|
The following document is from the PRIVACY Forum Archive at Vortex Technology, Woodland Hills, California, U.S.A. For direct web access to the PRIVACY Forum and PRIVACY Forum Radio, including detailed information, archives, keyword searching, and related facilities, please visit the PRIVACY Forum via the web URL: http://www.vortex.com ----------------------------------------------------------------------- PRIVACY Forum Digest Sunday, 20 December 1998 Volume 07 : Issue 21 Moderated by Lauren Weinstein (lauren@vortex.com) Vortex Technology, Woodland Hills, CA, U.S.A. http://www.vortex.com ===== PRIVACY FORUM ===== ------------------------------------------------------------------- The PRIVACY Forum is supported in part by the ACM (Association for Computing) Committee on Computers and Public Policy, "internetMCI" (a service of the Data Services Division of MCI Telecommunications Corporation), Cisco Systems, Inc., and Telos Systems. - - - These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum. ------------------------------------------------------------------- CONTENTS Privacy Discussions Classified as a "Criminal Skill" (Lauren Weinstein; PRIVACY Forum Moderator) New Proposed Bank Account Monitoring Regulations (Lauren Weinstein; PRIVACY Forum Moderator) A Dangerous New Problem with Supermarket Banking (Lauren Weinstein; PRIVACY Forum Moderator) Arrest puts jury-selection form on trial (Bill Fason) High Court Strikes Down Iowa's Traffic Stop-and-Search Law (Monty Solomon) Call for Proposals - CFP 99 (David Banisar) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are via an automatic list server system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the list server system. Please follow the instructions above for getting the list server "help" information, which includes details regarding the "index" and "get" list server commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access. ----------------------------------------------------------------------------- VOLUME 07, ISSUE 21 Quote for the day: "I never joke about my work, 007!" -- 'Q' (Desmond Llewelyn) "Goldfinger" (United Artists; 1964) ---------------------------------------------------------------------- Date: Wed, 16 Dec 98 12:25 PST From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Privacy Discussions Classified as a "Criminal Skill" Greetings. Is discussing privacy in the PRIVACY Forum a criminal skill? According to one widely used commercial web filtering tool, the answer was yes! The controversy over software to block access to particular sites, based on perceived content, has been continuing to rage. Attempts to mandate the use of such software in environments such as libraries and schools have raised a variety of serious concerns. In addition to fairly straightforward freedom of speech issues, another factor revolves around how accurate (or inaccurate) these filtering systems really are. I've now seen firsthand that errors by a filtering system can indeed be quite serious, an event that seems to certainly validate some of these concerns. But there is something of a silver lining to the story, as we'll see later. I recently was contacted by someone at a large corporation, who was trying to reach the PRIVACY Forum web site, which is constantly being referenced by individuals and commercial, educational, government, and other sites around the world. This person was upset since whenever they attempted to reach the http://www.vortex.com site and domain that hosts the PRIVACY Forum, their web software blocked them, informing them that the block was in place due to the site being categorized as containing "criminal skills." As the webmaster for the vortex.com domain, this certainly came as news to me. The message they received didn't give additional information--they didn't even know exactly where it came from. It was apparent though, that the entire organization was probably blocked from reaching the PRIVACY Forum, since the filtering software in question was affecting a main firewall system. After a number of phone calls and discussions with the system administrator for that organization, the details began to emerge. The company was running a filtering software package from Secure Computing Corporation of San Jose, California. This package received weekly updates of blocked sites in a wide variety of categories, one of which was "criminal skills." The administrator had no idea what rationale was used for these decisions, they just pulled in the list each week and applied it. He immediately placed vortex.com on a local exception list so that it would no longer be blocked to their users. I then turned my attention to Secure Computing. After a number of calls, I found myself speaking with Ken Montgomery, director of corporate communications for that firm. He confirmed the information I had already received. The filtering product in question ("SmartFilter") was apparently not being marketed to individuals, rather, it was sold to institutions, corporations, etc. to enforce filtering policies across entire entities. The product covers a wide range of information categories that users of the software can choose to block. He said that the majority of blocked sites were in categories involving pornography, where there was (in his opinion) no question of their not belonging there. The "criminal skills" category reportedly was broadly defined to cover information that might be "of use" to criminals (e.g. how to build bombs). He had no explanation as to why my domain had been placed in that list, since by no stretch could any materials that are or have ever been there fall into such a categorization. He did discover that the classification of my domain had occurred over a year ago (meaning other sites could have been receiving similar blocking messages for that period of time when trying to access the PRIVACY Forum) and that the parties who had made the original classification were no longer with their firm--so there was no way to ask them for their rationale. (All of their classifications are apparently made by people, not by an automated system.) However, it seems likely that the mere mentioning of encryption may have been enough to trigger the classification. The administrator at the organization that had originally contacted me about the blocked access, told me that the main reason they included the "criminal skills" category in their site blocking list was to try prevent their users from downloading "unapproved" encryption software. This was a type of information that he believed to be included under the Secure Computing "criminal skills" category (the "logic" being, obviously, that since criminals can use encryption to further their efforts, encryption is a criminal skill). He also admitted that he knew that their users could still easily obtain whatever encryption software they wanted anyway, but he had to enforce the company policy to include that category in their blocking list. As PRIVACY Forum readers may know, no encryption software is or ever has been distributed from here. The topic of encryption issues does certainly come up from time to time, as would be expected. For the mere *mention* of encryption in a discussion forum to trigger such a negative categorization would seem to suggest the fallacy of blindly trusting such classification efforts. Mr. Montgomery of Secure Computing initially suggested that it was up to their customers to decide which categories they wanted to use in their own blocking lists--he also stated that as a company they were opposed to mandatory filtering regulations. I suggested that such determinations by their customers were meaningless if the quality of the entries in those categories could not be trusted and if errors of this severity could so easily be made. I felt that this was particularly true of a category with an obviously derogatory nature such as "criminal skills"--the ramifications of being incorrectly placed into such a category, and then to not even *know* about it for an extended period of time, could be extreme and very serious. To their credit, my argument apparently triggered a serious discussion within Secure Computing about these issues. I had numerous subsequent e-mail and some additional phone contacts with Mr. Montgomery and others in their firm concerning these matters. First off, they apologized for the miscategorization of vortex.com, and removed it from the "criminal skills" category (it was apparently never listed in any other of their categories). Secondly, they have agreed with my concerns about the dangers of such miscategorizations occurring without any mechanism being present for sites to learn of such problems or having a way to deal with them. So, they will shortly be announcing a web-based method for sites to interrogate the Secure Computing database to determine which categories (if any) they've been listed under, and will provide a means for sites to complain if they feel that they have been misclassified. They've also suggested that their hope is to provide a rapid turnaround on consideration of such complaints. While by no means perfect, this is a step forward. I would prefer a more active notification system, where sites would be notified directly when categorizations are made. This would avoid their having to check to see whether or not they've been listed, and needing to keep checking back to watch for any changes or new categorizations. If more filtering software companies adopt the Secure Computing approach, there would be a lot of checking for sites to do if they wanted to stay on top of these matters. Secure Computing feels that such notifications are not practical at this time. However, their move to provide some accountability to their filtering classifications is certainly preferable to the filtering systems which continue to provide no such facilities and operate in a completely closed environment. So, we make a little progress. The PRIVACY Forum and vortex.com are no longer miscategorized and have been removed from all Secure Computing block lists. Secure Computing was polite and responsive in their communications with me, and will establish the system discussed above in reaction to my concerns. Web filtering of course remains a highly controversial topic with many serious negative aspects, but we see that when it comes to dealing with the complex issues involved, it would be a mistake to assume that all such filters all created equal. --Lauren-- Lauren Weinstein Moderator, PRIVACY Forum http://www.vortex.com ------------------------------ Date: Wed, 16 Dec 98 12:19 PST From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: New Proposed Bank Account Monitoring Regulations Greetings. The FDIC (Federal Deposit Insurance Corporation) has opened a comment period for newly proposed rules concerning collection of information regarding banking customers and monitoring of their account activities. Called "Know Your Customer," the program would require financial institutions to gather data on customer sources of income, and monitor accounts for suspicious activities which would be reported to the appropriate authorities. The FDIC says that there is a two-fold reason for this program. First, to protect financial institutions from frauds or other activities which could put them at financial risk, and secondly, to detect criminal activity. Rather than establish a detailed set of rules concerning exactly what information is to be collected, how account monitoring would be carried out, or what sorts of activities would be reported, the FDIC has rather proposed an initial set of general guidelines. Under this plan, financial institutions themselves would make the detailed determinations regarding information collection, account monitoring, and reporting. The proposal also mentions that there are privacy issues involved with these functions, but does not propose any specific privacy guidelines or standards. Parties interested in reading the full text of the proposal, whose comment period runs through March 8, 1999, can see it at the FDIC website, via: http://www.fdic.gov/lawsregs/fedr/98knocus.txt --Lauren-- Lauren Weinstein Moderator, PRIVACY Forum http://www.vortex.com ------------------------------ Date: Fri, 18 Dec 98 11:19 PST From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: A Dangerous New Problem with Supermarket Banking Greetings. In my report "Privacy Goes Bananas at Wells Fargo Bank" (PRIVACY Forum Digest V06 #7; http://www.vortex.com/privacy/priv.06.07), I reported on my concerns over privacy problems at supermarket bank branches, which are rapidly replacing conventional bank branches in many areas. It has now become apparent that there is a new problem developing with such branches--they're becoming the favored target of bank robbers. Here in Los Angeles, as traditional bank branches have become vastly fewer in number and more greatly fortified to protect bank employees (via bulletproof shields and other security measures), bank robberies at those branches have declined greatly, after years of growth. However, at the same time, what authorities now term "shop 'n' rob" attacks are becoming increasingly common at supermarket branches, which by their very nature usually have minimal security. The risk to shoppers (who often of course include parents accompanied by children) from this new style of armed robbery may potentially be very great. So it appears that as a consequence of the moves by the financial industry to convert banking into a phase of food shopping, customers might sometimes end up losing a lot more than their privacy. --Lauren-- Lauren Weinstein Moderator, PRIVACY Forum http://www.vortex.com ------------------------------ Date: Mon, 23 Nov 1998 10:38:08 -0600 From: Bill Fason <syr@netropolis.net> Subject: Arrest puts jury-selection form on trial On November 10, 1998, a potential juror in a capital murder case in was held in contempt, jailed for 30 days, and fined $500.00 for refusing to answer a jury questionnaire. When Harold Crouch was summoned to jury duty, he did not realize that he would be required to fill out a statewide-standard juror questionnaire used in capital murder cases. (Houston Chronicle, November 22, 1998, p. 6C) The form asked, no, demanded his full name, aliases, social security number, driver license number, name of employer, supervisor's name, names of children, current schools/current employers of children, and other questions. Question 28 inquired whether the potential juror was honorably discharged from the military. Questions 32 and 25 requested criminal histories of relatives and acquaintances, including whether they have even been arrested or even <italic>accused</italic> of a crime. Question 40 asked for the titles of magazines the subject subscribes to or buys off the rack. Question 42 asked for the name of the last movie seen. In questions 53 and 57, the potential juror was required to detail all consultations by him or any relatives with any psychiatrists or psychologists and list all medications now prescribed. In question 64, the potential juror was to describe how he knows anyone who has even been incarcerated. Supposedly all answers are to be kept in strictest confidence of the court, and that only the judge, lawyers, court reporters, and clerks will have access to them. One observer asked, "What's the court reporter doing in the loop if the information is not going into the record?") Of course, the lawyers can share the information with their paralegals, investigators, and jury consultants, who are pledged to keep it confidential as they analyze the jury pool. There is no assurance that a potential juror's answers won't come up when the lawyers question the jury pool in open court. One can easily imagine a lawyer asking, "Potential juror number 23, you stated that you are taking thorazine and were hospitalized five years ago. Please elaborate." Everyone in the courtroom would turn to hear the story, including the two bike messengers who are filing documents with the clerk in unrelated cases and the spectators who are just watching until their case is called across the hall. Other questions probe the potential juror's attitude towards the death penalty. Not only does the State of Texas embrace the death penalty, it wishes to screen out jurors who oppose it. As the fully informed jury movement picks up steam, I am willing to bet that in the coming years we will see more and more jury questionnaires designed to help prosecutors ferret out citizens who understand the true power of juries to judge both the facts and the law. Bill Fason Fason and Associates Investigations & Judgment Enforcement 1436 W. Gray #272 Houston Texas 77019-4946 vox 713.524.4767 fax 713.942.8165 GMT -5 ICQ 22595834 PGP public key available at www.netropolis.net/syr/ ------------------------------ Date: Wed, 16 Dec 1998 02:29:26 -0500 From: Monty Solomon <monty@roscom.COM> Subject: High Court Strikes Down Iowa's Traffic Stop-and-Search Law Excerpt from ACLU News 12-12-98 High Court Strikes Down Iowa's Traffic Stop-and-Search Law FOR IMMEDIATE RELEASE Tuesday, December 8, 1998 DES MOINES -- In a solid victory for the freedom and privacy of all Iowans, the United States Supreme Court today put an end to the police practice of arbitrarily searching people stopped for minor traffic violations. The Iowa Civil Liberties Union, one of several groups that filed a "friend-of-the-court" brief in the case, hailed the unanimous ruling in Knowles v. Iowa authored by Chief Justice Rehnquist. "Iowa's brief experiment with a police state is now, thankfully, over," said Ben Stone, Executive Director of the Iowa Civil Liberties Union, a vocal foe of the tactic. "Iowans can once again enjoy the freedom of knowing they can drive down the street and not fear being searched by a police officer if they make an illegal turn or forget to use their turn signal." Today's decision overturns a 5-4 ruling by the Iowa Supreme Court in 1997, upholding the police practice known as "search incident to citation." Normally, police must either physically arrest someone or have "probable cause" before they can conduct a search. The Iowa court in the Knowles case had said the code of Iowa authorized police to search people cited with for traffic violations even if they were not taken into custody, and that such searches were not in violation of the Fourth Amendment to the United States Constitution. The State of Iowa had argued that concerns for officer safety and the preservation of evidence justified the search tactic. The Court found both rationales lacking. "Even without the search authority Iowa urges, officers have other, independent bases to search for weapons and protect themselves from danger," wrote Chief Justice William Rehnquist. "Nor has Iowa shown . . . the need to discover and preserve evidence. Once Knowles was stopped for speeding and issued a citation, all the evidence necessary to prosecute that offense had been obtained." Stone noted that the Court could have waited until June to rule on the case, but instead issued its decision less than five weeks after oral arguments. "The Justices' extremely swift reversal reveals both how easy it was for the Court to find this outrageous affront to liberty unconstitutional, and how important it was to protect Iowans from any further violations of their privacy by the police," he said. The ICLU, along with the American Civil Liberties Union and the National Association of Criminal Defense Lawyers vigorously opposed the police practice in a friend-of-the-court brief authored by Professor Jim Tomkovicz of the University of Iowa Law School. Attorneys Paul Rosenberg and Maria Ruhtenberg of Des Moines argued the case on behalf of Patrick Knowles, a Newton man stopped for speeding in 1996 and subsequently searched simply because he was receiving a traffic ticket. He was arrested and sentenced to 90 days in jail after police found marijuana under his seat. ------------------------------ Date: Tue, 15 Dec 1998 15:11:19 -0500 From: David Banisar <banisar@epic.org> Subject: Call for Proposals - CFP 99 Computers, Freedom + Privacy 1999 THE GLOBAL INTERNET Omni Shoreham Hotel Washington, DC April 6-8, 1999 CALL FOR PROPOSALS The Program Committee of the conference on Computers, Freedom, and Privacy (CFP99) is seeking proposals for the ninth annual CFP, which will be held in Washington DC between April 6th and April 8th 1999 at the Omni Sheraton Hotel. CFP is the leading Internet policy conference. For almost a decade, CFP has shaped the public debate on the future of privacy and freedom in the online world. The CFP audience is diverse with representatives from government, business, education, non-profits and the media. The themes are broad and forward-looking. CFP explores what will be, not what has been. It is the place where the future is mapped. The theme of the 1999 CFP conference is "The Global Internet." Proposals are welcomed on all aspects of privacy and freedom. The 1999 Program Committee is particularly interested in receiving proposals that deal with: ACCESS TO THE INTERNET, particularly those relating to globalization and governance. Of particular interest are issues of privacy, censorship, free speech and access. INTERNATIONAL ISSUES, especially the emerging issues of global privacy protection, encryption policy, international principles of human rights, regulation, legislation, and copyright. ELECTRONIC COMMERCE, including the impact of payment systems, regulations, and technical standards on personal freedom and privacy. CULTURE AND LANGUAGE ON THE INTERNET, such as the significance of diversity, multilingualism, and cultural representation We strongly encourage proposals that involve leading experts, innovators, policymakers, and thinkers. The CFP99 Program Committee will finalize the selection of proposals by February 1, 1999, and all proposals must be received by January 15, 1999 Please follow the submission guidelines below. CFP99 PROPOSAL SUBMISSION GUIDELINES Proposals should be sent by email to proposals@cfp99.org before January 15, 1999. Proposals should include the following information: 1. Presentation Title 2. Presentation Type (Panel discussion, Luncheon meeting, Tutorial, "BOF" Session) 3. Proposed Length of Presentation (typical CFP sessions are 1 hour) 4. Name(s) of Speaker(s), plus brief background description for each speaker. 5. A one to two paragraph description of the Topic and Format, suitable for conference brochure and press release. 6. Complete contact information (email, phone, and mailing address). For presentations with more than one speaker, please provide contact information for all of the proposed speakers. For more information on the Computers, Freedom, and Privacy Conferences, please visit the conference Web page http://www.cfp99.org. If your have further questions about CFP, please feel free to contact a member of the Program Committee. PROGRAM COMMITTEE Marc Rotenberg, EPIC and ACM, Washington, DC, CFP99 Chair; Carlos Afonso, Alliance for Progressive Computing, Rio de Janeiro, BRAZIL; Phil Agre, University of California, San Diego, California; Yaman Akdeniz, Centre for Criminal Justice Studies, Leeds University, London, UNITED KINGDOM; Roger Clarke, Australian National University, Canberra, AUSTRALIA; Tracey Cohen, Centre For Applied Legal Studies, SOUTH AFRICA; Lorrie Faith Cranor, AT&T Labs-Research, Florham Park, New Jersey; Simon Davies, London School of Economics, London, UNITED KINGDOM; David Flaherty, Office of the Privacy and Information Commissioner, British Columbia, CANADA; Oscar Gandy, Annenburg School of Communication, Philadelphia, Pennsylvania; Deborah Hurley, Harvard Information Infrastructure Project, Kennedy School of Government, Cambridge, Massachusetts; Joichi Ito, Digital Garage, Tokyo, JAPAN; Stephen Lau, Privacy Commission, HONG KONG; Paul McMasters, Freedom Forum, Rosslyn, Virginia; Peter Neumann, SRI, Menlo Park. California; Eli Noam, Columbia University, New York, New York; Jonathan Peizer, Open Society Institute, New York, New York; Bruce Schneier, Counterpane Systems, Minneapolis, Minnesota; Keith Sears, Creative Artists, Los Angeles, California; Barbara Simon, ACM, Palo Alto, California; Ross Stapleton-Gray, Electronic Embassy Program, Arlington, Virginia; Barry Steinhardt, American Civil Liberties Union, New York; Nadine Strossen, American Civil Liberties Union, New York, New York; Frank Tuerkheimer, University of Wisconsin, Madison, Wisconsin FUNDRAISING COMMITTEE Rob Kushen, Open Society Institute, New York, New York PREVIOUS CFP CHAIRS Jim Warren, Woodside, California (CFP91); Lance Hoffman, George Washington University, Washington, DC (CFP92); Bruce Koball, Berkeley, California (CFP93); George Trubow, John Marshall School of Law, Chicago, Illinois (CFP94); Carey Heckman, Stanford Law School, Stanford, California (CFP95); Hal Abelson, MIT, Cambridge, Massachusetts (CFP96); Kent Walker, Netscape Communication, Mountain View, California (CFP97); Mark Lemley, University of Texas School of Law, Austin, Texas (CFP98) MORE INFORMATION proposals@cfp99.org info@cfp99.org http://www.cfp99.org/ ------------------------------ End of PRIVACY Forum Digest 07.21 ************************