
PRIVACY Forum Digest      Saturday, 16 January 1999      Volume 08 : Issue 02

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                         http://www.vortex.com 
        
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
                 Cable & Wireless USA, Cisco Systems, Inc., 
                           and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
        Signatures in E-Mail (Lauren Weinstein; PRIVACY Forum Moderator)
        Law Enforcement Access to Supermarket "Club" Data
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Pacific Bell's Caller ID Push (Conrad Heiney)
        Privacy Discussions Classified as a "Criminal Skill" (Marcus de Geus)
        A New Concept in Privacy Invasion (Carlos A. Alvarez)
        Re: Arrest puts jury-selection form on trial (Billy Harvey)
        Harmful changes to Wassenaar Arrangement (Monty Solomon)
        Report on the implementation of the "Adequacy" provisions
           of the EU Data Protection Directive (Colin Bennett)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the list server system.  Please follow the instructions above
for getting the list server  "help" information, which includes details
regarding the "index" and "get" list server commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 08, ISSUE 02

     Quote for the day:
         
           "I make death into a game for people like you 
            to get thrilled about."

                Professor Groeteschele (Walter Matthau)
                "Fail-Safe" (Columbia; 1964)
                
----------------------------------------------------------------------

Date:    Sat, 16 Jan 99 09:54 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Signatures in E-Mail

Greetings.  An enterprising firm, currently receiving considerable
publicity, believes it has solved the "problem" of people not being able to
include their familiar written signatures in e-mail.  Presumably oriented
towards persons not possessing a scanner (or functioning neurons in their
brains) they'll set it all up for you, all at no charge for a limited time.
Step one: fax them your signature...

And they said Vaudeville was dead.

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date:    Sat, 16 Jan 99 11:09 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Law Enforcement Access to Supermarket "Club" Data

Greetings.  It appears that the practice of supermarket purchase data being
made available for investigatory purposes may be going mainstream.  In one
recent case, a major national chain admitted that it had provided "club card"
purchase information, under subpoena, to investigators (in a drug
enforcement case) who wanted to know if a particular person had bought large
numbers of plastic garbage bags.  Apparently such purchases may be an
indication of involvement with illicit drugs (or, perhaps, lots of deciduous
trees in the backyard?  Are garbage bags classified as a "dual use"
technology?)

I believe it would certainly be inappropriate to fault the supermarket for
complying with the subpoena.  But a more fundamental question revolves
around what happens if such investigatory practices continue to spread.
Will supermarket and credit card records be subpoenaed in civil cases, such
as divorce settlement suits?  Did the spouse buy a lot of booze?  Racy
books?  Whip cream?  Brightly colored prophylactics?  

In the absence of laws setting down standards for how incidental
transactional purchase data are protected in different situations, abuses are
sure to occur.  The problem will only get worse as more persons are lured
into providing additional data about their purchases and web browsing habits
in exchange for free e-mail accounts, discount airline tickets, twenty cents
off on a jar of mayo, or any number of other goodies.

Vacuum does not make for good law.

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date: Wed, 30 Dec 1998 08:49:52 -0800 (PST)
From: Conrad Heiney <conrad@fringehead.org>
Subject: Pacific Bell's Caller ID Push

I received a call from a hapless telemarketer yesterday. His pitch was that
he was making a courtesy customer service call to "let you know about an
upgrade in your area". The "upgrade", of course, was to change our line from
complete blocking to selective blocking of Caller ID.

Some things about this call were interesting. He never used the phrase
"Caller ID". He just kept talking about "selective blocking" and how it was
better than "complete blocking". In fact, when I told him that we didn't
want Caller ID he said "This isn't caller ID, it's just selective blocking."
Second, it wasn't at all clear that there was an option to refuse the
"upgrade". When I explicitly said that I didn't want the change made, he
agreed, but I have no idea what would have happened if I hadn't very
strenuously objected. Finally, the pitch was that I would find it more
convenient because, in his words "so many people are now blocking calls if
this isn't done".

I'm not sure what the fine line legal details of this call would be; perhaps
if I just said "ok" or "yes" sometime during the conversation my service
would have been switched? 

The whole way this call was handled certainly violates the spirit of the law;
who knows about the letter.

Thanks again for your Privacy Forum; it's an invaluable resource and I look
forward to each mailing.

Best,

Conrad

Conrad Heiney
conrad@fringehead.org
http://fringehead.org

          [ I contacted John Britton, Pacific Bell's media relations
            representative, with whom I've had prior discussions regarding
            these sorts of issues.  We had another couple of long
            chats.  The call you received was apparently made by
            a third party telemarketing firm under contract
            to Pacific Bell/SBC Communications.  He obtained copies
            of the telemarketing scripts involved, which he says
            do not contain language of that misleading sort (though
            they are clearly very much oriented towards trying
            to convince people to dump their complete blocking choice).

            I've asked him to look into the issue of what sorts of financial
            incentives individual telemarketers, or that outside firm
            itself, might have that could potentially cause them to "stray"
            from the script in order to apply additional pressure to
            customers to encourage their switching.  I hope to have
            information about this soon.

            Given this use of telemarketers by PacBell to promote caller-ID
            services, I couldn't help mentioning to John my "amusement" at
            the latest round of PacBell caller-ID television ads.  These
            portray a number of telemarketers, and suggest caller-ID as a
            way to block them (which, as we know, is highly problematical).
            The irony is impossible to ignore.  

               -- PRIVACY Forum Moderator ]

------------------------------

Date:    Mon, 21 Dec 1998 08:33:00 GMT
From:    Marcus de Geus <marcus@degeus.com>
Subject: Privacy Discussions Classified as a "Criminal Skill".

On reading Lauren Weinstein's contribution on the (lack of) accuracy of
web software filtering systems, the first question that occurred to me,
particularly in view of the fact that the classification itself remains
the work of people, not an automated system, was to what extent such a
system might be (is?) susceptible to criminal tampering.

Consider the following scenario. Party X wishes to hinder access to a
web site belonging to a competitor, Party Y. One method would be to
approach the people making the decisions on which sites to include in
the blocking lists of the web filtering software and convince them that
it would be to their advantage to include the web site of Party Y. This
would render it impossible for any users (sufferers?) of the affected
web filtering software to gain access to said web site, and in the
process would cast serious doubt on the trustworthiness of Party Y,
which would be represented as a purveyor of "criminal skills" (or any
other category of Party X's choosing, provided it is/can be included in
the blocking software).

Which brings up another question: does the current system (i.e.
selection by people) include any form of peer review by the selectors
themselves? If not, the scenario outlined above would be extremely
simple to set up.

And another question springs to mind: since the occurrence of the above
scenario (i.e. the use of "criminal skills") would be extremely
difficult to disprove, should not the purveyors of the blocking lists
themselves be included in the blocking lists? <g>

Regards,

Marcus de Geus
marcus@degeus.com
http://www.degeus.com

------------------------------

Date:    Sun, 10 Jan 1999 12:11:07
From:    "Carlos A. Alvarez" <carlos@theriver.com>
Subject: A New Concept in Privacy Invasion

I was shocked today to discover a whole new concept in online privacy
invasion.  The Costco Wholesale web site (formerly Price Club) will not
allow ANY viewing unless you accept their cookies.  I was sent to a page
telling me how to enable them, and how great they are.

I sent them an e-mail letting them know how much this practice disgusted
me, and that I would not be visiting their site.  My visit was made so I
could see their hours and whether they carried a certain type of product.
That's a sale that will go to a merchant who wants my business (and private
web traffic).

        [ Cookies are of course not a new concept, but it does appear that
          Costco may have broken some new ground.  I checked out this site
          and found that, indeed, you cannot even access their home page
          with cookies disabled.  Instead you receive (as of the date I
          write this) a text-only page (with a Costco URL) that doesn't even
          contain the text "Costco" within the page text.  Since I first
          checked, the page has changed--now it's displaying apparently the
          same text (at least on my browser) but in tiny little print.  A
          link on the page leads to the usual benign descriptions of cookies
          (only mention the positive!) and a discussion of Costco's 
          data collection practices.

          While there are obviously many sites that use cookies for various
          display and control purposes (and the wisdom of this can be
          considered separately for any given case) I've never run across a
          site before that wouldn't even let you see their home page unless
          you were cookie-friendly.  For an enterprise like Costco to do this
          certainly doesn't seem likely to engender much good will among
          customers, or potential customers.  Whether it's arrogance or
          cluelessness, the effect is really the same.

             -- PRIVACY Forum Moderator ]

------------------------------

Date:    Mon, 21 Dec 1998 18:37:23 -0500 (EST)
From:    Billy Harvey <Billy.Harvey-Privacy@thrillseeker.net>
Subject: Re: Arrest puts jury-selection form on trial

Bill Fason writes:
 > On November 10, 1998, a potential juror in a capital murder case in was
 > held in contempt, jailed for 30 days, and fined $500.00 for refusing to
 > answer a jury questionnaire.  
 ...
 > As the fully informed jury movement picks up steam, I am willing to bet
 > that in the coming years we will see more and more jury questionnaires
 > designed to help prosecutors ferret out citizens who understand the true
 > power of juries to judge both the facts and the law.

A book I recently read put forth the idea of having professional
jurors.  I had personally never heard of the idea before, but the
concept began to make a lot of sense when I thought about it.  The use
of a professional juror would alleviate problems such as I read about
after the O.J. trial when one juror said they (as a group) did not
understand what DNA testing meant so the data presented to them was
not properly considered.  Professions normally entail some type of
national standardized testing, written by members held in some esteem
by their peers (I am thinking along the lines of a Professional
Engineer).  This would imply a sufficient intelligence to at least
follow the presentation of evidence, and good problem solving skills.

Removing the supposed right (where did that idea ever come from
anyway?) of attorneys and jury-pickers to cull juries for appropriate
selections would remove any violations of privacy.  Jurors would
normally work some distance away from their residences, and their
identities could be kept secret from all involved except the judge who
could verify credentials, etc.  Attempting to ferret out information
about jurors could be considered along the lines of contempt of court,
or worse if mandated.

Better, faster, cheaper?

Billy

------------------------------

Date:    Fri, 18 Dec 1998 19:53:11 -0500
From:    Monty Solomon <monty@roscom.COM>
Subject: Harmful changes to Wassenaar Arrangement

FYI, from the IETF Secretariat.

Subject: Harmful changes to Wassenaar Arrangement
Date: Fri, 18 Dec 1998 18:15:36 -0500
From: Steve Coya <scoya@ns.cnri.reston.va.us>

The IAB and the IESG deplore the recent changes to the Wassenaar
Arrangement (http://www.wassenaar.org) that further limit the
availability of encryption software by including it in the Wassenaar
agreement's list of export controlled software (section 5.A.2.a.1
of the list of dual-use goods, WA LIST 98 (1)).  As discussed in
RFC 1984, strong cryptography is essential to the security of the
Internet; restrictions on its use or availability will leave us
with a weak, vulnerable network, endanger the privacy of users and
businesses, and slow the growth of electronic commerce.

The new restrictions will have a particularly deleterious effect
on smaller countries, where there may not be enough of a local
market or local expertise to support the development of indigenous
cryptographic products.  But everyone is adversely affected by
this; the Internet is used world-wide, and even sites with access
to strong cryptographic products must be able to talk to those who
do not.  This in turn endangers their own security.

We are happy that the key size limit has been raised in some cases
from 40 bits to 64; however, this is still too small to provide
real security.  We estimate that after a modest capital investment,
a company or criminal organization could crack a 64-bit cipher in less
than a day for about $2500 per solution.  This cost will only drop
in coming years.  A report released about three years ago suggested
that 90-bit keys are the minimum for long-term security.

   Brian Carpenter (IAB Chair)
   Fred Baker (IESG and IETF Chair)

------------------------------

Date:    Wed, 13 Jan 1999 09:38:59 -0800
From:    "Colin Bennett" <cjb@uvic.ca>
Subject: Report on the implementation of the "Adequacy" provisions
         of the EU Data Protection Directive

For the last year, four privacy experts (Charles Raab, Colin Bennett, 
Nigel Waters and Bob Gellman) have been working on a report for the 
European Commission on the implementation of Articles 25 and 26 of the 
EU Data Protection Directive.

The report contains 30 empirical case studies of the international 
transfer of personal data from Europe to 6 jurisdictions (Canada, US, 
Japan, Australia, New Zealand, Hong Kong).   These cases represent five 
different transfer categories: sensitive information in airline 
reservations systems; human resources data; electronic commerce; 
medical data; and subcontracted outsourcing.  For each transfer, we 
gained the collaboration of certain partner organizations to give us a 
realistic sense of the nature of the personal data transferred and the 
means of communication.   We then made certain evaluations about the 
"adequacy" of protection according to a common evaluative methodology.

The final report entitled "Application of a methodology designed to 
assess the adequacy of the level of protection of individuals with 
regard to processing personal data" has just been published and can be 
found under the "Reports" section at:  
http://europa.eu.int/comm/dg15/en/public/index.htm#5

Colin J. Bennett, cjb@uvic.ca
Department of Political Science
University of Victoria
PO Box 3050
Victoria, BC
Canada, V8W 3P5
Phone: (250) 721-7495
Fax: (250) 721-7485
http://www.cous.uvic.ca/poli/bennett/

------------------------------

End of PRIVACY Forum Digest 08.02
************************

