|
PRIVACY Forum Archive Document
|
PRIVACY Forum Digest Saturday, 13 February 1999 Volume 08 : Issue 03
Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
http://www.vortex.com
===== PRIVACY FORUM =====
-------------------------------------------------------------------
The PRIVACY Forum is supported in part by
the ACM (Association for Computing Machinery)
Committee on Computers and Public Policy,
Cable & Wireless USA, Cisco Systems, Inc.,
and Telos Systems.
- - -
These organizations do not operate or control the
PRIVACY Forum in any manner, and their support does not
imply agreement on their part with nor responsibility
for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------
CONTENTS
Computer Serial Numbers: Pentiums Not Required!
(Lauren Weinstein; PRIVACY Forum Moderator)
Stolen Lives: Identity theft (David Brownell)
eBay's Very Open Trading Policies (Mike O'Brien)
Domestic Violence (Phil Agre)
Boxed In: Why US Privacy Self Regulation Has Not Worked
(Joseph M. Reagle Jr.)
ALAWON v8, n7 - Filtering Bill Introduced (ALAWASH E-MAIL)
Supermarket Tracking Cards / Professional Jurors (Mike O'Brien)
Interesting US Supreme Court case (John R Levine)
New California laws for 1999 (Kevin Maguire)
*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***
-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.
All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored. Excessive "signatures" on submissions are
subject to editing. Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com". Mailing list problems should be reported to
"list-maint@vortex.com".
All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations.
The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password. The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access. PRIVACY Forum materials may also be obtained automatically via
e-mail through the list server system. Please follow the instructions above
for getting the list server "help" information, which includes details
regarding the "index" and "get" list server commands, which are used to access
the PRIVACY Forum archive.
All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/". Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------
VOLUME 08, ISSUE 03
Quote for the day:
"Wrong thinking is punishable.
Right thinking will be as quickly rewarded."
-- The Keeper (Meg Wylie)
"Star Trek": Original Pilot Episode: "The Cage" (Desilu; 1964)
----------------------------------------------------------------------
Date: Sat, 13 Feb 99 11:29 PST
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Computer Serial Numbers: Pentiums Not Required!
Greetings. By now most of you are probably familiar with the barrage of
stories relating to Intel's annoucement of a "serial number" in their new
line of Pentium processor chips, and the controversies that immediately
emerged. Given all that's already been written about the pros, cons,
reliability issues, uses and abuses of such a system, there's no need to
rehash it all here.
But there is one point I'd like to emphasize. The ability to create and
interrogate a totally or reasonably unique identity for a given piece of
computer hardware has long existed, and need not be dependent on the
presence or enabling of a chip serial number. And since all such
procedures rely on software to transmit that information, all are ultimately
subject to potential modification or disruption.
Outside of the PC world, various other computer platforms have long included
dedicated readable machine serial numbers. Any PC with an installed Ethernet
adapter contains a unique ID which can be easily interrogated. It's also
possible to "fingerprint" any system via values in system ROMs, disk firmware
interfaces and layouts, operating system or application software IDs, or any
manner of other parameters which can be combined in creative manners. Some
of these can be changed by the user of course, but a CPU chip can usually be
replaced as well. Techniques like these are already used by some software
packages as an anti-piracy measure.
So whatever good or ill that we perceive to be associated with unique
identification of computer systems, it's important to note that most of the
same factors are present regardless of whether or not a particular CPU chip
is in use or a specific chip serial number capability enabled.
--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com
------------------------------
Date: Sat, 06 Feb 1999 11:40:40 -0800
From: David Brownell <david-b@pacbell.net>
Subject: Stolen Lives: Identity theft
The January 26 1999 edition of the San Jose Mercury News has
an article about identity theft. Titled "Stolen Lives, How
to Avoid Being a Victim of Identity Fraud", the article presents
several case studies; it's a relatively long article (2400 words
in the on-line version for $2, plus pictures).
Of particular interest were interviews with some people whose
identies had been stolen. In effect, they had been made the
victim in multiple ways ... first by having their credit records
ruined, second by having the credit bureaus refuse to correct
the false information they were recording, third by employers
not being supportive of the months or years it can take to recover
from such a theft, fourth by courts and police departments holding
that it was financial institutions which were the primary victims,
and unfortunately much more.
It's clear that such theft is facilitated by sloppy practices
on the part of credit issuing agencies. In one case, they did
not even consider the fact that the person applying for credit
had a different age, size, residence, and race from the person
whose credit record was used. (Yet they were held to be the
victim ... hmm.)
However, it's also clear that credit reporting agencies haven't
been doing their jobs in making sure the information they report
is correct. (I was wishing that the EU privacy regulations were
in effect ... making this their legal responsibility, rather than
at best a good-neighborly thing.)
Mari Frank is a Laguna Niguel attorney who wrote a manual on coping
with identity theft. www.identitytheft.org has more info on that.
There is now US federal legislation which makes identity theft a
felony, as it has been for a while in ten states including California.
California's legal infrastructure is already in place, which will
help victims since it requires credit bureaus and lenders to fix
their records given a police report of the crime.
- Dave
------------------------------
Date: Mon, 1 Feb 1999 13:07:16 -0800
From: "Mike O'Brien" <obrien@rush.aero.org>
Subject: eBay's very open trading policies
eBay is instituting a new User Agreement, binding on everyone
who uses eBay in about 25 days, which says a few hair-raising things.
It references a new Privacy Policy which is even more hair-raising.
The new Privacy Policy says:
Unfortunately, due to the existing regulatory environment, we cannot
ensure that all of your private communications and other personally
identifiable information will never be disclosed in ways not otherwise
described in this Privacy Policy. By way of example (without limiting
the foregoing), we may be forced to disclose information to the
government or third parties under certain circumstances, or third
parties may unlawfully intercept or access transmissions or private
communications.
Well, that sure sounds practical and fair enough. However,
this paragraph goes on to say:
Further, we can (and you authorize us to) disclose any information
about you to law enforcement or other government officials as we, in
our sole discretion, believe necessary or appropriate. Therefore,
although we use industry standard practices to protect your privacy,
we do not promise, and you should not expect, that your personally
identifiable information or private communications will remain
private.
A paragraph or two above this, it also says:
eBay cooperates with all law enforcement inquires and with all third
parties to enforce their intellectual property or other rights.
Therefore, members of the eBay Legal Buddy Program (which includes
local, state and federal law enforcement) can request your UserID,
name, street address, city, state, zip code, country, phone number,
email and company information. For more information about the Legal
Buddy Program, email buddy@ebay.com.
I dug into this some. Apparently, all you have to do is sign
a form that says you own copyright or trademark interests in something
or other, and based solely on this claim, eBay will disclose to you
all the information they have on anybody whom you claim is selling
something in violation of your rights.
This stuff was all instituted because eBay was catching
heat about allowing the sale of fraudulent "knock-off" items. I
don't know about you, but the cure looks worse than the disease.
I'm all for complying with subpoenas and warrants, but this all
looks to me like all you have to do is CLAIM to represent a law
enforcement agency or a "Content Owner", and their books are open
for your easy inspection.
Mike O'Brien
------------------------------
Date: Sun, 7 Feb 1999 20:43:54 -0800 (PST)
From: Phil Agre <pagre@alpha.oac.ucla.edu>
Subject: Domestic Violence
The state of California has started a program to protect victims of
domestic violence from being tracked down by their assailants using
public records and the like. Measures include confidential voter
registration records and a state-provided post office box whose contents
are regularly forwarded by state workers to the victim's real location.
(Reference: Carl Ingram, New program to help domestic violence victims,
Los Angeles Times, 7 February 1999, page A13. The article also claims
that "[t]he era of hacking electronic databases further compounds the
difficulties of victims", without providing evidence that is hacking
rather than deception or corruption that causes information about the
victims to be revealed.) We shall see how well the law works. If it
is not sufficient, a next step would be to strengthen a victim's ability
to recover damages from an organization that reveals personal information
to someone who shouldn't have it.
Phil Agre
------------------------------
Date: Mon, 18 Jan 1999 10:23:47 -0500
From: "Joseph M. Reagle Jr." <reagle@MIT.EDU>
Subject: Boxed In: Why US Privacy Self Regulation Has Not Worked
http://cyber.law.harvard.edu/people/reagle/privacy-selfreg.html
Joseph M. Reagle Jr.
Resident Fellow, Berkman Center for Internet & Society, Harvard
Law School
Its easy to answer that efforts -- to date -- for Internet privacy
self-regulation have not worked in the US. However, to ask the question
itself is not so easy. What does effective privacy protection and self
regulation mean? How do we know when its working? In an attempt to frame
this issue, the Department of Commerce has issued two drafts and held a
public meeting last summer with the theme of "Thinking Out of the Box."
Little progress had been made on the most important aspect of self
regulation: enforcement and user remedy.
The crux of the problem is not a need to think out of the box, but to think
about the box we are in. By this I mean the history and incentives that
motivate present day behavior:
Self Regulation by Sustaining User Ignorance
This regulatory approach operates when market players suppress
business practices (or reports thereof) that alarm a majority of the
citizenry. Problems which are pointed out by the FTC, advocacy
groups, or the media can sometimes result in improvements by the
targeted company. Occasionally, a coalition of companies may find
the scrutiny to be loathsome enough to exceed their legal obligations
and uniformly reform the industry's practices. Given the number and
diversity of services on the Web, such efforts are doubly difficult.
Enforcing Norms May Violate Anti-Trust
Antitrust law attempts to mitigate a dominant company, or set of
companies, from colluding in order to suppress competition. This
includes attempts at price fixing and excluding rivals by raising
barriers of entry within a market. Consider the proposal that Internet
companies that are part of a self-regulatory program adopt a
consistent set of privacy procedures and that those procedures must
be reviewed by external privacy audits. This could be construed as
raising a barrier to entry in the ecommerce market for those
companies that cannot readily afford such processes.
Being a Good Actor Increases Liability
Outside of a few specific sectors (credit reporting, video rental
records, etc.) there are very few limits on what one can do with
information solicited, garnered, or inferred about users. In fact, by
disclosing one's privacy practices, one is substantiality increasing
one's liability without any noticeable or immediate benefit. In this
context, I find it remarkable that any company has made substantive
disclosures beyond the useless "We may share your information with
partners and affiliates who wish to provide you with complementary
products or services," and laud those that have.
Privacy is Expensive
It costs to be proactive on privacy. Companies concerned with
privacy may turn away from business practices their less principled
competitors jump at, or devote significant resources to supporting
self-regulatory or technical programs. Regulatory actions (self or
statutory) are not cheap. The cost of privacy when placed in the
broader context of user satisfaction, fraud reduction, and user
confidence in the Web is worthwhile, however the cost is uncertain
and poorly distributed.
Given the above constraints, it is not surprising that self regulatory
efforts have not advanced further. The efforts to date are simply not
sufficient to overcome these significant pre-existent disincentives towards
a self regulatory program. For progress to be made, we need enforceable rules
regarding a baseline of acceptable behavior that cast pro-privacy policies
as an advantage rather than a liability.
References
Elements of Effective Self-Regulation for Protection of Privacy
Privacy and Electronic Commerce.
Introduction to Antitrust Terms
Antitrust Guidelines for the Licensing of Intellectual Property. April
6, 1995 Issued by the U.S. Department of Justice and the Federal
Trade Commission These Guidelines supersede section 3.6 in Part
I, "Intellectual Property Licensing Arrangements," and cases 6, 10,
11, and 12 in Part II of the U.S. Department of Justice 1988
Antitrust Enforcement Guidelines for International Operations
United States v. IBM, 1975-I. Trade Cas. (CCH) Sec 60,104
(S.D.N.Y. 1974) (amending complaint).
Sherman Antitrust Act of 1890, 15 U.S.C. 1.
Clayton Act, 15 U.S.C. 12
Federal Trade Commission Act, 15 U.S.C. 41
Regards, http://web.mit.edu/reagle/www/home.html
Joseph Reagle
independent research account
------------------------------
Date: Fri, 22 Jan 1999 17:56:53 -0500
From: "ALAWASH E-MAIL (ALAWASH E-MAIL)" <ALAWASH@alawash.org>
Subject: ALAWON v8, n7 - FILTERING BILL INTRODUCED
ALAWON: American Library Association Washington Office Newsline
Volume 8, Number 7
January 22, 1999
In this issue:
Sens. McCain, Hollings Introduce Filtering Bill
Sen. John McCain (R-AZ), chair of the Senate Commerce Committee,
and Sen. Ernest Hollings (D-SC), ranking minority member of the
Senate Commerce Committee, have introduced The Children's Internet
Protection Act, S. 97. The bill would require filtering and
blocking software to be used by any school or library receiving E-
rate discounts.
According to the S. 97, libraries would be required to use a
filtering system on one or more of their computers so that at
least one computer will be "appropriate for minors' use." Schools
receiving universal service discounts -- also known as the E-rate
-- would be required to use filtering or blocking software on all
of their computers.
The Children's Internet Protection Act appears to be very similar
to the bill that Sens. McCain and Hollings cosponsored last year.
ALA, the EdLiNC coalition and others did not support that bill.
"As Internet use in our schools and libraries continues to grow,
children's potential exposure to harmful online content and to
those who seek to sexually abuse children will only increase,"
Sen. McCain said in a January 20 statement. "Perhaps most
important, this legislation will not censor what goes onto the
Internet, nor will it censor what adults may see, but rather
filters what comes out of it onto the computers our children use
outside the home."
"This legislation is an important step in the battle to protect
children from the dark side of the Internet," said Sen. Hollings.
"Children should be protected from stumbling onto indecent
material while using the web for legitimate purposes and this bill
will go a long way in obtaining that goal."
A summary, provided by the Senate Commerce Committee, of The
Children's Internet Protection Act, S. 97 is as follows:
-------
Schools would have to certify with the FCC that they are using or
will use a filtering or block system on computers with Internet
access so that students will not be exposed to harmful material on
the Internet. A school will not be eligible to receive universal
service support for Internet access unless they do this.
In order to be eligible for universal service, libraries would
only have to certify that they are using a filtering or blocking
system for one or more of their computers so that at least one
computer will be suitable for minors' use.
School and library administrators are free to choose any filtering
or blocking system that would best fit their community standards
and local needs. In providing for universal service discounts for
Internet access, no federal governmental body can make any
qualitative judgements about the system nor the material to be
filtered that the school or library has chosen.
-------
Rep. Bob Franks (R-NJ) also introduced a similar bill to S. 97 in
the House of Representatives this week. In the 105th Congress,
two similar bills, S. 1619 and the Sen. Franks-sponsored H.R.
3177, were unsuccessful.
ALAWON readers will recall that last congressional session,
alternative language was proposed by Sen. Conrad Burns (R-MT) and
others to require local Internet use policies rather than blocking
or filtering software. ALA and others argued that, if there were
to be any federal legislation passed in this arena, the Burns
approach was preferable.
Advocates are working to see if such an alternative can again be
introduced. Emphasizing control at the local level through local
use policies (LUPs) would be consistent with the need to have all
such content and curriculum decisions made at the local level.
ALA will review S. 97 in more detail. Many issues are raised,
including when it would become effective and how it would impact
the libraries and schools just now receiving their E-rate
commitment letters. The application process for the second year
of the E-rate has also just begun. Further news about the
Children's Internet Protection Act will be forthcoming as it
becomes available.
******
ALAWON (ISSN 1069-7799) is a free, irregular publication of the
American Library Association Washington Office. All materials
subject to copyright by the American Library Association may be
reprinted or redistributed for noncommercial purposes with
appropriate credits.
To subscribe to ALAWON, send the message: subscribe ala-wo
[your_firstname] [your_lastname] to listproc@ala.org or go to
http://www.ala.org/washoff/alawon. To unsubscribe to ALAWON, send
the message: unsubscribe ala-wo to listproc@ala.org or go to
http://www.ala.org/washoff/alawon. ALAWON archives at
http://www.ala.org/washoff/alawon.
ALA Washington Office, 1301 Pennsylvania Ave., N.W., Suite 403,
Washington, D.C. 20004-1701; phone: 202.628.8410 or 800.941.8478
toll-free; fax: 202.628.8419; e-mail: alawash@alawash.org; Web
site: http://www.ala.org/washoff. Editor: Lynne E. Bradley;
Managing Editor: Deirdre Herman; Contributors: Phyllis Albritton,
Mary Costabile, Adam Eisgrau, Carol Henderson, Peter Kaplan,
Claudette Tennant and Rick Weingarten.
------------------------------
Date: Thu, 21 Jan 1999 14:22:51 -0800
From: "Mike O'Brien" <obrien@rush.aero.org>
Subject: Supermarket Tracking Cards / Professional Jurors
Two items in the latest digest moved me to respond:
1) Concerning supermarket consumer tracking systems: These
people are willing to pay far, far more than "twenty cents off a
jar of mayo." Those who have not used these systems are probably
unaware of just how much. I have the best of both worlds: My
housemate does all our shopping, and he self-confessedly has no
life to spy on. Between the 5%-off-your-entire-order coupons, the
10%-off-your-entire-order coupons, the 2/3 off specials, the
free Thanksgiving turkeys and the free Easter hams, we save
several hundred dollars per year off our grocery bill. These
savings are predicated on accumulated use of the SAME ID tag,
so the "card-swapping club", while an attractive notion, wouldn't
allow these savings.
Frankly, while the accumulation of customer data seems
off-putting, the savings are so huge that even the privacy-conscious
might think twice. They're willing to pay big bucks for the info.
2) On professional jurors: I had the privilege of growing
up (in Western Pennsylvania) in one of the most corrupt judicial
districts in the country. The daily course of conduct in my
small-town country seat was so openly corrupt, and had been so
for so long, that when labor leader Jock Yablonsky went and got
himself assassinated, the national spotlight thrown on the trial of the
accused assassin caused the entire legal population of the city
to scurry around like bugs under a suddenly lifted rock as they all
tried to remember how this stuff was actually supposed to be done.
We had professional jurors. They consisted of a population
of gentlemen of leisure and undetermined means who hung out in back
of the courthouse next to the jail. When a trial was called for,
a sufficiency of them were rounded up and routinely sworn in with
little questioning and no objection by either side. They duly
deliberated and returned a verdict. So professional and reasonable
were they in their attitude that if the judge didn't care for
the verdict, he would send them out again for further deliberations,
after which they would duly return an opposing point of view.
I've seen professional jurors. I prefer road kill.
Mike O'Brien
------------------------------
Date: Mon, 25 Jan 1999 21:49:08 -0500 (EST)
From: John R Levine <johnl@iecc.com>
Subject: Interesting US Supreme Court case
The supremes agreed today to hear this case.
Los Angeles Police Dept. v. United Reporting Pub. Corp.
No. 98-678
Court below: 146 F.3d 1133 (9th Cir 06/25/98)
At issue in this freedom of information case is whether a private
publishing company may provide the names and addresses of recently
arrested individuals to their clients for a fee. Prior to July
1996, California Code Section 6254 stated that state and local law
enforcement agencies shall make public the full name, current
address, and occupation of every individual arrested by the agency.
In July of 1996, California amended the Code to prohibit the
release of arrestee addresses to people who intend to use those
addresses for commercial purposes. United Reporting Publishing
Corporation had been providing the names and addresses of recently
arrested individuals to their clients under the old version of the
statute. United reporting filed a complaint seeking declaratory
judgment and injunctive relief on the grounds the amendment was
unconstitutional under the First and Fourteenth Amendments. The
court below held that the Code amendment violates the holding in
Central Hudson Gas and Elec. Corp. v. Public Service Comm. of NY,
447 US 557 (1980), in that it does not directly and materially
advance the government's interest in protecting privacy and
tranquility of its residents.
------------------------------
Date: Wed, 20 Jan 1999 16:23:32 -0800
From: Kevin Maguire <kmaguire@mail1.jpl.nasa.gov>
Subject: New California laws for 1999
I found the following items reported in the Los Angeles
Times Jan. 1 issue, in an article highlighting new
California laws for 1999:
- Unless they have obtained a court order, employers may
not use audio or video recording devices to eavesdrop on
employees in restrooms, locker rooms or other areas where
employees change clothes. (AB 2303 by Assemblyman George
Runner Jr., R-Lancaster)
- Employers may not discriminate against healthy individuals
who have a genetic predisposition to a disease. (SB 654 by
Sen. Patrick Johnston, D-Stockton)
- Before they are released from prison, people convicted of
manslaughter, kidnapping, mayhem, torture and felony spousal
abuse must provide DNA samples, which will be added to the
state DNA database. Previously, only sex offenders and
people convicted of murder and felony assualt and battery
had to provide samples. (AB 1332 by Assemblyman Kevin
Murray, D-Los Angeles)
- Senders of spam must provide a return toll-free number
or e-mail address and stop sending the unsolicited mail
if the recipient asks them to cease (AB 1629 by Assemblyman
Gary Miller, R-Diamond Bar, and AB 1626 by Assemblywoman
Debra Bowen, D-Marina del Rey).
[ KM: AB 1629 specifically refers to advertising, not
unsolicited bulk email. AB 1626, according to the
California Senate website, has nothing to do with email. ]
- It is now a misdemeanor to place an electronic tracking
device on a person or the person's property, such as
a car. Law enforcement agencies are exempt from the
law. (SB 1667 by Sen. John Burton, D-San Francisco)
[KM: I checked the text of this bill. It includes
an exception for devices placed with the consent of the
owner, lessor or lessee of the property as well as devices
lawfully employed by law enforcement. And it opens with:
SECTION 1. The Legislature finds and declares that the right to
privacy is fundamental in a free and civilized society and that the
increasing use of electronic surveillance devices is eroding personal
liberty. The Legislature declares that electronic tracking of a
person's location without that person's knowledge violates that
person's reasonable expectation of privacy.
Which is nice. ]
- Kevin Maguire
--
Required disclaimer: I'm not speaking for JPL, Caltech, or NASA.
------------------------------
End of PRIVACY Forum Digest 08.03
************************
Copyright © 2005 Vortex Technology. All Rights Reserved.