PRIVACY Forum Digest     Friday, 21 April 1995     Volume 04 : Issue 09

          Moderated by Lauren Weinstein (lauren@vortex.com)
            Vortex Technology, Woodland Hills, CA, U.S.A.

                     ===== PRIVACY FORUM =====

       The PRIVACY Forum digest is supported in part by the
          ACM Committee on Computers and Public Policy,
   and the Data Services Division of MCI Communications Corporation.

CONTENTS
    Privacy in a Complex World (Lauren Weinstein; PRIVACY Forum Moderator)
    Data Destruction-hire a carpenter (Kelly Bert Manning)
    "Trip" report: USPS Advanced Technology presentation (Jacob Levy)
    Playboy Endorses E-Mail Encryption (Tom Zmudzinski)
    Family Privacy Protection Act of 1995 (Robert Gellman)
    "Computer Privacy Handbook" Now Available (Andre Bacard)
    Re: Medical Records Access (John Levine)
    Decree on encryption in Russia [fwd] (Charles R. Trew)
    Privacy and ITS (Phil Agre)
    ACLU Files Amicus Brief in U.S. v Thomas (ACLU Information)
    Databases and privacy (Barry Gold)

  *** Please include a RELEVANT "Subject:" line on all submissions! ***
          *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com".
Mailing list problems should be reported to "list-maint@vortex.com". All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive.

All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com".
-----------------------------------------------------------------------------

VOLUME 04, ISSUE 09

   Quote for the day:

        "It is criminal, and it is evil."

        -- President Clinton
           describing the bombing of the Federal Building
           in Oklahoma City, Oklahoma on 4/19/95.

----------------------------------------------------------------------

Date: Fri, 21 Apr 95 21:26 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Privacy in a Complex World

Greetings. I trust I'm speaking for the entire readership when I express my sadness over this week's horrific event in Oklahoma.
The deepest of condolences for those who lost loved ones, and the best possible wishes for recovery to the survivors--and unending respect and gratitude for the rescue workers, local, state, and federal officials, and others who have been (and still are) dealing with the continuing aftermath.

In coming weeks and months it seems likely that this event will again pull into sharp focus the many conflicts in the U.S. (and the rest of the world) over the boundaries, categories, and interactions of privacy with other aspects of free societies. It will take stalwart determination and careful consideration to be sure that the results strike a proper balance between sometimes conflicting goals and needs. So long as we react with our heads (and not solely with our emotions) with a view towards the future as well as the past, we stand a good chance of continuing down a path that leads neither to anarchy nor totalitarianism, but rather to the continuing delicate balance between individual rights and the operational necessities of civilized, democratic societies.

--Lauren--

------------------------------

Date: Sun, 9 Apr 1995 23:13:57 -0700 (PDT)
From: Kelly Bert Manning
Subject: Data Destruction-hire a carpenter

The data center my application runs on converted from round reels to 3480 type cartridges several years ago. When they did so anyone driving along the 6 lane arterial highway that runs past it could see a radial arm saw set up by the loading dock. The carpenter who was hired quartered each round reel before tossing it into a steel container for offsite destruction. He seemed to have some sort of jig set up to keep the cut pieces flat for the second pass.

How does this rate on the scale of data destruction? I supposed that someone could have taken strips of tape and reread them, but it probably would be very time consuming and difficult to sieve through all this data for a particular item.
------------------------------

Date: Fri, 7 Apr 1995 11:12:21 -0700
From: jyl@riesling (Jacob Levy)
Subject: "Trip" report: USPS Advanced Technology presentation

INTRO
-----

This is a "trip report" of sorts. Thursday (4/6/95) evening I attended a Smart Valley sponsored talk at Rickey's Hyatt by the VP of Advanced Technology at the US Postal Service, Bob Reissler (sp?) and by the technical architect, Richard Rothwell. The purpose of the talk was to give USPS an opportunity to present their plans for "electronic mail and electronic commerce for the general population". I was the only one from Sun there as far as I could tell. There was a big contingent of people from HP, Apple and some IBMers, many one-person companies and startups, some trainers and educators and many unaffiliated individuals - a total of about 150 people attended, standing room only.

OVERVIEW
--------

Mr Rothwell's talk was the more substantive and interesting of the two. He presented USPS's plans for offering electronic access to their email delivery system to the 80 million US households and businesses that are currently not reached by online service providers or the Internet. After his talk, Mr Rothwell presented a short video on how they intend to educate their customers on the new product, and another USPS employee demoed the client side of their system online. Their client side system works under Windows 3.1 with MS Mail and Lotus Notes.

Overall points to note: They are very concerned about privacy. They do not want to be in the business of managing or issuing escrowed key-pairs. They are very concerned about the new possibilities for abuse of privacy that become available when public keys and identity certificates are widely used (I didn't understand this part - what would these oppties be?). They are interested in working with whoever cares to make the US Govt and legislative branch relax the rules about using crypto and the export controls.
They are working on a system that works globally, and active collaboration with other postal services is high on their agenda. Canada and European services were mentioned several times.

TECHNICAL POINTS
----------------

The system they are building is based on a transliteration of the basic principles that make hardcopy mail work today, into the electronic world:

    Stamp                -> Digital Signature+digital money
    Privacy (envelope)   -> Encryption
    Dating+location      -> Per-client digital time stamp (dts)
    Identity (signature) -> Digital signature (ds)

In regular hardcopy mail, the stamp proves that you paid and provides a guarantee that the postal service will deliver your hardcopy. The envelope provides privacy and is protected by privacy laws from tampering. The dating is provided by the cancellation on the stamp. The location is provided by each post office having its own cancellation label with its name and serial number listed. The identity is provided by the signature of the sender on the hardcopy stored within the sealed envelope carrying the cancelled stamp.

The postal service will offer:

- An electronic mechanism for stamping a message and adding a dts so that it proves payment and dates the message
- Registered mail equivalent where the message gets signed by the USPS private key and the signature is returned to sender
- Mechanisms for managing public keys (see below - no escrow)
- Certificate mechanisms (see below - no escrow)
- Archival services for both messages, certificates and message signatures

In their new system, the "stamp" will be replaced by a digital signature on a receipt returned to the sender and archived by the service. The receipt will contain "enough bits to track the message through the system" (his words). The service replaces the traditional envelope with encryption: it accepts messages that are already encrypted and it will also offer RSA public key encryption as a service.
Dating is achieved by adding a dts plus a digital signature identifying the client from which the message was received (if desired) or a more generic signature. Finally the service offers extensive mechanisms for corporate and individual public key management and certification with various levels of identity checking, all the way from biometrics based to a simple send-in-by-mail "under penalty of perjury I hereby certify that I am Jacob Levy and this key is my public key".

The service also offers a certificate and public key lookup service based on an ISO 509 standard (?) without a publishing database, i.e. modelled after the "Moscow city phonebook" (his words). The idea is you can get anyone's public key if you know who they are but you cannot harvest the phone book for, e.g., all postal employees living in San Mateo (apparently they are concerned about e-mail bombs :).

Some new services that he talked about:

- Receipt notification through the equivalent of "sign here to receive your package" and delivery of the signed receipt back to the sender
- "Bonded mail" which as far as I could tell includes archival and delivery upon the occurrence of an event specified by the sender. He called this "Forever mail", i.e. you send something which is potentially never delivered, and he noted that this is already a service offered by the current USPS (many laughs..) and so it should be offered in the new system, in the interest of preserving their current product offerings (more laughs).
- Automatic tamper-proofing through the addition of a USPS generated signature that notarizes the text of your message.

--JYL

------------------------------

Date: Mon, 10 Apr 95 10:01:13 EST
From: "Tom Zmudzinski"
Subject: Playboy Endorses E-Mail Encryption

Playboy has endorsed the use of private encryption and the use of remailers for e-mail privacy [March 1995 edition (the Nancy Sinatra issue), on page 37, "Playboy Advisor", third letter].
I would have captured both the letter and the response, but unfortunately Playboy has a fairly draconian warning against electronic transmission of any part of the magazine (which logically includes even the copyright indicia -- which is why I've paraphrased the heck out of everything).

What is interesting is that the need for e-mail encryption is obvious now even to the guy in the third stall on the left in the men's room.

------------------------------

Date: Fri, 14 Apr 1995 09:40:27 -0400 (EDT)
From: Robert Gellman
Subject: Family Privacy Protection Act of 1995

A privacy bill was approved by the House of Representatives on April 4, 1995. The bill is the Family Privacy Protection Act of 1995 (H.R. 1271). The Committee report is House Report 104-94. The floor debate can be found in the Congressional Record of April 4, 1995, at pages H 4125 to H 4141. The Act was part of the Republican Contract With America.

The legislation requires the written consent of a parent before a minor can be asked to respond to any survey or questionnaire from a person funded in whole or in part by the federal government if the survey or questionnaire is intended to elicit information about --

1) parental political affiliations or beliefs
2) mental or psychological problems
3) sexual behavior or attitudes
4) illegal, antisocial, or self-incriminating behavior
5) appraisals of other individuals with whom the minor has a familial relationship
6) relationships that are legally recognized as privileged, including those with lawyers, physicians, and the clergy
7) religious affiliations or beliefs

There must be written consent before this information can be solicited, and there must be advance public availability of the questionnaire or survey. There is an exclusion for tests intended to measure academic performance.
There are also four exceptions covering--

1) the seeking of information for the purpose of a criminal investigation or adjudication
2) any inquiry made pursuant to a good faith concern for the health, safety, or welfare of an individual minor
3) administration of the immigration, internal revenue, or customs laws of the United States
4) the seeking of information required by law to determine eligibility for participation in a program or for receiving financial assistance

These rules would apply equally to surveys and questionnaires that are anonymous and to those that are identifiable.

I offer a few observations about the bill.

First, it appears that this is part of the agenda of the new right. Buried in the Committee report is this sentence which may explain the principal purpose of the bill:

    In some cases, survey questions have been phrased in a manner that
    suggests neutrality or even tacit approval of behavior or attitudes
    which may be contrary to the values held by parents.

Second, none of the key terms in the bill is defined. "Sexual behavior" could arguably range from mating activities of earthworms to fashion trends for seventh graders. Also, a survey could arguably include a question asked by one teacher to one student. It is also not clear what constitutes "antisocial" behavior. Drinking? Rock concerts? Baseball strikes? Poorly drafted legislation?

Third, the exclusion for tests of academic performance is based on the intent of the test. Thus, prohibited questions might be permissible in a test whose principal intent is the measurement of academic performance. This may be true even if the test is non-identifiable. On the other side, a sharp student might argue that a biology test violates the rules without parental consent and advance availability by questioning the intent. This is not necessarily a winning argument, but it might buy a postponement of an exam while the lawyers argue about things.

Finally, the exceptions are worthy of note.
You may not ask a minor about sexual experiences without written parental permission unless your purpose is to put the student or the parent in jail or to collect taxes. This turns privacy legislation on its head by denying anonymous and recourseless use of information but permitting use of the information to harm the provider. Thus, it is okay to ask children if their parents have committed a crime if it is part of a criminal investigation but not as part of a research project.

This legislation now goes to the Senate.

+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ Robert Gellman              rgellman@cais.com   +
+ Privacy and Information Policy Consultant       +
+ 431 Fifth Street S.E.                           +
+ Washington, DC 20003                            +
+ 202-543-7923 (phone)      202-547-8287 (fax)    +
+ + + + + + + + + + + + + + + + + + + + + + + + + +

------------------------------

Date: Fri, 14 Apr 1995 11:54:42 -0700
From: Andre Bacard
Subject: "Computer Privacy Handbook" Now Available!!

I promised you that I'd tell you when "The Computer Privacy Handbook" was released. I'm happy to say that the book is now available! The book is already causing a stir, and Internet posters have started calling me the "The Indiana Jones of Cyberspace."

You can now order "The Computer Privacy Handbook" directly from Peachpit Press at (800) 283-9444. The book is also available in some bookstores and en route to many more stores. Just about any local bookstore can order the book for you. [Many databases list the book under ISBN # 1-56609-171-3]. Peachpit Press is a subsidiary of Addison-Wesley, a global book publisher. If you're outside the States, please contact your local Addison-Wesley distributor, or ask me for a local address.

Attached is a press release with full details. By the way, I'll be speaking at Computer Literacy Bookshop in San Jose on May 3rd and at Stanford Bookstore on May 11. If you like my book, please tell your friends. Of course, I'd value your comments and suggestions. Thanks for your interest.
See you in the future,
Andre Bacard

------------------------------

Date: Mon, 17 Apr 1995 01:02:41 -0400
From: johnl@iecc.com (John Levine)
Subject: Re: MEDICAL RECORDS ACCESS

>Did you know that there is a leading credit information warehouser
>(Equifax) that is now proposing to create a mega-database comprised of
>your/our medical records? ...
>I don't know about you, but I want my medical information kept highly
>confidential. People can and will refuse you insurance should they have
>information about you that is not positive.

This particular battle is already lost. There is already an outfit in suburban Boston called the Medical Information Bureau which insurance companies routinely use to exchange claim information. The last time I applied for medical insurance, in 1987, I had to fill out a form listing all of the doctors I'd seen for the previous five years, and the insurance company found a few I forgot, presumably from the MIB. Oddly, a few years later when I wrote to the MIB and asked for a copy of my file, they claimed they never heard of me. (I'm a wee bit sceptical. It's not like I was hard to find, having been at the same address for 10 years.)

Nonetheless, it's still worth fighting Equifax's medical database proposal, because Equifax has demonstrated that they have the morals of a slime mold. The MIB, as far as I can tell, really only releases info to insurance companies so they can decide whether they want to insure people. Equifax, on the other hand, has shown that they'll cheerfully sell any info to anyone, often in spite of laws to the contrary.

Regards,
John Levine, johnl@iecc.com

------------------------------

Date: Thu, 20 Apr 1995 13:59:57 -0400 (EDT)
From: "Charles R. Trew"
Subject: Decree on encryption in Russia (fwd)

---------- Forwarded message ----------
Date: Thu, 20 Apr 1995 17:54:00 +0400
From: Igor V. Semenyuk
To: ctre@loc.gov
Subject: Decree on encryption in Russia

Gentle readers!
I want to bring your attention to Yeltsin's recent decree entitled "On the measures of law enforcement in design, production, implementation and use of encrypting tools, and also in offering services of information encryption". The decree was issued on April 3, 1995 and is in force from the publication date (April 6, 1995, "Rossijskaja gazeta", N68). I have no English translation available; volunteers are welcome to do the translation (I can provide Russian KOI8 text).

It is the worst re-incarnation of "Clipper"'s case, with the following peculiarities:

- unlike Clipper the decree explicitly prohibits use of *any* encryption technology that doesn't have a certificate from FAPSI (Federal Agency of State Communications and Information - former KGB department).
- unlike Clipper there's no information about encryption technology designed and implemented by FAPSI, which is supposed to be the only allowed encryption technology
- unlike Clipper there are no provisions for securing the procedure of (possible) "backdoor" decryption of data by law-enforcement bodies (under court warrant or whatever)
- the decree prohibits import of non-certified encryption tools

The ground for all these points is "fighting organized crime".

The net result of the decree is that right now *any* encryption tool/method but the one offered by FAPSI is illegal and individuals and organizations using it may be prosecuted. With liberal interpretation of the decree unix password encryption may be found illegal, not mentioning zip and arj encryption. This may have a disastrous impact on all information/communication.

I doubt anything similar to anti-Clipper movement can be done in Russia... It's a difference between Democracy and "democracy". Anyway maybe media can bring attention to this problem.

PS. I'm crossposting this to FSUMedia and IPRussia lists. Feel free to re-distribute the message.

--
Igor V. Semenyuk          Internet: iga@sovam.com
SOVAM Teleport            Phone: +7 095 956 3008
Moscow, Russia

------------------------------

Date: Thu, 20 Apr 1995 19:40:28 -0700
From: Phil Agre
Subject: Privacy and ITS

The Santa Clara Computer and High Technology Law Journal has just published an excellent special issue on privacy issues in Intelligent Transportation Systems (volume 11, number 1, March 1995). It derives from a symposium on this topic that Dorothy Glancy organized at Santa Clara University in July, 1994. Here are some of the contents:

    Norman Y. Mineta      Transportation, technology, and privacy
    Jeffrey H. Reiman     Driving to the Panopticon
    Sheldon W. Halpern    The traffic in souls
    Robert Weisberg       IVHS, legal privacy, and the legacy of Dr. Faustus
    Sheri A. Alpert       Privacy and intelligent highways: Finding the right of way
    Ronald D. Rotunda     Computerized highways and the search for privacy in the case law
    Philip E. Agre        Reasoning about the future
    Dorothy J. Glancy     Privacy and intelligent transportation technology

According to the order form in the journal, single issues may be purchased for US$20 (or US$25 for foreign addresses) from:

    Computer and High Technology Law Journal
    School of Law
    Santa Clara University
    Santa Clara, California 95053
    (408) 554-4197
    scchtlj@scuacc.scu.edu

I urge you to find out about these issues soon. ITS has the potential to deliver a wide range of useful transportation-related services, but it also has the potential to bring serious, systematic invasions of personal privacy. Important decisions about ITS architecture and privacy policy are being made now. The situation is hopeful in the sense that the major players in ITS have little structural interest in invading your privacy; privacy-invasive implementations of ITS are being planned more from inertia than from bad intent.
Still, once a critical mass of systems is implemented and ITS system standards are set (whether de jure or simply de facto), it will be very difficult to change existing systems -- or even new systems that must be compatible with the existing ones -- to a more privacy-friendly architecture.

For more information, see http://weber.ucsd.edu/~pagre/its-issues.html

Phil Agre, UCSD

(This message represents my own views and not those of the University of California, Santa Clara University, or any other organization.)

------------------------------

Date: Fri, 21 Apr 1995 16:29:11 -0400
From: ACLU Information
Subject: ACLU Files Amicus Brief in U.S. v Thomas (AABBC Case)

For Immediate Release
April 17, 1995

ACLU Files In Groundbreaking Computer Obscenity Case; Friend-of-the-Court Brief Seeks to Overturn Tennessee Conviction

NEW YORK, April 17 -- The American Civil Liberties Union, seeking to secure the future of free communication on the Internet, has filed a friend-of-the-court brief in what is believed to be the first case involving the cross-country prosecution and conviction of computer bulletin board operators.

In its brief, filed with the U.S. Court of Appeals for the Sixth Circuit in Tennessee, the ACLU urges the court to overturn the conviction of Robert Thomas and Carleen Thomas of Milpitas, California. The Thomases own and operate a computer bulletin board that specializes in the posting of sexually explicit words and pictures.

The couple was indicted and convicted in the U.S. District Court in Tennessee because a U.S. postal inspector learned of their bulletin board and filed a fake application seeking access to its contents. Once he obtained access, the postal inspector downloaded several pictures from the California-based bulletin board, which a U.S. Attorney then deemed to be "obscene" under the "local community standards" of Tennessee.
In its brief, which was also filed on behalf of the ACLU affiliates in Tennessee and Northern California and the National Writers Union, Feminists for Free Expression and the Thomas Jefferson Center for the Protection of Free Expression, the ACLU charges that the government is engaged in a "clumsy attempt to censor communications in cyberspace through application of an obscenity law and standards wholly inappropriate for this new medium."

"Computer networks have created vast new fora for the exchange of ideas," the ACLU's brief said. "They have created new communities with new opportunities for people with similar interests to communicate with each other.

"Until now," the brief continues, "computer networks have been faithful to the values of the First Amendment. They have fostered, encouraged and even nurtured the robust exchange of ideas. In this case the government seeks to use a criminal law never intended to apply to computer communications, to put a brake on that development, to stifle the explosive creativity and breadth of expression occurring on computer networks."

The full text of the ACLU's brief in Thomas vs. United States of America is available in the ACLU's Free Reading Room, a gopher site (address below) in the Court section, under National Office litigation.

--
ACLU Free Reading Room   | American Civil Liberties Union
gopher://aclu.org:6601   | 132 W. 43rd Street, NY, NY 10036
mailto:infoaclu@aclu.org | "Eternal vigilance is the
ftp://ftp.pipeline.com   |  price of liberty"

------------------------------

Date: Fri, 21 Apr 95 16:54:48 PDT
From: Barry Gold
Subject: Databases and privacy

I think that the ability of large databases to cross-correlate data about individuals is one of the top 3 current threats to privacy. It seems likely that Congress will enact some sort of privacy legislation in a few years, but it will probably be half-baked and bass-ackward, given the history of government attempts to define privacy.
(For example, they frequently exempt themselves!)

I believe that AT&T GIS should be ahead of the curve on this one, instead of waiting until privacy legislation looks likely to pass and then trying to mold it into something we can live with. I think we should already have privacy standards in place that we can point to and say: Look, we're already doing something about this. Why don't you try our solution?

I believe that we should do the following:

1. Establish a policy, defining how database users should protect users' privacy.
2. Apply that policy to our own databases, with respect to both associates and customers.
3. Offer a discount to customers who contract to use the Database in accordance with that policy. (If we were still the *only* provider of terabyte-sized database products -- as TDAT was in the '80s -- I would suggest we make appropriate privacy agreements a *condition* of sale, but I think we no longer have the market strength to do that.)

Just to get the ball rolling, here are some suggestions towards a privacy policy:

- Information about individuals shall be used only for the purpose it was gathered for. Information about associates will not be used for marketing or sold to outside organizations; information gathered from purchases will be used only for marketing other products the customers may be interested in -- and in particular not be used to deny a customer access to a product or service. Exceptions shall require the written permission of the subject to whom the information applies.

- Individuals shall be given the option to stop receiving mailed marketing offers. This "opt out" shall be handled either by a call to a toll-free number or by sending in a prepaid or business-reply notice.

- Individuals shall be given the option to have their names deleted from any lists sold outside the organization that collected it, with the same "opt out" possibilities.

- Individuals shall not be contacted for telemarketing purposes unless they have either:
  a) given their permission to be so contacted
  b) been given an "opt out" (as above) and sufficient time has elapsed to be reasonably sure they have not exercised it.

- When information about individuals is sold outside the organization, or used for any purpose other than the one given the individual when the information was collected, the subject shall be notified of this sale/use. To reduce the transaction cost of such notification, subjects may be sent a "batch" of notifications once a year.

- Taxpayer ID # shall not be used as an identifying key; it is neither unique nor universal and such use is very far outside the purpose for which it was created.

------------------------------

End of PRIVACY Forum Digest 04.09
************************