PRIVACY Forum Archive Document

PRIVACY Forum Home Page

PFIR - "People For Internet Responsibility" Home Page

Vortex Technology Home Page


PRIVACY Forum Digest      Sunday, 1 November 1998      Volume 07 : Issue 18

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                         http://www.vortex.com 
        
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
          "internetMCI" (a service of the Data Services Division         
                  of MCI Telecommunications Corporation), 
                  Cisco Systems, Inc., and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
        On the Passing of Jon Postel 
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Netscape, WebTV, "Backchannels" Update
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Privacy Briefs (Lauren Weinstein; PRIVACY Forum Moderator)
        Auto theft (Phil Agre)
        CCTV (Keith Parkins)
        Bill C-54: Personal Information Protection and Electronic 
           Documents Act (M Taylor)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 07, ISSUE 18

     Quote for the day:
         
        "In our family, we don't divorce our men--we bury them."

                -- Stella Bernard (Ruth Gordon)
                   "Lord Love a Duck" (United Artists; 1966)

----------------------------------------------------------------------

Date:    Sun, 1 Nov 98 09:53 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: On the passing of Jon Postel

As you probably know by now, ARPANET/Internet pioneer Jon Postel died
recently, during recovery from heart surgery.  He was only 55.  While 
few recent users of the Internet knew of his work, Jon's efforts relating 
to the creation and continued development of the net are almost impossible 
to overstate.

Jon hailed from the same UCLA basement computer lab, the first site on the
ARPANET, where I began in the early 1970's.  It was Jon who almost
singlehandedly prevented chaos from overtaking the net through his IANA
(Internet Assigned Numbers Authority).  His name is associated with countless
projects and documents relating to the development of the net over the last
three decades.  The whole structure of Internet addresses and domain names
we now take for granted was largely the result of his work.  He was a force
for stability in the ongoing controversies over the "privatization" of the
Internet and would have had a leading role in the effort.

He will be sorely missed.

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date:    Sun, 1 Nov 98 09:43 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Netscape, WebTV, "Backchannels" Update

Greetings.  I just wanted to update the readership regarding my current
inquiries into "backchannels" of personal information potentially
being collected via Netscape Communicator (and now, other systems).
Please see PRIVACY Forum Digest Vol. 07 #17 for the previous summary
( http://www.vortex.com/privacy/priv.07.17 ).  

I've had a variety of interesting communications since my last report.  I
was contacted by the Netscape engineer who implemented the client side
portion of Netscape's "What's Related" system--he confirmed the technical
accuracy of the PRIVACY Forum reports regarding the system.  I've also had
continuing communications with Netscape managers, who apparently are in the
process of revising their FAQs to at least provide users with a bit more
information regarding the sorts of data that can be collected by their
system at this time.  Frankly, judging from the preliminary material they've
sent me, I don't think they go anywhere near far enough.  They've told me
that they expect outside sources (like the PRIVACY Forum) to be the venues
for discussion of potential risks that go beyond what the system does right
now.  I expect additional communications on these topics with both Netscape
engineering and management, so I'll have more to report on this in the near
future.

Press reports recently carried stories regarding concerns over information
backchanneling and distribution by Microsoft's WebTV, supposedly including
both user web URL and television channel viewing data.  Reports also
suggested that plans were in place to localize the data down to the
individual level to allow for targeted advertising.  There have also been
concerns expressed in some newsgroups regarding possible use of what some
believed to be cryptographic "signatures" on WebTV messages.  After some
comments of mine on these topics were quoted in the mainstream press, I
received a call from Steve Perlman, president of WebTV. 

We had a long, detailed, and cordial chat.  The bottom line appears to be
pretty similar to that of Netscape.  WebTV's privacy policy notwithstanding,
I don't feel that it is made clear to users exactly what sorts of data are
or can be collected.  At the moment, WebTV is apparently only distributing
"aggregate" data, but of course you have to collect specific data before you
can create aggregate summaries!  Mr. Perlman did readily admit that the
potential for abuse existed in these systems, but insisted that they're as
concerned about this as anyone else.  He said that their policy requires a
search warrant before any information they consider private (such as e-mail)
is released--he says that this has occurred in a case relating to a child
porn investigation.  There will be more info regarding WebTV issues in the
digest coming up in the future.

Meanwhile, the trend towards search engines wanting to keep track of the
links you select seems to be spreading.  As reported earlier, the Netscape
"What's Related" system already does this.  Now it appears that "Hotbot" has
begun doing something similar.  The link choices returned are clearly
routing back through Hotbot, even though the plain text versions of the URLs
in the displayed summary information show direct addresses without the
Hotbot redirection.

Regardless of the web sites you visit, users concerned about these issues
should keep an eye on the actual links their browsers display
before selecting a new link to follow.

On a general note, my own feelings are that it would be far better if these
information collection systems weren't built into these infrastructures in
the first place, or that at the very least users be fully informed about
the operations, policies, and potential for data abuse, and be required to
give a positive opt-in response, before anything resembling personally
identifiable information is collected, even for aggregate use.

In related news, a new "free" net access service, called "NetZero,"
is basing their business plan on a system of advertising windows
which "follow" the user from site to site.  The NetZero CEO reportedly
has commented that they can target a user down to a 12-mile
radius through their software that tracks users' browsing habits.
My calls to NetZero to obtain more information about these issues
have so far not been returned.

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date:    Sun, 1 Nov 98 10:31 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Privacy Briefs

   - Son of CDA
   - Cell Phone Location Tracking
   - New European Union Privacy Rules

Son of CDA
----------

As expected, Congress passed new restrictions relating to children and the
Internet, popularly being referred to as "Communications Decency Act II."
Court challenges have already begun.  Most attention has revolved around the
requirements concerning verifying the age of persons accessing certain broad
categories of information deemed "harmful to minors" (the precise rules
apparently must be formulated by the Federal Trade Commission).  Other
aspects involve the collection of information from children by web sites
(again, specifics apparently under the auspices of the FTC).

However, a less noticed aspect of the bill with privacy implications could
force ISPs to provide information regarding their subscribers to
law enforcement, even without a search warrant.  Under the new law, when an
ISP "obtains knowledge of facts or circumstances" in which a child
pornography law is thought to be violated, it must report the information to
a law enforcement agency.  There are fines of up to $50,000 for the first
infraction and $100,000 for subsequent infractions.

Since the law doesn't establish a standard of truth, and the fines are so
severe, there are concerns that ISPs will "over-report," providing data on
innocent subscribers upon any accusation, from nearly any source.  The law
reportedly does not limit the type of information ISPs can turn over to law
enforcement or provide legal recourse for subscribers whose personal
information is improperly disclosed, since ISPs are specifically protected 
from liability for actions they take under the act.

Cell Phone Location Tracking
----------------------------

The Federal Communications Commission (FCC) is apparently moving forward
with plans to require cellular carriers to provide detailed user location
data (originally implemented for 911 emergency use) to law enforcement,
subject to a court order indicating that the person in question is "under
investigation."  This is a much lower standard than that required to obtain a
search warrant.  Such data could presumably be used in realtime or
retrospectively.  Of course, since cell phones can only be tracked when they
are turned on (either awaiting a call or in a call) the continuity of such
data can vary widely.  Pre-paid cellular services, which can be obtained
without verifiable identification, also would appear to present some
additional complexities for such applications.

New European Union Privacy Rules
--------------------------------

A series of wide-ranging and detailed rules regarding privacy have come into
force in the EU, with a range of complex implications for firms around the
world.  Even within the EU itself, not all countries are currently in
compliance with the new regulations.  The direct impact of the rules, which
would make many common information collection and use practices illegal, on
firms that do not do direct business with the EU is unclear due to obvious
jurisdictional issues.  But in an age of multinational organizations and
virtual, web-based businesses, the overall situation is far from clear.  At
the very least, it is likely that the EU regulations may inspire similar
rules in other parts of the world.

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date:    Sun, 25 Oct 1998 16:36:51 -0800 (PST)
From:    Phil Agre <pagre@weber.ucsd.edu>
Subject: auto theft

A story in last Friday's LA Times describes a new form of auto theft:

  Scott Glover, Grand theft auto enters the computer age, Los Angeles
  Times, 23 October 1998, pages B1, B6.

According to the LA sheriff's office, car thieves have begin stealing cars
by impersonating other people using information obtained from their credit
reports.  The thief shows up at a new car dealer, claims to be John Smith
(or whoever), fills out paperwork with information obtained from John's
credit report, completes the purchase, drives off the lot, and quickly
exports the car to a buyer overseas.  In one case a thief got a report by
paying a Georgia jeweler to run a credit check, and in another case a thief
established a dummy real estate company.  In one case, police believe that
one group of thieves stole nearly fifty -- that's five zero -- cars by this
method.  "They go for Mercedeses, BMWs, Lexuses, you name it", a sheriff's
captain says.

Right toward the end, the article mentions as if in passing that the
people whose names are stolen are not liable for the losses, although
they must typically put up with long-lasting bureaucratic nightmares as
they put their credit record back together.  (I have to say that I can
sympathize.  Equifax seems to have lost my credit record sometime in the
last couple of years, and they absolutely insist that it does not exist,
even after I have mailed them exhaustive documentation of every single
item of information that their record ought to contain.)

We treat consumers' lack of liability in such cases as if it were a law
of nature, but we forget that the risk allocation rules for credit cards
and other kinds of payment systems are created by legislatures and courts,
and could easily change.  These questions are open again in the context
of electronic payment systems.  As Jane Winn explains in her legal
articles on the subject (http://www.smu.edu/~jwinn), common law tradition
and economic analysis both argue that the law should allocate liability
in proportion to each party's ability to take actions to reduce the
risk.  That is why credit card holders have a limited liability, usually
on the order of $50 in the US, and credit card companies should have
the remaining liability: allocating the risks in that way creates an
incentive for the companies to manage the risks by improving technologies,
communicating with cardholders and other parties, and taking the risks
into account when deciding whether to invest in particular payment
schemes.  That precedent was not followed, Winn explains, in the notorious
Utah digital signature bill, and it is not at all clear that other
legislatures will do better as these issues mature over the next several
years.

Phil Agre

------------------------------

Date:    Thu, 29 Oct 1998 17:32:13 +0000
From:    Keith Parkins <keith@redkbs.com>
Subject: CCTV

The CCTV in London that has built in pattern recognition has now
gone live.

The system can be pre-programmed to look for known people.  When
the target is 'framed' an alarm is sounded, the 'victim'
highlighted, and the local police alerted.  The police then take 
over the monitoring.  Built into the system is the ability to
override disguises.

CCTV does not deter crime, it simply displaces it to another
area.  This area in turn then clamours for CCTV.

Schools are installing CCTV.  If nothing else this conditions the
future generation to accept CCTV as the norm.

In Aldershot, stationary CCTV affixed to buildings, lamp posts is
not enough, they are now installing mobile cameras.

The experiment in Newham, known as Mandrake, is to last for six
months.  Newham has already spent 1.6 million pounds on
installing CCTV.  Mandrake will cost a further 60,000 pounds and
bring the number of cameras within the borough up to 240.

There are an estimated 150,000 cameras on the streets of Britain.

        http://www.heureka.clara.net/sunrise/spooks2.htm
        http://www.heureka.clara.net/surrey-hants/ald-shot.htm
        
Richard Thomas, Police switch on the candid camera that knows
your face, The Observer, 11 October 1998

Bill Mouland, Big Brother is Watching You, Daily Mail, 15 October 1998

Keith Parkins

        [ While I tend to doubt the ability of such existing systems
          to operate in typical urban environments without a 
          high error rate (even if the person isn't "disguised"),
          it is certainly true that the deployment of such 
          technologies has major implications.

                -- PRIVACY Forum Moderator ]

------------------------------

Date: Fri, 9 Oct 1998 00:54:37 -0300 (ADT)
From: M Taylor <mctaylor@privacy.nb.ca>
Subject: Bill C-54: Personal Information Protection and 
         Electronic Documents Act

Bill C-54 has been introduced in Parliament (Canada), back on Oct 1, 1998.
"Personal Information Protection and Electronic Documents Act"

Bill C-54 - online copy, first reading, from Parliamentary web site
<http://www.parl.gc.ca/36/1/parlbus/chambus/house/bills/
government/C-54/C-54_1/C-54_cover-E.html>

"An Act to support and promote electronic commerce by protecting personal
information that is collected, used or disclosed in certain circumstances,
by providing for the use of electronic means to communicate or record
information or transactions and by amending the Canada Evidence Act, the
Statutory Instruments Act and the Statute Revision Act."

This contains a lot of amendments including clarifying the role of digital
signatures in Canada's legal landscape, electronic 'evidence' - such a
strong word for something so mutable, personal privacy of information -
in private industry, "framework for electronic commerce", and I'm certain
a few other goodies.

I haven't had time to review it entirely, it appears posed to greatly
influence how digital signatures will be used by the government of Canada,
including for Notary purposes and electronic commerce. So digital
signature might clearly become binding within the year - I'm sure this is
a good sign. I haven't checked, but the protection of personal information
might include requirements of security which lend themselves to suggesting
that encryption is necessary for the protection of confidential personal
information in the hands of the private and public sectors in Canada.

--
M Taylor mctaylor@ / glyphmetrics.ca | privacy.nb.ca/

------------------------------

End of PRIVACY Forum Digest 07.18
************************


PRIVACY Forum Home Page

Vortex Technology Home Page

Copyright © 2005 Vortex Technology. All Rights Reserved.