (URL in my signature block). Any reactions are welcome. An abstract follows:

---------------------------------------

Cyberspace is the rapidly growing network of computing and communication technologies that have profoundly altered our lives. We already carry out myriad social, economic, and political transactions through cyberspace, and, as the technology improves, so will their quality and quantity. But the very technology that enables these transactions also makes detailed, cumulative, invisible observation of our selves possible. The potential for wide-ranging surveillance of all our cyber-activities presents a serious threat to information privacy.

To help readers grasp the nature of this threat, Professor Jerry Kang starts with a general primer on cyberspace privacy. He provides a clarifying structure of philosophical and technological terms, descriptions, and concepts that will help analyze any problem at the nexus of privacy and computing-communication technologies.

In the second half of the article, he focuses sharply on the specific problem of personal data generated in cyberspace transactions. The private sector seeks to exploit this data commercially, primarily for database marketing, but many individuals resist. The dominant approach to solving this problem is to view personal information as a commodity that interested parties should contract for in the course of negotiating a cyberspace transaction.
But this approach has so far failed to address a critical question: Which default rules should govern the flow of personal information when parties do not explicitly contract about privacy? On economic efficiency and human dignity grounds, Professor Kang argues in favor of a default rule that allows only "functionally necessary" processing of personal information unless the parties expressly agree otherwise. The article concludes with a proposed statute, entitled the Cyberspace Privacy Act, which translates academic theory into legislative practice.

***************************************************
Privacy Alert: Do not forward without permission.
***************************************************
Jerry Kang, Acting Professor
UCLA School of Law, Box 951476
Los Angeles, CA 90095-1476
(overnight mail street address: 405 Hilgard Ave.)
Voice: 310.206.7298 Fax: 7010
mailto:kang@law.ucla.edu
http://www.law.ucla.edu/faculty/kang

------------------------------

Date: Thu, 04 Jun 1998 12:51:41 -0700
From: Beth Givens <bgivens@privacyrights.org>
Subject: New Guide on Children's Online Privacy

New Guide Alerts Parents to Internet Privacy Perils for Children

Contact: Beth Givens, Privacy Rights Clearinghouse
E-mail: prc@privacyrights.org
Phone: (619) 298-3396
Web: www.privacyrights.org (Fact Sheet 21)

It's 10 p.m. Do you know where your children are? In many households, they're surfing the Web.

A new consumer guide by the Privacy Rights Clearinghouse, "Children in Cyberspace: A Privacy Resource Guide," (12 pages) offers numerous tips for parents, their children, and policymakers on safeguarding children's privacy while online. The guide lists many Web sites to visit, reports to read, and the names of nonprofit organizations and government agencies that are working on children's privacy issues. It is available on the PRC's web site, www.privacyrights.org. Look for Fact Sheet 21.

Privacy Rights Clearinghouse
1717 Kettner Ave. Suite 105
San Diego, CA 92101
Voice: 619-298-3396
Fax: 619-298-5681
bgivens@privacyrights.org
http://www.privacyrights.org

------------------------------

Date: Mon, 25 May 1998 16:39:03 -0400
From: John Meola <jmeola@MCIONE.com>
Subject: Local police conduct drug sweep of college dorm

Our local paper (Akron Beacon Journal) reported yesterday (May 24) that off-campus drug police using drug-sniffing dogs conducted a mass search of an Ohio State University branch campus in Wooster, Ohio. The search included all dorm rooms and student vehicles. It was conducted at 8:30pm on Thursday, May 21.

Charges ranging from possession of marijuana to underage possession of alcohol were forwarded to the Wayne County, Ohio, prosecutor for possible arrest and prosecution. School disciplinary action is pending against the students found with narcotics or alcohol in their dorms or cars.

Greg Ferrell, the campus police chief, was quoted as saying: "With our recent increase in residential housing on the Wooster campus, we want to use all the resources at our disposal to keep illegal drugs out." He then followed this up with: "I believe the majority of the campus community appreciates and supports these efforts." (Emphasis added)

Only those who have no regard for the sanctity of their residence, personal privacy, and dignity would "appreciate and support" such an effort.

Unfortunately, the US Supreme Court has held that searches of students' lockers and cars are constitutional. However, there is one major element of this case that distinguishes it from court decisions dealing with student privacy: the age of the students. As I understand it, the courts have come down on the side of the schools in student-search cases, but those cases involved students who were not of majority age and, thus, might be thought to have a more limited set of rights than an adult.
However, these are grown adults who have entered into a contractual relationship with OSU's housing department for dorm rooms during their studies. In these contracts is a provision allowing the school to conduct a search of student dormitories, but only when there is probable cause that a law or school policy has been broken and only after providing a 24 hour notice of the search.

As a state institution, OSU is bound by the Ohio and US constitutions, both of which have provisions limiting mass, warrantless searches of residences absent probable cause.

Any civil liberties attorneys out there who can shed more light on this? Could the students facing charges raise illegal search as a possible defense?

John Meola

------------------------------

Date: Sun, 24 May 1998 18:26:43 -0400
From: Dennis Melamed <blt2go@erols.com>
Subject: Health Information Privacy Alert - May digest

HEALTH INFORMATION PRIVACY ALERT
May 1998 Digest

EUROPEAN PRIVACY DIRECTIVE TAKES DEBATE OUT OF THE REALM OF THE PRIVATE

The House International Relations Committee sees the European Union's Privacy Directive as a nontariff barrier to trade, but acknowledges that the U.S. must address the issue. Drug companies and others who handle medical records fear that if the E.U. decides the U.S. does not provide adequate privacy in this sector, it will prohibit the swapping of data. The danger may not be imminent regardless of the Oct. 1998 deadline, the Commerce Department told Congress. Many E.U. members have not enacted the required legislation, thus making enforcement against third countries more difficult.

NEW HOUSE BILL REVERSES PRESUMPTION ON PATIENT CONSENT

The House of Representatives showed signs of life in the medical records confidentiality debate. Rep. Christopher Shays (R-Conn.) introduced a provocative proposal which attempts to identify prohibited uses of protected health information and then carve out exceptions to those prohibitions so health care services can be provided and paid for without the need for individual authorizations. The House Government Reform & Oversight Committee held a hearing in May to examine the proposal, which was received favorably by business groups. However, some groups noted that unless better clarity in what and what was not allowed, health care providers would still seek patient authorizations out of fear of the strong sanctions in the bill.

HEALTH CARE LAGS IN ELECTRONIC COMMERCE

Electronic commerce will grow at an explosive rate within two years, according to a Deloitte & Touche Consulting Group survey of chief information officers. Health care will not be leading the charge, however. Customer electronic transactions in the health care sector today stand at 6.1% and are predicted to rise to 33.3% in two years. But the survey showed that this lags well behind other industries, such as financial services. Statistical Svengalis will note that this means a 546% increase for the health care sector.

CONGRESS URGED TO CLOSE HIPAA LOOPHOLE ON GENETICS

Fear of discrimination by insurers based on genetic testing prompted Congress to include a ban on using that information for group coverage under the Health Insurance Portability and Accountability Act, but such prohibitions were not placed on the individual market. This market now is of particular concern to Sen. James Jeffords (R-Vt.), chairman of the Senate Labor & Human Resources Committee. In a May 21 hearing, Jeffords said an upcoming General Accounting Office report will show Americans aged 55-65 will increasingly rely on the individual market. States are not providing adequate protection either as up to 125 million people fall under ERISA plans, which are pre-empted by federal law, the National Breast Cancer Coalition said.
Without a fix, research will suffer as well as people will be afraid of the data finding its way to employers and insurers.

PHARMACISTS IRATE OVER CVS SUIT

Pharmacists have been fuming over the criticism they have received because of the CVS-Elensys-Glaxo Wellcome controversy. Pharmacy groups say the reproofs have been unjustified because the customer data was sold by the owners of the pharmacies, not by the practicing professionals behind the counter.

PATIENT CONSENT LAWS THREATEN RETROSPECTIVE RESEARCH

The Mayo Clinic warned that retrospective research is being threatened by state patient consent laws. A researcher told Congress that frequently there is no way to statistically adjust for individuals who refuse authorization for use of their medical records.

Health Information Privacy Alert is an independent monthly business newsletter. For subscription information, send a message to HIPAlert@aol.com. Due to the sensitivity to spam, please specify that you wish to receive information via e-mail. If you wish to receive a sample issue, e-mail your mailing address.

------------------------------

Date: Tue, 23 Jun 1998 00:43:24 -0400
From: Monty Solomon <monty@roscom.COM>
Subject: ACLU Condemns Mandatory Blocking Software in Public Libraries

Excerpt from ACLU News 06-19-98

New ACLU Report Condemns Mandatory Blocking Software in Public Libraries

FOR IMMEDIATE RELEASE
Wednesday, June 17, 1998

NEW YORK -- In a 17-page white paper released today, the American Civil Liberties Union said that the mandatory use of Internet blocking software in libraries is inappropriate and unconstitutional.

The new report, Censorship in a Box: Why Blocking Software is Wrong for Public Libraries, continues a line of argument the ACLU first made in a well-received 1997 report and furthers its critique of industry plans to adopt blocking mechanisms and expand them to libraries and schools.
The report comes as more and more librarians are being pressured to install the software on library terminals to prevent minors from accessing objectionable materials. But the ACLU said mandatory blocking is not the solution. "Blocking software is clumsy and ineffective," said Ann Beeson, an ACLU national staff attorney who co-wrote the report. "It censors valuable speech and gives parents and educators a false sense of security about what their children are encountering online." Beeson added that while the ACLU supports parents' right to using the software in the home, they warn that no product can effectively screen the vast content of the web, and many companies block sites for ideological reasons that parents may not agree with. The report also criticized a plan to condition Internet funding for schools on the use of blocking software. The "Internet School Filtering Act," introduced by Sen. John McCain (R-AZ), is also supported by lead Democratic sponsors Sen. Patty Murray of Washington, home to Microsoft, and Sen. Dianne Feinstein of California, home to Silicon Valley.p> In a letter sent with the report to the Senate, the ACLU is urging Senators not to support the bill when it comes up for a vote. "We believe that educators, not Congress, should be the ones making decisions about what students can learn on the Internet," said Laura W. Murphy, Director of the ACLU's Washington National Office. Today's report follows up an August 1997 ACLU white paper, Fahrenheit 451.2: Is Cyberspace Burning?, which offered guidelines for Internet Service Providers and other industry groups contemplating ratings schemes. Similarly, Censorship in a Box proposes five guidelines for libraries and schools looking for alternatives to clumsy and ineffective blocking software: -- Acceptable Use Policies. Provide carefully worded instructions for parents, teachers, students and libraries on use of the Internet. -- Time Limits. 
Establish content-neutral time limits on use of the Internet; request that Internet access in schools be limited to school-related work.

-- "Driver's Ed" for Internet Users. Condition Internet access for minors on completion of an Internet seminar similar to a driver's education course.

-- Recommended Reading. Publicize and provide links to websites recommended for children and teens.

-- Privacy Screens. Install screens to protect users' privacy when viewing sensitive information and avoid unwanted viewing of websites by passers-by.

The report also includes a two-page "Q&A" on blocking software and examples of sites that have been blocked by various products. The ACLU emphasized that it did not seek to evaluate any particular product, but rather demonstrate how all blocking software censors speech based on subjective views about what is offensive.

Recently, the American Family Association, a conservative religious group, learned this lesson when it found that CyberPatrol, a popular brand of blocking software, had placed AFA on its "Cybernot" list because the group is considered "intolerant" of homosexuality.

"Clearly, the answer to blocking based on ideological viewpoint is not more blocking, any more than the answer to unpopular speech is to prevent everyone from speaking, because then no viewpoint of any kind will be heard," the ACLU's Beeson said.

The principal authors of Censorship in a Box are Ann Beeson, ACLU National Staff Attorney and Emily Whitfield, Deputy Media Relations Director of the National ACLU.

Censorship in a Box can be found online at http://www.aclu.org/issues/cyber/box.html.
------------------------------

Date: Thu, 28 May 1998 00:11:31 -0400
From: Monty Solomon <monty@roscom.COM>
Subject: ACLU Says New Medical Privacy Legislation Falls Short

Excerpt from ACLU News 05-27-98

ACLU Says New Medical Privacy Legislation Falls Short

FOR IMMEDIATE RELEASE
Tuesday, May 19, 1998

WASHINGTON -- The American Civil Liberties Union expressed disappointment today with the latest medical privacy legislation under consideration by the House.

The Government Management, Information and Technology Subcommittee of the House Government Reform and Oversight Committee convened today to examine a proposal by Representative Chris Shays (R-CT) intended to protect patient privacy.

The ACLU had offered substantive recommendations to Representative Shays regarding the bill, but said this newest legislation still falls short of protecting patients' privacy.

"Like most Americans, the ACLU strongly believes that a patient's medical records should not be disclosed to anyone, unless the patient provides specific written informed consent," said Solange Bitol, a Legislative Counsel for the ACLU.

"Sadly, the Shays legislation does not give Americans the peace of mind that when we confide in our doctors about extremely private matters, our records will remain protected from prying eyes," Bitol said.

The bill would wipe out existing state laws that are more protective of patients' rights, setting a cap on the privacy protections available to patients, according to an analysis by the ACLU of Massachusetts, which has been deeply involved in the medical privacy issue.

Equally troubling, the bill allows disclosure of patients' medical records to a host of government and non-government agencies without the patient's knowledge or consent.
"While the ACLU has serious concerns with the legislation, we would welcome the opportunity to continue working with Representative Shays and the Committee on revising the bill so that it truly upholds the standards of patient confidentiality that are integral to protecting Americans' privacy and health," Bitol said. The ACLU identified additional major problems in the Shays bill, including: The section on Law Enforcement access to patients' medical records is unclear and over broad. The evolving national network of medical records databases must not become a law enforcement data base. The bill places virtually no restrictions on disclosures within health care entities (no matter how large or geographically widespread). The bill exempts certain research-related medical records from any privacy protections. It creates a new category of "Archival Research," which allows researchers, without patient consent, to access patients' medical records. These records could be obtained from employers, health care providers, health plans, public health authorities, health insurers, life insurers, schools and universities. The current standard of researchers seeking approval from the Institutional Review Board of the hospital holding patient records is undermined -- only a "committee" or other "group" review would be needed. The bill's use of the term "Anonymized" is extremely misleading. In actuality, this information would be Pseudo-Anonymized. It would contain, in encrypted or encoded form, individual patient identification information. The so-called "Anonymized" Information is exempted from any of the bill's privacy protections, opening the door to potential misuse of this information by unsuitable parties. ------------------------------ Date: Tue, 23 Jun 1998 14:37:59 -0400 From: John Young <jya@pipeline.com> Subject: NSA Declassifies Algos DoD Press Release, June 23, 1998: No. 
316-78

IMMEDIATE RELEASE
June 23, 1998
(703)695-0192(media)
(703)697-5737(public/industry)

ENCRYPTION FORMULAS DECLASSIFIED

The Department of Defense today announced the decision by the National Security Agency to declassify both the Key Exchange Algorithm and the SKIPJACK encryption algorithm used in the FORTEZZA(tm) personal computer card. FORTEZZA(tm) provides security at the desktop in the Defense Message System and other DoD applications.

This marks the first time that the NSA has declassified such information and made it commercially available. This declassification is an essential part of the Department of Defense's efforts to work with commercial industry in developing reasonably priced computer protection products. This declassification decision will enable industry to develop software and smartcard based security products, which are interoperable with FORTEZZA(tm). The availability of such products will enhance the protection of DoD's sensitive but unclassified and critical non-mission communications.

The decision to release SKIPJACK (an 80 bit encryption algorithm that is not extensible to higher key lengths) and KEA (a 1024 bit key exchange algorithm) is restricted to these particular algorithms, and does not apply to other classified NSA algorithms. The SKIPJACK and KEA algorithms and their source codes have been declassified pursuant to Executive Order 12958.

Vendors interested in obtaining more information on this matter should contact the National Security Agency Public Affairs Office at 301-688-6524.

[End]

------------------------------

End of PRIVACY Forum Digest 07.11
************************