PRIVACY Forum Digest Friday, 2 June 1995 Volume 04 : Issue 12 Moderated by Lauren Weinstein (lauren@vortex.com) Vortex Technology, Woodland Hills, CA, U.S.A. ===== PRIVACY FORUM ===== The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy, and the Data Services Division of MCI Communications Corporation. ********************************************** * PRIVACY Forum Three Year Anniversary Issue * ********************************************** CONTENTS Thermal Imagery Used To Search Homes (A. Padgett Peterson) Re: Privacy, cellular telephones, and 911 (Jay Ashworth) Re: Family Privacy Protection Act (Robert Gellman) Paper of potential interest (Alan Wexelblat) ACLU's Analysis of Revised Exon (ACLUNATL@aol.com) Comments on California Digital Signature Bill (Phil Karn) Positioning potential of CDMA cellular (Phil Karn) Why can't I see Equifax medical records? (G. Martin) Telecom (NON)-Privacy at Ameritech (Lauren Weinstein; PRIVACY Forum Moderator) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com". ----------------------------------------------------------------------------- VOLUME 04, ISSUE 12 Quote for the day: "I don't care *what* these computers say!" -- Mr. Cramden (Lee J. Cobb) "Our Man Flint" (1966) ---------------------------------------------------------------------- Date: Sat, 20 May 95 09:21:13 -0400 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security) Subject: Thermal Imagery Used To Search Homes From: hingson@teleport.com >I am a criminal defense lawyer. I am litigating the issue of whether the >use of a thermal imaging device on a home to detect heat emissions >constitutes a "search" under the Fourth Amendment. Obviously this guy will not use but IMNSHO, thermal imagery via heat emissions is just that: analysis of emissions which radiate. If the analysis is done from off the property then it is no more an invasion than what a sighted person sees or a passerby who is not "audibly challenged" hears. Further, while there might be an "expectation" of privacy, if based on ignorance, is that a "right" or merely a "failure to use due care"? Consider a cordless telphone conversation. A ham tuning across the bands has two obligations: 1) not to listen 2) if discussion of a crime is heard, to report it Do these two obligations conflict? To me (am an engineer, not a lawyer), the question is of "illegal search and seizure" is one of property rights. At what point does an emanation, be it aural, visible, thermal, or RF cease to be "property"? Was it ever? To me, if something is to be kept private, or even to be considered private, there must be some action taken to ensure that privacy and ignorance of the possibility of listening in would not seem to be an excuse. Rights must be asserted and protected. If one is walking down a street and overhears a conversation through a window, is that "search"? If I need my hearing aids to do so, is that different? If using my hearing aids I detect a passenger on an airplane using a computer in violation of regs, is that? (Computers have a characteristic whine when I am set to inductive pickup - assuming of course that I could hear it though all that 400 hz noise). The question being, if the average person is deaf/blind/stupid to a certain portion of the spectrum, do they have the "right" to expect that everyone is? When in the jungle, adversaries more frequently that ever mentioned could be detected by their specifically bad breath (was different from Amurrcn bad breath) and is something a non-smoker often just has to live with today - personally am not a militant non-smoker, believe people may commit suicide if they want, but can detect the habit from several feet away. Do know that smokers do not realize how bad they smell to nons. The relevant part: is *that* an invasion? If a person with "that smell" applies for a non-smoker's insurance policy, would the agent have performed an "illegal search" if the policy were rejected or further examination required for that reason? So no, I do not think that detection of radiant energy is an illegal search any more than listening to speech through a window from a sidewalk is so long as trespass is not required to do so. Impolite maybe, but not illegal. To me "freedom of speech" and "freedom of assembly" must imply "freedom to listen" and those are "rights" in this country. Warmly, Padgett usual disclaimers apply ------------------------------ Date: Sat, 20 May 1995 15:23:08 -0400 From: jra@IntNet.net (Jay Ashworth) Subject: Re: Privacy, cellular telephones, and 911 Jerry Leichter writes, in #4/11: > There are technical arguments about whether the FCC's proposed 150 meter > resolution can be achieved without changes to cellphones - it's probably > pretty easy in a microcell system - and both industry and the FCC agree that > if it can't be achieved, it'll be the FCC that backs off. (Even if the FCC > *didn't* agree, there's no way Congress would let the FCC impose that kind of > cost on "consumers" - or industry, which in the end would come down to the > same thing.) Unfortunately, I'm forced to say that this doesn't at all seem unlikely. After all, just this year we seen the Congress pass Digital Telephony, which "imposes that kind of cost"--I don't personally consider $500M small change, how about you?--on industry, or consumers, which amounts to the same thing. And the cost here would be orders of magnitude greater. Putting a GPS receiver in _every_ phone? C'mon... Cheers, -- jra ------------------------------ Date: Sun, 21 May 1995 22:32:44 -0400 (EDT) From: Robert Gellman Subject: Re: Family Privacy Protection Act On Fri, 19 May 1995, Faye Hsini Ku asked this about the Family Protection Act of 1995: > It seems to me that the Family Protection Act of 1995 (H.R. 1271) would > limit any type of counseling or guidance that is offered outside of the > family setting to teens that are becoming sexually active. That would be > a grave mistake, because we would be restricting our ability to take > preventative measures and thus have to rely on correctional ones. Why > should we wait until a problem has happened to deal with it? The Act has its problems, but this is not one of them. The act applies to federally funded surveys and questionnaires. It does not apply to counseling. And to make it clear, the Act includes an exception for good faith inquiries made out of concern for the health, safety, or welfare of an INDIVIDUAL. If the concern is focused on a specific individual, then there should not be a problem. The language of the bill is inartfully drafted, but the intent is mostly clear. Bob Gellman rgellman@cais.com ------------------------------ Date: Wed, 24 May 95 09:59:10 -0400 From: "Alan (Trainable Ant) Wexelblat" Subject: paper of potential interest I wrote a paper, titled "Why is the NII Like a Prison?" It is based on issues raised by a book called "The Panoptic Sort" by Oscar Gandy and deals with personal information privacy in the present and near-future in a tele-capitalist society. The paper is available at: http://wex.www.media.mit.edu/people/wex/panoptic-paper.html A paper version can be made, but the on-line one is richly linked to relevant net resources, so I recommend you read it with your Web browser. I welcome comments and feedback; my email address is in a mailto: link at the top of the paper. ------------------------------ Date: Thu, 25 May 1995 16:49:42 -0400 From: ACLUNATL@aol.com Subject: ACLU's Analysis of Revised Exon ACLU Cyber-Liberties Analysis: Revised Exon Amendment May 25, 1995 The American Civil Liberties Union has previously expressed its strong opposition to the "Communications Decency Act," introduced by Senator Exon as S. 314 and adopted by the Senate Commerce Committee as an amendment to the Telecommunications Competition and Deregulation Act of 1995. Yesterday, we obtained a revised version of the Exon Amendment, which was apparently written by members of Senator Exon's staff in consultation with representatives of online service providers, the Department of Justice, and pro-censorship lobbying groups. The following analysis presents the ACLU's objections to the revised draft and clarifies the ACLU's continuing concern that the Exon amendment, in its existing or revised form, violates both free speech and privacy rights. I. Interactive Cyberspace Must Not Be Constricted by Old Media Models The most fundamental flaw of the revised Exon amendment is that it still wrongly attempts to force the new interactive environment of cyberspace and online services into the censorship straitjacket foisted on old media. In fact, the Exon amendment even uses as its model the most restrictive of the old media. This is wrong-headed policy. It is also a violation of the Free Speech and Privacy guarantees of the Constitution and therefore unconstitutional. The Exon amendment would make the interactive environment one of the most censored segments of communications media when logic dictates that cyberspace, with its emphasis on user-choice and user-control, should make it the least censored. At a minimum, the extremely limited rules of content-regulation for print media, and the safeguards against censorship for print materials, should be applied to online communications. The ACLU, moreover, believes that the characteristics of cyberspace, including the private and interactive nature of the communication, dictates that cyberspace should be even more free than print. We stress that there is no revision of the Exon amendment -- no tinkering of its censorship provisions -- that eliminates this problem. The Exon amendment cannot be "fixed." It must be rejected. II. The Exon Amendment Would Still Restrict Online Communications to Those Appropriate for Children Section (d) of the revised Exon amendment would still unconstitutionally restrict all online content to that which is suitable for children. Even under existing case law, non-obscene speech that is deemed "indecent" is protected by the First Amendment. _Sable Communications v. FCC_, 492 U.S. 115 (1989). The Government may only regulate indecent speech if it establishes a compelling governmental interest in the regulation AND narrowly tailors the restriction to achieve that interest. _Id._ at 125. See also _Pacifica Foundation v. FCC_, 438 U.S. 726 (1978); _Carlin Communications v. FCC_, 749 F.2d 113 (2d Cir. 1984) (Carlin I); _Carlin Communications v. FCC_, 787 F.2d 846 (2d Cir. 1986) (Carlin II); _Dial Information Services v. Thornburg_, 938 F.2d 1535 (2d Cir. 1991). Indeed, much of what consenting adults prize about some of their personal communications could well be deemed by outsiders as "indecent" if addressed to a child. The revised draft, like the original Exon amendment, is unconstitutional because requiring users and content providers to reduce their content to what is suitable for children is not the least restrictive means for protecting minors from indecent material. The "justifications" for regulation of indecency in broadcasting and telephone audiotext services do not apply to interactive communications, in which users - including parents - have much more control over the content of the messages they receive. We are also prepared to argue that the "justifications" asserted for censorship in any of the old media, including print, do not apply to cyberspace. III. Some Specific Problems in the Revised Exon Draft Again, the ACLU strongly believes that the anti-cyberliberty Exon amendment cannot be "fixed." It needs to be defeated. So, even if all of these specific problems were solved, the Exon amendment would still be a terrible idea. Still, it may be useful to consider briefly some of the specific problems in the revised Exon draft. *Revised section (d) outlaws the online transmission of obscene materials without defining "obscenity." Using the test for obscenity articulated in Miller v. California, 413 U.S. 1 (1973), the federal government has chosen to stage prosecutions of online obscenity cases in conservative jurisdictions in order to take advantage of more restrictive "community standards." See Thomas v. United States, U.S. Court of Appeals for the Sixth Circuit, No. 94-6648 and No. 94-6649. This trend poses a severe threat that online users and providers will be forced to reduce content to that which would be acceptable under the "community standards" of the most conservative jurisdiction. The ACLU has filed an amicus brief in the Thomas case strongly opposing the government's misuse of the censorship laws. *Revised sections (d) and (e) extend liability for transmission of obscene or indecent communications to non-commercial in addition to commercial providers. This change would render the revised draft more restrictive of free speech than the original Exon amendment. *While revised section (f) provides some defenses for online service providers, these defenses place smaller system operators at risk because they cannot afford to assert the defenses in court. Moreover, the defenses are incomplete and many larger service providers would likely find themselves in jeopardy at the hands of prosecutors motivated by the political advantages of currying favor with certain pro-censorship groups. *Revised section (f)(2) fails to protect providers who cede editorial control to an entity "which the defendant knows or had reason to know intends to engage in conduct that is likely to violate this section." This could pose serious problems for Internet providers that may have "reason to know" that certain sites are likely to contain communications deemed to be obscene or indecent. *Revised section (f)(3) gives the Federal Communications Commission the power to issue regulations regarding methods in which providers may restrict access in order to avoid liability. Giving federal regulators the authority to determine the rules for distributing online content will radically affect the freedom of cyberspace and will have a severe direct effect and an equally severe chilling effect on online speech. *Revised section (f)(4) could still make it impossible for users or content providers to remedy a violation of rights by an online service provider if the service claimed it was attempting to comply with the Exon amendment. Conclusion The revised Exon draft continues to subject an industry that has blossomed without government control to an unprecedented amount of interference and intrusion over content. It gravely threatens the free flow of information and the diversity of content transmitted over online networks. To achieve the liberating potential of the information superhighway, Congress must ensure that interactive technologies enhance rather than stifle democratic values. The American Civil Liberties Union therefore opposes the Exon amendment, both in its original form and as revised. ------------------------------ Date: Sun, 28 May 1995 01:56:34 -0700 From: Phil Karn Subject: Comments on California Digital Signature Bill I only just read this item in the May 5 Privacy Digest, so I don't know if anyone else has already commented on this, but here goes. It seems to me that the authors of that bill, while well-meaning, do not fully grok public key cryptography. One of public key's underappreciated benefits is the elimination of the need for big centralized databases of users, such as the one proposed in this bill. Once a certification authority is sufficiently convinced of a key's authenticity, the resulting certificate can be given to the user without having to record it in a central database. Since a user cannot tamper with his own certificate without being detected, there's no problem with letting him convey it to anyone who needs it to check a signature. If the party checking the signature already has the public key of the certifying authority -- which can be widely published -- then he has everything he needs to verify the signature without reference to any centralized databases. This lets the users reserve the right to give out their certificates only on a need-to-know basis. There will, of course, still be the problem of businesses collecting and reselling their customers' certificates, much as they do now with mailing lists and purchasing records. The only countermeasure I can think of is to maintain a large list of pseudonymous certificates, one for each business. Phil ------------------------------ Date: Tue, 30 May 1995 10:25:05 -0700 From: Phil Karn Subject: Positioning potential of CDMA cellular The recent discussion on tracking cell phones has not considered the potential of the new cellular technologies currently being developed. Specifically, Qualcomm's CDMA. IS-95 CDMA uses spread spectrum with a bandwidth of 1.25 MHz. This is comparable to the bandwidth of the GPS C/A (Clear Access or Coarse Acquisition) code available for civilian use. In fact, IS-95 uses GPS to synchronize the spreading sequences in each cell to make "soft handoffs" work. IS-95 CDMA was not designed with positioning in mind. In fact it would have to be modified quite a bit to provide positioning with any degree of reliability. Simple round-trip timing measurements from the serving cell can be done now, but this only locates the user somewhere on a circle centered on the cell. Resolving this ambiguity requires simultaneous communications with multiple cells, such as simultaneous round trip delay measurements by several cells to form intersecting circles of position, and/or mobile reports of the time offsets observed between the pilots of multiple cells to form hyperbolae of position. At present, the ability to make these observations occurs only in a handoff situation; a mobile near one cell can only communicate with that cell because of the near-far problem (but then again, his circle of position would be that much smaller). The potential is certainly there, though. Phil ------------------------------ Date: Tue, 30 May 1995 23:34:27 -0400 (EDT) From: G Martin Subject: Why can't I see Equifax medical records? We recently received notice that interest on our charge card was going from 17% to 24%. A form enclosed with the notice said something interesting that I'm hoping some of you can help us to understand. Here is an exceprt from what it said: This change for your Account was based in whole or in part on information obtained in a report from the consumer credit reporting agency listed below. You have a right under the Fair Credit Reporting Act to know the information contained in your credit file at that agency. The reporting agency played no part in our decision and is unable to supply specific reasons why we made this change to your Account. Equifax Creidt Information Services P.O. Box 105873 Atlanta, GA 30348 1-800-685-1111 You have the right to a full disclosure of the nature and substance of all information (except medical) in the agency's files. Should you desire to obtain additional information pertaining to this file, please contact the consumer credit reporting agency directly. I have a few questions/concerns about this: 1. Why won't Equifax let me see my medical files? If all the information they have was obtained by signed medical releases why should they be concerned about whether or not I see it? 2. Does this imply that my credit card company is also getting copies of my medical records? I thought they only were concerned with financial records? 3. I heard once that places like Equifax try to predict who will be good credit risks based on info they have on file about people. I heard that they create a report that you aren't allowed to see about yourself that they share with potential creditors. Is our credit card company being somewhat misleading when they say Equifax had nothing to do with the decision to jack up our interest rates? 4. Is there any pending legislation that would force Equifax to give full disclosure of ALL information they have about me to me, including medical? Thanks. ------------------------------ Date: Wed, 31 May 95 01:52 PDT From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Telecom (NON)-Privacy at Ameritech Greetings. In a recent issue of the TELECOM digest, it was reported that Ameritech now allows anyone to obtain bill payment information for any Ameritech line (unless blocked by specific subscriber request)--a true bonanza for snoops in general and for folks trolling for big bill customers to target for marketing. Obviously, this is a terrible policy. It is unfortunately not a unique situation. Ameritech's explanation (as reported in TELECOM) has been spouted by numerous other utilities, banks, and other entities. If a subscriber complains, they are frequently told that "hardly anyone else has complained about the system". If 1000 people complain, they may each individually be told that they're essentially the "lone wolf". It is also common for these entities to say that they're just trying to make things easier for their customers. This is the logic used for simple passcodes (e.g. zipcode, which anyone can determine), ill-advised passcodes (e.g. use of the SS#), or as in the case of Ameritech, no passcode at all. It is unfortunately nearly always the case that "most" people won't complain about such a system until something happens that impacts them negatively as a result of the poor security on the system. The entities with these poor security policies are simply trading off the hassles and disruptions caused to subscribers about whom information from the system is misused, against having to deal with callers who can't remember their passcode. The "solution" is obvious. Ameritech should return to a "random" passcode system, and allow customers who have a problem remembering the code to either choose something simple ("0000") or opt for no code at all. But such a choice of no security should be made by the individual customer--to make it the default condition for all customers is very bad policy. Experience has shown that the only effective way to deal with these types of situations is to complain loudly to the highest level you can reach. In the case of Ameritech, complaints (and suggestions for "fixing" the problem, as mentioned above) should be made to the billing supervisor level at least--better yet, speak to the managers. And while it means taking the time to put it down in written form, letters to state PUCs are *extremely* important with such matters. I'm sure there are just a *few* Ameritech subscribers reading this now. If each of you expressed your opinion (one way or another) to the PUC and Ameritech regarding their system, I suspect you could have considerable impact. --Lauren-- ------------------------------ End of PRIVACY Forum Digest 04.12 ************************