PRIVACY Forum Digest      Tuesday, 6 April 1993      Volume 02 : Issue 11

Moderated by Lauren Weinstein (lauren@cv.vortex.com)
Vortex Technology, Topanga, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy.

CONTENTS
    About the database business (Larry Seiler)
    Personal letters (Steven Hodas)
    Junking the Junk-Mailers (Chaz Heritage)
    Legal Net Monthly Newsletter (Paul Ferguson)
    Chicago DEA Surveillance of Gardeners (Sarah M. Elkins)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have RELEVANT "Subject:" lines. Submissions without appropriate and relevant "Subject:" lines may be ignored. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@cv.vortex.com". Mailing list problems should be reported to "list-maint@cv.vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "cv.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password.
The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are also available through the Internet Gopher system via a gopher server on site "cv.vortex.com".

For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX to (310) 455-2364.

-----------------------------------------------------------------------------

VOLUME 02, ISSUE 11

Quotes for the day:

    "If we think really hard, maybe we can stop this rain!"

    "There is always a little bit of heaven in a disaster area!"

        -- Announcements at the Woodstock Rock Festival; 1969

----------------------------------------------------------------------

Date: Sun, 28 Mar 93 04:33:54 EST
From: "Larry Seiler, x223-0588, MLO5-2"
Subject: About the database business

John, [ referring to jpettitt@well.sf.ca.us -- MODERATOR ]

There are several things in your message that I agree with wholeheartedly, e.g. that the data collection/distribution business should be brought into the light so that everyone knows what is going on. However, there are several issues in your last message that I wish to comment on. I'll summarize them with the following statements:

    1) Who is hurt by free flow of accurate information?
    2) Inaccurate information is worse than none and has no value.
    3) Data collection and trading will happen no matter what.
    4) Should there be a required consent law for data collection?
    5) Paying for 800 service gives you a right to people's names.
    6) Your norms for the collection and sharing of information.

Let me take those one at a time.

1) Who is hurt by free flow of accurate information?

Many people who test HIV positive have lost their jobs through fear of infection. It is now known that it is virtually impossible to give someone AIDS by normal workplace activities (unless one works in a brothel), but it isn't surprising that fears persist. Let's suppose an employer learns the accurate information that someone tests HIV positive and chooses to fire that person (stating some other reason, of course). The free flow of information has unfairly harmed that person.

I have a friend who woke up one night (during a messy divorce) to find her car on fire. The fire department told her that it was arson and if she hadn't woken up so promptly, the whole house would have burned down. Her response was to announce that she was moving, to change her address to a P.O. box, and to put someone else's name on her mailbox. However, the phone company still knew where she lived -- and would have tracked her to her new address even if she had really moved. I submit that if accurate information about her address were available, she would have been subject to a significant risk of harm. I should mention that her ex-husband had a history of torching cars.

Wasn't it Judge Bork whose videotape rentals were publicized? I think that harmed him, to some extent. Many people (most people) have things we do that are legal and even ethical, but which might harm us if they were publicized -- especially if they are taken out of context. It's really easy to cite cases where people can be harmed by the distribution of dead-on accurate information about them, e.g. the British Royal family.

2) Inaccurate information is worse than none and has no value.

An individual piece of inaccurate information is worse than none, but a database that is 95% accurate is obviously still very valuable. For example, if an untargeted hit rate is 1/100 and a targeted hit rate is 1/20 then even 50% inaccurate data will improve the hit rate.
The database companies have no economic reason to try to be perfectly accurate -- and even if they are 95% accurate about 100M people, that's 5M people who can get screwed. Reality is even worse, because there are multiple entries per person, any one of which might be inaccurate. And in fact, even credit information has been shown to be *far* less accurate (e.g., 30% to 50% error rate). And yet, they still make a lot of money by selling it.

I believe current law shields most database purveyors from liability for errors in their database, unless it can be shown that the error was deliberately introduced. This is yet another reason why high accuracy isn't important to the database industry.

There's no way to correct most databases, since we are not allowed to find out what's being said about us. And even for credit data, there are numerous examples of people who've made almost a career out of trying to get their records fixed, only to see the false data keep reappearing because the credit card companies share data and do not do any verification. So long as any database anywhere still has the bad data, it can keep reappearing, no matter how often you've proved that it is false.

3) Data collection and trading will happen no matter what.

So will theft. So will sweatshop labor. The fact that some people will find ways to do it (offshore if necessary), or even a claim that "everybody does it" has no bearing on whether it should be allowed. The proper question is, how can a law regarding data privacy be made such that it actually protects privacy and is actually enforceable?

That's a good question, deserving of more thought in later messages. However, I think it's necessary to generally agree on where we are going before we can agree on (or usefully discuss) how to get there. I do have a few suggestions that I'd like to share later.

4) Should there be a required consent law for data collection?

It looks like we agree on this one.
I would be happy with a law that defaulted to allowing information distribution but provides a clearly understandable option for privacy. But that would not be a "neutral law" -- it would be a law biased toward disclosure. However, if you mean by "neutral" that it is a law that balances the desires of businesses for information and the desires of individuals for privacy, then I agree.

Democracy is all about balancing competing interests. At present, the laws are massively in favor of the information sellers. I don't want to put the information sellers out of business -- I want to require them to be responsive to privacy concerns and responsible for what they do with the data.

5) Paying for 800 service gives you a right to people's names.

Ask your customers why they think you have an 800 number. I bet 99.94% will say that you pay for that to convince them to call you, which they wouldn't do if they had to pay for the call. I'll bet hardly any know that you get their number when they call an 800 number -- I've never seen that mentioned except in the RISKS forum, not even in a phone company ad for 800 service! So I don't agree that paying for the service gives you a right to know who's calling.

Also, as has been pointed out, if the purpose of caller ID were to let you know *who* is calling, it would provide a name, not a number. The phone company has explicitly said that they provide numbers because that is what their *database customers* want.

I submit that caller ID blocking should be extended to apply to *all* phone services -- if you enable blocking, then *nobody* you call gets your number. You in your turn would be free to not answer any call that is blocked, as you are free to not open your door to a person on your doorstep whom you cannot recognize. I believe that would provide a fair compromise between the competing interests.
Note that ANI is like looking through the peephole into your caller's pocket and seeing their driver's license number, without their knowing you are doing so. In a free world, people should have a right to refuse to identify themselves, just as you have a right to refuse to speak with an anonymous person.

Hmm... maybe what the phone company should be required to provide is a block for caller ID blocking. If you enable this on your 800 line, then anyone who calls you with caller ID blocking enabled would be informed that the call cannot get through because they are blocking caller ID. So you are not bothered by (and do not pay for) any deliberately anonymous phone calls, and you'd still get calls from people who still live in areas without ANI (if any, I assume there are some). Does that balance your desires for caller ID against privacy concerns?

6) Your norms for the collection and sharing of information.

I feel I've shown why we should restrict the flow of accurate data -- why it can unfairly harm people to do so. Beyond that, I don't feel that you have a right to sell to people the fact that I purchased something from you (except with my consent), but I know you don't agree with that.

It would be very valuable to establish clear, enforced methods of tracking data. To start with, databases should be required to specify where each piece of data came from -- the source and the date it was obtained. Beyond what you suggest, methods should be established to allow people to review data that is held about them -- both to uncover potentially inaccurate data and to uncover data that is considered private and that they did not consent to have distributed.

Under the category of reasonable penalties for selling inaccurate or private data, I think it's important to take it out of the tort system. It is unfair both to the public and to the database providers to have the sole redress be a lawsuit.
It's unfair to the public because this is a form of redress available to very few. It's unfair to the database providers because there is no limit to the damages a jury might award in the rare cases where a claim does go to trial and is found for the plaintiff (and for which an appeal doesn't gut the damage award). BTW, I'd be interested to hear what you have to say about the tort system.

Database sellers should be required to respond to claims that their databases contain inaccurate data. There should be some established procedure, like the procedure for contesting a credit card charge. There should also be a standard fine of some kind for cases where the database company does not respond to a proper request to investigate allegedly inaccurate or private data in their database. That's one way to avoid the tort system while also establishing a financial value for keeping the records accurate.

There are more possibilities here, but I think they belong in a later message.

Enjoy,
Larry

------------------------------

Date: Mon, 29 Mar 1993 13:24:37 -0800 (PST)
From: Steven Hodas
Subject: Personal letters

If I send a personal letter to someone do they have the right to disclose it to others without my consent? Does this vary state by state? If it's prohibited, is it a civil or a criminal issue? If it is permitted doesn't that suggest that we have greater privacy protection for electronic communication because the ECPA would prohibit that kind of disclosure?

Thanks,
Steven

===========================================================================
Steven Hodas                    School of Education
University of Washington        Leadership and Policy Studies
206.285.5734                    hhll@u.washington.edu
===========================================================================

------------------------------

Date: Wed, 31 Mar 1993 08:04:03 PST
From: chaz_heritage.wgc1@rx.xerox.com
Subject: Junking the Junk-Mailers

In PRIVACY Forum Digest, Friday, 26 March 1993, Volume 02 : Issue 10, Alan (Gesture Man) Wexelblat writes:

>When asked for "identifying" information which is probably going to be used to compile marketing databases, I cheerfully supply *wrong* information. I make it as bogus and outlandish as I feel that day<

Two points. First, there may be a 'rationality check' of some kind applied to data entry, so names such as Mr. Michael Mouse or Mr. Donald Duck may be rejected out of hand.

When I last did this, some years ago, when I still had enough hair to consider myself a young tearaway, I had been sent a marketing questionnaire, which (having checked carefully for code numbers, etc.) I filled out in the character of a retired gentleman with far more money than sense, very keen to find out more about double-glazing, stone-cladding and concrete garden gnomes. I gave his name as Mr. George Smiley and his address as the building in Mayfair, London, once inhabited by MI5, the British Security Service.

Obviously I don't know if MI5's successors there have actually been pestered by double-glazing salesmen, but I fancy that a relatively credible spoof has more chance of working than an overtly surrealist one.

Second, since I did this the British government passed an Act laughably known as the Data Protection Act, which, while it does nothing concrete to protect the rights of the individual, and in many cases formalises earlier abuses, does make it a crime to lie to a junk-mail computer.
Whether recent 'anti-hacker' legislation in the USA might have a similar effect I couldn't say, but I'd think it prudent to check.

As far as I know nobody has yet been prosecuted in the UK for such an offence, but if any kind of determined spoofing effort were to be made against this cornerstone of Monetarist culture then I'm sure that it would receive the customary treatment.

Though spoofing junk mailers is fun it probably motivates them to make greater efforts to bribe their friends in government to force compliance by legal means, and to criminalise dissent, as has happened here (though apparently the revelation that people could be so 'Trotskyite-Anarchist' as to lie to a marketing company was one of the things that made Thatcher literally foam at the mouth, thereby reducing the necessary level of bribery).

Though it would be very inconvenient I suspect that the only certain method of stamping out these parasites would require the maximum possible popular support, and would involve an absolute boycott of all companies taking any part whatsoever in organised data abuse.

Regards,
Chaz

Disclaimer: As an individual I speak only for myself. I speak for no other, and no other speaks for me.

------------------------------

Date: Wed, 31 Mar 93 16:29:39 EST
From: fergp@sytex.com (Paul Ferguson)
Subject: Legal Net Monthly Newsletter

Opinion, editorial and newsworthy submissions are currently being (sought and) accepted for a new start-up electronic news journal. This monthly compilation will be called 'The Legal Net Monthly Newsletter' and will focus on the legal and ethical aspects of computer networking.

Legal Net Monthly will be a non-biased, open forum electronic newsletter keeping in step with the networking environment of the '90's and will be available by E-Mail subscription.

Legal Net Monthly is aiming to release its first issue on May 1st, 1993.

Articles on the following topics are especially welcome:

    o Defining "Criminal Mischief" on the Nets
    o Authoring/Distributing Computer Viruses: Legal Implications
    o Legislative news around the world

Send all submissions, subscription requests and correspondence to:

    fergp@sytex.com

Paul Ferguson                   | "Sincerity is fine, but it's no
Network Integration Consultant  |  excuse for stupidity."
Centreville, Virginia USA       |                 -- Anonymous
fergp@sytex.com (Internet)      |
sytex.com!fergp (UUNet)         |
1:109/229 (FidoNet)             |
PGP 2.2 public encryption key available upon request.

------------------------------

Date: Tue, 6 Apr 1993 14:54:36 PDT
From: Sarah_M._Elkins.Wbst139@xerox.com
Subject: Chicago DEA Surveillance of Gardeners

Forwarded with permission (from libernet via homebrew). Steve requests no follow-ups to him; please ask the store (owner: Dave Ittel) if you want more information. Apparently the camera was removed last week. The Chicago Tribune published a couple of articles about the store and the controversy, which I have not read.

Regards,
Sarah Elkins (elkins.wbst139@xerox.com)

----------------------------------------------------------------

Date: Mon, 22 Mar 93 11:43 CST
From: srw@ihlpv.att.com
Subject: Drama, Excitement, Surveillance !

This isn't directly related to brewing per se, but I thought the readers of this digest might be interested in a little drama that is unfolding at the Chicago Indoor Garden Supply store, 297 N. Barrington Rd, Streamwood, IL 60107.

I stopped in this past Saturday (3-20-93) to pick up some liquid yeast and the owner asked an unusual question, "Would you like to see a surveillance camera?" At first I thought it was a trick question, but he led me to the door, shoved a pair of binoculars in my hand, and directed my attention to a utility pole directly across the street. Strange. Power transformers don't usually have little windows on the front and high gain antennas on the top.
The owner went on to allege that the Drug Enforcement Agency placed a camera there to see who visits the store. He claimed that they would send chase cars after the patrons to get the license tag and then in some cases show up at their door step demanding to search their home.

The store not only sells the necessary supplies for making beer, but they also sell supplies for growing spices and herbs in your home. It appears that the DEA assumes all customers of the store are growing marijuana. The disturbing part, the owner alleges, is that the DEA does not have a search warrant when they show up at your door.

It's been a couple of days now and no one has shown up at my door, but I can say for a fact that there was a suspicious looking transformer on the utility pole Saturday afternoon. I wonder if they are monitoring Handy Andy, Franks Nursery, K-mart, etc.

I'm sure if you call the store at 708-885-8282 they will be glad to tell you the latest chapter in this unfolding drama. The local CBS affiliate, WBBM Channel 2, is going to do a news story tonight (Monday). This could be interesting.

Steve Walk -- 708-713-7409 (Voice) 708-713-7963 (FAX)
Room IHP 2F-520
Software Systems and Technologies Department
AT&T Bell Laboratories
263 Shuman Boulevard
Naperville, IL 60566-7050
att!ihlpv!srw or srw@ihlpv.att.com

------------------------------

End of PRIVACY Forum Digest 02.11
************************