PRIVACY Forum Archive Document


PRIVACY Forum Digest       Friday, 5 April 1996       Volume 05 : Issue 08

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
        
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
               The PRIVACY Forum is supported in part by the          
                 ACM (Association for Computing Machinery)
                 Committee on Computers and Public Policy,      
          "internetMCI" (a service of the Data Services Division         
      of MCI Telecommunications Corporation), and Cisco Systems, Inc.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
        Re: Netscape cookies linked to demographic database
           (Martin Roscheisen)
        Re: Garage Door openers (Marc Carrel)
        House Approves Immigration Bill, Rejects National 
           ID Card [From EPIC Alert] (Marc Rotenberg)
        Medical Privacy Coalition Releases Draft Medical 
           Privacy Bill [From EPIC Alert] (Marc Rotenberg)
        ACM/IEEE Letter on Crypto (Dave Banisar)
        Minnesota Online privacy bill in conference committee 
           (Sheldon Mains)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 05, ISSUE 08

   Quote for the day:

        "I think we have a challenge."

                -- Number 2 (Guy Doleman)
                   "The Prisoner" [Episode one: "Arrival"]
                   June 1968 - September 1968, May 1969 - September 1969

----------------------------------------------------------------------

Date:    Sat, 23 Mar 1996 22:47:18 -0800
From:    "Martin Roscheisen" <rmr@cs.stanford.edu>
Subject: Re: Netscape cookies linked to demographic database

The concern expressed by Andrew Hagen <ah@rrnet.com> (Privacy Digest
05:07) about the use of Netscape cookies as sort of a universal
identifier combined with the speculation that Netscape might sell a
corresponding database which links demographic information to such an
identifier seems unjustified in the light of the simple fact that the
technical mechanism does not provide for this.

The cookie protocol is described at
http://www.netscape.com/newsref/std/cookie_spec.html

To quote the crucial part here:
   BEGIN QUOTE
   Only hosts within the specified domain can set a cookie for a 
   domain and domains must have at least two (2) or three (3) 
   periods in them to prevent domains of the form: ".com", ".edu", 
   and "va.us"
   END QUOTE 

In other words, it is not possible to set a cookie from one server and
have the browser send it to all the servers to which a user might be
going.  It therefore does not make any sense to sell a database in the
presumed form. [Also, since the cookie size is limited, it would also
not work to register in the browser all those servers to which such a
hypothetical database had been sold.]

Cheers, - Martin

Martin Roscheisen
Integrated Digital Libraries Project
Computer Science Department, Stanford University
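
[Added example, not part of the original post and not Netscape's code: a small Python model of the domain rule quoted above, showing which hosts would receive a cookie set by one server. The list of seven special top-level domains comes from the cited cookie spec rather than from the quoted excerpt; all host names are constructed samples, and the label-boundary check in the tail match is this example's own choice.]

```python
# Added illustration of the Netscape cookie spec's domain rule.
# Host names are constructed samples (reserved example.* names).

# Per the cited spec, domains under these seven top-level domains need two
# periods in the Domain attribute; any other top-level domain needs three.
SPECIAL_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}


def has_enough_periods(domain_attr):
    """Period-count rule that rejects '.com', '.edu' and 'va.us'."""
    d = domain_attr.lower().rstrip(".")   # a trailing dot must not add a period
    tld = d.rsplit(".", 1)[-1]
    required = 2 if tld in SPECIAL_TLDS else 3
    return d.count(".") >= required


def tail_matches(host, domain_attr):
    """Tail match of a host name against a Domain attribute.

    The spec says only "tail match"; matching on a label boundary is an
    assumption of this example, so '.example.com' never matches
    'notexample.com'.
    """
    d = domain_attr.lower().strip(".")
    h = host.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def may_set(setting_host, domain_attr):
    """A host may set a cookie only for a domain it belongs to."""
    return has_enough_periods(domain_attr) and tail_matches(setting_host, domain_attr)


def recipients(setting_host, domain_attr, visited_hosts):
    """Hosts, among those visited, that the browser would send the cookie to."""
    if domain_attr is None:
        # Default domain is the host name of the server that set the cookie.
        return [h for h in visited_hosts if h.lower() == setting_host.lower()]
    if not may_set(setting_host, domain_attr):
        return []                          # browser discards the cookie
    return [h for h in visited_hosts if tail_matches(h, domain_attr)]


# Constructed browsing session.
VISITED = [
    "www.tracker.example.com",
    "shop.example.com",
    "www.example.org",
    "library.example.edu",
]

if __name__ == "__main__":
    setter = "www.tracker.example.com"
    for attr in (".com", ".example.org", ".example.com", None):
        print(repr(attr), "->", recipients(setter, attr, VISITED))
```
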

------------------------------

Date:    Tue, 26 Mar 1996 10:22:27 -0700 (PDT)
From:    ML.Carrel@SEN.CA.GOV
Subject: Re: Garage Door openers

Everyone who has contributed to this topic has mentioned high tech methods of
opening garage doors.  Last year, however, I saw a story on the local news in
San Francisco which dealt with a rash of burglaries there.  The thieves looted
these homes after entering through their garage doors.  Apparently all of the
homes had older garage door openers which could also be opened by a key switch
mounted outside to the side of the garage door.  These switches were installed
to provide a way to open the garage if you did not have an electronic opener
(e.g. for kids when they came home from school, etc.). The thieves would open
the garage by spraying a "common household liquid" into the key hole to
activate the opening device.  All the burglaries had evidence of this liquid in
the garage door's keyhole.  The television reporter would not disclose what the
liquid was, but he used it on camera and showed how it worked.  The liquid was
colored so it could be anything from anti-freeze to cleaning liquid.  Police
advised deactivating the wiring inside the key switch so that thieves couldn't
enter your house using this very low-tech method. 

Marc Carrel
Sacramento, CA
ML.Carrel@sen.ca.gov 

------------------------------

Date: 28 Mar 1996 17:08:23 -0500
From: "Marc Rotenberg" <rotenberg@epic.org>
Subject: House Approves Immigration Bill, Rejects National 
         ID Card [From EPIC Alert]

        [ From EPIC Alert 3.07; March 28, 1996 ]

The House of Representatives rejected proposals for a national ID card
and a mandatory national database of all workers in the United States.
The vote came on March 22 when the House approved a far reaching
immigration reform bill.

A manager's amendment submitted by Rep. Lamar Smith (R-TX) made the
employment verification provisions voluntary in at least five of the
seven states with the highest levels of illegal immigration.  To
encourage companies to use the voluntary system, firms would be
provided various  incentives.

By a vote of 221 to 191, the House rejected a proposal from Rep. Bill
McCollum (R-FL) to create a "tamperproof social security account card."
Previous proposals by McCollum would have required that all individuals
over the age of 16 obtain such a card, which would include the person's
photograph, name, address, social security number, and some form of
biometric identification such as a fingerprint or retinal scan.

An amendment by Rep. Steve Chabot (R-OH) to eliminate all
identification provisions was defeated by a vote of 260 to 159.  The
final bill passed on a vote of 333 to 87.  The Senate is expected to
take up the Immigration bill starting this week.

------------------------------

Date: 28 Mar 1996 17:08:23 -0500
From: "Marc Rotenberg" <rotenberg@epic.org>
Subject: Medical Privacy Coalition Releases Draft Medical 
         Privacy Bill [From EPIC Alert]

        [ From EPIC Alert 3.07; March 28, 1996 ]

The Medical Privacy Coalition, an ad hoc group of privacy, medical,
consumer and patient rights groups has prepared a draft medical
privacy bill.  Dr. Denise Nagel, chair of the Privacy Coalition and 
the head of the Coalition for Patient's Rights, said that the draft bill
addresses privacy concerns that have been raised about Senate 
measure S. 1360. (The American Medical Association recently wrote to
Senator Kassebaum to express concern about S. 1360. See EPIC Alert 3.06)

The new draft bill is based on a patient-centered view of medical record
privacy and strictly limits disclosure of medical information for other
purposes. It is based on five principles:

    o Individuals possess a right to privacy with respect to their
      personally identifiable health information;

    o This right to privacy may not be waived in the absence of 
      meaningful notice and informed (not coerced) consent;

    o In the absence of an express waiver, the right to privacy 
      may not be eliminated or limited, except as expressly provided
      under this legislation;

    o The private patient/physician relationship must be facilitated 
      and protected; and

    o Information that is disclosed must be limited in amount,            
      duration, and use, thus prohibiting secondary, unauthorized 
      uses or disclosures, as well as fishing expeditions.

The proposed bill gives each patient the right to access, copy and
correct health information, limits third party access, prohibits the
use of the SSN as a health care identifier, and prohibits the creation
of longitudinal health records without the consent of the patient.

Activity in Washington on medical privacy is likely to accelerate in the
next few months. The Consumer Project on Technology is expected to
host a workshop in Washington, DC in early May on medical record
privacy.

A copy of the Medical Privacy Coalition's draft bill and more 
information on medical privacy is available at:

     http://www.epic.org/privacy/medical/

------------------------------

Date:    1 Apr 1996 16:26:22 -0500
From:    "Dave Banisar" <banisar@epic.org>
Subject: ACM/IEEE Letter on Crypto

                 Association For Computing Machinery
                     Office of US Public Policy
                     666 Pennsylvania Avenue SE
                              Suite 301
                      Washington, DC 20003 USA
              (tel) 202/298-0842 (fax) 202/547-5482

         Institute of Electronics and Electrical Engineers
                     United States Activities
                        1828 L Street NW
                              Suite 1202
                   Washington, DC 20036-5104 USA
              (tel) 202/785-0017 (fax) 202/785-0835

April 2, 1996

Honorable Conrad Burns
Chairman, Subcommittee on Science, Technology and Space
Senate Commerce, Science and Transportation Committee
US Senate SD-508
Washington, DC 20510

Dear Chairman Burns:

        On behalf of the nation's two leading computing and engineering 
associations, we are writing to support your efforts, and the efforts of 
the other cosponsors of the Encrypted Communications Privacy Act, to 
remove unnecessarily restrictive controls on the export of encryption 
technology.  The Encrypted Communications Privacy Act sets out the 
minimum changes that are necessary to the current export controls on  
encryption technology.  However, we believe that the inclusion of issues 
that are tangential to export, such as key escrow and encryption in 
domestic criminal activities, is not necessary.  The relaxation of 
export controls is of great economic importance to industry and users, 
and should not become entangled in more controversial matters.

        Current restrictions on the export of encryption technology harm 
the interests of the United States in three ways: they handicap American 
producers of software & hardware, prevent the development of a secure 
information infrastructure, and limit the ability of Americans using new 
online services to protect their privacy.  The proposed legislation will 
help mitigate all of these problems, though more will need to be done to 
assure continued US leadership in this important hi-tech sector.

        Technological progress has moved encryption from the realm of 
national security into the commercial sphere. Current policies, as well 
as the policy-making processes, should reflect this new reality. The 
legislation takes a necessary first step in shifting authority to the 
Commerce Department and removing restrictions on certain encryption 
products.  Future liberalization of export controls will allow Americans 
to excel in this market.

        The removal of out-dated restrictions on exports will also enable 
the creation of a Global Information Infrastructure sufficiently secure 
to provide seamless connectivity to customers previously unreachable by 
American companies.   The United States is a leader in Internet 
commerce.  However, Internet commerce requires cryptography.  Thus 
American systems have been hindered by cold-war restraints on the 
necessary cryptography as these systems have moved from the laboratory 
to the marketplace.  This legislation would open the market to secure, 
private, ubiquitous electronic commerce.  The cost of not opening the 
market may include the loss of leadership in computer security 
technologies, just at the time when Internet users around the world will 
need good security to launch commercial applications.

        For this legislation to fulfill its promise the final approval of 
export regulations must be based on analysis of financial and commercial 
requirements and opportunities, not simply on the views of experts in 
national security cryptography. Therefore, we urge you to look at ways 
to further relax restrictive barriers.

        Finally, the legislation will serve all users of electronic 
information systems by supporting the development of a truly global 
market for secure desktop communications.  This will help establish 
private and secure spaces for the work of users, which is of particular 
interest to the members of the IEEE/USA and the USACM.

        On behalf of both the USACM and the IEEE/USA we look forward 
to working with you on this important legislation to relax export 
controls and promote the development of a robust, secure, and reliable 
communications infrastructure for the twenty-first century.

        Please contact Deborah Rudolph in the IEEE Washington Office at 
(202) 785-0017 or Lauren Gelman in the ACM Public Policy Office at (202) 
298-0842 for any additional information.

                                                
                                                Sincerely,


                                                Barbara Simons, Ph.D.
                                                Chair, U.S. Public Policy
                                                Committee of ACM


                                                Joel B. Snyder, P.E.
                                                Vice President, Professional Activities and
                                                Chair, United States Activities Board

cc:     Members of the Subcommittee on 
        Science, Technology and Space

------------------------------

Date:    Wed, 27 Mar 1996 22:50:24 -0600
From:    shel@MTN.Org (Sheldon Mains)
Subject: Minnesota Online privacy bill in conference committee

The following online privacy option bill passed the full Minnesota State
House and is now in conference committee with a "study" passed
today by the State Senate.  The various interests, including major
commercial on-line services, woke up to the bill and found Senate members
to amend their version which was similar to the House's on the floor with
a short bill that would instead require study.

It is a pretty incredible story that the House bill (following after this
intro) has gotten so far without major attention.

Sheldon Mains
shel@mtn.org

You can track the legislation via the legislative WWW at:
        http://www.leg.state.mn.us

Here is the House bill:

H.F. No. 2816,   3rd Engrossment

  1.1                          A bill for an act
  1.2             relating to consumer privacy; regulating the use and
  1.3             dissemination of personally identifiable information
  1.4             on consumers of computer information services;
  1.5             amending Minnesota Statutes 1994, section 13.99, by
  1.6             adding a subdivision; proposing coding for new law as
  1.7             Minnesota Statutes, chapter 13D.
  1.8   BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
  1.9      Section 1.  Minnesota Statutes 1994, section 13.99, is
  1.10  amended by adding a subdivision to read:
  1.11     Subd. 116.  [CONSUMERS OF COMPUTER INFORMATION
  1.12  SERVICES.] Personally identifiable information on consumers of
  1.13  computer information services is governed by chapter 13D.
  1.14     Sec. 2.  [13D.01] [DEFINITIONS.]
  1.15     Subdivision 1.  [SCOPE.] The definitions in this section
  1.16  apply to this chapter.
  1.17     Subd. 2.  [CONSUMER.] "Consumer" means a person who agrees
  1.18  to pay a fee for access to an information service for personal,
  1.19  family, or household purposes.
  1.20     Subd. 3.  [ORDINARY COURSE OF BUSINESS.] "Ordinary course
  1.21  of business" means debt collection activities, order
  1.22  fulfillment, request processing, or the transfer of ownership.
  1.23     Subd. 4.  [PERSONALLY IDENTIFIABLE INFORMATION.]
  1.24  "Personally identifiable information" means information that:
  1.25     (1) identifies a person by physical or electronic address
  1.26  or telephone number;
  2.1      (2) identifies a person as having requested or obtained
  2.2   specific materials or services from an information service;
  2.3      (3) identifies internet sites visited by a person; or
  2.4      (4) identifies any of the contents of a subscriber's data
  2.5   storage devices.
  2.6      Subd. 5.  [INFORMATION SERVICE.] "Information service"
  2.7   means any person in the primary business of offering a
  2.8   capability for generating, acquiring, storing, transforming,
  2.9   processing, retrieving, utilizing, or making available
  2.10  information directly to or for a consumer via
  2.11  telecommunications, and includes electronic publishing, but does
  2.12  not include:
  2.13     (1) any service which is provided to business,
  2.14  professional, or commercial users;
  2.15     (2) any use of any such capability for the management,
  2.16  control, or operation of a telecommunications system or the
  2.17  management of a telecommunications service; or
  2.18     (3) any governmental entity.
  2.19     Subd. 6.  [TELECOMMUNICATIONS SERVICE.] "Telecommunications
  2.20  service" means the offering, on a common carrier basis, of
  2.21  telecommunications facilities, or of telecommunications by means
  2.22  of such facilities.  It does not include an information service.
  2.23     Sec. 3.  [13D.02] [LIMITS ON ACCESS TO CONSUMER'S
  2.24  PERSONALLY IDENTIFIABLE INFORMATION.]
  2.25     The information service may require from the consumer the
  2.26  following personally identifiable information for purposes of
  2.27  its ordinary course of business:  name, home telephone number,
  2.28  home address, and electronic address.  Any further consumer
  2.29  information provided shall be optional at the discretion of the
  2.30  consumer.
  2.31     Sec. 4.  [13D.03] [DISCLOSURE OF CONSUMER'S PERSONALLY
  2.32  IDENTIFIABLE INFORMATION.]
  2.33     Subdivision 1.  [DISCLOSURE PROHIBITED.] Except as provided
  2.34  in subdivisions 3 and 4, an information service who knowingly
  2.35  discloses, to any person other than the consumer, personally
  2.36  identifiable information concerning any consumer of the
  3.10  sections 2510 to 2521;
  3.11     (3) pursuant to a court order in a civil proceeding upon a
  3.12  showing of compelling need for the information that cannot be
  3.13  accommodated by other means; or
  3.14     (4) to a court in a civil action for conversion commenced
  3.15  by the information service or in a civil action to enforce
  3.16  collection of unpaid subscription fees or purchase amounts; and
  3.17  then only to the extent necessary to establish the fact of the
  3.18  subscription delinquency or purchase agreement, and with
  3.19  appropriate safeguards against unauthorized disclosure.
  3.20     Subd. 3.  [DISCLOSURE PERMITTED.] (a) An information
  3.21  service may disclose personally identifiable information
  3.22  concerning any consumer:
  3.23     (1) to the consumer;
  3.24     (2) to any person with the informed, documented consent of
  3.25  the consumer as provided in subdivision 4; or
  3.26     (3) to any person if the disclosure is incident to the
  3.27  ordinary course of business of the information service.
  3.28     (b) A telecommunications service may disclose published
  3.29  telephone numbers and physical addresses without the informed,
  3.30  documented consent of the consumer, if the telecommunications
  3.31  service provides consumers the alternative of an unpublished
  3.32  listing.
  3.33     Subd. 4.  [PROCEDURE FOR INFORMED, DOCUMENTED CONSENT OF
  3.34  CONSUMER.] (a) For purposes of subdivision 3, paragraph (a),
  3.35  clause (2), in order to obtain the informed documented consent
  3.36  of the consumer, the information service, before furnishing any
  4.1   information services, must offer the consumer an opportunity
  4.2   substantially conforming to the notice contained in this
  4.3   subdivision to refuse to have personally identifiable
  4.4   information disclosed.  The notice must be in an introductory
  4.5   portion of the information service's subscriber section with the
  4.6   title "Privacy Policy" or a title which conveys a similar
  4.7   meaning.  This notice applies to any membership, subscription,
  4.8   rental, or purchase agreement between the consumer and the
  4.9   information service and, must be completed by the consumer
  4.10  before service can be provided.  The notice must convey the
  4.11  substance of the following:
 4.12                          Privacy Policy
  4.13     This information service occasionally provides to marketers
  4.14  of goods and services, or organizations with similar goals,
  4.15  lists of the names, physical addresses, telephone numbers, and
  4.16  electronic addresses of consumers and material accessed or
  4.17  purchased by the consumer.  We respect the consumer's right not
  4.18  to have name, physical address, electronic address, or
  4.19  information regarding material accessed or purchased included in
  4.20  these lists.  This election may be changed by you the consumer
  4.21  at any time.
  4.22  -I do/do not object to the release of my name, telephone number,
  4.23  and physical address.
  4.24  -I do/do not object to the release of my name and electronic
  4.25  address.
  4.26  -I do/do not object to the release of my name and information
  4.27  about services I use, including internet sites visited, or
  4.28  information obtained or purchased by me.
  4.29  -I do/do not object to the release of my name and information
  4.30  about the contents of my computer's electronic storage device or
  4.31  devices, such as a hard disk drive.
  4.32  Full name:
  4.33  Account name:
  4.34  Electronic verification:
  4.35  Repeat electronic verification:
  4.36     (b) The information service shall provide the consumer or
  5.1   subscriber with a secured, verifiable account.  The information
  5.2   service shall be responsible for maintaining the security and
  5.3   privacy of a consumer's personally identifiable information
  5.4   concerning this account.
  5.5      Subd. 5.  [EXCLUSION FROM EVIDENCE.] Personally
  5.6   identifiable information obtained in any manner other than as
  5.7   provided in this section may not be received in evidence in any
  5.8   trial, hearing, arbitration, or other proceeding before any
  5.9   court, grand jury, officer, agency, regulatory body, legislative
  5.10  committee, or other authority of the state or any political
  5.11  subdivision.
  5.12     Subd. 6.  [DESTRUCTION OF INFORMATION.] A person subject to
  5.13  this section shall destroy personally identifiable information
  5.14  relating to the product, services, or information obtained or
  5.15  requested by a consumer, internet sites visited by the consumer,
  5.16  and the contents of the consumer's computer's electronic storage
  5.17  devices as soon as practicable, but no later than six months
  5.18  from the date the information is no longer necessary for the
  5.19  purpose for which it was collected, except that requests or
  5.20  orders for access to the information under this section pending
  5.21  at that time shall be completed before the information is
  5.22  destroyed.  Destruction of personally identifiable information
  5.23  includes electronic erasing or expungement.
  5.24     Sec. 5.  [13D.04] [ENFORCEMENT; CIVIL LIABILITY.]
  5.25     A consumer who prevails or substantially prevails in an
  5.26  action brought under sections 13D.01 to 13D.04 is entitled to a
  5.27  minimum of $500 in damages, regardless of the amount of actual
  5.28  damage provided, plus costs, disbursements, and reasonable
  5.29  attorney fees.
  5.30     Sec. 6.  [13D.05] [OTHER LAW.]
  5.31     This chapter does not limit any greater protection of the
  5.32  privacy of individual medical records or financial records
  5.33  provided by any other state or federal law.
  5.34     Sec. 7.  [13D.06] [APPLICATION.]
  5.35     This chapter applies to information services in the
  5.36  provision of services to customers in this state.

The Senate file as amended is SF 2454 (only pre-amended version is
currently online). It should soon be available from:

        http://www.leg.state.mn.us/

sheldon mains          coordinator, Minnesota E-Democracy
shel@mtn.org           URL:  http://freenet.msp.mn.us/govt/e-democracy

------------------------------

End of PRIVACY Forum Digest 05.08
************************



Copyright © 2005 Vortex Technology. All Rights Reserved.