PRIVACY Forum Archive Document
PRIVACY Forum Digest Friday, 5 April 1996 Volume 05 : Issue 08
Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
===== PRIVACY FORUM =====
-------------------------------------------------------------------
The PRIVACY Forum is supported in part by the
ACM (Association for Computing Machinery)
Committee on Computers and Public Policy,
"internetMCI" (a service of the Data Services Division
of MCI Telecommunications Corporation), and Cisco Systems, Inc.
- - -
These organizations do not operate or control the
PRIVACY Forum in any manner, and their support does not
imply agreement on their part with nor responsibility
for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------
CONTENTS
Re: Netscape cookies linked to demographic database
(Martin Roscheisen)
Re: Garage Door openers (Marc Carrel)
House Approves Immigration Bill, Rejects National
ID Card [From EPIC Alert] (Marc Rotenberg)
Medical Privacy Coalition Releases Draft Medical
Privacy Bill [From EPIC Alert] (Marc Rotenberg)
ACM/IEEE Letter on Crypto (Dave Banisar)
Minnesota Online privacy bill in conference committee
(Sheldon Mains)
*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***
-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.
All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored. Excessive "signatures" on submissions are
subject to editing. Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com". Mailing list problems should be reported to
"list-maint@vortex.com".
All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations.
The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password. The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access. PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system. Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.
All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/". Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------
VOLUME 05, ISSUE 08
Quote for the day:
"I think we have a challenge."
-- Number 2 (Guy Doleman)
"The Prisoner" [Episode one: "Arrival"]
June 1968 - September 1968, May 1969 - September 1969
----------------------------------------------------------------------
Date: Sat, 23 Mar 1996 22:47:18 -0800
From: "Martin Roscheisen" <rmr@cs.stanford.edu>
Subject: Re: Netscape cookies linked to demographic database
The concern expressed by Andrew Hagen <ah@rrnet.com> (Privacy Digest
05:07) about the use of Netscape cookies as sort of a universal
identifier combined with the speculation that Netscape might sell a
corresponding database which links demographic information to such an
identifier seems unjustified in the light of the simple fact that the
technical mechanism does not provide for this.
The cookie protocol is described at
http://www.netscape.com/newsref/std/cookie_spec.html
To quote the crucial part here:
BEGIN QUOTE
Only hosts within the specified domain can set a cookie for a
domain and domains must have at least two (2) or three (3)
periods in them to prevent domains of the form: ".com", ".edu",
and "va.us"
END QUOTE
In other words, it is not possible to set a cookie from one server and
have the browser send it to all the servers to which a user might be
going. It therefore does not make any sense to sell a database in the
presumed form. [Also, since the cookie size is limited, it would also
not work to register in the browser all those servers to which such a
hypothetical database had been sold.]
Cheers, - Martin
Martin Roscheisen
Integrated Digital Libraries Project
Computer Science Department, Stanford University
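
The domain rules quoted in the message above, worked through as an added example (not part of the original post, and not Netscape's code). The list of top-level domains that need only two periods comes from the same Netscape specification rather than from the quote; the host names and the label-boundary tail match are assumptions of this example.

```javascript
// Added illustration of the Netscape cookie domain rules; not Netscape's code.
// All host names are constructed samples.

// Top-level domains for which the Netscape spec accepts two periods;
// every other domain needs at least three.
const TWO_PERIOD_TLDS = new Set(["com", "edu", "net", "org", "gov", "mil", "int"]);

function countPeriods(s) {
  return s.split(".").length - 1;
}

// Period rule from the quoted passage, applied to the Domain attribute as written.
function hasEnoughPeriods(domain) {
  const d = domain.toLowerCase();
  const tld = d.slice(d.lastIndexOf(".") + 1);
  const required = TWO_PERIOD_TLDS.has(tld) ? 2 : 3;
  return countPeriods(d) >= required;
}

// Tail match of a host name against a Domain attribute. Assumption: the match
// is anchored on a label boundary, so ".example.net" does not match
// "badexample.net".
function tailMatches(host, domain) {
  const h = "." + host.toLowerCase();
  const d = domain.startsWith(".") ? domain.toLowerCase() : "." + domain.toLowerCase();
  return h.endsWith(d);
}

// Browser-side decision when a response from settingHost carries
// Set-Cookie with the given Domain attribute.
function acceptSetCookie(settingHost, domain) {
  if (!hasEnoughPeriods(domain)) {
    return { accepted: false, reason: "too few periods in domain" };
  }
  if (!tailMatches(settingHost, domain)) {
    return { accepted: false, reason: "setting host is outside domain" };
  }
  return { accepted: true, reason: "ok" };
}

// Browser-side decision when building a request to requestHost.
function wouldSend(cookieDomain, requestHost) {
  return tailMatches(requestHost, cookieDomain);
}

// Constructed scenario: a server at ads.example.net tries three Domain values.
function demo() {
  const setter = "ads.example.net";
  return [".net", ".example.com", ".example.net"].map((domain) => {
    const verdict = acceptSetCookie(setter, domain);
    return {
      domain,
      accepted: verdict.accepted,
      reason: verdict.reason,
      sentToOtherSite: verdict.accepted && wouldSend(domain, "www.example.com"),
      sentToOwnSite: verdict.accepted && wouldSend(domain, "www.example.net"),
    };
  });
}

console.log(demo());
```
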
------------------------------
Date: Tue, 26 Mar 1996 10:22:27 -0700 (PDT)
From: ML.Carrel@SEN.CA.GOV
Subject: Re: Garage Door openers
Everyone who has contributed to this topic has mentioned high tech methods of
opening garage doors. Last year, however, I saw a story on the local news in
San Francisco which dealt with a rash of burglaries there. The thieves looted
these homes after entering through their garage doors. Apparently all of the
homes had older garage door openers which could also be opened by a key switch
mounted outside to the side of the garage door. These switches were installed
to provide a way to open the garage if you did not have an electronic opener
(e.g. for kids when they came home from school, etc.). The thieves would open
the garage by spraying a "common household liquid" into the key hole to
activate the opening device. All the burglaries had evidence of this liquid in
the garage door's keyhole. The television reporter would not disclose what the
liquid was, but he used it on camera and showed how it worked. The liquid was
colored so it could be anything from anti-freeze to cleaning liquid. Police
advised deactivating the wiring inside the key switch so that thieves couldn't
enter your house using this very low-tech method.
Marc Carrel
Sacramento, CA
ML.Carrel@sen.ca.gov
------------------------------
Date: 28 Mar 1996 17:08:23 -0500
From: "Marc Rotenberg" <rotenberg@epic.org>
Subject: House Approves Immigration Bill, Rejects National
ID Card [From EPIC Alert]
[ From EPIC Alert 3.07; March 28, 1996 ]
The House of Representatives rejected proposals for a national ID card
and a mandatory national database of all workers in the United States.
The vote came on March 22 when the House approved a far reaching
immigration reform bill.
A manager's amendment submitted by Rep. Lamar Smith (R-TX) made the
employment verification provisions voluntary in at least five of the
seven states with the highest levels of illegal immigration. To
encourage companies to use the voluntary system, firms would be
provided various incentives.
By a vote of 221 to 191, the House rejected a proposal from Rep. Bill
McCollum (R-FL) to create a "tamperproof social security account card."
Previous proposals by McCollum would have required that all individuals
over the age of 16 obtain such a card, which would include the person's
photograph, name, address, social security number, and some form of
biometric identification such as a fingerprint or retinal scan.
An amendment by Rep. Steve Chabot (R-OH) to eliminate all
identification provisions was defeated by a vote of 260 to 159. The
final bill passed on a vote of 333 to 87. The Senate is expected to
take up the Immigration bill starting this week.
------------------------------
Date: 28 Mar 1996 17:08:23 -0500
From: "Marc Rotenberg" <rotenberg@epic.org>
Subject: Medical Privacy Coalition Releases Draft Medical
Privacy Bill [From EPIC Alert]
[ From EPIC Alert 3.07; March 28, 1996 ]
The Medical Privacy Coalition, an ad hoc group of privacy, medical,
consumer and patient rights groups has prepared a draft medical
privacy bill. Dr. Denise Nagel, chair of the Privacy Coalition and
the head of the Coalition for Patient's Rights, said that the draft bill
addresses privacy concerns that have been raised about Senate
measure S. 1360. (The American Medical Association recently wrote to
Senator Kassebaum to express concern about S. 1360. See EPIC Alert 3.06)
The new draft bill is based on a patient-centered view of medical record
privacy and strictly limits disclosure of medical information for other
purposes. It is based on five principles:
o Individuals possess a right to privacy with respect to their
personally identifiable health information;
o This right to privacy may not be waived in the absence of
meaningful notice and informed (not coerced) consent;
o In the absence of an express waiver, the right to privacy
may not be eliminated or limited, except as expressly provided
under this legislation;
o The private patient/physician relationship must be facilitated
and protected; and
o Information that is disclosed must be limited in amount,
duration, and use, thus prohibiting secondary, unauthorized
uses or disclosures, as well as fishing expeditions.
The proposed bill gives each patient the right to access, copy and
correct health information, limits third party access, prohibits the
use of the SSN as a health care identifier, and prohibits the creation
of longitudinal health records without the consent of the patient.
Activity in Washington on medical privacy is likely to accelerate in the
next few months. The Consumer Project on Technology is expected to
host a workshop in Washington, DC in early May on medical record
privacy.
A copy of the Medical Privacy Coalition's draft bill and more
information on medical privacy is available at:
http://www.epic.org/privacy/medical/
------------------------------
Date: 1 Apr 1996 16:26:22 -0500
From: "Dave Banisar" <banisar@epic.org>
Subject: ACM/IEEE Letter on Crypto
Association For Computing Machinery
Office of US Public Policy
666 Pennsylvania Avenue SE
Suite 301
Washington, DC 20003 USA
(tel) 202/298-0842 (fax) 202/547-5482
Institute of Electronics and Electrical Engineers
United States Activities
1828 L Street NW
Suite 1202
Washington, DC 20036-5104 USA
(tel) 202/785-0017 (fax) 202/785-0835
April 2, 1996
Honorable Conrad Burns
Chairman, Subcommittee on Science, Technology and Space
Senate Commerce, Science and Transportation Committee
US Senate SD-508
Washington, DC 20510
Dear Chairman Burns:
On behalf of the nation's two leading computing and engineering
associations, we are writing to support your efforts, and the efforts of
the other cosponsors of the Encrypted Communications Privacy Act, to
remove unnecessarily restrictive controls on the export of encryption
technology. The Encrypted Communications Privacy Act sets out the
minimum changes that are necessary to the current export controls on
encryption technology. However, we believe that the inclusion of issues
that are tangential to export, such as key escrow and encryption in
domestic criminal activities, is not necessary. The relaxation of
export controls is of great economic importance to industry and users,
and should not become entangled in more controversial matters.
Current restrictions on the export of encryption technology harm
the interests of the United States in three ways: they handicap American
producers of software & hardware, prevent the development of a secure
information infrastructure, and limit the ability of Americans using new
online services to protect their privacy. The proposed legislation will
help mitigate all of these problems, though more will need to be done to
assure continued US leadership in this important hi-tech sector.
Technological progress has moved encryption from the realm of
national security into the commercial sphere. Current policies, as well
as the policy-making processes, should reflect this new reality. The
legislation takes a necessary first step in shifting authority to the
Commerce Department and removing restrictions on certain encryption
products. Future liberalization of export controls will allow Americans
to excel in this market.
The removal of out-dated restrictions on exports will also enable
the creation of a Global Information Infrastructure sufficiently secure
to provide seamless connectivity to customers previously unreachable by
American companies. The United States is a leader in Internet
commerce. However, Internet commerce requires cryptography. Thus
American systems have been hindered by cold-war restraints on the
necessary cryptography as these systems have moved from the laboratory
to the marketplace. This legislation would open the market to secure,
private, ubiquitous electronic commerce. The cost of not opening the
market may include the loss of leadership in computer security
technologies, just at the time when Internet users around the world will
need good security to launch commercial applications.
For this legislation to fulfill its promise the final approval of
export regulations must be based on analysis of financial and commercial
requirements and opportunities, not simply on the views of experts in
national security cryptography. Therefore, we urge you to look at ways
to further relax restrictive barriers.
Finally, the legislation will serve all users of electronic
information systems by supporting the development of a truly global
market for secure desktop communications. This will help establish
private and secure spaces for the work of users, which is of particular
interest to the members of the IEEE/USA and the USACM.
On behalf of both the USACM and the IEEE/USA we look forward
to working with you on this important legislation to relax export
controls and promote the development of a robust, secure, and reliable
communications infrastructure for the twenty-first century.
Please contact Deborah Rudolph in the IEEE Washington Office at
(202) 785-0017 or Lauren Gelman in the ACM Public Policy Office at (202)
298-0842 for any additional information.
Sincerely,
Barbara Simons, Ph.D.
Chair, U.S. Public Policy
Committee of ACM
Joel B. Snyder, P.E.
Vice President, Professional Activities and
Chair, United States Activities Board
cc: Members of the Subcommittee on
Science, Technology and Space
------------------------------
Date: Wed, 27 Mar 1996 22:50:24 -0600
From: shel@MTN.Org (Sheldon Mains)
Subject: Minnesota Online privacy bill in conference committee
The following online privacy option bill passed the full Minnesota State
House and is now in conference committee with a "study" passed
today by the State Senate. The various interests, including major
commercial on-line services, woke up to the bill and found Senate members
to amend their version which was similar to the House's on the floor with
a short bill that would instead require study.
It is a pretty incredible story that the House bill (following after this
intro) has gotten so far without major attention.
Sheldon Mains
shel@mtn.org
You can track the legislation via the legislative WWW at:
http://www.leg.state.mn.us
Here is the House bill:
H.F. No. 2816, 3rd Engrossment
1.1 A bill for an act
1.2 relating to consumer privacy; regulating the use and
1.3 dissemination of personally identifiable information
1.4 on consumers of computer information services;
1.5 amending Minnesota Statutes 1994, section 13.99, by
1.6 adding a subdivision; proposing coding for new law as
1.7 Minnesota Statutes, chapter 13D.
1.8 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
1.9 Section 1. Minnesota Statutes 1994, section 13.99, is
1.10 amended by adding a subdivision to read:
1.11 Subd. 116. [CONSUMERS OF COMPUTER INFORMATION
1.12 SERVICES.] Personally identifiable information on consumers of
1.13 computer information services is governed by chapter 13D.
1.14 Sec. 2. [13D.01] [DEFINITIONS.]
1.15 Subdivision 1. [SCOPE.] The definitions in this section
1.16 apply to this chapter.
1.17 Subd. 2. [CONSUMER.] "Consumer" means a person who agrees
1.18 to pay a fee for access to an information service for personal,
1.19 family, or household purposes.
1.20 Subd. 3. [ORDINARY COURSE OF BUSINESS.] "Ordinary course
1.21 of business" means debt collection activities, order
1.22 fulfillment, request processing, or the transfer of ownership.
1.23 Subd. 4. [PERSONALLY IDENTIFIABLE INFORMATION.]
1.24 "Personally identifiable information" means information that:
1.25 (1) identifies a person by physical or electronic address
1.26 or telephone number;
2.1 (2) identifies a person as having requested or obtained
2.2 specific materials or services from an information service;
2.3 (3) identifies internet sites visited by a person; or
2.4 (4) identifies any of the contents of a subscriber's data
2.5 storage devices.
2.6 Subd. 5. [INFORMATION SERVICE.] "Information service"
2.7 means any person in the primary business of offering a
2.8 capability for generating, acquiring, storing, transforming,
2.9 processing, retrieving, utilizing, or making available
2.10 information directly to or for a consumer via
2.11 telecommunications, and includes electronic publishing, but does
2.12 not include:
2.13 (1) any service which is provided to business,
2.14 professional, or commercial users;
2.15 (2) any use of any such capability for the management,
2.16 control, or operation of a telecommunications system or the
2.17 management of a telecommunications service; or
2.18 (3) any governmental entity.
2.19 Subd. 6. [TELECOMMUNICATIONS SERVICE.] "Telecommunications
2.20 service" means the offering, on a common carrier basis, of
2.21 telecommunications facilities, or of telecommunications by means
2.22 of such facilities. It does not include an information service.
2.23 Sec. 3. [13D.02] [LIMITS ON ACCESS TO CONSUMER'S
2.24 PERSONALLY IDENTIFIABLE INFORMATION.]
2.25 The information service may require from the consumer the
2.26 following personally identifiable information for purposes of
2.27 its ordinary course of business: name, home telephone number,
2.28 home address, and electronic address. Any further consumer
2.29 information provided shall be optional at the discretion of the
2.30 consumer.
2.31 Sec. 4. [13D.03] [DISCLOSURE OF CONSUMER'S PERSONALLY
2.32 IDENTIFIABLE INFORMATION.]
2.33 Subdivision 1. [DISCLOSURE PROHIBITED.] Except as provided
2.34 in subdivisions 3 and 4, an information service who knowingly
2.35 discloses, to any person other than the consumer, personally
2.36 identifiable information concerning any consumer of the
3.10 sections 2510 to 2521;
3.11 (3) pursuant to a court order in a civil proceeding upon a
3.12 showing of compelling need for the information that cannot be
3.13 accommodated by other means; or
3.14 (4) to a court in a civil action for conversion commenced
3.15 by the information service or in a civil action to enforce
3.16 collection of unpaid subscription fees or purchase amounts; and
3.17 then only to the extent necessary to establish the fact of the
3.18 subscription delinquency or purchase agreement, and with
3.19 appropriate safeguards against unauthorized disclosure.
3.20 Subd. 3. [DISCLOSURE PERMITTED.] (a) An information
3.21 service may disclose personally identifiable information
3.22 concerning any consumer:
3.23 (1) to the consumer;
3.24 (2) to any person with the informed, documented consent of
3.25 the consumer as provided in subdivision 4; or
3.26 (3) to any person if the disclosure is incident to the
3.27 ordinary course of business of the information service.
3.28 (b) A telecommunications service may disclose published
3.29 telephone numbers and physical addresses without the informed,
3.30 documented consent of the consumer, if the telecommunications
3.31 service provides consumers the alternative of an unpublished
3.32 listing.
3.33 Subd. 4. [PROCEDURE FOR INFORMED, DOCUMENTED CONSENT OF
3.34 CONSUMER.] (a) For purposes of subdivision 3, paragraph (a),
3.35 clause (2), in order to obtain the informed documented consent
3.36 of the consumer, the information service, before furnishing any
4.1 information services, must offer the consumer an opportunity
4.2 substantially conforming to the notice contained in this
4.3 subdivision to refuse to have personally identifiable
4.4 information disclosed. The notice must be in an introductory
4.5 portion of the information service's subscriber section with the
4.6 title "Privacy Policy" or a title which conveys a similar
4.7 meaning. This notice applies to any membership, subscription,
4.8 rental, or purchase agreement between the consumer and the
4.9 information service and, must be completed by the consumer
4.10 before service can be provided. The notice must convey the
4.11 substance of the following:
4.12 Privacy Policy
4.13 This information service occasionally provides to marketers
4.14 of goods and services, or organizations with similar goals,
4.15 lists of the names, physical addresses, telephone numbers, and
4.16 electronic addresses of consumers and material accessed or
4.17 purchased by the consumer. We respect the consumer's right not
4.18 to have name, physical address, electronic address, or
4.19 information regarding material accessed or purchased included in
4.20 these lists. This election may be changed by you the consumer
4.21 at any time.
4.22 -I do/do not object to the release of my name, telephone number,
4.23 and physical address.
4.24 -I do/do not object to the release of my name and electronic
4.25 address.
4.26 -I do/do not object to the release of my name and information
4.27 about services I use, including internet sites visited, or
4.28 information obtained or purchased by me.
4.29 -I do/do not object to the release of my name and information
4.30 about the contents of my computer's electronic storage device or
4.31 devices, such as a hard disk drive.
4.32 Full name:
4.33 Account name:
4.34 Electronic verification:
4.35 Repeat electronic verification:
4.36 (b) The information service shall provide the consumer or
5.1 subscriber with a secured, verifiable account. The information
5.2 service shall be responsible for maintaining the security and
5.3 privacy of a consumer's personally identifiable information
5.4 concerning this account.
5.5 Subd. 5. [EXCLUSION FROM EVIDENCE.] Personally
5.6 identifiable information obtained in any manner other than as
5.7 provided in this section may not be received in evidence in any
5.8 trial, hearing, arbitration, or other proceeding before any
5.9 court, grand jury, officer, agency, regulatory body, legislative
5.10 committee, or other authority of the state or any political
5.11 subdivision.
5.12 Subd. 6. [DESTRUCTION OF INFORMATION.] A person subject to
5.13 this section shall destroy personally identifiable information
5.14 relating to the product, services, or information obtained or
5.15 requested by a consumer, internet sites visited by the consumer,
5.16 and the contents of the consumer's computer's electronic storage
5.17 devices as soon as practicable, but no later than six months
5.18 from the date the information is no longer necessary for the
5.19 purpose for which it was collected, except that requests or
5.20 orders for access to the information under this section pending
5.21 at that time shall be completed before the information is
5.22 destroyed. Destruction of personally identifiable information
5.23 includes electronic erasing or expungement.
5.24 Sec. 5. [13D.04] [ENFORCEMENT; CIVIL LIABILITY.]
5.25 A consumer who prevails or substantially prevails in an
5.26 action brought under sections 13D.01 to 13D.04 is entitled to a
5.27 minimum of $500 in damages, regardless of the amount of actual
5.28 damage provided, plus costs, disbursements, and reasonable
5.29 attorney fees.
5.30 Sec. 6. [13D.05] [OTHER LAW.]
5.31 This chapter does not limit any greater protection of the
5.32 privacy of individual medical records or financial records
5.33 provided by any other state or federal law.
5.34 Sec. 7. [13D.06] [APPLICATION.]
5.35 This chapter applies to information services in the
5.36 provision of services to customers in this state.
The Senate file as amended is SF 2454 (only pre-amended version is
currently online). It should soon be available from:
http://www.leg.state.mn.us/
sheldon mains coordinator, Minnesota E-Democracy
shel@mtn.org URL: http://freenet.msp.mn.us/govt/e-democracy
------------------------------
End of PRIVACY Forum Digest 05.08
************************
Copyright © 2005 Vortex Technology. All Rights Reserved.