From privacy@cv.vortex.com Mon Sep 28 02:06:07 1992
Return-Path:
Received: from cv.vortex.com by csrc.ncsl.nist.gov (4.1/NIST) id AA12444; Mon, 28 Sep 92 02:03:16 EDT
Posted-Date: Sun, 27 Sep 92 22:28 PDT
Received-Date: Mon, 28 Sep 92 02:03:16 EDT
Received: by cv.vortex.com (Smail3.1.26.7 #2) id m0mZDes-0001hAC; Sun, 27 Sep 92 22:28 PDT
Message-Id:
Date: Sun, 27 Sep 92 22:28 PDT
From: privacy@cv.vortex.com (PRIVACY Forum)
Subject: PRIVACY Forum Digest V01 #20
To: PRIVACY-Forum-List@cv.vortex.com
Status: R

PRIVACY Forum Digest      Sunday, 27 September 1992      Volume 01 : Issue 20

Moderated by Lauren Weinstein (lauren@cv.vortex.com)
Vortex Technology, Topanga, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy.

CONTENTS
    PRIVACY Briefs (Moderator--Lauren Weinstein)
    Scientific American article, 'Achieving Electronic Privacy' (Dan Huber)
    Credit reports, phone bills, credit card bills for sale (Dan Ellis)
    SG Debate Centers on ACCESS Card Issue (John G. Otto)
    Tracking mail (Allen Smith)
    Comments on draft ACM whitepaper (Craig Partridge)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have RELEVANT "Subject:" lines. Submissions without appropriate and relevant "Subject:" lines may be ignored.
Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@cv.vortex.com". Mailing list problems should be reported to "list-maint@cv.vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "cv.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive.

For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX to (310) 455-2364.

-----------------------------------------------------------------------------

VOLUME 01, ISSUE 20

Quote for the day:

    "I'm wearing a cardboard belt!"

        -- Max Bialystock (Zero Mostel)
           "The Producers" (1968)

----------------------------------------------------------------------

PRIVACY Briefs (from the Moderator)

---

Last week's edition of CBS's "48 Hours" program centered on the issues of technological invasions of privacy. The emphasis was on the ease with which information could be collected on particular "targeted" individuals by "private detectives" via legal and illegal means (databases, public photography and tracking, cellular phone interception, etc.)
The program was not primarily concerned with the broader issues of privacy as they affect the population at large, and was rather disappointing. However, any program that gets people thinking about privacy issues has value.

Some Internet readers may recall a message circulating around the net months ago when CBS was attempting to find someone to demonstrate the (illegal) practice of cellular interception for that program. Obviously they found their man--his disguise, consisting of dark sunglasses and a fake "Castro" beard, was definitely worth a few chuckles.

---

Regular readers of the PRIVACY Forum will already be familiar with the "FBI Wiretap Bill" (a.k.a. "Dial-A-Wiretap"). This proposed legislation would mandate direct, remote monitoring access to virtually all domestic telecommunications networks and systems for court-approved wiretaps. Many privacy advocates have expressed grave concerns regarding the potential for abuse and misuse of such a system, among other serious problems.

Rumors are now circulating that due to perceived potential difficulties in obtaining approval for the bill as separate legislation, an attempt may be made to attach essentially the complete language of the bill as an amendment to some other legislation with a higher probability of "low-scrutiny" passage (e.g. federal omnibus crime legislation).

------------------------------

Date: Thu, 24 Sep 92 09:51 EDT
From: DMHuber@DOCKMASTER.NCSC.MIL
Subject: Scientific American article, 'Achieving Electronic Privacy'

I read an interesting article in the Aug 92 issue of 'Scientific American' by David Chaum that discussed using what he called 'blind signatures' in electronic cash and credential verification applications. I'm relatively new to this topic and would like to get reaction/opinions of others on this idea. Perhaps someone could review it in the Privacy Forum digest.
thanks,
Dan Huber

------------------------------

Date: Thu, 24 Sep 92 10:07:41 -0400
From: "Dan Ellis"
Subject: Credit reports, phone bills, credit card bills for sale

I heard an alarming interview on NPR's "Fresh Air" on Tuesday night. Unfortunately I didn't take notes, but the gist was that a journalist who works for Business Week (?) called something that sounded like Geoffrey Rothvader has written a book called "Privacy for sale"(?) based on his research in accessing private records via 'legitimate' information-pooling businesses.

He described a class of organization he called 'superbureaus' which gather and merge information from better known sources such as the credit reporting agencies but also phone companies and credit card companies. He was able to buy an account with apparently complete access to these databases on the grounds that he worked for a reputable publishing company (McGraw Hill) and that he wanted to check up on some potential employees.

He was then able to inspect the credit report for J Danforth Quayle (without knowing anything more than an old address from a Who's Who), but more alarmingly, was able to see Dan Rather's credit card bill for the past month - showing stores and amounts etc. He said that phone records were similarly available, and it had cost him $300 to get the information.

He suggested that the credit card bill and phone bill information must be being supplied by unauthorized sources within the appropriate companies, and that such companies should give more thought to audit trails and access restrictions in their internal information systems.

Perhaps this is old hat, but I was shocked by the amount of information that was, in practice, available. The author emphasized that these are above-board businesses and there was nothing illegal or even particularly exotic in what he did.

Apologies for anything I have distorted or misremembered in the two days since the program.
Dan Ellis, MIT Media Lab

------------------------------

Date: Thu, 24 Sep 92 12:55:41 EDT
From: John G. Otto
Subject: SG Debate Centers on ACCESS Card Issue

Wednesday, 1992-09-23
Florida Flambeau (Box 29287; Tallahassee, FL 32316; 904-681-6692)
(distributed with permission of the editor)

SG Debate Centers on ACCESS Card Issue
by Matt Grimison

The Seminole ACCESS card is a fascist pariah that keeps a Big Brother-like watch on students - or it's a high-tech Godsend that will make the Florida State University campus safer.

Those were the 2 sides to just 1 of many issues discussed Tuesday during a debate at the student Union between 3 parties vying for student senate seats in today's elections.

Representatives of the Monarchy, Osceola and Alliance parties, as well as 4 independent candidates, argued about the ACCESS card and a controversial constitutional amendment on the ballot when they squared off in what turned out as more of a question and answer session than a head to head debate.

Opinions turned bilateral when Osceola and Monarchy agreed to disagree with Alliance on the 2 issues.

Jeanne Campbell of Monarchy and Joe Gillespie of Osceola united in condemning the ACCESS program, saying it takes advantage of students by keeping the money earned in interest from their accounts. They also said it's too expensive to implement and contains too much personal information.

"It infringes on students' privacy.", Gillespie said. "They have students' biographical information, credit history and social[ist in]security numbers and can track students' movement on campus. It is dangerous as an information source."

But Fred Maglione of Alliance said that while the system is not trouble free, it's still worth while because it will help make FSU a cash free campus. [That's worth while?!?!?!?!?...jgo]

"After the problems are worked out, it will run smoothly.", Maglione said. "We are very pleased with the ACCESS card.
Once the bugs are worked out it will make for a better and safer campus environment."...

jgo John G. Otto otto@systems.cc.fsu.edu

------------------------------

Date: Thu, 24 Sep 1992 22:32 EST
From: ALLEN SMITH
Subject: Tracking mail

In regards to the privacy issue of automated mail tracking, it occurs to me that that sort of system is rather easily disrupted by simply sending fake mailings to various "interesting" locations. That admittedly won't cure the problem that various interfering agencies, etc., can tell that you're doing _something_ they're interested in, but it can confuse them (until they get a warrant/whatever to actually open the mail) on _what_ you're doing. It does also cost a bit, admittedly.

-Allen

------------------------------

Date: Fri, 25 Sep 92 10:11:58 -0700
From: Craig Partridge
Subject: comments on draft ACM whitepaper

Hi:

I read through the draft and felt it had an important limitation. It does not discuss when data gathering is beneficial (to the public or even to individuals). The overall tone of the first half of the document left the impression that data gathering, in and of itself, may be bad. Yet when I read the principles of the Code of Fair Information Practices, it was clear that it was carefully designed to permit data collection, subject to some basic safeguards.

It seems to me that a professional body such as ACM has an obligation to recognize and try to understand all sides of the issue, even if ACM favors a particular perspective.

I do not claim to be an expert in this area, but let me try a couple of points suggesting where data collection is useful:

* Better business bureaus and other organizations which track complaints against business. Consumers, in general, benefit from being able to check on the perceived quality of a business they propose to deal with.

* Credit bureaus.
We can (and should) make much of the failure of credit bureaus to keep accurate information and sufficiently protect it (indeed, their propensity to sell it). However, just as it is useful for consumers to check on businesses, it is beneficial to business to be able to check on the creditworthiness of individuals who are asking for credit.

* Utility records. There's been some fuss here in Northern California about access to utility bills. Some newspapers have been printing lists of people and organizations whose water bills indicate exceptionally high consumption (we're in the midst of a drought). There have been benefits to this information. For example, we've learned that utilities are giving odd preferential billing schemes (such as special water rates to golf courses) which are probably not in the public interest. There are arguably harmful effects too: a reputedly hard-of-hearing individual who had not heard water running from a broken pipe under his home ran up a large bill one month and was distressed by the publicity his bill got. But there's a powerful argument that the greater public interest in seeing careful water use during the drought was served by publishing the list.

* Legal decisions. Our legal system is based on precedent. Collecting legal opinions on-line makes it easier for lawyers to locate relevant prior decisions. However, decisions also often contain personal information about parties in the case, so there's a privacy risk here (though I believe rather small).

Perhaps one may disagree with this particular list. That's fine, but I think some discussion of cases where data collection is beneficial is needed if the ACM white paper is to fully present the issues around privacy.

I hope this is useful.

Craig Partridge
past editor, ACM Computer Communication Review
E-mail: craig@aland.bbn.com or craig@bbn.com

------------------------------

End of PRIVACY Forum Digest 01.20
************************