PRIVACY Forum Archive Document


PRIVACY Forum Digest     Tuesday, 30 November 1999     Volume 08 : Issue 17

                (http://www.vortex.com/privacy/priv.08.17)  

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                         http://www.vortex.com 
        
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
                 Cable & Wireless USA, Cisco Systems, Inc., 
                           and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
        Animated Cursors Silently Collecting User Browsing Data
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Big Brother Wants Your Medical Records (Dawn Richardson)
        Group formed to oppose supermarket "loyalty" cards 
           (Katherine Albrecht)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the list server system.  Please follow the instructions above
for getting the list server  "help" information, which includes details
regarding the "index" and "get" list server commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 08, ISSUE 17

     Quote for the day:

        "You know better than to trust a strange computer!"

                -- C-3PO (Anthony Daniels)
                   "The Empire Strikes Back" (Lucasfilm/Fox; 1980)

----------------------------------------------------------------------

Date:    Tue, 30 Nov 99 12:32 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Animated Cursors Silently Collecting User Browsing Data

Greetings.  The "Spies in Your Software" saga continues onward, as analysis
of various software's network activities in various quarters continues to
reveal new (but unfortunately not really unexpected) surprises.  

In the latest chapter, users of the popular Comet Systems' animated cursors
(for Microsoft Windows systems) have learned that the cursors (reportedly in
use by many millions of persons) have silently been feeding information
concerning the sites they visit back to Comet for the firm's analysis and
use.  Unlike the more common situations where Global Identifiers and related
data are passed only to the particular server to which a user connects, in
this case the information is being fed back to Comet itself, whenever the
user visits any of the many 10's of 1000's of affiliated sites.  The vast
array of sites involved include many oriented towards children, as well as
popular comic-strip sites (such as "Dilbert" and others).

I spoke at length today with Comet's marketing director, who defended their
practices.  He contends that the information collected is "anonymous" since
they do not collect names, e-mail addresses, or other personally-identifiable
information, and that the information they do collect is maintained only in
aggregate form for their paying clients, and is purged of other data before
distribution to those clients.  He stated that he feels concerns about
possible abuse of collected data in the future (say, after an acquisition,
or other policy change) are purely theoretical and are not realistic.  

One of my main concerns is that it would not seem obvious to most users that
an animated cursor should or would be sending any information back to a
central point.  His reaction to my suggestion that the software clearly
inform users that there would be information flowing back to Comet was
fascinating.  He expressed the opinion that there was no need for this since
the information was "anonymous"--and that since most people just "click
through" license agreements anyway without reading them, there wasn't any
point to bothering people with lots of stuff to read through before
installation.  He also suggested that forcing vendors or sites to provide
such information on a routine basis would create a "police state" (his exact
words) environment.  He did however agree that the lack of regulation
creates a situation where each company has to make these determinations on
their own, and admitted that it would be a lot easier if it were clearly
spelled out what they could or couldn't do.

In response to the current furor, Comet has posted a new privacy policy,
with links that appear on the main download pages for the cursors and at
other points.  However, they have chosen not to provide information on those
pages to clue people in to the fact that there is anything about the cursors
which might relate specifically to privacy concerns, so how many people will
choose to read the privacy links is unclear.  Also, depending on Javascript
and browser security settings (particularly of concern with Microsoft
Internet Explorer), it is possible that the cursors might be downloaded
automatically without the user ever seeing the privacy link information.

Comet has also posted instructions regarding removal of the cursors
from your system.  The main information is at:

http://www.cometsystems.com/download/cleaner.shtml

Microsoft IE users would need to take some additional steps 
detailed at:

http://download.cometsystems.com/no_nag/nonag.asp

to avoid having sites continue to bug them about downloading the cursors.
Unfortunately and ironically, you apparently must have cookies enabled to
activate this latter function, so you may want to think twice before 
using it.

The saga continues...

--Lauren--
lauren@vortex.com
Lauren Weinstein
Moderator, PRIVACY Forum - http://www.vortex.com
Co-Founder, PFIR: People For Internet Responsibility - http://www.pfir.org
Member, ACM Committee on Computers and Public Policy

------------------------------

Date:    Wed, 3 Nov 1999 02:30:37 -0600
From:    "Dawn Richardson" <prove@swbell.net>
Subject: Big Brother Wants Your Medical Records 

The Medical Privacy Scam: Big Brother Wants Your Medical Records

by Dawn Richardson

On Friday, Oct. 29th, President Clinton announced U.S. Department of Health
and Human Services Secretary Donna E. Shalala's proposed rules which claim
to protect the privacy of Americans' personal health records that are either
transmitted or maintained electronically.  These rules were published in the
Federal Register today, November 3rd.

America is being scammed by HHS-initiated press releases into thinking that
these proposed rules, if adopted, will keep us in control of our intimate
medical details. While HHS's rules spell out clear regulatory restrictions
for how doctors and health plans use our personal medical data, they also
dangerously grant federal, state, and local government health bureaucrats
broad unrestricted access and control of our private medical information
without our consent for anything that can be linked to the self-defined
"national priority purposes" of research, public health, government health
data systems, law enforcement and oversight of the health care system. (see
summary http://aspe.hhs.gov/admnsimp/pvcsumm.htm )

The section of greatest concern in the rules is "Uses and disclosures
permitted without individual authorization."

Unconsented disclosures are rationalized for "public health surveillance,
investigations and interventions."  Immunization and cancer registries are
also cited as beneficiaries of this governmental information grab.  HHS
states in the rules, "We considered requiring individual authorization for
certain public health disclosures, but rejected this approach because many
important public health activities would not be possible if individual
authorization were required."

Specific government agencies listed as being granted access to individual
identifiable medical records under the pretext of "oversight" include "State
insurance commissions, State health professional licensure agencies, Offices
of Inspectors General of federal agencies, the Department of Justice, State
Medicaid fraud control units, Defense Criminal Investigative Services, the
Pension and Welfare Benefit Administration, the HHS Office for Civil Rights,
the FDA, the Social Security Administration, the Department of Education,
the Occupational Health and Safety Administration and the Environmental
Protection Agency."

HHS also proposes "to permit covered entities to disclose protected health
information to a law enforcement official without individual authorization
for the conduct of lawful intelligence activities."

HHS will accept public comment on the proposed rules for 60 days from the
publication date of November 3rd. Public comments can be submitted
electronically to http://aspe.hhs.gov/admnsimp/, and all 631 pages of the
proposed rules are posted at this same location.  We are working on our
formal comments/objections to the proposed rules and will be distributing
them to our email lists and posting them on our web site for reference soon.
                                -----------------
Dawn Richardson, President
PROVE (Parents Requesting Open Vaccine Education)
P.O. Box 1071
Cedar Park, TX  78630-1071
(512) 918-8760
prove@vaccineinfo.net (email)
http://vaccineinfo.net (web site)

                [ I would urge PRIVACY Forum readers with opposing
                  points of view, particularly concerning the public
                  health aspects of this issue, to e-mail submissions
                  expressing the details to the PRIVACY Forum.  This
                  is a complex area where meaningful debate would
                  be particularly useful.
                  
                        -- PRIVACY Forum Moderator  ]

------------------------------

Date:    Wed, 17 Nov 1999 14:20:28 -0500
From:    Katherine Albrecht <kma@virtue.org>
Subject: Group formed to oppose supermarket "loyalty" cards

Hi, 

I am the founder of CASPIAN, a consumer group dedicated to fighting
supermarket "loyalty cards" or "club cards."  Since your organization is
concerned with consumer privacy issues, I invite you to visit the CASPIAN
website, at www.nocards.org, and to let your readers know of the movement to
fight these invasive registration and monitoring programs.  

The CASPIAN website contains a comprehensive set of arguments against shopper
cards and provides evidence that these programs do not save shoppers money. 
Also, to the best of my knowledge, the CASPIAN site contains the most
comprehensive listing of United States grocery retailers on the Web. It lists
the URL, locations, and card status of over 400 stores and supermarket chains.
In the four weeks since it was publicly released, the CASPIAN website has
received thousands of visits from shoppers around the world in addition to
being featured on NBC news and the Seattle Times.  

I applaud you for your efforts to protect consumer privacy.  
Keep up the good work!

Sincerely, 

Katherine Albrecht 
Founder/Editor 
CASPIAN - Consumers Against Supermarket Privacy Invasion and Numbering 
www.nocards.org 

------------------------------

End of PRIVACY Forum Digest 08.17
************************


Copyright © 2005 Vortex Technology. All Rights Reserved.