PRIVACY Forum Digest      Friday, 29 April 1994      Volume 03 : Issue 09

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy.

CONTENTS
    Re: Internet White Pages (John R. Levine)
    FCC Issues Decision on Caller ID [Finally] (Monty Solomon)
    Medical Privacy Bill Introduced in Congress (Dave Banisar)
    Government-Assisted Housing (Joseph A. Drain)
    Alt.sex newsgroups.... (Elizabeth Chestney)
    Preserving Federal Electronic Mail (Barbara Simons)
    NTIA Privacy Notice of Inquiry - Deadline Extended, Act Now! (Monty Solomon)
    Data Escape from Prison (Mich Kabay)
    Singapore IS pro-privacy --- about executions etc ([Name Withheld])
    Clipper Petition Delivered to White House (CPSR National Office)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com".
All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are also available through the Internet Gopher system via a gopher server on site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@vortex.com, call (818) 225-2800, or FAX to (818) 225-7203.

-----------------------------------------------------------------------------

VOLUME 03, ISSUE 09

Quote for the day:

    "Heavenths to Mergatroid!"

        -- "Snagglepuss"; Animated; Hanna-Barbera (1959-1962)

----------------------------------------------------------------------

Date: Thu, 14 Apr 94 14:18 EDT
From: johnl@iecc.com (John R Levine)
Subject: Re: Internet White Pages

I happen to know the people who published the "Internet White Pages", since it's a branch of the same people who publish my Dummies books, and have had some discussions with them about the book. As far as I can tell, the authors created the list by collecting usenet return addresses, perhaps enriched with addresses collected from people's signature lines.

I see two separate issues here:

* Should there be listings available of Internet mail addresses?
* Is collecting usenet return addresses an appropriate way to make the listings?

The answer to the second question is simple: No, and the reason is equally simple: it gives you a lousy list. The book lists six addresses for me, including johnl@iecc.uucp, an address that I don't recall ever using, and that I certainly wouldn't have used any time in the last five years. (It is a valid address, though.) They also list me as both John R Levine and John R. Levine, suggesting their software could still use some work. But listing only usenet addresses gives you a very one-sided list. For example, none of the board members of the Internet Society appear. I have suggested to the publisher some ways they could round out the list by using other public listings of addresses.

The more interesting question is what sort of white page listings should exist. Like telephone white pages, on the one hand these listings make it easier for people from whom we'd like to hear to get in touch with us, but they also make it easier for people from whom we don't want to hear to get in touch with us. Online white pages have the particular problem that, given the current state of the net, we can expect bozos who have access to large numbers of mail addresses to use them for random junk mail. This is particularly annoying to people on services like Compuserve where incoming Internet mail costs money.

I suspect that we'll end up with something roughly parallel to paper mail, with the sender paying all the charges, and a lot of mail being sent that nobody reads. I currently get about 100 messages a day, which I deal with by using a lot of automation, e.g. mail from known mailing lists is filed as pseudo-usenet messages for later perusal. It would be technically simple to arrange for mail from known annoying addresses to be thrown away, although I haven't had to do that yet.
It would also be fairly easy to arrange public and private e-mail addresses, with messages to the two addresses handled differently. I happen to be using a Unix box, but facilities like this are quite common. The inexpensive Eudora mail program for the PC and Mac has filtering features at least as nice as these.

But to return to the white pages question, to make e-mail useful in the "real world", you've got to have some sort of white pages, probably both on-line (just telnet to 555-1212, however you spell that in X.500) and on paper. Sure, some people may prefer to be listed, just like people have unlisted phone numbers. But if we don't come up with reasonable designs for white pages pretty soon, we'll have a profusion of unreasonable ones thrust upon us.

Regards,
John Levine, johnl@iecc.com, jlevine@delphi.com, 1037498@mcimail.com

------------------------------

Date: Fri, 15 Apr 1994 02:32:38 -0400
From: Monty Solomon
Subject: FCC Issues Decision on Caller ID (Finally)

Excerpts from CPSR Alert 3.06

[3] FCC Issues Decision on Caller ID (Finally)

After three years of deliberation, the FCC in April finally issued its rules on Caller Number Identification. The FCC mandated that telephone companies that use Signaling System 7 offer Caller ID for interstate calls and that interstate carriers carry the signals at no charge.

The FCC ruled that telephone companies provide free per call blocking for interstate calls, preempting the decisions of over 30 states' public utility commissions, many of which have opted for greater privacy protections. It adopted a controversial brief by the Department of Justice, which decided that Caller ID does not violate the Electronic Communications Privacy Act prohibition of "Trap and Trace Devices," which capture the numbers of incoming telephone calls. Previously, the Congressional Research Service and several states found that Caller ID was a trap and trace device.
The FCC rules also require that users of ANI services, such as 800 and 900 number services, which do not currently have a blocking capability, obtain consent from callers before passing on the information. Telephone companies must institute public education campaigns about ANI and Caller ID.

A copy of CPSR and the US Privacy Council's brief to the FCC and other materials from CPSR on Caller ID are available at the CPSR Internet Library.

[ The full impact and meaning of this decision, especially in regards to states which have already established their own stricter rules for INTRAstate CNID, has yet to be determined. Will we see different forms of blocking applied to in-state vs. out-of-state calls (e.g., per-line for in-state, per-call for out-of-state?) Also, the possibility of actions by state PUCs or other interested groups (including Congress) challenging this decision is still an open question. -- MODERATOR ]

------------------------------

Date: Thu, 14 Apr 1994 23:28:17 -0700
From: Dave Banisar
Subject: Medical Privacy Bill Introduced in Congress

[ Extracted from CPSR Alert 3.06 by MODERATOR ]

[4] Medical Privacy Bill Introduced in Congress

Congressman Gary Condit (D-CA) has introduced a comprehensive bill protecting the privacy of medical records in the House of Representatives. HR 4077, the Fair Health Information Practices Act of 1994, is a free standing bill but is intended to be an amendment to HR 3600, the Clinton Administration's health reform bill and other bills currently pending in Congress.

The bill creates fair information practices for the collection and use of personal medical information. It mandates that holders of health information keep that information confidential unless there is authorization for its release by the patient or other limited exceptions. Each person who obtains private medical information becomes a trustee. Patients will also have the right to access, and correct their own personal files.
The bill also creates criminal and civil penalties for improper access or disclosure of records. For criminal access, penalties are up to a $250,000 fine and 10 years in jail. Civil penalties are available against any private company, individual or state or local government for damages, including punitive damages in some cases, and attorney fees.

One area that has caused some concern is the law enforcement access to medical records. As currently written the bill allows law enforcement access to patient records with only a written certification by a supervisor that access is being obtained for a lawful purpose. Privacy advocates are concerned that a low threshold for obtaining records will encourage "fishing expeditions" for information by law enforcement officials.

HR 4077 was also cosponsored by John Conyers (D-MI) and Maria Velazquez (D-NY). Congressional hearings will be held on April 20, 27 and 28. CPSR has been asked to testify on April 28.

HR 4077 and supporting materials are available from the CPSR Internet Library.

------------------------------

Date: Sun, 17 Apr 1994 14:37:05 -0400
From: eo891@cleveland.Freenet.Edu (Joseph A. Drain)
Subject: Government-Assisted Housing

If the Clinton Administration's new proposal, whereby agreeing to unannounced searches of one's residence is to be a condition to obtaining federal housing assistance, does not shock us (as it should), perhaps because (though we'd never admit it) it will principally affect poor minorities, be on guard because we are next. It is predictably ironic that the most determined assaults upon the principles this country once stood for have come from the left flank more often than not. Apologies to anyone offended by the use of the royal "we" and "us"; I know I don't speak for all of you.

Since Clinton lives in public funded housing, anyone care to guess whether he'll agree to unannounced raids? Or does the new policy apply only to people who count for nothing in this world?

------------------------------

Date: Tue, 19 Apr 1994 17:34:34 -0400 (EDT)
From: Elizabeth Chestney
Subject: alt.sex newsgroups....

Greetings fellow internetwits...

I am a grad student at U of Waterloo, in Ontario, Canada. Recently, five newsgroups were banned on campus: alt.sex.bondage, alt.sex.bestiality, alt.sex.stories, alt.sex.stories.d, and alt.tasteless. A resulting flurry of email and newsgroup activity has criticised and discussed the ban's implications.

Newsgroups have had a long history of problems at UW. In 1988 "rec.humor" was banned for containing racist and sexist jokes, and "alt.sex.bondage," one of the five banned on Feb. 1, was originally banned in 1990. In April of that year, all "alt" newsgroups were banned, allegedly due to the cost of running them. They were later restored after a massive student outcry.

Although obscene or offensive subject matter cannot be ignored, this recent directive has heady censorship and privacy protection implications. I am currently working on this story for a "net" assignment. If any RISKS subscriber has criticisms or related info to share (as email or otherwise), I would greatly appreciate it.

Thanks,
Elizabeth Chestney
ecchest@watarts.uwaterloo.ca

------------------------------

Date: Tue, 19 Apr 94 14:00:15 PDT
From: "Barbara Simons"
Subject: PRESERVING FEDERAL ELECTRONIC MAIL

PRESERVING FEDERAL ELECTRONIC MAIL

The National Archives and Records Administration has asked for public comment on proposed standards for management of federal records created or received on electronic mail systems. The proposed standards were published in the March 24 _Federal Register_, pp. 13906-10.

When finalized, the standards are for all federal agencies on the proper means of identifying, maintaining, and disposing of federal records created or received on an E-mail system. The same standards the federal government applies to managing paper documents would apply to managing records created or received via electronic mail.
The guidelines apply to electronic mail sent over networks like the Internet as well as within office systems.

NARA has been working with the Executive Office of the President to develop specific records management policies and procedures for their E-mail records to comply with court rulings in _Armstrong v. Executive Office of the President_. In 1989, ALA joined a coalition of researchers and groups, including the National Security Archive, Public Citizen, the American Civil Liberties Union and the American Historical Association, in suing the government when the Reagan Administration tried to remove records from the computers of the National Security Council. The case has been working its way through the legal system during the Bush and Clinton Administrations. NARA's proposed rules are an outgrowth of the settlement negotiations in the case.

Comments must be submitted by June 22, 1994 to: Director, Records Appraisal and Disposition Division, National Archives at College Park, 8601 Adelphi Road, College Park MD 20740-6001. Comments may be sent by fax: (301) 713-6852, or by e-mail: ooa@cu.nih.gov. For further information contact: James Hastings, Director, Records Appraisal and Disposition Division, (301) 713-7096.

------------------------------

Date: Thu, 21 Apr 1994 11:27:43 -0400
From: Monty Solomon
Subject: NTIA Privacy Notice of Inquiry - Deadline Extended, Act Now!

Excerpt from EFFector Online Volume 07 No. 07

Subject: NTIA Privacy Notice of Inquiry - Deadline Extended, Act Now!
---------------------------------------------------------------------

Earlier this year, NTIA issued a Notice of Inquiry and Request for Comment from the public on "privacy issues relating to private sector use of telecommunications-related personal information associated with the National Information Infrastructure."
The comments will have bearing on an upcoming National Telecommunications and Information Administration report "which may make recommendations to the Information Infrastructure Task Force and Congress in the area of telecommunications and information policy".

Last week, EFF called NTIA asking when their privacy report would be made, and were told that the scheduling was still somewhat flexible, but that surprisingly few comments had been received before the March 30 deadline. We've worked with NTIA's Carol Mattey to reopen the Request for Comments, with successful results:

"Taking into account your expressed interest, and inquiries from several others, we have decided to formally reopen the record in NTIA's inquiry on privacy issues for additional comments. Attached to this message is a statement formally inviting additional comments to be filed on or before May 23, 1994. (This statement will be sent out in a press release and published in the Federal Register sometime next week.)

Please disseminate this statement, with the NOI, immediately to all who you think might be interested. We want to hear a wide range of views, but have to rely on groups like yours to spread that message, as we just do not have the resources to personally seek out all potentially interested parties.

Carol Mattey, NTIA"

********

CONTACT: Larry Williams
         (202) 482-1551

NTIA EXTENDS NOTICE OF INQUIRY ON PRIVACY ISSUES

TECHNICAL NEWS ADVISORY
April 19, 1994

The National Telecommunications and Information Administration (NTIA) has extended the deadline for filing comments in its privacy Notice of Inquiry (NOI) to May 23, 1994.

On February 11, 1994, NTIA published a Notice of Inquiry and Request for Comments in the Federal Register entitled "Inquiry on Privacy Issues Relating to Private Sector Use of Telecommunications-Related Information." 59 FR 6842. NTIA has received comments from 30 parties in this proceeding. Those comments can be reviewed in NTIA's Openness Room, U.S.
Department of Commerce, Room 4092, 14th St. and Pennsylvania Ave., N.W., Washington, D.C. 20230, between the hours of 9:00 am - 5:00 pm. For further information about NTIA's Openness Room, contact Norbert Schroeder at (202)482-6207.

Since the comment deadline date, NTIA has received several requests for extension of time to file comments. In the interest of fairness to all potentially interested parties, and to provide an additional opportunity to develop the record in this proceeding, NTIA will allow additional time in which to file comments.

Additional comments should be filed on or before May 23, 1994, to receive full consideration. Please submit seven copies to the Office of Policy Analysis and Development, NTIA, U.S. Department of Commerce, Room 4725, 14th St. and Pennsylvania Ave., N.W., Washington, D.C. 20230. Comments also may be submitted electronically via Internet to cmattey@ntia.doc.gov.

For further information, please contact Carol Mattey or Lisa Leidig, Office of Policy Analysis and Development, NTIA, at (202) 482-1880.

********

In discussion with Ms. Mattey, she advised that NTIA would prefer to receive comments specifically responding to the issues raised in the notice, outlined clearly where possible, and that it would be useful for lengthy comments to have a short summary at the top. The easier you make it for them to parse your comments the easier it is for them to take your comments into consideration. This holds true for any submission of comments to government agencies or legislators.

A selection from the original Notice of Inquiry is below:

********

DEPARTMENT OF COMMERCE

National Telecommunications and Information Administration

[Docket No.
940104-4004]

Inquiry on Privacy Issues Relating to Private Sector Use of Telecommunications-Related Personal Information

mation Administration (NTIA), Commerce

ACTION: Notice of Inquiry; Request for Comments

SUMMARY: NTIA is conducting a comprehensive review of privacy issues relating to private sector use of telecommunications-related personal information associated with the National Information Infrastructure. Public comment is requested on issues relevant to such a review. After analyzing the comments, NTIA intends to issue a report, which may make recommendations to the Information Infrastructure Task Force and Congress in the area of telecommunications and information policy, as appropriate.

DATES: Comments should be filed on or before March 30, 1994, to receive full consideration. [This has now been extended to May 23, 1994]

AUTHORITY: National Telecommunications and Information Administration Organization Act of 1992, Pub. L. No. 102-538, 106 Stat. 3533 (1992) (to be codified at 47 U.S.C. § 901 et seq.).

SUPPLEMENTARY INFORMATION: For detailed and important information detailing the specifics of the issues, see full copy of NOI at end of file:

    ftp.eff.org, /pub/Alerts/ntia_privacy.noi
    gopher.eff.org, 1/pub/Alerts, ntia_privacy.noi
    file://www.eff.org/pub/Alerts/ntia_privacy.noi
    Outpost--EFF Online, BBS +1 202 628 6120, "Alerts" file area, NTIAPRIV.NOI

which will include the updated information.]

------------------------------

Date: 26 Apr 94 12:13:52 EDT
From: "Mich Kabay / JINBU Corp." <75300.3232@CompuServe.COM>
Subject: Data Escape from Prison

[ From RISKS-FORUM Digest; Volume 15 : Issue 79 -- MODERATOR ]

From the Associated Press newswire via Executive News Service (GO ENS) on CompuServe:

Inmates-Computers, By MARIA S. FISHER, Associated Press Writer

KANSAS CITY, Kan. (AP, 18 Apr 1994) -- The letter startled Nick Tomasic.
It was from a prison inmate; other fellow prisoners, assigned to computerize records, had taken a Social Security number from an accident report and tried to sell it. Tomasic is the district attorney for Wyandotte County. It was his number.

The author makes the following key points:

o 29 states and the federal government use prisoners for data entry.

o The National Correctional Industries Association in Belle Mead, NJ scoffed at the potential risk of misuse, saying that in 12 years, there have been no cases of abuse.

o Tomasic warned that criminals could determine addresses and phone numbers of witnesses and victims during data entry.

o In Johnson City, KS, Sheriff Kent P. Willnauer is looking into allegations that a prisoner passed Social Security numbers and other data to a confederate who opened fraudulent bank accounts.

o Kansas State government officials insist that the data entry program saves taxpayers hundreds of thousands of dollars and that there is no danger to privacy or safety of residents.

Michel E. Kabay, Ph.D./ Dir. Education / Natl Computer Security Assoc.

------------------------------

Date: Wed, 27 Apr 1994
From: [Name Withheld]
Subject: Singapore IS pro-privacy --- about executions etc

[ The party sending this message expressed concern that if they were identified publicly, their ability to conduct future business in Singapore might be severely impacted. -- MODERATOR ]

The following information was gathered from the news media and personal contacts while working in Singapore.

It's not true that the government of Singapore is always against privacy; they are quite private about executions and official info.

In mid-August 1993, it came out that 2 people had been executed at the end of July. There was nothing in the English-language papers at the time. The government was quite annoyed at the suggestion that the executions had been secret. They'd told the prisoners' families and embassies, and there'd been a small story in a Chinese-language paper.
It wasn't their fault that it took 2 weeks for the English press to find out.

There is the death penalty for many crimes, such as using a gun during a felony with intent to wound. It was felt too hard to prove intent, so last year death was proposed for being part of a group committing a felony where anyone fired a gun, unless you tried to stop it. That is, you could get death for being the getaway driver in a bank robbery if someone inside fired once into the ceiling.

Singapore is also very pro-privacy concerning secret info. When the leading business paper printed some official economic stats a little early, everyone involved was charged (leaker, reporter, editor). It's not even claimed that the government official even intended to leak; he just left the papers on his desk while the reporters were in the room. The trial just finished, and they were lucky not to be imprisoned, only fined.

Singapore is also pro personal rights when the right is the good name of the PAP (governing party). If you publish what the government considers to be a libelous story about the government, or the governing party, or about politicians' relatives, then you can be charged with libel. For example, last July someone was arrested for distributing libelous handbills and given 2 weeks in jail.

If a paper, such as the Asian Wall Street Journal, Time, or Economist, to pick three examples, should publish what the government considers to be a slanted story about such a case, not presenting the government's side in as much detail as the government requires, then the publication can be fined, sanctioned, or banned, since publications must be licensed.

In July 1993, the Economist magazine reported on one libel case, in a fashion that suggested that the libel was correct. Singapore invoked a law giving it the right of reply. The Economist printed 1/2 the reply, but said that the rest was just repetitive.
Singapore threatened to limit the Economist's circulation, and also to require a deposit amounting to about $20US per Singaporean subscriber in case of a future judgement against the Economist. Singapore then added a new demand that the Economist publish a letter replying to another story. The Economist caved in completely, while, the last I heard of this story, Singapore was still proposing to apply the penalties.

The justification is that a small country is more vulnerable than a large one to defamatory lies about the government.

The anti-graffiti law was apparently established more to stop political graffiti than general vandalism.

Some government decisions are interesting. Pornography, even Cosmo, is illegal. However prostitution is said to be ok, and rich people are said to have mistresses with second families across in Malaysia.

As they say in Singapore, "It's a fine, fine society, fines for everything." The government is always right. If you get a fine in the mail because a camera said that you ran a red light, you pay it. There's a fee for getting a copy of the photo, which is not refunded even if the photo shows you innocent. If the photo shows you guilty, then, besides the fee, the fine is increased.

Finally, note that most Singaporeans seem to support all this, although more educated people may feel claustrophobic. It's hard accurately to gauge, however, since you need permission to run in at least some elections, and unfit candidates are refused. In last fall's Presidential election, the two leading opposition figures were not allowed to run. The PAP selected the official candidate, and also the official opposition candidate (you couldn't have a 1-man election, it wouldn't be democratic). The official opposition candidate did not campaign, since, as he said, the official candidate would make a fine president. Still, the opposition guy won about 45% of the vote.

------------------------------

Date: Fri, 29 Apr 1994 17:12:07 +0000
From: CPSR National Office
Subject: Clipper Petition Delivered to White House

CPSR PRESS RELEASE

Computer Professionals for Social Responsibility
P.O. Box 717
Palo Alto, CA 94301
415-322-3778 (voice)
415-322-4748 (fax)
cpsr@cpsr.org

"CLIPPER" PETITION DELIVERED TO WHITE HOUSE

COMPUTER USERS CALL ON ADMINISTRATION TO DROP ENCODING PLAN

NEW PRIVACY CENTER ESTABLISHED

Washington, DC -- A national public interest organization today delivered to the White House a petition asking for withdrawal of the controversial Clipper cryptography proposal. The Clipper plan would provide government agents with copies of the keys used to encode electronic messages.

The petition was signed by more than 47,000 users of the nation's data highway. The petition drive occurred entirely across the Internet. It is the largest electronic petition to date.

Earlier this year, the White House announced support for the Clipper proposal. But the plan has received almost unanimous criticism from the public. A Time/CNN found that 80% of the American public opposed Clipper.

Computer Professionals for Social Responsibility began the petition drive in January. In the letter addressed to the President, the organization said that if Clipper goes forward, "privacy protection will be diminished, innovation will be slowed, government accountability will be lessened, and the openness necessary to ensure the successful development of the nation's communications infrastructure will be threatened."

The petition asks for the withdrawal of Clipper. It is signed by many of the nation's leading cryptographers including Whitfield Diffie, Martin Hellman, and Ronald Rivest.

Users from nearly 3,000 different sites across the Internet are represented. Responses came from more than 1300 companies including Microsoft, IBM, Apple, DEC, GE, Cray, Tandem, Sun, SGI, Mead Data Central, AT&T, and Stratus.
Signatures also came from more than 850 colleges and universities and 150 non-profit organizations. Many responses came from public networks such as America Online and Compuserve. Nearly a thousand came from government and military sites including NASA, the Army and the Navy.

Next week hearings will be held in Congress on the controversial cryptography proposal, an initiative developed by the FBI and the National Security Agency. Most of the witnesses are expected to testify against the plan.

In a related development, the establishment of the Electronic Privacy Information Center was announced today. EPIC is jointly sponsored by CPSR and the Fund for Constitutional Government. It will focus on emerging privacy issues surrounding the information data highway. [see accompanying release].

CPSR is a national membership organization, based in Palo Alto, California. For more information about CPSR, contact CPSR, P.O. Box 717, Palo Alto, CA 94302. 415 322 3778 (tel) 415 322 4748 (fax) cpsr@cpsr.org (email).

------------------------------

End of PRIVACY Forum Digest 03.09
************************