PRIVACY Forum Digest Sunday, 1 August 1993 Volume 02 : Issue 27 Moderated by Lauren Weinstein (lauren@vortex.com) Vortex Technology, Topanga, CA, U.S.A. ===== PRIVACY FORUM ===== The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy. CONTENTS CPSR Urges Revision of Secrecy System (David Sobel) Credit Reports and National Security (Dave Banisar) Medical privacy and the DMV (Brett Glass) Re: Name & Address from Phone Number in Chicago (Chris Johnston) Call for Papers: Computer Network Use and Abuse Conference (Paul Higgins) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. ALL submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are also available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@vortex.com, call (310) 455-9300, or FAX to (310) 455-2364. ----------------------------------------------------------------------------- VOLUME 02, ISSUE 27 Quote for the day: "Book him, Dano." -- Steve McGarrett (Jack Lord) "Hawaii Five-O" (1968-1980) ---------------------------------------------------------------------- Date: Thu, 15 Jul 1993 16:58:33 EST From: David Sobel Subject: CPSR Urges Revision of Secrecy System Computer Professionals for Social Responsibility (CPSR) has called for a complete overhaul in the federal government's information classification system, including the removal of cryptography from the categories of information automatically deemed to be secret. In a letter to a special Presidential task force examining the classification system, CPSR said that the current system -- embodied in an Executive Order issued by President Reagan in 1982 -- "has limited informed public debate on technological issues and has restricted scientific innovation and technological development." The CPSR statement, which was submitted in response to a task force request for public comments, strongly criticizes a provision in the Reagan secrecy directive that presumptively classifies any information that "concerns cryptology." CPSR notes that "while cryptography -- the science of making and breaking secret security codes -- was once the sole province of the military and the intelligence agencies, the technology today plays an essential role in assuring the security and privacy of a wide range of communications affecting finance, education, research and personal correspondence." With the end of the Cold War and the growth of widely available computer network services, the outdated view of cryptography reflected in the Reagan order must change, according to the statement. CPSR's call for revision of the classification system is based upon the organization's experience in attempting to obtain government information relating to cryptography and computer security issues. CPSR is currently litigating Freedom of Information Act lawsuits against the National Security Agency (NSA) seeking the disclosure of technical data concerning the digital signature standard (DSS) and the administration's recent "Clipper Chip" proposal. NSA has relied on the Reagan Executive Order as authority for withholding the information from the public. In its submission to the classification task force, CPSR also called for the following changes to the current secrecy directive: * A return to the "balancing test," whereby the public interest in the disclosure of information is weighed against the claimed harm that might result from such disclosure; * A prohibition against the reclassification of information that has been previously released; * The requirement that the economic cost of classifying scientific and technical be considered before such information may be classified; * The automatic declassification of information after 20 years, unless the head of the original classifying agency, in the exercise of his or her non-delegable authority, determines in writing that the material requires continued classification for a specified period of time; and * The establishment of an independent oversight commission to monitor the operation of the security classification system. The task force is scheduled to submit a draft revision of the Executive Order to President Clinton on November 30. The full text of the CPSR statement can be obtained via ftp, wais and gopher from cpsr.org, under the filename cpsr\crypto\secrecy_statement.txt. CPSR is a national organization of professionals in the computing field. Membership is open to the public. For more information on CPSR, contact . ------------------------------ Date: Sat, 24 Jul 1993 14:13:08 EST From: Dave Banisar Subject: Credit Reports and National Security Last week, the Senate Intelligence Committee approved a provision that allows for FBI access to credit reports using only a letter instead of a judical warrant in cases that they say involved national security. There is concern that this will be subject to abuse and that the necessity has not been proven. Several privacy and consumer groups sent this letter opposing the provision. I was unable to easily find the actual text but will get it after I come back from vacation. Dave Banisar CPSR Washington Office July 12, 1993 The Honorable Dennis Deconcini Chairman Senate Select Committee on Intelligence United States Senate SH-211 Hart Senate Office Building Washington, DC 20510-6475 Dear Chairman DeConcini; We are writing to voice our strong opposition to the Administration's legislative proposal to amend the Fair Credit Reporting Act (FCRA) to allow the Federal Bureau of Investigation (FBI) to obtain consumer credit reports in foreign counterintelligence cases. The FBI seeks a national security letter exemption to the FCRA to obtain personal information from consumer reporting agencies without a subpoena or court order. A national security letter gives the FBI the authority to obtain records without judicial approval and without providing notice to the individual that his or her records have been obtained by the Bureau. Similar FBI proposals were rejected in previous years after Congressional leaders expressed concern over the civil liberties issues raised. Although the current draft proposal is more comprehensive than those circulated in previous years, the changes and additions do not alter significantly the central character of the proposal. The Administration's 1993 proposal includes explicit limits to'dissemination of obtained information within the goverrment, penalties for violations including punitive damages, and reporting requirements. These provisions are positive changes from the legislation put forward in previous years, but they do not save the proposal from its intrinsic flaws. Therefore, the reasons for our fundamental opposition to the current proposal remain the same: 1) the FBI has not demonstrated a compelling need for access to consumer credit reports; and 2) legislation that implicates civil liberties should be addressed separately and not as part of the authorization process. There are only two instances in which Congress has authorized the FBI, in counterintelligence investigations, to obtain information about individuals pursuant to a national security letter but without a subpoena, search warrant or court order. First, the Electronic Communications Privacy Act (ECPA) of 1986 included a provision requiring common carriers to disclose subscriber information and long distance toll records to the FBI in response to a national security letter. Second, congress included in the 1987 Intelligence Authorization Act an amendment to the Right to Financial Privacy Act (RFPA) that requires banks to provide customer records to the FBI in response to a similar letter. In that case, the FBI presented to Congress its case for obtaining financial records in foreign counter- intelligence cases and the difficulty of obtaining those records without a court order. In both instances when congress has previously authorized the national security letter, Congress recognized that the procedure departs dramatically from the procedure necessary to obtain a court order. The FBI's current proposal seeks similar access to individuals' credit records held by consumer reporting companies. The FBI has yet to adequately justify its need to add such highly personal, sensitive information to the narrow category of records subject to the national security letter exemption. The Bureau claims obtaining credit reports will allow it to more easily determine where a subject of an investigation banks -- information the FBI claims will help them effectuate their ability to access bank records under the RFPA. We opposed the national security letter exemption in the RFPA and do not endorse the FBI's slippery slope approach to ensuring that they can more easily obtain financial information in foreign counterintelligence cases. This information can be and is routinely gained without credit reports. We do not believe convenience is a sufficient justification for this significant exception to the law. The FBI further argues that obtaining banking information through a credit report is preferred because it is actually leas intrusive than those investigative methods that would otherwise be used. While we too are frustrated that other information- gathering techniques are frequently too intrusive, our objections to the other techniques do not lead us to endorse yet another technique that is also intrusive and that weakens existing privacy law. Finally, we object to using the authorization process as the vehicle for pursuing this change. The national security latter exemption, because it diminishes the due process and privacy protections for individuals, must be given the most careful consideration. The FBI's proposal should be introduced as separate legislation on which public hearings can be held. only in this way can the Committee test thoroughly the FBI's case for the exemption and hear from witnesses who object to the change. We urge you to reject the FBI's proposal in its current form. We are available to work with you on this issue. Sincerely, Janiori Goldman Michelle Meier Privacy and Technology Project Consumers Union American civil Liberties Union Marc Rotenberg Evan Hendricks Computer Professionals for U.S. Privacy Council Social Responsibility cc: Members, Senate Select Committee on Intelligence The Honorable George J. Mitchell Senate Majority Leader The Honorable Donald W. Riegle, Jr., Chairman Senate Committee on Banking, Housing and Urban Affairs The Honorable Patrick J. Leahy, Chairman Subcommittee on Technology and the Law ------------------------------ Date: Sun, 25 Jul 93 20:30:15 PST From: "Brett Glass" Subject: Medical privacy and the DMV [Subject field chosen by MODERATOR] In a recent PRIVACY Forum Digest, Waybe Madsen describes an incident in which an EMT reported a fainting spell to the DMV. It's lucky for the poor victim (who suffered from a brain tumor) that he didn't live in California, where doctors are required to report ANY loss of consciousness -- no matter what the cause -- to the DMV. After such a report has been made, it is nearly impossible to get a driver's license again -- EVER. It's the law. [ This seems like a rather broad statement. Some specifics regarding this issue, by anyone who knows the details, would be appreciated in this forum. -- MODERATOR ] ------------------------------ Date: Tue, 27 Jul 93 17:03:23 CDT From: Chris Johnston Subject: Re: Name & Address from Phone Number in Chicago I would expect automated Customer Name and Address (CNA) would work like the current CNA service. Call 312-796-9600, tell the operator the telephone number, operator either tells you it is a non-published number or reads the name and address without zipcode, Illinois Bell collects 35 cents. I use it regularly to look up numbers that appear on my pager. Or I could walk to the library and look it up in the criss cross directory. regards, cj 312-786-4889 ------------------------------ Date: Mon, 26 Jul 1993 16:31:36 EDT From: Paul Higgins Subject: Call for Papers: Computer Network Use and Abuse Conference CALL FOR PAPERS The National Conference of Lawyers and Scientists (NCLS) invites proposals for original papers to be presented at a two-and-a- half-day invitational conference on "Legal, Ethical, and Technological Aspects of Computer and Network Use and Abuse." The conference, which will include 40 participants representing a diverse set of perspectives and areas of expertise, will be held in southern California in mid-December 1993. Up to three successful applicants will receive travel expenses and room and board at the conference. Papers will be included in the conference proceedings and may be published subsequently in a book or journal symposium. The conference will focus on the ways in which the law, ethics, and technology can contribute to influencing and enforcing the bounds of acceptable behavior and fostering the development of positive human values in a shared computer environment. Primary attention will be on unwanted intrusions into computer software or networks, including unauthorized entry and dissemination of viruses through networks or shared disks. Discussions will deal with such issues as access to information, privacy, security, and equity; the role of computer users, academic institutions, industry, professional societies, government, and the law in defining and maintaining legal and ethical standards for the use of computer networks; and a policy agenda for implementing these standards. Papers are invited on any aspect of the conference theme. Especially welcome would be papers reporting on empirical research, surveys of computer users, and case studies (other than those that are already well-known). Interested persons should submit a summary or outline of no more than 500 words, together with a brief (one-page) resum and a statement (also brief) of how one's expertise or perspective might contribute to the meeting. Proposals will be reviewed by an advisory committee convened by NCLS and successful applicants will be asked to prepare papers for the meeting. Papers must be the original work of the author, not previously published, in good academic form, and between about 5,000 and 8,000 words (25-30 double-spaced pages) in length. Deadline for receipt of proposals is 5 p.m. Eastern Time, September 15, 1993. Applicants who are selected to prepare papers will be informed by October 1, 1993. Draft papers will be due December 3, 1993. Final versions of the papers, revised in light of conference discussions, will be due approximately two months after the conference. NCLS is an organization sponsored jointly by the American Association for the Advancement of Science and the American Bar Association, dedicated to improving communication between members of the legal and scientific/technical professions and exploring issues at the intersection of law, science, and technology. Funding for this meeting has been provided by the Program on Ethics and Values Studies of the National Science Foundation. For further information please contact Deborah Runkle, Directorate for Science & Policy Programs, American Association for the Advancement of Science, 1333 H Street, NW, Washington, DC 20005. Phone: 202-326-6600. Fax: 202-289-4950. E-mail: values@gwuvm.gwu.edu. ------------------------------ End of PRIVACY Forum Digest 02.27 ************************