|
PRIVACY Forum Archive Document
|
PRIVACY Forum Digest Sunday, 29 March 1998 Volume 07 : Issue 06
Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
http://www.vortex.com
===== PRIVACY FORUM =====
-------------------------------------------------------------------
The PRIVACY Forum is supported in part by
the ACM (Association for Computing Machinery)
Committee on Computers and Public Policy,
"internetMCI" (a service of the Data Services Division
of MCI Telecommunications Corporation),
Cisco Systems, Inc., and Telos Systems.
- - -
These organizations do not operate or control the
PRIVACY Forum in any manner, and their support does not
imply agreement on their part with nor responsibility
for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------
CONTENTS
Pacific Bell's Caller-ID Expansion
(Lauren Weinstein; PRIVACY Forum Moderator)
Bookstore Purchase Records in a "Starring" Role
(Lauren Weinstein; PRIVACY Forum Moderator)
Re: Satellite Surveillance (Derek Ziglar)
Lines drawn over privacy (Simson L. Garfinkel)
Medical Records Proposal Puts Privacy at Risk, ACLU Says
(Monty Solomon)
*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***
-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.
All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored. Excessive "signatures" on submissions are
subject to editing. Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com". Mailing list problems should be reported to
"list-maint@vortex.com".
All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations.
The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password. The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access. PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system. Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.
All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".
Access to PRIVACY Forum materials is also available through the Internet
World Wide Web (WWW) via the Vortex Technology WWW server at the URL:
"http://www.vortex.com"; full keyword searching of all PRIVACY Forum files
is available via WWW access.
-----------------------------------------------------------------------------
VOLUME 07, ISSUE 06
Quote for the day:
"If this picture doesn't make you scream and squirm,
you'd better see a psychiatrist--quick!"
-- "They Came From Within" [Trailer Voiceover]
(Trans-America; 1975)
----------------------------------------------------------------------
Date: Sat, 28 Mar 98 11:35 PST
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Pacific Bell's Caller-ID Expansion
Greetings. California telephone subscribers should take note that Pacific
Bell is currently engaged in a significant expansion of Caller-ID (CID)
services in the state. In particular, they are promoting their new services
which not only deliver the caller's number but the name associated with
that number as well, and "anonymous blocking" where incoming calls are blocked
unless name/number are delivered from CID-capable originating exchanges.
As always, if the calling subscriber has not either blocked the sending of
their number/name information on a per-call basis ("selective blocking") or
a full-time basis ("complete blocking"), the name and number information
will be sent and displayed even for unlisted or non-published numbers.
Of particular concern is Pacific Bells' apparent attempt to use this
expansion to try convince subscribers to switch from complete to selective
blocking, in advertising and discussions with their customer service
representatives, by suggesting that "selective blocking" is the ideal
choice. This is quite ironic, given that most California subscribers have
seemingly already opted for complete blocking (I've never been able to
obtain precise figures on this from Pacific Bell), and since complete
blocking can be overridden to send name/number information on a per-call
basis whenever the caller wishes.
So why would anyone possibly want selective blocking, which always sends name
and number unless you remember to block on a per-call basis? There
doesn't seem to be any possible benefit, except to Pacific Bell's attempt to
get more people to unblock and make their CID services more marketable, in a
state where most people apparently wish to keep their name and number
information private on their calls.
Some states have had name/number CID services for quite awhile; folks
in other states may wish to be on the lookout for similar expansions.
--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com
------------------------------
Date: Sat, 28 Mar 98 10:33 PST
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Bookstore Purchase Records in a "Starring" Role
Greetings. As has been discussed here in the PRIVACY Forum in the past, many
persons tend to assume that the information regarding purchases that they
make is private. In most cases this simply isn't true, and never has been.
Except in a few limited cases or by contractual agreement, purchase records
can normally be bought, sold, revealed, published--you name it, for both
commercial use and investigatory purposes. Interestingly, one of the few
types of purchases that generally now has some degree of protection is
videotape rental records--this came in the wake of the revelations about a
Supreme Court nominee's tape rental history.
Arguments can be and have been made on all sides of this issue, but recent
events in the continuing Monica Lewinsky investigation have recently brought
the topic to national attention. Within the last few days, Independent
Counsel Kenneth Starr was reported to have obtained Ms. Lewinsky's bookstore
purchase records. Seemingly immediately, the focus turned to one particular
purchase, a book supposedly about "phone sex." No information about any
other of her book purchases has apparently been "interesting" enough to reach
public attention.
If nothing else, this event is likely to further fan the flames of arguments
regarding the extent to which purchase record information should, or should
not, be available for various purposes in both the public and private sectors,
an issue largely unaddressed by current U.S. law.
--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com
------------------------------
Date: Mon, 16 Mar 1998 08:09:07 -0500
From: "Derek Ziglar" <dziglar@mindspring.com>
Subject: Re: Satellite Surveillance
In PRIVACY Forum Digest V07 #05, Bryan Costin <bcostin@ix.netcom.com> said:
> I found the "When is a Satellite Photo An Unreasonable Search" article quite
> interesting. But I find the distinction between sat imaging and standard
> airplane-based photos somewhat confusing. One is new, the other is old, but
> practically speaking they pretty much amount to the same thing.
Good point. But consider... the real privacy issue is the _justification_
for the search, not specific technique employed. The old way was notably
more expensive and required them to know just where they needed to search.
In essence, that involved a certain amount of due process of law -- they
needed reasonable suspicion in order to go to the effort and expense to
look. Following the American philosophy of 'presumed innocence,' your
privacy was not invaded without cause.
Your protections in this are came more from it being cost prohibitive rather
than being legally prohibited.
But now it is easy to do and at a low cost. Without new legal protections
(or judicial precedences), no longer is any due process-like justification
required. They can toss out one huge net and catch anything that may not
meet the letter of the law. In effect, you lose the presumption of
innocence.
------------------------------
Date: Wed, 18 Mar 1998 05:15:55 -0500
From: "Simson L. Garfinkel" <simsong@vineyard.net>
Subject: Lines drawn over privacy
03/05/98
By Simson L. Garfinkel
Nearly all Western European nations have data protection laws, which are
backed by commissioners who ensure neither government nor private companies
are overstepping their bounds when handling personal information.
Many businesses go further, with their own rules about respecting the
privacy of customers and employees. These rules are implemented by data
protection officers on the corporate payroll.
But in this country, major corporations and some lawmakers have worked for
more than 20 years to prevent the passage of general privacy legislation.
With so much personal information unprotected, it's only natural for us to
experience a ''privacy Pearl Harbor'' every couple years. For example, in
1988 a Washington newspaper obtained the videocassette rental records of
Judge Robert Bork. Worried about their own privacy, lawmakers passed the
Video Privacy Protection Act, which made it illegal for video stores to
distribute this information.
As a result of that and other incidents, we now have a patchwork of state
and federal privacy statutes. But most personal information remains
unprotected.
In the United States today there is nothing to stop a big pharmacy chain
from taking information it has on prescription medications and contracting
with a direct marketer to remind customers to buy medications - a practice
CVS ceased last month after it was revealed in news reports.
You can't legally prohibit newspapers or magazines from selling your name
to people who want to send you junk mail. And nothing prevents your
supermarket from selling a list of the groceries you rolled through the
checkout line.
In this era of increasing globalization, the European and US privacy
protection regimes are fundamentally in conflict. And while a battle has
been brewing for years, the first shots in an all-out war between the
continents on personal privacy might be just about seven months away.
On Oct. 25, the European Commission's privacy directive governing
''Transborder Flows of Personal Data'' will become law for European Union
member countries. Adopted in 1995 by the EU Parliament, this directive
prohibits companies in the EU from transmitting personal data to other
countries that do not abide by a specified list of data protection
standards. Surprisingly, the privacy directive has received little
attention in the United States, but that could change soon.
The directive's scope is breathtaking. ''Personal data would include
medical data, credit card records, employee records, airline
reservations,'' and even invoices for mail-order products, says Deborah
Hurley, director of Harvard's Information Infrastructure Project, who has
studied the directive for years.
Furthermore, the directive has a number of extraterritorial provisions that
apply to American businesses when their customers are in Europe. Companies
that collect information on European citizens over their World Wide Web
sites might be found in violation of European law, just as European
companies doing business in Cuba can be found in violation of certain US
laws.
Many American businesses and lawmakers throw up their hands before questions
of privacy, asking, ''How can privacy coexist with free speech?'' Europeans
have been thinking about these issues for more than 20 years. For the most
part, they shake their heads at our ill-informed debates. Of course privacy
laws restrict free speech. So do laws that govern copyright, defamation,
libel, and national security. In a civilized society, both privacy and free
speech are important values.
Europeans see little reason to rehash these debates. Many feel that
Americans, after inventing the idea of data protection in the 1970s, have
given up their right to privacy in the computer age. Europeans do not wish
to follow in our footprints.
Will the Europeans actually make good on their threat and cut the flow of
data or levy fines against US companies? ''This is the international
privacy question at the moment,'' says Hurley.
In recent months Hurley has been asked this question again and again by the
Clinton administration, regulators, and US executives. After spending years
in Paris working for the Organization for Economic Cooperation and
Development on issues of privacy, cryptography, and intellectual property,
she is regarded as one of this country's leading authorities on how European
governments view these issues.
But even Hurley doesn't know the answer. In part, that's because the
Europeans haven't decided themselves.
''The Europeans are serious about it,'' says Hurley. They could start by
levying fines against US firms that violate the privacy of European
citizens.
''On one side of the balance is the fact that this would be to the economic
disadvantage of the Europeans,'' says Hurley. ''It would clog or stop
transactions that are beneficial to their economy as well. On the other
side is the strongly held belief that a citizen of an EU country enjoys
protection of his or her data and privacy, by law.''
One reason the Europeans shouldn't trust us is that we have no federal
commission or official charged with protecting personal privacy. ''There is
an international meeting of Data Protection Commissioners... every year,''
says Hurley. The group just had its 19th meeting. ''The US does not have a
seat at the table.''
Many US firms might argue it's too difficult or expensive to honor
individual privacy. But Hurley says these arguments ring hollow. ''IBM
operates in Europe. American Express operates in Europe. American Airlines
operates in Europe. In order to do that, they are already complying with
European data protection laws. They know how to do it. And they are doing
it.''
They just aren't doing it on this side of the Atlantic.
The complete text of the EU's privacy directive is at
http://www2.echo.lu/legal/en/
Technology writer Simson L. Garfinkel can be reached at
plugged-in@simson.net, and runs the SIMSON-SAYS mailing list, which reprints
his Globe columns. Send "subscribe SIMSON-SAYS" to majordomo@vineyard.net
to subscribe.
------------------------------
Date: Fri, 27 Mar 1998 02:46:54 -0500
From: Monty Solomon <monty@roscom.COM>
Subject: Medical Records Proposal Puts Privacy at Risk, ACLU Says
Excerpt from ACLU News 03-25-98
-----
Medical Records Proposal
Puts Privacy at Risk, ACLU Says
FOR IMMEDIATE RELEASE
Tuesday, March 24, 1998
WASHINGTON -- With a House panel opening hearings on medical records
confidentiality, the American Civil Liberties Union today denounced the
newest medical records proposal, saying it would license the widespread
disclosure of personal medical information held by doctors, hospitals,
employers and others.
The new proposal -- drafted by Republican Senators Robert Bennett of
Utah and Jim Jeffords of Vermont -- would place virtually no restriction
on the disclosure of personal medical records by health care providers,
public health agencies and state health care databases. It would allow
law enforcement agencies easy access to browse computerized medical
records, making every citizen's medical records part of a new massive
law enforcement database, and preempt state laws that granted more
protection to confidential medical records.
"This proposal serves only the interests of the burgeoning health care
industry," said John Roberts, Executive Director of the ACLU of
Massachusetts, which has closely monitored the various medical records
proposals.
"Senators Bennett and Jeffords would allow the transfer of our medical
records to many organizations that stand to profit from the
information," Roberts said. "Doctor-patient confidentiality would be
destroyed as even employers would have access to any of our medical
records without our knowledge or consent."
ACLU Legislative Counsel Solange Bitol, who is following the issue in
Washington, agreed. "This proposal purports to be a privacy bill," she
said. "But it is, in fact, just the opposite. Once personal information
is collected for one purpose, the temptation to use it for others is
often irresistible."
The Bennett-Jeffords proposal is just the latest twist in increasingly
complicated maneuvering by Congress, the Clinton Administration,
scientists, major businesses and privacy advocates over medical records
and who should have access to individual data. The hearing today before
the House Ways and Means Committee is the latest addition to the fray.
The battle began with the passage of "Administrative Simplification," a
little-known amendment to the 1996 Health Insurance and Portability Act.
The Act requires the federal Department of Health and Human Services to
make medical privacy recommendations to Congress. If Congress fails to
pass privacy legislation within three years, HHS can establish binding
rules. Under the 1996 law, states can, however, provide greater privacy
protections for their residents.
Currently, the ACLU said, the United States has no coherent, consistent
privacy policy. "What we have is an ad hoc collection of laws that
protect movie rentals, books we check out at libraries, and cable
television records, but do not protect the far more sensitive medical,
insurance or employment records," Bitol said.
Last September, HHS Secretary Donna Shalala offered recommendations that
the ACLU and other privacy advocates said opened medical records to
abuses by government and private agencies. Even before the
administration weighed in, various members of Congress had offered
conflicting proposals.
According to an ACLU of Massachusetts analysis, the new Jeffords-Bennett
proposal -- which has yet to be introduced -- would also:
Impose requirements that patients sign blanket consent forms for release
of information as a condition of getting treatment, even for self-pay
patients. Redefine the notion of "treatment" to make the patient's
record a subject of continuous research. Blur the boundaries between
individual patient care and so-called "Population Management" and
"Disease System Management." Pre-empt all state laws that may be more
protective of the confidentiality of medical records.
The ACLU reiterated its belief that to provide true protection for
medical records privacy, the federal government must:
Set a foundation or floor of privacy protection. Prohibit "unique
patient identification numbers." Block electronic "linkage" of patient
records stored in various databases. Encrypt computerized patient
records with keys provided only to those directly involved in the
individual patient care. Protect the right of the individual patient to
contract directly with physicians and health care providers regarding
the privacy of the patient's medical records.
"Our bottom line," Bitol said, "is that individual privacy interests
must prevail over industry and other economic interests."
------------------------------
End of PRIVACY Forum Digest 07.06
************************
Copyright © 2005 Vortex Technology. All Rights Reserved.