PRIVACY Forum Digest     Saturday, 28 January 1995     Volume 04 : Issue 03

            Moderated by Lauren Weinstein (lauren@vortex.com)
              Vortex Technology, Woodland Hills, CA, U.S.A.

                       ===== PRIVACY FORUM =====

          The PRIVACY Forum digest is supported in part by the
              ACM Committee on Computers and Public Policy.

CONTENTS
        Blood Tests and AIDS disclosure (dgh@BIX.com)
        Mandatory HIV disclosure (Joe Bates)
        Re: Phone bill balance by phone - no security? (Philip H. Smith III)
        Chips (well, smart cards) with everything? (Stella Page)
        DOJ Computer Seizure Guidelines (Dave Banisar)

  *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored. Excessive "signatures" on submissions are
subject to editing. Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word "help"
(quotes not included) in the BODY of a message to:
"privacy-request@vortex.com". Mailing list problems should be reported to
"list-maint@vortex.com". All submissions included in this digest represent
the views of the individual authors and all submissions will be considered to
be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related
materials, is available via anonymous FTP from site "ftp.vortex.com", in the
"/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your
e-mail address as the password. The typical "README" and "INDEX" files are
available to guide you through the files available for FTP access.

PRIVACY Forum materials may also be obtained automatically via e-mail through
the listserv system. Please follow the instructions above for getting the
listserv "help" information, which includes details regarding the "index" and
"get" listserv commands, which are used to access the PRIVACY Forum archive.

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com".

Access to PRIVACY Forum materials is also available through the Internet
World Wide Web (WWW) via the Vortex Technology WWW home page at the URL:
"http://www.vortex.com/".
-----------------------------------------------------------------------------

VOLUME 04, ISSUE 03

   Quotes for the day:

        "God doesn't play dice with the universe."

                -- Popularized translation to English of a quote
                   attributed to Albert Einstein. This quote is often
                   mentioned in connection with Einstein's not
                   embracing aspects of quantum mechanics theories.

        "One problem with working on quantum mechanics is that
         you can't buy the socket sets at Sears."

                -- Anonymous quantum mechanics researcher

----------------------------------------------------------------------

Date:    Sat, 14 Jan 1995 23:23:13 -0500 (EST)
From:    dgh@BIX.com
Subject: Blood Tests and AIDS disclosure

Christopher Zguris ends his reply to a number of responders with:

>and _everyone_ you may have passed it on to has a _right_ to know. That was
>the point I was trying to make, and I honestly cannot see how that can be
>debated.

If the Red Cross sends the name of a person who donated HIV-positive blood to
the CDC, what is the CDC going to do with the information? They don't know
who that person has had sex with, so how does providing the name to the CDC
protect anyone?
The CDC won't have a clue as to who to contact, so the only way the
information could be useful is if people could use a computer to see if a
prospective, or past, partner is on the list. But that means that *anybody*
could access the information, which is *not* acceptable to privacy advocates.

------------------------------

Date:    Sun, 15 Jan 1995 16:52:27 -0500
From:    Joebates@aol.com
Subject: Mandatory HIV disclosure

I would suggest that we split this topic into three separate discussions.

1) Once testing (for whatever reason) has revealed that the test subject has
   HIV infected blood, should it be required by law that the previous
   partners be found, notified (partner tracking) and be required to be
   tested with possible further notification and treatment for their
   partners? (This is currently required by law for other venereal
   diseases.)

2) Whether the results of HIV and/or other STD (Sexually transmitted
   disease) tests should be made available to persons or organizations other
   than the health professionals directly involved in the notification,
   testing and treatment procedures. If the results are disseminated, should
   it be in statistical form only or should some persons from government,
   industry, research or other fields be able to obtain the identities of
   those tested and the results of the individual tests?

3) Whether blood collection agencies have the right to collect lifestyle
   information and test donor blood for contagious diseases of any type in
   an attempt to screen out potentially unacceptable donors. Additionally,
   are the results of these screens the property of the blood collection
   agency for further use as they see fit, or does the "screenee" have the
   right to control the use of the information (or somewhere in between)?

Joe Bates

------------------------------

Date:    Mon, 16 Jan 95 07:21:40 EST
From:    PHILS@RELAY.RELAY.COM (Philip H. Smith III, (703) 506-0500)
Subject: Re: Phone bill balance by phone - no security?

"Michael W. Gardiner" wrote about calling the phone company and being able
to get a phone bill balance. I'm not that sure myself what someone else could
do with this information, though clearly it's none of their business.

In any case, a more interesting -- and perverse -- case is that of my wife's
VISA. I tend to write the checks for our bills, and was calling recently to
check on whether a large charge that had been reversed but had shown up on
the latest bill had, indeed, been reversed. Since it was by far the largest
charge she'd had on the card in recent months, all I needed to know was the
current balance to know whether the reversal had taken place.

So I called the 800 number and got a human, and explained that I needed the
balance on the account. The response was to ask if I was the cardholder; I
explained that no, my wife was, but that I was writing the check now and
just needed the balance. They responded that they could only disclose the
balance to the cardholder. I asked for a supervisor and for a justification
for this, given that I had the bill in my hand, and could provide them with
any information they would like to verify this. No go. OK, fair enough,
privacy.

Then I got a wild hare and called back, using the ACD instead of a human
being, and got the balance by providing one Highly Secret Datum: our
zipcode! Called back, talked to supervisor, of course no comprehension of
why this was a problem.

For that matter, had I simply said I was the cardholder, they would have
been hard-pressed to say otherwise: my wife happens to have a very deep
voice, and has constantly been mistaken for a man on the phone throughout
her career.

...phsiii

------------------------------

Date:    Thu, 19 Jan 95 11:45:15 GMT
From:    Stella Page
Subject: Chips (well, smart cards) with everything?
Articles in the Guardian newspaper (UK broadsheet, serious) on Monday 16th
January and Tuesday January 17th 1995 have been discussing a 17-page report
from the Government Centre for Information Systems (a Whitehall agency under
the control of the Cabinet Office). The fact that the copy of the
confidential report which was obtained by the paper came, with other Cabinet
papers, from a drawer in a government-surplus filing cabinet bought in a
second-hand shop in north London, has itself a privacy interest!

At first, according to the Guardian, spokespeople for the Government were
sceptical of the find, but later ministers confirmed that a `green paper'
announcing proposals for national identity cards would be published in the
spring, and would contain options described in the document.

The main Guardian article "Whitehall looks at smart card ID by year 2000"
(January 16th) reported that the UK Government has 22 pilot studies into an
identity programme. The government report apparently shows a big research
programme for introducing smart cards for identity purposes by the turn of
the century. According to the Guardian, the report contains the proposed
design of the card, including the fact that ministers believe they can
produce a three-year renewable identity smart card at a cost of £5 for each
citizen. The government report indicates that the card, which it says would
be voluntary, could replace the current driving licence, passport, pension
book and medical card of everyone who wanted to buy one. The estimate is that
for a cost of £400 million (recoverable if a charge was made) 50 million
people in Britain could receive their first smart cards now.

[Note: although the report states that the card would be voluntary there are
many supporters of compulsory ID cards. As I recall, the first public
mootings were about compulsory cards - the concept of the "voluntary" card
came later. However, I would not like to bet on how long before "voluntary"
becomes "volunteered". In fact one of the Guardian's articles confirms that
the Prime Minister is backing identity cards, and is aiming to include
proposals in the next Conservative manifesto. The current Home Secretary
(Michael Howard) is also a supporter. On the other hand the Foreign Secretary
(Douglas Hurd) is said to be less keen.]

Apparently there are plans for smart cards from the following government
departments and UK industries:-

* The Department of Transport (in the lead). Seven pilot studies, including
  road tolls (expected to be introduced after the next general election),
  driving licences (which are already due to be replaced with a photo
  identity card), and monitoring of vehicles and taxation discs.
  Co-operating with them, the transport industry has plans to introduce
  smart cards to replace bus and train tickets, to protect car radios and to
  reduce car theft.

* The Department of Health (the second largest programme). They are looking
  at applications to replace organ donor cards, and to store prescription
  information and medical records.

* The Home Office (with the Passport Agency and Immigration Service). They
  are looking at: electronic photographic recognition for passports;
  replacing the British visitor's passport with a smart card; automatic
  passenger processing at ports and airports; replacing residents' permits
  with a smart card.

* Social Security. Considering electronic benefit payments and the use of
  smart cards to identify claimants at Post Offices and reduce fraud.

* Departments of Employment and Education. Electronic benefit payment for
  training schemes; a card that could store a student's training credits,
  and security cards for the payment of grants.

The Guardian went on to say that the report says that fraudulent casual use
of smart cards could be contained at a very low level and quoted the
following from the report.

"The addition of photographs to credit and debit cards has shown how a
simple expedient using physical characteristics can markedly lower the level
of casual fraud. The use of this, other biometrics, and passwords will make
it virtually impossible for lost or casually stolen cards to be misused."

The proposed measures to counter fraud include using handwriting and
fingerprint identities. Apparently some of the `more exotic' recognition
methods, such as hand geometry and the voice, were rejected on the grounds of
insufficient reliability. According to the Guardian the report suggests that
the driving licence [as indicated, a photo-card replacement is already
planned] would be ideal for the first cards, with people voluntarily [the
`magic' word again! S.P.] adding information to cover other uses.

Another quote from the report:-

"The cardholder would obtain the `primary use' card ... and subsequently
have it validated for its secondary use or uses by appropriate authorities.

"The cards would need to be reissued every three to five years, to cope with
wear and tear and to provide up-to-date photographs, which would have the
dual advantage of allowing fraud to be forestalled by changing encryption
mechanisms, and allowing greater capacity to be provided at each change."

The report expects that the underlying technology will continue to expand
capacity for at least a decade (stating it believes it is approximately
doubling capacity every two years) and concludes:

"This would stimulate growth in the infrastructure ... and provide UK
companies with the opportunity to demonstrate world-leading capabilities in
an important new technology."

----
Stella Page                          email: s.page@csr.city.ac.uk
Centre for Software Reliability, City University,
Northampton Square, London EC1V 0HB, England.
------------------------------

Date:    Fri, 20 Jan 1995 21:08:18 EST
From:    Dave Banisar
Subject: DOJ Computer Seizure Guidelines

        EPIC Analysis of New Justice Department Draft Guidelines
                 on Searching and Seizing Computers

                            Dave Banisar
                Electronic Privacy Information Center

The Electronic Privacy Information Center (EPIC) has obtained the Department
of Justice's recently issued draft "Federal Guidelines for Searching and
Seizing Computers." EPIC obtained the document under the Freedom of
Information Act.

The guidelines provide an overview of the law surrounding searches, seizures
and uses of computer systems and electronic information in criminal and
civil cases. They discuss current law and suggest how it may apply to
situations involving computers. The draft guidelines were developed by the
Justice Department's Computer Crime Division and an informal group of federal
agencies known as the Computer Search and Seizure Working Group.

Seizing Computers

A major portion of the document deals with the seizure of computers. The
draft recommends the use of the "independent component doctrine" to
determine if a reason can be articulated to seize each separate piece of
hardware. Prosecutors are urged to "seize only those pieces of equipment
necessary for basic input/output so that the government can successfully
execute the warrant." The guidelines reject the theory that because a device
is connected to a target computer, it should be seized, stating that "[i]n an
era of increased networking, this kind of approach can lead to absurd
results." However, the guidelines also note that computers and accessories
are frequently incompatible or booby trapped, thus recommending that
equipment generally should be seized to ensure that it will work.

They recommend that irrelevant material should be returned quickly. "[O]nce
the analyst has examined the computer system and data and decided that some
items or information need not be kept, the government should return this
property as soon as possible." The guidelines suggest that it may be
possible to make exact copies of the information on the storage devices and
return the computers and data to the suspects if they sign waivers stating
that the copy is an exact replica of the original data.

On the issue of warrantless seizure and "no-knock warrants," the guidelines
note the ease of destroying data. If a suspect is observed destroying data,
a warrantless seizure may occur, provided that a warrant is obtained before
an actual search can proceed. For "no-knock" warrants, the guidelines
caution that more than the mere fact that the evidence can be easily
destroyed is required before such a warrant can be issued. "These problems
. . . are not, standing alone, sufficient to justify dispensing with the
knock-and-announce rule."

Searching Computers

Generally, warrants are required for searches of computers unless there is a
recognized exception to the warrant requirement. The guidelines recommend
that law enforcement agents use utility programs to conduct limited searches
for specific information, both because the law prefers warrants that are
narrowly tailored and for reasons of economy. "The power of the computer
allows analysts to design a limited search in other ways as well . . . by
specific name, words, places. . . ."

For computer systems used by more than one person, the guidelines state that
the consent of one user is enough to authorize a search of the entire
system, even if each user has a different directory. However, if users have
taken "special steps" to protect their privacy, such as using passwords or
encryption, a search warrant is necessary.
The guidelines suggest that users do not have an expectation of privacy on
commercial services and large mainframe systems because users should know
that system operators have the technical ability to read all files on such
systems. They recommend that the most prudent course is to obtain a warrant,
but suggest that in the absence of a warrant prosecutors should argue that
"reasonable users will also expect system administrators to be able to
access all data on the system."

Employees may also have an expectation of privacy in their computers that
would prohibit employers from consenting to police searches. Public
employees are protected by the Fourth Amendment and searches of their
computers are prohibited except for "non-investigatory, work related
intrusions" and "investigatory searches for evidence of suspected
work-related employee misfeasance."

The guidelines discuss the Privacy Protection Act of 1980, which was
successfully used in the Steve Jackson Games case against federal agents.
They recommend that "before searching any BBS, agents must carefully
consider the restrictions of the PPA." Citing the Jackson case, they leave
open the question of whether BBS's by themselves are subject to the PPA and
state that "the scope of the PPA has been greatly expanded as a practical
consequence of the revolution in information technology -- a result which
was probably not envisioned by the Act's drafters." Under several DOJ memos
issued in 1993, all applications for warrants under the Privacy Protection
Act must be approved by a Deputy Assistant Attorney General of the Criminal
Division or the supervising DOJ attorney.

For computers that contain private electronic mail protected by the
Electronic Communications Privacy Act of 1986, prosecutors are advised to
inform the judge that private email may be present and avoid reading
communications not covered in the warrant.
Under the ECPA, a warrant is required for email on a public system that is
stored for less than 180 days. If the mail is stored for more than 180 days,
law enforcement agents can obtain it either by using a subpoena (if they
inform the target beforehand) or by using a warrant without notice.

For computers that contain confidential information, the guidelines
recommend that forensic experts minimize their examination of irrelevant
files. It may also be possible to appoint a special master to search systems
containing privileged information.

One important section deals with issues relating to encryption and the Fifth
Amendment's protection against self-incrimination. The guidelines caution
that a grant of limited immunity may be necessary before investigators can
compel disclosure of an encryption key from a suspect. This suggestion is
significant given recent debates over the Clipper Chip and the possibility
of mandatory key escrow.

Computer Evidence

The draft guidelines also address issues relating to the use of computerized
information as evidence. The guidelines note that "this area may become a
new battleground for technical experts." They recognize the unique problems
of electronic evidence: "it can be created, altered, stored, copied, and
moved with unprecedented ease, which creates both problems and
opportunities for advocates."

The guidelines discuss scenarios where digital photographs can be easily
altered without a trace and the potential use of digital signatures to
create electronic seals. They also raise questions about the use of computer
generated evidence, such as the results of a search failing to locate an
electronic tax return in a computer system. An evaluation of the technical
processes used will be necessary: "proponents must be prepared to show that
the process is reliable."

Experts

The DOJ guidelines recommend that experts be used in all computer seizures
and searches -- "when in doubt, rely on experts." They provide a list of
experts from within government agencies, such as the Electronic Crimes
Special Agent program in the Secret Service (with 12 agents at the time of
the writing of the guidelines), the Computer Analysis and Response Team of
the FBI, and the seized recovery specialists (SERC) in the IRS. The
guidelines reveal that "[m]any companies such as IBM and Data General employ
some experts solely to assist various law enforcement agencies on search
warrants." Other potential experts include local universities and the
victims of crimes themselves, although the guidelines caution that there may
be potential problems of bias when victims act as experts.

Obtaining a Copy of the Guidelines

EPIC, with the cooperation of the Bureau of National Affairs, is making the
guidelines available electronically. The document is available via
FTP/Gopher/WAIS/listserv from the EPIC online archive at cpsr.org
/cpsr/privacy/epic/fed_computer_seizure_guidelines.txt. A printed version
appears in the Bureau of National Affairs publication, Criminal Law
Reporter, Vol. 56, No. 12 (December 21 1994).

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues relating to the National Information
Infrastructure, such as the Clipper Chip, the Digital Telephony proposal,
medical record privacy, and the sale of consumer data. EPIC is sponsored by
the Fund for Constitutional Government and Computer Professionals for Social
Responsibility. EPIC publishes the EPIC Alert and EPIC Reports, pursues
Freedom of Information Act litigation, and conducts policy research on
emerging privacy issues. For more information email info@epic.org, or write
EPIC, 666 Pennsylvania Ave., S.E., Suite 301, Washington, DC 20003.
+1 202 544 9240 (tel), +1 202 547 5482 (fax).

The Fund for Constitutional Government is a non-profit organization
established in 1974 to protect civil liberties and constitutional rights.
Computer Professionals for Social Responsibility is a national membership
organization of people concerned about the impact of technology on society.
For information contact: cpsr-info@cpsr.org.

Tax-deductible contributions to support the work of EPIC should be made
payable to the Fund for Constitutional Government.

_________________________________________________________________________
David Banisar (Banisar@epic.org)        * 202-544-9240 (tel)
Electronic Privacy Information Center   * 202-547-5482 (fax)
666 Pennsylvania Ave, SE, Suite 301     * ftp/gopher/wais cpsr.org
Washington, DC 20003                    * HTTP://epic.digicash.com/epic

------------------------------

End of PRIVACY Forum Digest 04.03
************************