PRIVACY Forum Digest      Sunday, 6 August 1995      Volume 04 : Issue 17

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy, and the Data Services Division of MCI Communications Corporation.

CONTENTS
  Cameras at work?? Illegal? (Michael Kosmatka)
  Warning on Using Win95 (jbreyer@accel.com)
  Total surveillance on the highway (Phil Agre)
  House Adopts Exon-Like Speech Crimes, Also Adopts Cox/Wyden Amendment (ACLUNATL@aol.com)
  New InterNIC Domain Dispute Policy (Mark Kosters)
  EC Adopts Privacy Directive (Marc Rotenberg)
  Conferences/Events of Interest to CPSR (Susan Evoy)
  IEEE Symp. on Security and Privacy - Call for papers (Mary Ellen Zurko)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com".
All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com".

-----------------------------------------------------------------------------

VOLUME 04, ISSUE 17

Quote for the day:

  "Add a phone! Add a lot to living. Add new excitement to your home! Add a phone! Add a lot to living. Add an extension telephone!"

  -- Song from a 1950's era telephone company promotional film/commercial

----------------------------------------------------------------------

Date: Tue, 25 Jul 1995 23:51:29 -0700
From: mkismat@teleport.com (Michael Kosmatka)
Subject: Cameras at work?? Illegal?

Hello there.

To begin my story I need to give you a quick background. I work at a grocery store in Portland, Oregon. Being a high volume store they are always concerned about theft from customers as well as staff. Recently a few people were caught drinking brew in the back cooler.
After their termination the owners and managers of the store decided to install a concealed surveillance camera. They are able to monitor wherever they put the cameras, but they don't inform us that there is a presence of a surveillance system. I was always under the impression that to install such a system a corporation or company had to inform individuals that it was there, i.e. signs...?

My question is this... Is this illegal to install surveillance without notice?
 -would it be considered a violation of my rights?
 -do signs need to be posted?
If it is where can I get more information on this topic?
 -if so does it only apply to certain states?

Any help on this would be greatly appreciated.

Thank you,
Michael Kosmatka

------------------------------

Date: 6/26/95 8:44 PM
From: jbreyer@accel.com
Subject: Warning on Using Win95 [Update on RISKS-17.13 item]

Believe it or not, this is not Net humor but serious. It would otherwise be outstanding satire!

Subject: Windows 95 Warning on comp.risks [RISKS-17.13], in Information Week

Microsoft officials confirm that beta versions of Windows 95 include a small viral routine called Registration Wizard. It interrogates every system on a network gathering intelligence on what software is being run on which machine. It then creates a complete listing of both Microsoft's and competitors' products by machine, which it reports to Microsoft when customers sign up for Microsoft's Network Services, due for launch later this year.

"In Short" column, page 88, _Information Week_ magazine, May 22, 1995.

The implications of this action, and the attitude of Microsoft to plan such action, beggars the imagination.

An update on this. A friend of mine got hold of the beta test CD of Win95, and set up a packet sniffer between his serial port and the modem. When you try out the free demo time on The Microsoft Network, it transmits your entire directory structure in background.
This means that they have a list of every directory (and, potentially every file) on your machine. It would not be difficult to have something like a FileRequest from your system to theirs, without you knowing about it. This way they could get ahold of any juicy routines you've written yourself and claim them as their own if you don't have them copyrighted.

Needless to say, I'm rather annoyed about this. So spread the word as far and wide as possible: Steer clear of Windows 95. There's nothing to say that this "feature" will be removed in the final release.

[ It seems quite unlikely that Microsoft has implemented such a system to steal people's code. However, the whole issue of collecting and uploading system configuration and filesystem information at that level of detail is quite disturbing, to say the least.

When some of these issues were first raised, Microsoft (or at least, a person at Microsoft) claimed that users would be queried as to whether or not they wished to upload configuration information (however that might be defined) during signup. I haven't heard whether or not this query has been placed in production versions of Win95, and if so how the question is phrased.

Perhaps more importantly, I have yet to see any statements from Microsoft about how such information will be *used*. Is such an upload of detailed configuration information and installed product lists really needed for Microsoft to provide technical support for their online network? Are users clearly told about the full scope of information that will be uploaded? Are there any assurances that the info won't be used for other (e.g. marketing) purposes?
It's small wonder that so many firms have become concerned over the bundling of Microsoft online access features into Win95 when so much important information could (according to the reports being cited) be uploaded with no apparent controls over how such data will be used (there are other reasons for concern about such bundling as well, of course). A definitive statement regarding these important issues by Microsoft would be most welcome.

-- MODERATOR ]

------------------------------

Date: Tue, 1 Aug 1995 17:51:20 -0700
From: Phil Agre
Subject: total surveillance on the highway

A controversy is growing around the failure of "Intelligent Transportation System" programs in the United States to exercise any leadership in the adoption of technologies for privacy protection. As deployment of these systems accelerates, some of the transportation authorities have begun to recognize the advantages of anonymous toll collection technologies. For example, if you don't have any individually identifiable records then you won't have to respond to a flood of subpoenas for them. Many, however, have not seen the point of protecting privacy, and some have expressed an active hostility to privacy concerns, claiming that only a few fanatics care so much about privacy that they will decline to participate in surveillance-oriented systems. That may in fact be true, for the same reason that only a few fanatics refuse to use credit cards. But that does not change the advantages to nearly everyone of using anonymous technologies wherever they exist.

Let me report two developments, one bright and one dark. On the bright side, at least one company is marketing anonymous systems for automatic toll collection in the United States: AT/Comm Incorporated, America's Cup Building, Little Harbor, Marblehead MA 01945; phone (617) 631-1721, fax -9721.
Their pitch is that decentralized systems reduce both privacy invasions and the hassles associated with keeping sensitive records on individual travel patterns. Another company has conducted highway-speed trials of an automatic toll-collection mechanism based on David Chaum's digital cash technology: Amtech Systems Corporation, 17304 Preston Road, Building E-100, Dallas TX 75252; phone: (214) 733-6600, fax -6699.

Because of the total lack of leadership on this issue at the national level, though, individuals need to do what they can to encourage local transportation authorities to use technologies of anonymity. It's not that hard: call up your local state Department of Transportation or regional transportation authority, ask to talk to the expert on automatic toll collection, find out what their plans are in that area, and ask whether they are planning to use anonymous technologies. Then call up the local newspaper, ask to talk to the reporter who covers technology and privacy issues, and tell them what you've learned.

On the dark side, here is a quotation from a report prepared for the State of Washington's Department of Transportation by a nationally prominent consulting firm called JHK & Associates (page 6-9):

  Cellular Phone Probes. Cellular phones can be part of the backbone of a region-wide surveillance system. By distributing sensors (receivers) at multiple sites (such as cellular telephone mast sites), IVHS technology can employ direction finding to locate phones and to identify vehicles where appropriate. Given the growing penetration of cellular phones (i.e., estimated 22% of all cars by 2000), further refinements will permit much wider area surveillance of vehicle speeds and origin-destination movements.

This is part of a larger discussion of technologies of surveillance that can be used to monitor traffic patterns and individual drivers for a wide variety of purposes, with and without individuals' consent and knowledge.
The report speaks frankly of surveillance as one of three functionalities of the IVHS infrastructure. (The others are communications and data processing.) The means of surveillance are grouped into "static (roadway-based)", "mobile (vehicle-based)", and "visual (use of live video cameras)". The static devices include "in-pavement detectors", "overhead detectors", "video image processing systems", and "vehicle occupancy detectors". The mobile devices include various types of "automatic vehicle identification", "automatic vehicle location", "smart cards", and the just-mentioned "cellular phone probes". The visual devices are based on closed-circuit television (CCTV) cameras that can serve a wide range of purposes.

The underlying problem here, it seems to me, is an orientation toward centralized control: gather the data, pull it into regional management centers, and start manipulating traffic flows by every available means. Another approach, much more consonant with the times, would be to do things in a decentralized fashion: protecting privacy through total anonymity and making aggregate data available over the Internet and wireless networks so that people can make their own decisions.

Total surveillance and centralized control has been the implicit philosophy of computer system design for a long time. But the technology exists now to change that, and I can scarcely imagine a more important test case than the public roads. People need to use roads to participate in the full range of associations (educational, political, social, religious, labor, charitable, etc etc) that make up a free society. If we turn the roads into a zone of total surveillance then we chill that fundamental right and undermine the very foundation of freedom.
Phil Agre, UCSD

------------------------------

Date: Fri, 4 Aug 1995 12:17:48 -0400
From: ACLUNATL@aol.com
Subject: House Adopts Exon-Like Speech Crimes, Also Adopts Cox/Wyden Amendment

8/4/95
ACLU Cyber-Liberties Alert: House Adopts Exon-Like Speech Crimes, Also Adopts Cox/Wyden Amendment
---------------------------------------------------------

At 9:10 am today, the House of Representatives voted to adopt an omnibus "Managers Amendment" to the telecommunications bill (HR 1555), which included new Exon-like speech crimes that would censor the Internet.

At 11:58 am, the House of Representatives voted 420 to 4 to adopt the Cox/Wyden amendment to the telco bill. The Cox/Wyden amendment, however, was not designed to -- and does not -- affect the Exon-like speech crimes provisions added to the telco bill by the House.

Speech Crimes Provisions in Managers Amendment:

The Managers Amendment containing the new speech crimes provisions also contained some forty other unrelated amendments. The Exon-like provisions were not a focus of the debate, and it is likely that most members cast their votes for reasons unrelated to these provisions.

The Managers Amendment adds an entirely new Exon-like provision to the existing federal obscenity laws. The provision would make it a crime to "intentionally communicate by computer ... to any person the communicator believes has not attained the age of 18 years, any material that, in context, depicts or describes, in terms patently offensive as measured by contemporary community standards, sexual or excretory activities or organs." (18 U.S.C. 1465) This provision, like the Exon amendment passed by the Senate, would effectively reduce all online content to that which is suitable only for children. It also raises the same questions about service provider liability that were raised by the Exon amendment.
The Managers Amendment would also make it a crime to "receive" prohibited material "by computer," thereby subjecting both Internet users and service providers to new prosecutions (18 U.S.C. 1462).

Assuming that the House telco bill (HR 1555) is approved (which is highly probable by 3 pm today), both the House and Senate versions of the telco bill will include severe attacks on cyber-liberties.

Cox/Wyden Amendment:

The ACLU has supported the general approach of the Cox/Wyden amendment because it prohibits FCC regulation of content on the Internet and generally supports private sector initiatives, not government censorship, on cyberspace. As the ACLU has said before, there are several ambiguities and some real problems with the Cox/Wyden amendment. The two sponsors have committed to working with us on resolving the problems. (See previously posted ACLU Online Analysis of the Cox/Wyden Bill.)

-----------------------------------------------------------

For the online community to take comfort in what is done in the final telco bill in the conference committee, at a minimum the following must occur:

1. The Senate's Exon/Coats amendment (the Communications Decency Act) must be rejected -- that is, deleted from the bill, not merely modified in some way.

2. The House's Exon-like speech crimes amendment must be rejected -- that is, deleted from the bill, not merely modified in some way.

3. The ambiguities and problems in the Cox/Wyden amendment must be resolved and then the Cox/Wyden amendment as modified should be included in the telco bill.

The ACLU urges all those who care about free speech and personal privacy to focus their energized efforts on all three fronts of the fight.
The ACLU will continue to fight all aspects of the cyber-censorship battle, including the Exon-like speech crimes provisions just passed by the House, the Exon/Coats amendment in the Senate, the Dole/Grassley anti-computer pornography bill, the Grassley anti-electronic racketeering bill, and the Feinstein anti-explosives information amendment to the counter-terrorism bill.

------------------------------

Date: Fri, 28 Jul 1995 11:31:51 -0400 (EDT)
From: Mark Kosters
Subject: New InterNIC Domain Dispute Policy

Hi

The InterNIC Registration Services team has recently put a lot of effort in trying to solve the legal quandary regarding domain names within the zones we administer. The result of that effort is the policy below. If there are any suggestions for improvements, please send email to Dave Graves (daveg@netsol.com) or myself (markk@internic.net). If you are interested in the press release, the url is ftp://rs.internic.net/policy/internic/internic-domain-2.txt.

Regards,
Mark

[ URL ftp://rs.internic.net/policy/internic/internic-domain-1.txt ]
[ 07/95 ]

NSI DOMAIN DISPUTE RESOLUTION POLICY STATEMENT

Network Solutions, Inc. ("NSI") is responsible for assigning domain names on the Internet. This Policy Statement ("Policy Statement") will clarify NSI's policies regarding the use and registration of domain names ("Domain Name(s)").

1. NSI is responsible for the registration of domain names on the Internet. NSI registers these Domain Names on a "first come, first served" basis. NSI has neither the resources nor the legal obligation to screen requested Domain Names to determine if the use of a Domain Name by an Applicant may infringe upon the right(s) of a third party.
Consequently, as an express condition and material inducement of the grant of an applicant's ("Applicant") request to register a Domain Name, Applicant represents and warrants as follows:

(a) Applicant's statements in the application are true and Applicant has the right to use the Domain Name as requested in the Application;

(b) Applicant has a bona fide intention to use the Domain Name on a regular basis on the Internet;

(c) The use or registration of the Domain Name by Applicant does not interfere with or infringe the right of any third party in any jurisdiction with respect to trademark, service mark, tradename, company name or any other intellectual property right;

(d) Applicant is not seeking to use the Domain Name for any unlawful purpose, including, without limitation, tortious interference with contract or prospective business advantage, unfair competition, injuring the reputation of another, or for the purpose of confusing or misleading a person, whether natural or incorporated.

2. Applicant acknowledges and agrees that this Policy Statement on the registration and use of Domain Names may change from time to time and that, upon thirty (30) days posting on the Internet at ftp://rs.internic.net/policy/internic.domain.policy, NSI may modify or amend the terms of this Policy Statement.

3. At the time of the initial submission of the Domain Name request, the Applicant is required to have operational name service from at least two operational Internet servers for that domain name. Each server must be fully connected to the Internet and capable of receiving queries under that Domain Name and responding thereto. In the event that Applicant does not make regular use of its assigned Domain Name for a period of 90 days or more, Applicant agrees that he or she shall, upon request of NSI, relinquish that Domain Name to NSI, making that Domain Name available for registration and use by another party.

4. Applicant is responsible for its selection of the Domain Name.
Consequently, Applicant shall defend, indemnify and hold harmless (i) NSI, its officers, directors, employees and agents, (ii) National Science Foundation ("NSF"), its officers, directors, employees and agents, (iii) the Internet Assigned Numbers Authority ("IANA"), its officers, directors, employees and agents, and (iv) the officers, directors, employees and agents of NSI's parents and subsidiaries (collectively, the "Indemnified Parties") for any loss, damage, expense or liability resulting from any claim, action or demand arising out of or related to the use or registration of the Domain Name, including reasonable attorneys fees. Such claims shall include, without limitation, those based upon trademark or service mark infringement, tradename infringement, dilution, tortious interference with contract or prospective business advantage, unfair competition, defamation or injury to business reputation. The Indemnified Parties agree to give Applicant written notice of any such claim, action or demand within a reasonable time. Applicant agrees that the Indemnified Parties shall be defended by attorneys of their choice at Applicant's expense, and that Applicant shall advance the costs of such litigation, in a reasonable fashion, from time to time. The failure to abide by this provision shall be considered a material breach of this Agreement and permit NSI to immediately withdraw the use and registration of Domain Name from Applicant.

5. Applicant agrees that NSI shall have the right to withdraw a Domain Name from use and registration on the Internet upon thirty (30) days prior written notice (or earlier if ordered by the court) should NSI receive an order by a United States court or arbitration panel of the American Arbitration Association (hereinafter "AAA") that the Domain Name in dispute rightfully belongs to a third party.
6.(a) In the event that the Applicant breaches any of its obligations under this Policy Statement, NSI may request that Applicant relinquish the Domain Name in a written notice describing the alleged breach. If Applicant fails to provide evidence that it has not breached its obligations which is reasonably satisfactory to NSI within thirty (30) days of the date of receipt of such notice, then NSI may terminate Applicant's use and registration of the Domain Name.

(b) Applicant acknowledges and agrees that NSI cannot act as an arbiter of disputes arising out of the registration and use of Domain Names. At the same time, Applicant acknowledges that NSI may be presented with evidence that a Domain Name registered by Applicant violates the rights of a third party. Such evidence includes, but is not limited to, evidence that the Domain Name is identical to a valid and subsisting registration of a trademark or service mark that is in full force and effect and owned by another person or entity. In those instances where the basis of the claim is other than a registered trademark or service mark, Applicant shall be allowed to continue using the contested Domain Name, unless and until a court order or arbitrator's judgment to the contrary is received by NSI as provided in Paragraph 5.

(c) In those instances when the claim is based upon a trademark or service mark:

(1) Without prejudice to the ultimate determination and with recognition that trademark or service mark ownership does not automatically extend ownership to a Domain Name, NSI shall request from the Applicant a certified copy of a trademark or service mark registration (copies certified in accordance with 37 CFR 2.33(a)(1)(vii) or its successor will meet this standard for registrations in jurisdictions other than the United States) owned by the Applicant that is in full force and effect and that is the same as the Domain Name registered to Applicant.
(2) In the event that Applicant provides evidence of ownership of a trademark or service mark as provided in Paragraph 6(b), Applicant shall be allowed, subject to Paragraph 6(c)(4), to continue using the contested Domain Name, unless and until a court order or arbitrator's judgment to the contrary is received by NSI as provided in Paragraph 6(c)(5). In the event the Applicant fails to provide evidence of a trademark or service mark registration to NSI within fourteen (14) days of NSI's request, NSI will assist Applicant with assignment of a new Domain Name, and will allow Applicant to maintain both names simultaneously for up to ninety (90) days to allow an orderly transition to the new Domain Name. At the end of the transition period, NSI will place the disputed Domain Name on "Hold" status, pending resolution of the dispute. As long as a Domain Name is on "Hold" status, that Domain Name registered to Applicant shall not be available for use by any party.

(3) If Applicant fails to provide evidence of a trademark or service mark registration to NSI within fourteen (14) days and will neither accept the assignment of a new Domain Name nor relinquish its use of the Domain Name, NSI will place the disputed Domain Name on "Hold" status, pending resolution of the dispute. As long as a Domain Name is on "Hold" status, that Domain Name registered to Applicant shall not be available for use by any party.

(4) If Applicant provides the evidence described in Paragraph 6(b), and wishes to continue use of the contested Domain Name registered by Applicant, Applicant agrees to indemnify NSI on the terms stated in Paragraph 4 from any liability relating to the registration or use of the Domain Name registered by Applicant and post a bond in an amount sufficient to meet the damages sought, or if no specific amount of damages is sought, in an amount deemed reasonable in NSI's sole discretion within fourteen (14) days of NSI's request.
Without such agreement and the posting of the bond, NSI may, notwithstanding any trademark or service mark registration presented to it, place the use of the Domain Name in "Hold" status pending resolution of the dispute.

(5) NSI will reinstate the use and registration of a Domain Name placed in "Hold" status when and if it receives an order by a United States court or arbitration panel of the American Arbitration Association stating which party to the dispute is entitled to use and register the Domain Name or if NSI receives satisfactory evidence of the resolution of the dispute.

7. NSI WILL NOT BE LIABLE FOR ANY LOSS OF USE, INTERRUPTION OF BUSINESS, OR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND (INCLUDING LOST PROFITS). REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, EVEN IF NSI HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL NSI'S MAXIMUM LIABILITY UNDER THE POLICY EXCEED FIVE HUNDRED ($500.00) DOLLARS.

8. Any dispute arising out of this Agreement or, at the request of NSI and upon the agreement of the challenging party, a dispute regarding the right to register or use Domain Name shall be resolved by binding arbitration by the AAA under its commercial rules then in effect in San Diego, California. A single arbitrator shall be selected according to AAA rules within thirty (30) days of submission of the dispute to AAA. The arbitrator shall conduct the arbitration in accordance with the California Evidence Code and shall apply the substantive laws of the State of California, without regard for California's choice of law rules.
Except as expressly provided in the Agreement, no discovery of any kind shall be taken by either party without the written consent of the other party, provided, however, that either party may seek the arbitrator's permission to take any deposition which is necessary to preserve the testimony of a witness who either is, or may become, outside the subpoena power of the arbitrator or otherwise unavailable to testify at the arbitration. The arbitrator shall have the power to enter any award that could be entered by a Judge of the Superior Court of the State of California sitting without a jury, and only such power, except that the arbitrator shall not have the power to award punitive damages, treble damages, or any other damages which are not compensatory against NSI, NSF or IANA, even if permitted under the laws of the State of California or any other applicable law. Within twenty (20) days of the close of arbitration hearings, the arbitrator shall submit a written arbitration award to the parties, stating the basis for each decision made by the arbitrator and the amount of each arbitration award. The arbitrator shall award the prevailing party its costs and its reasonable attorneys' fees, and the losing party shall bear the entire cost of the arbitration, including the arbitrator's fee. The arbitration award may be enforced in any court having jurisdiction over the parties and the subject matter of the arbitration. Notwithstanding the foregoing, the parties irrevocably submit to the non-exclusive jurisdiction of the Superior Court of the State of California, San Diego County, and the United States District Court for the Southern District of California, in any action to enforce an arbitration award.

9.
All notices or reports permitted or required under this Agreement shall be in writing and shall be delivered by personal delivery, facsimile transmission or by certified or registered mail, return receipt requested, and shall be deemed given upon personal delivery, seven (7) days after deposit in the mail, or upon acknowledgment of receipt of electronic transmission. Notices shall be sent to the Domain Administrative Contact listed in the InterNIC Registration Services database or such other address as either party may specify in writing.

This Policy Statement can only be amended by NSI as provided in Paragraph 2. Nothing contained in this Policy Statement shall be construed as creating any agency, partnership, or other form of joint enterprise between the parties. The failure of either party to require performance by the other party of any provision hereof shall not affect the full right to require such performance at any time thereafter; nor shall the waiver by either party of a breach of any provision hereof be taken or held to be a waiver of the provision itself. In the event that any provision of this Agreement shall be unenforceable or invalid under any applicable law or be so held by applicable court decision, such unenforceability or invalidity shall not render this Agreement unenforceable or invalid as a whole. The parties agree to amend or replace such provision with one that is valid and enforceable and which achieves, to the extent possible, the original economic objectives and contractual intent of NSI as reflected in the original provision.

This Policy Statement, as amended, and the Registration Agreement together constitute the complete and exclusive agreement of the parties regarding Domain Names. It supersedes and its terms govern all prior proposals, agreements or other communications between the parties.

[ After reading the above, I attempted to receive clarifications regarding various aspects of the described rules.
One obvious omission seems to be any sort of grandfathering or "temporal" aspects to the "granting" of names. What happens in the case of an entity that has long been using a domain name (perhaps not for commercial purposes or not trademarked for other reasons) when another entity comes along, takes out a trademark, and then demands the rights to that domain name? One would hope that the "arbitration" rules described would deal with this, but the concepts under which such arbitration would proceed are hazy at best.

It also appears that these rules were formulated without any obvious input from other network entities. Clearly the InterNIC quite reasonably wishes to protect itself from legal liabilities relating to domain names, but there are additional issues at stake.

In spite of the message's providing addresses to query for additional information, my comments and questions regarding this policy have so far not yielded any response from the InterNIC.

-- MODERATOR ]

------------------------------

Date: Wed, 26 Jul 1995 14:56:40 -0700
From: "Marc Rotenberg"
Subject: EC Adopts Privacy Directive

Friends,

Apologies for the long message. If you are not interested in privacy issues or the development of international standards for the GII, simply delete this message. Otherwise, read on.

The European Community has taken a major step this week to protect the privacy interests of citizens and consumers. The passage of the Directive on the Protection of Personal Data is the culmination of a process that began over a decade ago to address growing concerns about the impact of technology on society.

There are, of course, many questions remaining about the scope and implementation of the Directive. But there is no doubt that this is a significant event in the ongoing effort to preserve human rights in the information age.

The announcement from the European Commission follows.
Marc Rotenberg, director Electronic Privacy Information Center (www.epic.org) -------- EUROPEAN COMMISSION PRESS RELEASE: IP/95/822 DOCUMENT DATE: JULY 25, 1995 COUNCIL DEFINITIVELY ADOPTS DIRECTIVE ON PROTECTION OF PERSONAL DATA The Directive on the protection of personal data has been formally adopted by the Council of Ministers. ``I am pleased that this important measure, which will ensure a high level of protection for the privacy of individuals in all Member States, has been adopted with a very wide measure of agreement within the Council and European Parliament'' commented Single Market Commissioner Mario Monti. ``The Directive will also help to ensure the free flow of Information Society services in the Single Market by fostering consumer confidence and minimising differences between Member States' rules. Moreover, the text agreed includes special provisions for journalists, which reconcile the right to privacy with freedom of expression,'' he added. ``The Member States must transpose the Directive within three years, but I sincerely hope that they will take the necessary measures without waiting for the deadline to expire so as to encourage the investment required for the Information Society to become a reality.'' The Directive will establish a clear and stable regulatory framework necessary to guarantee free movement of personal data, while leaving individual EU countries room for manoeuvre in the way the Directive is implemented. Free movement of data is particularly important for all services with a large customer base and depending on processing personal data, such as distance selling and financial services. In practice, banks and insurance companies process large quantities of personal data inter alia on such highly sensitive issues as credit ratings and credit-worthiness. 
If each Member State had its own set of rules on data protection, for example on how data subjects could verify the information held on them, cross-border provision of services, notably over the information superhighways, would be virtually impossible and this extremely valuable new market opportunity would be lost. The Directive aims to narrow divergences between national data protection laws to the extent necessary to remove obstacles to the free movement of personal data within the EU. As a result, any person whose data are processed in the Community will be afforded an equivalent level of protection of his rights, in particular his right to privacy, irrespective of the Member State where the processing is carried out. Until now, differences between national data protection laws have resulted in obstacles to transfers of personal data between Member States, even when these States have ratified the 1981 Council of Europe Convention on personal data protection. This has been a particular problem, for example, for multinational companies wishing to transfer data concerning their employees between their operations in different Member States. Such obstacles to data transfers could seriously impede the future growth of Information Society services. As the Bangemann Group report to the Corfu European Council remarked: ``Without the legal security of a Union-wide approach, lack of consumer confidence will certainly undermine the rapid development of the information society.'' As a result, the Corfu European Council called for the rapid adoption of the data protection Directive. To prevent abuses of personal data and ensure that data subjects are informed of the existence of processing operations, the Directive lays down common rules, to be observed by those who collect, hold or transmit personal data as part of their economic or administrative activities or in the course of the activities of their association. 
In particular, there is an obligation to collect data only for specified, explicit and legitimate purposes, and to be held only if it is relevant, accurate and up-to-date. The Directive also establishes the principle of fairness, so that collection of data should be as transparent as possible, giving individuals the option of whether they provide the information or not. Moreover, individuals will be entitled to be informed at least about the identity of the organisation intending to process data about them and the main purposes of such processing. That said, the Directive applies different rules according to whether information can be easily provided in the normal course of business activities or whether the data has been collected by third parties. In the latter case, there is an exemption where the obligation to provide information is impossible or involves disproportionate effort. The Directive requires all data processing to have a proper legal basis. The six legal grounds defined in the Directive are consent, contract, legal obligation, vital interest of the data subject or the balance between the legitimate interests of the people controlling the data and the people on whom data is held (i.e. data subjects). This balance gives Member States room for manoeuvre in their implementation and application of the Directive. Under the Directive, data subjects are granted a number of important rights including the right of access to that data, the right to know where the data originated (if such information is available), the right to have inaccurate data rectified, a right of recourse in the event of unlawful processing and the right to withhold permission to use their data in certain circumstances (for example, individuals will have the right to opt-out free of charge from being sent direct marketing material, without providing any specific reason). 
In the case of sensitive data, such as an individual's ethnic or racial origin, political or religious beliefs, trade union membership or data concerning health or sexual life, the Directive establishes that it can only be processed with the explicit consent of the individual, except in specific cases such as where there is an important public interest (e.g. for medical or scientific research), where alternative safeguards have to be established. As the flexibility of the Directive means that some differences between national data protection regimes may persist, the Directive lays down the principle that the law of the Member State where a data processor is established applies in cases where data is transferred between Member States. The Directive also establishes arrangements for monitoring by independent data supervisory authorities, where necessary acting in tandem with each other. In the specific case of personal data used exclusively for journalistic, artistic or literary purposes, the Directive requires Member States to ensure appropriate exemptions and derogations exist which strike a balance between guaranteeing freedom of expression while protecting the individual's right to privacy. For cases where data is transferred to non-EU countries, the Directive includes provisions to prevent the EU rules from being circumvented. The basic rule is that the non-EU country receiving the data should ensure an adequate level of protection, although a practical system of exemptions and special conditions also applies. The advantage for non-EU countries who can provide adequate protection is that the free flow of data from all 15 EU states will henceforth be assured, whereas up to now each state has decided on such questions separately. For their part, the Council and the Commission have made it clear that they consider that the European Union institutions and bodies should be subject to the same protection principles as those laid down in the Directive. 
END OF DOCUMENT

------------------------------

Date: Thu, 3 Aug 1995 13:35:41 -0700
From: Susan Evoy
Subject: Conferences/Events of Interest to CPSR

CPSR Members and Friends,

If you are planning to attend one of these conferences, or another that may be related to CPSR's work, please contact CPSR at cpsr@cpsr.org or (415) 322-3778 for easy ways for you to be a presence for CPSR.

CONFERENCE /EVENT SCHEDULE

Good Morning America interview with Beth Givens, Director - Privacy Rights Clearinghouse, Aug. 4, 8 a.m.

DEF CON III, Las Vegas, Aug. 4-6.
Contact: dtangent@defcon.org http://dfw.net/~aleph1/defcon

RadioNet Interview with Sylvia Caras, CPSR- Santa Cruz, about using the Internet for advocacy and support for people with disabilities, Aug 6, 11 a.m. Listen to KSCO 1080AM Monterey Bay to Silicon Valley or nationally on Talk America from 11 a.m. to Noon PST

Tenth Annual Conference on Computing and Philosophy (CAP), Pittsburgh, PA, Aug. 10-12.
Contact: Robert Cavalier rc2z@andrew.cmu.edu 412 268-7643

Conference on Organizational Computing Systems COOCS '95, Sheraton Silicon Valley, Milpitas, Aug. 13-16.
Contact: kling@ics.uci.edu.

Computers in Context: Joining Forces in Design, Aarhus, DENMARK, Aug. 14-18. Contributions for papers, proposals for panels, workshops, and tutorials (in 6 copies - not by facsimile or e-mail):
Contact: Computers in Context, Aarhus University, Dept. of Computer Science, Bldg. 540, Ny Munkegade 116, DK-8000 Aarhus C, DENMARK.

ONE BBSCon '95, Tampa, FL, Aug. 16-20.
Contact: 303 693-5253

Libraries of the Future - IFLA. Istanbul, TURKEY, Aug. 16-19.
Contact: mkutup-o@servis.net.tr

AI-ED '95: 7th World Conference on Artificial Intelligence in Education, Washington, DC, Aug. 16-19.
Contact: aace@virginia.edu 804 973-3987

The Future of the Internet: Privacy, Security, and Parental Control, San Jose State University, San Jose, CA, Aug. 17th.
Contact: acward@sjsuvm1.sjsu.edu 408 924-4523

Equity on the Internet, TELECOMMUNITIES '95, Victoria, BC CANADA, Aug. 19-23.
Contact: icnc@uvcs.uvic.ca 604 721-8470 604 721 8774 (fax)

Advanced Surveillance Technologies, Copenhagen, DENMARK, Sept. 4.
Contact: pi@privacy.org http://cpsr.org/cpsr/privacy/privacy_international/pi.html

17th International Conference of Data Protection and Privacy Commissioners, Copenhagen, DENMARK, Sept. 6-8.
Contact: 45 33 14 38 44 45 33 13 38 43 (fax)

Information Products, Markets, and Services in a Networked Environment, Oslo, NORWAY, Sept. 6-9.
Contact: 44 1 31 3173256 (fax)

InfoWarCon '95, Arlington, VA, Sept. 7-8.
Contact: winn@infowar.com

Computer: Politisches Medium? Medium der Politik?, Bremen, GERMANY, September 15-16.
Contact: res@informatik.uni-bremen.de 49 421 218 3308 (fax)

International Cryptography Institute 1995: Global Challenges, Washington, DC Sep. 21-22.
Contact: denning@cs.georgetown.edu 800 301 MIND (US only) 202 962-9494 202 962-9495 (fax)

NPTN's Annual Affiliate & Organizing Committee Meeting --1995: An International Free-Net Community Computing Conference, Arizona State University, .
Contact: pfh@nptn.org 216 498-4050 216 498-4051 (fax) http://www.nptn.org/

Information Competency, Assoc of Information and Dissemination Centers (ASIDIC), San Francisco, CA, October 1-3.
Contact: jwebb@uga.cc.uga.edu 706 542-6820

The Good, the Bad, and the Internet, A Conference on the Big Issues in Information Technology, CPSR Annual Meeting, 750 South Halsted, Chicago Circle Center, University of Illinois - Chicago, IL, Oct. 7-8.
Plenary sessions on:
* State of the 'Net 1995: Commercialization, Access, Censorship, and more
* Which way for Privacy and Civil Liberties ?
* Technology and Jobs: New jobs ? No jobs? Rethinking work
* Local Initiatives in Information Access
* Elections 1996: Towards a Technology Platform
plus workshops, hands-on demos, and a virtual conference
Contact: http://www.cs.uchicago.edu/discussions/cpsr/ http://www.cpsr.org/home cpsrannmtg@cpsr.org

Converging Technologies: Forging New Partnerships in Information, ASIS Annual Meeting, Chicago, IL, Oct. 9-12.
Contact: asis@cni.org 301 495-0900 301 495-0810 (fax)

"Designing for the Global Village," HFES, Sheraton Harbor Island Hotel, Santa Monica, CA, October 9-13.
Contact: 72133.1474@compuserve.com 310 394-1811 310 394-2410 (fax)

Eco Expo East, World Trade Center, Boston, MA, October 13-15.

People, Networks & Communications '95, The Emergence of Application, Information Technology & Policy for the 21st Century, Oahu, Hawaii, Oct 30- Nov. 3.
Contact: ekho@uhunix.uhcc.hawaii.edu 808 933-3383

Managing the Privacy Revolution, Washington, DC, Oct. 31-Nov. 1
Contact: 201 996-1154

EDUCOM'95, Portland, OR, Oct. 31-Nov. 3.
Contact: conf@educom.edu

Management & Network Technology, Trondheim, NORWAY, Nov. 22-24.
Contact: ifim@ifim.sintef.no http://duplox.wz-berlin.de/COSTA3/ 47 73 592559 47 73 592570 (fax)

11th Annual Computer Security Applications Conference, New Orleans, LA, Dec. 11-15.
Contact: vreed@mitre.org 205 830-2606 205 830 2608 (fax)

Professional Awareness in Software Engineering (PASE'96), London, ENGLAND, Feb. 1-2, 1996.
Contact: paseconf@westminster.ac.uk 44 171 9115000 44 171 9115089 (fax)

CQL'96: Symposium on Computers & the Quality of Life (ACM), Philadelphia, PA, February 14-16, 1996. Papers, Panels Proposals, Tutorial Proposals by Sept. 1.
Contact: liffick@cs.millersv.edu 717 872 3536 717 871-2320 (fax)

Assoc. for Practical and Professional Ethics, St. Louis, MO, Feb. 29-March 2 Submissions deadline is Oct. 31, 1995.
Contact: appe@indiana.edu 812 855-6450 812 855-3315

Technical Conference on Telecommunications R&D in Massachusetts, Lowell, MA, March 12, 1996.
Contact: http://www.commx.org/mtchom dana@ultranet.com 617 439-8600

Computers, Freedom, and Privacy, M.I.T., Cambridge, MA, March 27-30, 1996. Proposal Submission deadline: 9/1/95.
Contact: web.mit.edu/cfp96 cfp96-info@mit.edu

Creating a Library of the Future Without Diminishing the Library of the Past - A conference for librarians, Cambridge, MA. March 30-31, 1996.
Contact: cmkent@fas.harvard.edu

A Strategic Approach to Globalization Through Technology and Diversity, Rockville, MD, April 11-14, 1996.
Contact: marsha-w@uiuc.edu 217 356-7050 (fax)

Technological Assaults on Privacy, Rochester, NY, April 18-20, 1996. Paper drafts by Feb. 1, 1996.
Contact: privacy@rit.edu 716 475-6643 716 475-7120 (fax)

The Digital Revolution: Assessing the Impact on Business, Education and Social Structures, San Diego, CA, May 20-22, 1996. Intents to submit papers deadline: November 15, 1995.
Contact: asis96@chestnut.lis.utk.edu

International Symposium on Technology and Society 1996 (ISTAS '96), Princeton University, Princeton, NJ, June 21-22, 1996 Abstract submission deadline: December 15, 1995.
Contact: istas@wws.princeton.edu 609 258-1985 (fax)

------------------------------

Date: Tue, 1 Aug 95 9:30:33 EDT
From: zurko@osf.org (Mary Ellen Zurko)
Subject: IEEE Symp. on Security and Privacy - Call for papers

CALL FOR PAPERS

1996 IEEE Symposium on Security and Privacy
May 6-8, 1996
Oakland, California

sponsored by
IEEE Computer Society Technical Committee on Security and Privacy
in cooperation with
The International Association for Cryptologic Research (IACR)

Since 1980, the Symposium on Security and Privacy has been the premier forum for presenting developments in computer security and for bringing together researchers and practitioners in the field. This year, we seek to build upon this tradition of excellence by re-emphasizing work on engineering and applications as well as theoretical advances. We also seek to broaden the scope of the Symposium by introducing additional topics.
We want to hear not only about new theoretical results, but also about work in the design and implementation of secure systems and work on policy relating to system security. We are particularly interested in papers on policy and technical issues relating to privacy in the context of the Information Infrastructure, papers on securing unsecure applications and operating systems, papers that relate software and system engineering technology to the design of secure systems, and papers on hardware and architectural support for secure systems.

The symposium will focus on technical aspects of security and privacy as they arise in commercial and industrial applications, as well as in government and military systems. It will address advances in the theory, design, implementation, analysis, and application of secure computer systems, and in the integration and reconciliation of security and privacy with other critical system properties such as reliability, performance, and safety. Topics in which papers and panel session proposals are invited include, but are not limited to, the following:

Secure systems
Privacy Issues
Access controls
Security verification
Network security
Policy modeling
Information flow
Authentication
Database security
Data integrity
Security Protocols
Viruses and worms
Auditing
Biometrics
Smartcards
Commercial and industrial security
Intrusion Detection
Security and other critical system properties
Distributed systems security
Novel applications of cryptography and other security techniques

We will continue the session of very brief (5-minute) talks introduced last year. Our goal is to make it possible for us to hear from people who are advancing the field in the areas of system design and implementation, and who would like to present their ideas to the symposium audience but may lack the time and resources needed to prepare a full paper. Submissions for this session will be accepted up to April 2, 1996 to permit us to hear of the most recent developments.
Abstracts of these talks will be distributed at the conference.

INSTRUCTIONS TO AUTHORS:

Send six copies of your paper and/or proposal for a panel session to John McHugh, Program Co-Chair, at the address given below. Papers and panel proposals must be received by November 6, 1996. Papers, which should include an abstract, must not exceed 7500 words. The names and affiliations of the authors should appear on a separate cover page only, as a ``blind'' refereeing process is used. In addition to the paper submission, an ASCII copy of the paper title and abstract should be sent to the Program Co-Chair (mchugh@cs.pdx.edu) by electronic mail. These will be distributed electronically (without author identification) to the entire program committee to aid in the appropriate assignment of referees. Authors must certify prior to December 25, 1996 that any and all necessary clearances for publication have been obtained.

Papers must report original work that has not been published previously, and is not under consideration for publication elsewhere. Abstracts, overlength papers, electronic submissions, late submissions, and papers that cannot be published in the proceedings will be rejected without review. Authors will be notified of acceptance by January 16, 1996. Camera-ready copies are due not later than March 4, 1996.

Panel proposals should describe, in two pages or less, the objective of the panel and the topic(s) to be addressed. Names and addresses of potential panelists (with position abstracts if possible) and of the moderator should also be included. Panels are not intended to serve as alternate paper sessions and it is expected that, with the possible exception of an overview of the topic area by the panel chair, individual presentations by panel members will be limited to five to ten minutes and that at least one third of the session will be reserved for discussion.
Submitters of abstracts for the special session of five-minute talks should submit one page abstracts to John McHugh, Program Co-Chair, at the address given below. The abstract should be one page or less; Email submissions of 30 to 60 lines are preferred. Abstracts must be received by April 2, 1996. Authors will be notified of acceptance or rejection of abstracts by April 16. Submitted abstracts that are accepted will be distributed at the conference. Presenters of five-minute talks are expected to register for the conference. Overtly commercial presentations are inappropriate.

The Symposium will also include informal poster sessions where preliminary or speculative material, and descriptions or demonstrations of software, may be presented. Send one copy of your poster session paper to Dale Johnson, at the address given below, by January 31, 1996, together with certification that any and all necessary clearances for presentation have been obtained.

Again this year, we will attempt to counsel prospective authors. If you have questions about whether or how to present your work to the symposium, please send email to the Chair (dmj@mitre.org), and we will do our best to assist you.

Information about this conference will also be available by anonymous ftp from ftp.cs.pdx.edu in directory /pub/SP96, on the web at http://www.cs.pdx.edu/SP96. The program chairs can be reached by email at sp96@cs.pdx.edu.

PROGRAM COMMITTEE

Dave Bailey, Galaxy Computer Services, USA
Terry Vickers Benzel, TIS, USA
Lee A. Benzinger, Loral, USA
Debbie Cooper, DMCooper, USA
Oliver Costich, Independent Consultant, USA
Yves Deswarte, LAAS-CNRS & INRIA, FR
Jim Gray, Hong Kong U. of Sci. and Tech, HK
Lee Gong, SRI, USA
Sushil Jajodia, GMU, USA
Paul Karger, GTE, USA
Carl Landwehr, NRL, USA
John McLean, NRL, USA
Catherine A. Meadows, NRL, USA
Rich Neely, CTA, USA
Sylvan S. Pinsky, DoD, USA
Mike Reiter, AT&T, USA
Sue Rho, TIS, USA
Peter Ryan, DRA, UK
Tom Schubert, Portland State Univ., USA
Stuart Stubblebine, AT&T, USA
Elisabeth Sullivan, Sequent, USA
Tom Van Vleck, Taligent, USA
Vijay Varadharajan, Univ. of Western Sydney, AU
Yacov Yacobi, Belcore, USA
Raphael Yahalom, Hebrew University, Israel
Mary Ellen Zurko, OSF, USA

For further information concerning the symposium, contact:

Dale Johnson, General Chair
The MITRE Corporation
Mailstop A156
202 Burlington Rd
Bedford, MA 01730-1420, USA
Tel: +1 (617) 271-8894
Fax: +1 (617) 271-3816
dmj@mitre.org

John McHugh, Program Co-Chair
Computer Science Department
Portland State University
P.O. Box 751
Portland OR 97207-0751, USA
Tel: +1 (503) 725-5842
Fax: +1 (503) 725-3211
mchugh@cs.pdx.edu

Steve Kent, Vice Chair
BBN Systems and Technologies
Mailstop 13/2a
70 Fawcett Street
Cambridge, MA 02138
Tel: +1 (617) 873-6328
Fax: +1 (617) 873-4086
kent@bbn.com

George Dinolt, Program Co-Chair
Loral WDL
P.O. Box 49041, MS X20
San Jose, CA 95161-9041
Tel: +1 (408) 473-4150
Fax: +1 (408) 473-4272
dinolt@wdl.loral.com

Charles Payne, Treasurer
Secure Computing Corporation
2675 Long Lake Road
Roseville, MN 55113
Tel: +1 (612) 628-1594
Fax: +1 (612) 628-2701
cpayne@sctc.com

Peter Ryan, European Contact
Defence Research Agency
Room NX17
St Andrew's Rd
Malvern
Worcs WR14 3PS, UK
Tel +44 (0684) 895845
Fax +44 (0684) 894303
ryan@rivers.dra.hmg.gb

Jim Gray, Asia/Pacific Contact
Department of Computer Science
Hong Kong Univ. of Science & Technology
Clear Water Bay, Kowloon, Hong Kong
Tel: +852 358-7012
Fax: +852 358-1477
gray@cs.ust.hk

------------------------------

End of PRIVACY Forum Digest 04.17
************************