PRIVACY Forum Archive Document

PRIVACY Forum Home Page

PFIR - "People For Internet Responsibility" Home Page

Vortex Technology Home Page


PRIVACY Forum Digest      Wednesday, 13 May 1998      Volume 07 : Issue 09

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                         http://www.vortex.com 
        
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
          "internetMCI" (a service of the Data Services Division         
                  of MCI Telecommunications Corporation), 
                  Cisco Systems, Inc., and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
        Some PRIVACY Forum Miscellany 
           (Lauren Weinstein; PRIVACY Forum Moderator)
        American Express Selling Customer Purchase Data
           (Lauren Weinstein; PRIVACY Forum Moderator)
        ID implants, anyone? (Brian Clapper)
        Mark of the beast (Phil Agre)
        Remotely tracked passports (Philip N. Gross)
        Woman tackles 'deadbeat-dad' glitches (Peter G. Neumann)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".  

Access to PRIVACY Forum materials is also available through the Internet
World Wide Web (WWW) via the Vortex Technology WWW server at the URL:
"http://www.vortex.com"; full keyword searching of all PRIVACY Forum files
is available via WWW access.
-----------------------------------------------------------------------------

VOLUME 07, ISSUE 09

   Quote for the day:

        "How extravagant you are throwing away 
         women like that--one day they may be scarce!"
        
                -- Captain Louis Renault (Claude Rains)
                   "Casablanca" (Warner Brothers; 1942)

----------------------------------------------------------------------

Date:    Wed, 13 May 98 19:36 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Some PRIVACY Forum Miscellany

Greetings.  A couple of unrelated topics as we begin today's digest...

First, I wanted to take this opportunity to thank the numerous persons who
have sent e-mail regarding the semi-regular commentaries on various
"technology and society" issues that they've heard me doing on National
Public Radio's "Morning Edition" program.  Your e-mailed thoughts and
comments regarding the commentaries are very much appreciated.  It's clear
that "Morning Edition" has a very broad audience of listeners who are really
in-tune with these important issues!

I should add that in my continuing efforts to provide information and venues
for discussion on both issues of privacy and the other ways in which
technology impacts society, I continue to make available a range of short
and longer form audio newsfeatures and other program elements designed for
radio broadcast use, especially in news and/or talk station environments.
Any parties interested in learning more about these programs are invited to
contact me directly for information.  It has become increasingly clear that
these issues are rising rapidly in importance in the popular
consciousness--my goal as always is to foster both discussion and
understanding of these issues in a manner that can be appreciated by as many
folks as possible.

Finally, my SPAM mail block list continues to grow, and there is increasing
evidence that it is actually having a significant impact towards reducing
the amount of SPAM entering this domain.  The list is updated on a daily
basis, and is available via:

http://www.vortex.com/mailblock.html

And now, back to the continuing privacy saga...

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date:    Wed, 13 May 98 11:30 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: American Express Selling Customer Purchase Data

Greetings.  You hand over your American Express (AMEX) card to a merchant,
and later walk away with your goodies.  Not only have you just made a
convenient purchase, but apparently you've also participated in a largescale
marketing plan, where your purchase profiles will be cross-referenced
through an external database and sold to outside parties for commercial use.

Surprised?  You don't recall giving permission for this sort of use of your
purchase data?  You're not alone.  It's another example of business 
"data creep"--data that was collected for one purpose, being used for various
different purposes, often without the knowledge or explicit permission of
the customer party involved.

It was recently reported that AMEX has entered into an agreement with
KnowledgeBase Marketing to provide detailed purchase profiles to small
businesses for marketing purposes.

KnowledgeBase Marketing states that it gathers information from public
sources, and reports indicate that the information can include everything
from the value of your home to the ages of your children.  AMEX would
apparently be combining in your purchase profiles--reportedly not the
specific purchases you made--but rather the detailed types of purchases.
Perhaps you make frequent trips to Europe or buy lots of cat food.  Your
purchase history can be profiled down to very specific categories and
targeted in a precise manner.

While AMEX has stated that customers can choose to remove themselves
("opt-out") of the plan by writing to them, initial reports indicate that
AMEX has not been planning to explicitly inform customers about this
database/marketing effort or their options in regard to this plan.

My reading of AMEX's policies about such issues on their web site suggests
that this marketing plan would not explicitly violate the letter of those
principles.  As long as AMEX customers have been notified (presumably
somewhere deep in the routine customer disclosure documents) that they can
write in to opt-out from (unspecified) marketing plans, AMEX apparently
considers them to be "on notice" for all future outside marketing efforts.

However, by not being more explicit about notifying customers regarding
specific marketing plans and partners, it would appear that AMEX is
definitely not interested in making the opt-out option (writing a letter)
particularly popular.  And of course, it would apparently be unthinkable for
AMEX to ask customers in advance if they wanted to participate in particular
marketing efforts ("opt-in").

I've been attempting to get more information about this AMEX plan and their
policies in this regard.  However, my efforts to reach the AMEX Vice
President who has been quoted about this marketing plan, have so
far been unsuccessful.

For a point of comparison, I contacted Visa International regarding their
policies when it comes to customer information and received a prompt
response.  Visa International says that they themselves do not sell
cardholder information to merchants, though individual members (e.g. card
issuing banks) set their own policies regarding such matters, since the
members themselves manage their relationships with their cardholders.

This whole issue tends to again call into question the repeated claims from
the marketing industry that "self-regulation" is sufficient to protect
consumers, and that legislation to shield consumers from abuse of their
purchase and other personal data is unnecessary.  The best intentions of
some business entities can be swamped by the more exploitive data management
practices of less enlightened enterprises.

So just say "charge it!"

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date:    Mon, 20 Apr 1998 09:30:13 -0400 (EDT)
From:    Brian Clapper <bmc@WillsCreek.COM>
Subject: ID implants, anyone?

The first page of section B of the Wall Street Journal, Monday, April 20,
1998, contains a story about electronic tags--radio frequency identification
(RFID) technology that broadcasts arbitrary information. Not only is the
technology used in many of the plastic anti-theft devices attached to
merchandise, but its use in wrist bracelets is becoming very popular. The
story discusses various new, "exciting" uses for such technology, including:

- Keeping track of children in those temporary day care centers in
  supermarkets.
- Keeping Alzheimer's patients from wandering astray in nursing homes.
- Controlling who has access to office buildings, parking garages, etc.
- Paying for auto fuel without using cash, credit or debit card (i.e.,
  Mobil's Speedpass system, which I believe has been mentioned before
  in this forum).
- Tracking medical information. According to the article, "[RFID devices]
  have even found their way into some breast implants to store information
  that doctors may need later."

There are a few specific comments in the article that, while chilling, will
come as no surprise to readers of the PRIVACY Forum. For example:

- "Someday, a few RFID enthusiasts say, we may all have tags implanted
  under our skin. If so, the tags could zap data about us into computers,
  saving us from endlessly reciting our names, allergic reactions, and
  frequent-flier codes."
- A property developer contracted with a security company to install an
  RFID security system in his office building; he uses the system to track
  computers and other office equipment, and to track employees. "`We had
  a cleaning lady who said that she worked all night,' he recalls, `and we
  know she left at 9:04 [pm]'".
- The CEO of Sensormatic (Robert Vanourek) is hoping retailers will start
  using RFID for customer tracking, giving customers cards that can track
  not only what they purchase, but where they go in the store and how much
  time they spend at each location. At that point in the article, one
  encounters the only paragraph that even comes close to touching on the
  privacy concerns of this technology: "Wouldn't customers resent an
  electronic snoop? Sensormatic thinks they will get used to it,
  especially if they get more personalized service in return."  Sadly,
  they're bound to be correct in that assumption.

The article ends with a paragraph that asks the question: "While they're at
it, why not implant ID tags in people?" That final paragraph does not
contain one single sentence that acknowledges the dangers of this kind of
monitoring; instead, it merely mentions Robert Vanourek's belief that "it
will take time", but will eventually happen; and, he believes, the earlobes
will make the perfect location for such implants.

The article is decidedly enthusiastic about RFID technology; it fails to
discuss, or even mention in passing, the frightening compromises to privacy
and personal autonomy that become possible once this kind of technology has
gained broad acceptance. Instead, it focuses entirely on the gee-whiz
nature of the technology and on the wonderful conveniences it will bestow
upon us.

Maybe it's not as bad as I fear, though: Perhaps some entrepreneur will
come along and devise portable Tempest technology for one's earlobes,
wrists, and automobiles. Of course, by that time, such technology will have
been outlawed in the interests of national security.

Brian Clapper, bmc@WillsCreek.COM

------------------------------

Date:    Sun, 3 May 1998 19:07:13 -0700 (PDT)
From:    Phil Agre <pagre@weber.ucsd.edu>
Subject: Mark of the beast

According to the LA Times (Hilary E. MacGregor, Deputy sues to have
his social security number removed, LA Times, 4/23/98, page A3), a
Ventura County sheriff's deputy named Patrick Dain has filed a lawsuit
against the county to delete his social security number from his
records on account of his religious beliefs; he regards the SSN as
the mark of the beast spoken of in Revelations 13:16.  Although the
county's deputy counsel reported reacting to the case with incredulity,
in fact the article says that a Los Angeles County Superior Court
judge ruled that the California Department of Motor Vehicles had to
accommodate five men who refused to give the DMV their social security
numbers on the same grounds.  I am ambivalent.  Folk beliefs like that
particular construal of Revelations frequently include elements of
truth, but I would not want to see all such beliefs given the weight
of law.

Phil Agre

------------------------------

Date:    Fri, 08 May 1998 15:10:23 -0400
From:    "Philip N. Gross" <png3@columbia.edu>
Subject: Remotely tracked passports

Last week's issue of the Far Eastern Economic Review (http://www.feer.com)
had an article on Malaysia's new high-tech passports.  These will have a
chip and antenna embedded in the rear cover.  In its 8K of encrypted
memory, "the chip can store a digitized photograph, a thumb print, a
digital signature and several pages of information about the passport's
owner".

Later in the same article they mention that the same company is planning to
use the same technology for airline boarding passes, and an extra feature
is revealed:

"Yap says the hi-tech boarding passes also could be used to track
passengers in the departure lounge. Airlines lose hundreds of millions of
dollars a year because passengers miss their flights while they're busy
shopping or eating. With chips in their boarding passes, laggard passengers
could be quickly located (their movements would be picked up by electronic
readers stationed throughout airports)."

Finally (you can see this coming) plans are revealed for:

"...Malaysia's new multipurpose smart card. This would merge several
documents--the identity card carried by all Malaysians, a restricted
passport for travel to Singapore, a driving licence and health data--into
one card. The company is part of a consortium bidding to supply 14 million
such cards."

Unsurprisingly, among the other countries that have expressed interest in
the technology are Indonesia, China, Syria, and Iran.

Governments and others are offering "high-security" tamper-proof encrypted
smart cards/passports, while playing down the fact that the carrier can be
tracked remotely.

Philip Gross
png3@columbia.edu

------------------------------

Date: Mon, 4 May 1998 13:34:23 -0500
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Woman tackles 'deadbeat-dad' glitches 

    [ From Risks-Forum Digest; Volume 19 : Issue 73
                             -- PRIVACY Forum Moderator ]

Danny Woodall was pursued by West Virginia for seven years because the state
had falsely tagged him as a deadbeat dad, according to OSCAR, their $20M
Online Support Collections and Receipts system.  Finally, his wife Lisa
implemented software that debunked OSCAR.  She proved that the state
actually owed her husband money.  She has now started a company called
Support Scrutiny to help out in other similar cases.  In June 1997, a
legislative audit found that almost one-third of the West Virginia Child
Support Enforcement Division's files contained incorrect data.  Those errors
led the agency to wrongly collect about $1.7 million from 3,788 parents
during the 1995-96 fiscal year, the auditors say.  [Source: USA Today, 2
May 1998, PGN Abstracting]

------------------------------

End of PRIVACY Forum Digest 07.09
************************


PRIVACY Forum Home Page

Vortex Technology Home Page

Copyright © 2005 Vortex Technology. All Rights Reserved.