PRIVACY Forum Archive Document
PRIVACY Forum Digest Wednesday, 13 May 1998 Volume 07 : Issue 09 Moderated by Lauren Weinstein (firstname.lastname@example.org) Vortex Technology, Woodland Hills, CA, U.S.A. http://www.vortex.com ===== PRIVACY FORUM ===== ------------------------------------------------------------------- The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, "internetMCI" (a service of the Data Services Division of MCI Telecommunications Corporation), Cisco Systems, Inc., and Telos Systems. - - - These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum. ------------------------------------------------------------------- CONTENTS Some PRIVACY Forum Miscellany (Lauren Weinstein; PRIVACY Forum Moderator) American Express Selling Customer Purchase Data (Lauren Weinstein; PRIVACY Forum Moderator) ID implants, anyone? (Brian Clapper) Mark of the beast (Phil Agre) Remotely tracked passports (Philip N. Gross) Woman tackles 'deadbeat-dad' glitches (Peter G. Neumann) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. All submissions should be addressed to "email@example.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "firstname.lastname@example.org". Mailing list problems should be reported to "email@example.com". All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com/". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access. ----------------------------------------------------------------------------- VOLUME 07, ISSUE 09 Quote for the day: "How extravagant you are throwing away women like that--one day they may be scarce!" -- Captain Louis Renault (Claude Rains) "Casablanca" (Warner Brothers; 1942) ---------------------------------------------------------------------- Date: Wed, 13 May 98 19:36 PDT From: firstname.lastname@example.org (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Some PRIVACY Forum Miscellany Greetings. A couple of unrelated topics as we begin today's digest... First, I wanted to take this opportunity to thank the numerous persons who have sent e-mail regarding the semi-regular commentaries on various "technology and society" issues that they've heard me doing on National Public Radio's "Morning Edition" program. Your e-mailed thoughts and comments regarding the commentaries are very much appreciated. It's clear that "Morning Edition" has a very broad audience of listeners who are really in-tune with these important issues! I should add that in my continuing efforts to provide information and venues for discussion on both issues of privacy and the other ways in which technology impacts society, I continue to make available a range of short and longer form audio newsfeatures and other program elements designed for radio broadcast use, especially in news and/or talk station environments. Any parties interested in learning more about these programs are invited to contact me directly for information. It has become increasingly clear that these issues are rising rapidly in importance in the popular consciousness--my goal as always is to foster both discussion and understanding of these issues in a manner that can be appreciated by as many folks as possible. Finally, my SPAM mail block list continues to grow, and there is increasing evidence that it is actually having a significant impact towards reducing the amount of SPAM entering this domain. The list is updated on a daily basis, and is available via: http://www.vortex.com/mailblock.html And now, back to the continuing privacy saga... --Lauren-- Lauren Weinstein Moderator, PRIVACY Forum http://www.vortex.com ------------------------------ Date: Wed, 13 May 98 11:30 PDT From: email@example.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: American Express Selling Customer Purchase Data Greetings. You hand over your American Express (AMEX) card to a merchant, and later walk away with your goodies. Not only have you just made a convenient purchase, but apparently you've also participated in a largescale marketing plan, where your purchase profiles will be cross-referenced through an external database and sold to outside parties for commercial use. Surprised? You don't recall giving permission for this sort of use of your purchase data? You're not alone. It's another example of business "data creep"--data that was collected for one purpose, being used for various different purposes, often without the knowledge or explicit permission of the customer party involved. It was recently reported that AMEX has entered into an agreement with KnowledgeBase Marketing to provide detailed purchase profiles to small businesses for marketing purposes. KnowledgeBase Marketing states that it gathers information from public sources, and reports indicate that the information can include everything from the value of your home to the ages of your children. AMEX would apparently be combining in your purchase profiles--reportedly not the specific purchases you made--but rather the detailed types of purchases. Perhaps you make frequent trips to Europe or buy lots of cat food. Your purchase history can be profiled down to very specific categories and targeted in a precise manner. While AMEX has stated that customers can choose to remove themselves ("opt-out") of the plan by writing to them, initial reports indicate that AMEX has not been planning to explicitly inform customers about this database/marketing effort or their options in regard to this plan. My reading of AMEX's policies about such issues on their web site suggests that this marketing plan would not explicitly violate the letter of those principles. As long as AMEX customers have been notified (presumably somewhere deep in the routine customer disclosure documents) that they can write in to opt-out from (unspecified) marketing plans, AMEX apparently considers them to be "on notice" for all future outside marketing efforts. However, by not being more explicit about notifying customers regarding specific marketing plans and partners, it would appear that AMEX is definitely not interested in making the opt-out option (writing a letter) particularly popular. And of course, it would apparently be unthinkable for AMEX to ask customers in advance if they wanted to participate in particular marketing efforts ("opt-in"). I've been attempting to get more information about this AMEX plan and their policies in this regard. However, my efforts to reach the AMEX Vice President who has been quoted about this marketing plan, have so far been unsuccessful. For a point of comparison, I contacted Visa International regarding their policies when it comes to customer information and received a prompt response. Visa International says that they themselves do not sell cardholder information to merchants, though individual members (e.g. card issuing banks) set their own policies regarding such matters, since the members themselves manage their relationships with their cardholders. This whole issue tends to again call into question the repeated claims from the marketing industry that "self-regulation" is sufficient to protect consumers, and that legislation to shield consumers from abuse of their purchase and other personal data is unnecessary. The best intentions of some business entities can be swamped by the more exploitive data management practices of less enlightened enterprises. So just say "charge it!" --Lauren-- Lauren Weinstein Moderator, PRIVACY Forum http://www.vortex.com ------------------------------ Date: Mon, 20 Apr 1998 09:30:13 -0400 (EDT) From: Brian Clapper <bmc@WillsCreek.COM> Subject: ID implants, anyone? The first page of section B of the Wall Street Journal, Monday, April 20, 1998, contains a story about electronic tags--radio frequency identification (RFID) technology that broadcasts arbitrary information. Not only is the technology used in many of the plastic anti-theft devices attached to merchandise, but its use in wrist bracelets is becoming very popular. The story discusses various new, "exciting" uses for such technology, including: - Keeping track of children in those temporary day care centers in supermarkets. - Keeping Alzheimer's patients from wandering astray in nursing homes. - Controlling who has access to office buildings, parking garages, etc. - Paying for auto fuel without using cash, credit or debit card (i.e., Mobil's Speedpass system, which I believe has been mentioned before in this forum). - Tracking medical information. According to the article, "[RFID devices] have even found their way into some breast implants to store information that doctors may need later." There are a few specific comments in the article that, while chilling, will come as no surprise to readers of the PRIVACY Forum. For example: - "Someday, a few RFID enthusiasts say, we may all have tags implanted under our skin. If so, the tags could zap data about us into computers, saving us from endlessly reciting our names, allergic reactions, and frequent-flier codes." - A property developer contracted with a security company to install an RFID security system in his office building; he uses the system to track computers and other office equipment, and to track employees. "`We had a cleaning lady who said that she worked all night,' he recalls, `and we know she left at 9:04 [pm]'". - The CEO of Sensormatic (Robert Vanourek) is hoping retailers will start using RFID for customer tracking, giving customers cards that can track not only what they purchase, but where they go in the store and how much time they spend at each location. At that point in the article, one encounters the only paragraph that even comes close to touching on the privacy concerns of this technology: "Wouldn't customers resent an electronic snoop? Sensormatic thinks they will get used to it, especially if they get more personalized service in return." Sadly, they're bound to be correct in that assumption. The article ends with a paragraph that asks the question: "While they're at it, why not implant ID tags in people?" That final paragraph does not contain one single sentence that acknowledges the dangers of this kind of monitoring; instead, it merely mentions Robert Vanourek's belief that "it will take time", but will eventually happen; and, he believes, the earlobes will make the perfect location for such implants. The article is decidedly enthusiastic about RFID technology; it fails to discuss, or even mention in passing, the frightening compromises to privacy and personal autonomy that become possible once this kind of technology has gained broad acceptance. Instead, it focuses entirely on the gee-whiz nature of the technology and on the wonderful conveniences it will bestow upon us. Maybe it's not as bad as I fear, though: Perhaps some entrepreneur will come along and devise portable Tempest technology for one's earlobes, wrists, and automobiles. Of course, by that time, such technology will have been outlawed in the interests of national security. Brian Clapper, bmc@WillsCreek.COM ------------------------------ Date: Sun, 3 May 1998 19:07:13 -0700 (PDT) From: Phil Agre <firstname.lastname@example.org> Subject: Mark of the beast According to the LA Times (Hilary E. MacGregor, Deputy sues to have his social security number removed, LA Times, 4/23/98, page A3), a Ventura County sheriff's deputy named Patrick Dain has filed a lawsuit against the county to delete his social security number from his records on account of his religious beliefs; he regards the SSN as the mark of the beast spoken of in Revelations 13:16. Although the county's deputy counsel reported reacting to the case with incredulity, in fact the article says that a Los Angeles County Superior Court judge ruled that the California Department of Motor Vehicles had to accommodate five men who refused to give the DMV their social security numbers on the same grounds. I am ambivalent. Folk beliefs like that particular construal of Revelations frequently include elements of truth, but I would not want to see all such beliefs given the weight of law. Phil Agre ------------------------------ Date: Fri, 08 May 1998 15:10:23 -0400 From: "Philip N. Gross" <email@example.com> Subject: Remotely tracked passports Last week's issue of the Far Eastern Economic Review (http://www.feer.com) had an article on Malaysia's new high-tech passports. These will have a chip and antenna embedded in the rear cover. In its 8K of encrypted memory, "the chip can store a digitized photograph, a thumb print, a digital signature and several pages of information about the passport's owner". Later in the same article they mention that the same company is planning to use the same technology for airline boarding passes, and an extra feature is revealed: "Yap says the hi-tech boarding passes also could be used to track passengers in the departure lounge. Airlines lose hundreds of millions of dollars a year because passengers miss their flights while they're busy shopping or eating. With chips in their boarding passes, laggard passengers could be quickly located (their movements would be picked up by electronic readers stationed throughout airports)." Finally (you can see this coming) plans are revealed for: "...Malaysia's new multipurpose smart card. This would merge several documents--the identity card carried by all Malaysians, a restricted passport for travel to Singapore, a driving licence and health data--into one card. The company is part of a consortium bidding to supply 14 million such cards." Unsurprisingly, among the other countries that have expressed interest in the technology are Indonesia, China, Syria, and Iran. Governments and others are offering "high-security" tamper-proof encrypted smart cards/passports, while playing down the fact that the carrier can be tracked remotely. Philip Gross firstname.lastname@example.org ------------------------------ Date: Mon, 4 May 1998 13:34:23 -0500 From: "Peter G. Neumann" <email@example.com> Subject: Woman tackles 'deadbeat-dad' glitches [ From Risks-Forum Digest; Volume 19 : Issue 73 -- PRIVACY Forum Moderator ] Danny Woodall was pursued by West Virginia for seven years because the state had falsely tagged him as a deadbeat dad, according to OSCAR, their $20M Online Support Collections and Receipts system. Finally, his wife Lisa implemented software that debunked OSCAR. She proved that the state actually owed her husband money. She has now started a company called Support Scrutiny to help out in other similar cases. In June 1997, a legislative audit found that almost one-third of the West Virginia Child Support Enforcement Division's files contained incorrect data. Those errors led the agency to wrongly collect about $1.7 million from 3,788 parents during the 1995-96 fiscal year, the auditors say. [Source: USA Today, 2 May 1998, PGN Abstracting] ------------------------------ End of PRIVACY Forum Digest 07.09 ************************
Vortex Technology Home Page
Copyright © 2005 Vortex Technology. All Rights Reserved.