PRIVACY Forum Archive Document

PRIVACY Forum Home Page

PFIR - "People For Internet Responsibility" Home Page

Vortex Technology Home Page


PRIVACY Forum Digest      Saturday, 13 February 1999      Volume 08 : Issue 03

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                         http://www.vortex.com 
        
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
                 Cable & Wireless USA, Cisco Systems, Inc., 
                           and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
        Computer Serial Numbers: Pentiums Not Required!
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Stolen Lives: Identity theft (David Brownell)
        eBay's Very Open Trading Policies (Mike O'Brien)
        Domestic Violence (Phil Agre)
        Boxed In: Why US Privacy Self Regulation Has Not Worked
           (Joseph M. Reagle Jr.)
        ALAWON v8, n7 - Filtering Bill Introduced (ALAWASH E-MAIL)
        Supermarket Tracking Cards / Professional Jurors (Mike O'Brien)
        Interesting US Supreme Court case (John R Levine)
        New California laws for 1999 (Kevin Maguire)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the list server system.  Please follow the instructions above
for getting the list server  "help" information, which includes details
regarding the "index" and "get" list server commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 08, ISSUE 03

     Quote for the day:
         
       "Wrong thinking is punishable.
        Right thinking will be as quickly rewarded."

        -- The Keeper (Meg Wylie)
           "Star Trek": Original Pilot Episode: "The Cage" (Desilu; 1964)
                
----------------------------------------------------------------------

Date:    Sat, 13 Feb 99 11:29 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Computer Serial Numbers: Pentiums Not Required!

Greetings.  By now most of you are probably familiar with the barrage of
stories relating to Intel's annoucement of a "serial number" in their new
line of Pentium processor chips, and the controversies that immediately
emerged.  Given all that's already been written about the pros, cons,
reliability issues, uses and abuses of such a system, there's no need to
rehash it all here. 

But there is one point I'd like to emphasize.  The ability to create and
interrogate a totally or reasonably unique identity for a given piece of
computer hardware has long existed, and need not be dependent on the
presence or enabling of a chip serial number.  And since all such
procedures rely on software to transmit that information, all are ultimately
subject to potential modification or disruption.

Outside of the PC world, various other computer platforms have long included
dedicated readable machine serial numbers.  Any PC with an installed Ethernet
adapter contains a unique ID which can be easily interrogated.  It's also
possible to "fingerprint" any system via values in system ROMs, disk firmware
interfaces and layouts, operating system or application software IDs, or any
manner of other parameters which can be combined in creative manners.  Some
of these can be changed by the user of course, but a CPU chip can usually be
replaced as well.  Techniques like these are already used by some software
packages as an anti-piracy measure. 

So whatever good or ill that we perceive to be associated with unique
identification of computer systems, it's important to note that most of the
same factors are present regardless of whether or not a particular CPU chip
is in use or a specific chip serial number capability enabled.

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date:    Sat, 06 Feb 1999 11:40:40 -0800
From:    David Brownell <david-b@pacbell.net>
Subject: Stolen Lives: Identity theft

The January 26 1999 edition of the San Jose Mercury News has
an article about identity theft.  Titled "Stolen Lives, How
to Avoid Being a Victim of Identity Fraud", the article presents
several case studies; it's a relatively long article (2400 words
in the on-line version for $2, plus pictures).

Of particular interest were interviews with some people whose
identies had been stolen.  In effect, they had been made the
victim in multiple ways ... first by having their credit records
ruined, second by having the credit bureaus refuse to correct
the false information they were recording, third by employers
not being supportive of the months or years it can take to recover
from such a theft, fourth by courts and police departments holding
that it was financial institutions which were the primary victims,
and unfortunately much more.

It's clear that such theft is facilitated by sloppy practices
on the part of credit issuing agencies.  In one case, they did
not even consider the fact that the person applying for credit
had a different age, size, residence, and race from the person
whose credit record was used.  (Yet they were held to be the
victim ... hmm.)

However, it's also clear that credit reporting agencies haven't
been doing their jobs in making sure the information they report
is correct.  (I was wishing that the EU privacy regulations were
in effect ... making this their legal responsibility, rather than
at best a good-neighborly thing.)

Mari Frank is a Laguna Niguel attorney who wrote a manual on coping
with identity theft.  www.identitytheft.org has more info on that.

There is now US federal legislation which makes identity theft a
felony, as it has been for a while in ten states including California.
California's legal infrastructure is already in place, which will
help victims since it requires credit bureaus and lenders to fix
their records given a police report of the crime.

- Dave

------------------------------

Date:    Mon, 1 Feb 1999 13:07:16 -0800
From:    "Mike O'Brien" <obrien@rush.aero.org>
Subject: eBay's very open trading policies

        eBay is instituting a new User Agreement, binding on everyone
who uses eBay in about 25 days, which says a few hair-raising things.
It references a new Privacy Policy which is even more hair-raising.

        The new Privacy Policy says:

    Unfortunately, due to the existing regulatory environment, we cannot
    ensure that all of your private communications and other personally
    identifiable information will never be disclosed in ways not otherwise
    described in this Privacy Policy.  By way of example (without limiting
    the foregoing), we may be forced to disclose information to the
    government or third parties under certain circumstances, or third
    parties may unlawfully intercept or access transmissions or private
    communications.

        Well, that sure sounds practical and fair enough.  However,
this paragraph goes on to say:

    Further, we can (and you authorize us to) disclose any information
    about you to law enforcement or other government officials as we, in
    our sole discretion, believe necessary or appropriate.  Therefore,
    although we use industry standard practices to protect your privacy,
    we do not promise, and you should not expect, that your personally
    identifiable information or private communications will remain
    private.


        A paragraph or two above this, it also says:

    eBay cooperates with all law enforcement inquires and with all third
    parties to enforce their intellectual property or other rights.
    Therefore, members of the eBay Legal Buddy Program (which includes
    local, state and federal law enforcement) can request your UserID,
    name, street address, city, state, zip code, country, phone number,
    email and company information.  For more information about the Legal
    Buddy Program, email buddy@ebay.com.

        I dug into this some.  Apparently, all you have to do is sign
a form that says you own copyright or trademark interests in something
or other, and based solely on this claim, eBay will disclose to you
all the information they have on anybody whom you claim is selling
something in violation of your rights.

        This stuff was all instituted because eBay was catching
heat about allowing the sale of fraudulent "knock-off" items.  I
don't know about you, but the cure looks worse than the disease.
I'm all for complying with subpoenas and warrants, but this all
looks to me like all you have to do is CLAIM to represent a law
enforcement agency or a "Content Owner", and their books are open
for your easy inspection.

Mike O'Brien

------------------------------

Date:    Sun, 7 Feb 1999 20:43:54 -0800 (PST) 
From:    Phil Agre <pagre@alpha.oac.ucla.edu> 
Subject: Domestic Violence

The state of California has started a program to protect victims of
domestic violence from being tracked down by their assailants using
public records and the like.  Measures include confidential voter
registration records and a state-provided post office box whose contents
are regularly forwarded by state workers to the victim's real location.
(Reference: Carl Ingram, New program to help domestic violence victims,
Los Angeles Times, 7 February 1999, page A13.  The article also claims
that "[t]he era of hacking electronic databases further compounds the
difficulties of victims", without providing evidence that is hacking
rather than deception or corruption that causes information about the
victims to be revealed.)  We shall see how well the law works.  If it
is not sufficient, a next step would be to strengthen a victim's ability
to recover damages from an organization that reveals personal information
to someone who shouldn't have it.

Phil Agre

------------------------------

Date:    Mon, 18 Jan 1999 10:23:47 -0500
From:    "Joseph M. Reagle Jr." <reagle@MIT.EDU>
Subject: Boxed In: Why US Privacy Self Regulation Has Not Worked

http://cyber.law.harvard.edu/people/reagle/privacy-selfreg.html

Joseph M. Reagle Jr.
Resident Fellow, Berkman Center for Internet & Society, Harvard
Law School

Its easy to answer that efforts -- to date -- for Internet privacy
self-regulation have not worked in the US. However, to ask the question
itself is not so easy. What does effective privacy protection and self
regulation mean? How do we know when its working? In an attempt to frame
this issue, the Department of Commerce has issued two drafts and held a
public meeting last summer with the theme of "Thinking Out of the Box."
Little progress had been made on the most important aspect of self
regulation: enforcement and user remedy. 

The crux of the problem is not a need to think out of the box, but to think
about the box we are in. By this I mean the history and incentives that
motivate present day behavior: 

Self Regulation by Sustaining User Ignorance 
     This regulatory approach operates when market players suppress
     business practices (or reports thereof) that alarm a majority of the
     citizenry. Problems which are pointed out by the FTC, advocacy
     groups, or the media can sometimes result in improvements by the
     targeted company. Occasionally, a coalition of companies may find
     the scrutiny to be loathsome enough to exceed their legal obligations
     and uniformly reform the industry's practices. Given the number and
     diversity of services on the Web, such efforts are doubly difficult. 

Enforcing Norms May Violate Anti-Trust 
     Antitrust law attempts to mitigate a dominant company, or set of
     companies, from colluding in order to suppress competition. This
     includes attempts at price fixing and excluding rivals by raising
     barriers of entry within a market. Consider the proposal that Internet
     companies that are part of a self-regulatory program adopt a
     consistent set of privacy procedures and that those procedures must
     be reviewed by external privacy audits. This could be construed as
     raising a barrier to entry in the ecommerce market for those
     companies that cannot readily afford such processes. 

Being a Good Actor Increases Liability 
     Outside of a few specific sectors (credit reporting, video rental
     records, etc.) there are very few limits on what one can do with
     information solicited, garnered, or inferred about users. In fact, by
     disclosing one's privacy practices, one is substantiality increasing
     one's liability without any noticeable or immediate benefit. In this
     context, I find it remarkable that any company has made substantive
     disclosures beyond the useless "We may share your information with
     partners and affiliates who wish to provide you with complementary
     products or services," and laud those that have. 

Privacy is Expensive 
     It costs to be proactive on privacy. Companies concerned with
     privacy may turn away from business practices their less principled
     competitors jump at, or devote significant resources to supporting
     self-regulatory or technical programs. Regulatory actions (self or
     statutory) are not cheap. The cost of privacy when placed in the
     broader context of user satisfaction, fraud reduction, and user
     confidence in the Web is worthwhile, however the cost is uncertain
     and poorly distributed. 

Given the above constraints, it is not surprising that self regulatory
efforts have not advanced further. The efforts to date are simply not
sufficient to overcome these significant pre-existent disincentives towards
a self regulatory program. For progress to be made, we need enforceable rules
regarding a baseline of acceptable behavior that cast pro-privacy policies
as an advantage rather than a liability.

References 

     Elements of Effective Self-Regulation for Protection of Privacy 
     Privacy and Electronic Commerce. 
     Introduction to Antitrust Terms 
     Antitrust Guidelines for the Licensing of Intellectual Property. April
     6, 1995 Issued by the U.S. Department of Justice and the Federal
     Trade Commission These Guidelines supersede section 3.6 in Part
     I, "Intellectual Property Licensing Arrangements," and cases 6, 10,
     11, and 12 in Part II of the U.S. Department of Justice 1988
     Antitrust Enforcement Guidelines for International Operations 
     United States v. IBM, 1975-I. Trade Cas. (CCH) Sec 60,104
     (S.D.N.Y. 1974) (amending complaint). 
     Sherman Antitrust Act of 1890, 15 U.S.C. 1. 
     Clayton Act, 15 U.S.C. 12 
     Federal Trade Commission Act, 15 U.S.C. 41 

Regards,          http://web.mit.edu/reagle/www/home.html
Joseph Reagle
independent research account

------------------------------

Date:    Fri, 22 Jan 1999 17:56:53 -0500
From:    "ALAWASH E-MAIL (ALAWASH E-MAIL)" <ALAWASH@alawash.org>
Subject: ALAWON v8, n7 - FILTERING BILL INTRODUCED

ALAWON: American Library Association Washington Office Newsline
Volume 8, Number 7
January 22, 1999

In this issue:

Sens. McCain, Hollings Introduce Filtering Bill

Sen. John McCain (R-AZ), chair of the Senate Commerce Committee, 
and Sen. Ernest Hollings (D-SC), ranking minority member of the 
Senate Commerce Committee, have introduced The Children's Internet 
Protection Act, S. 97.  The bill would require filtering and 
blocking software to be used by any school or library receiving E-
rate discounts.

According to the S. 97, libraries would be required to use a 
filtering system on one or more of their computers so that at 
least one computer will be "appropriate for minors' use."  Schools 
receiving universal service discounts -- also known as the E-rate 
-- would be required to use filtering or blocking software on all 
of their computers.

The Children's Internet Protection Act appears to be very similar 
to the bill that Sens. McCain and Hollings cosponsored last year.  
ALA, the EdLiNC coalition and others did not support that bill. 

"As Internet use in our schools and libraries continues to grow, 
children's potential exposure to harmful online content and to 
those who seek to sexually abuse children will only increase,"  
Sen. McCain said in a January 20 statement. "Perhaps most 
important, this legislation will not censor what goes onto the 
Internet, nor will it censor what adults may see, but rather 
filters what comes out of it onto the computers our children use 
outside the home." 

"This legislation is an important step in the battle to protect 
children from the dark side of the Internet," said Sen. Hollings. 
"Children should be protected from stumbling onto indecent 
material while using the web for legitimate purposes and this bill 
will go a long way in obtaining that goal."

A summary, provided by the Senate Commerce Committee, of The 
Children's Internet Protection Act, S. 97 is as follows:

                        -------
Schools would have to certify with the FCC that they are using or 
will use a filtering or block system on computers with Internet 
access so that students will not be exposed to harmful material on 
the Internet.  A school will not be eligible to receive universal 
service support for Internet access unless they do this.

In order to be eligible for universal service, libraries would 
only have to certify that they are using a filtering or blocking 
system for one or more of their computers so that at least one 
computer will be suitable for minors' use.

School and library administrators are free to choose any filtering 
or blocking system that would best fit their community standards 
and local needs.  In providing for universal service discounts for 
Internet access, no federal governmental body can make any 
qualitative judgements about the system nor the material to be 
filtered that the school or library has chosen.
                        -------

Rep. Bob Franks (R-NJ) also introduced a similar bill to S. 97 in 
the House of Representatives this week.  In the 105th Congress, 
two similar bills, S. 1619 and the Sen. Franks-sponsored H.R. 
3177, were unsuccessful. 

ALAWON readers will recall that last congressional session, 
alternative language was proposed by Sen. Conrad Burns (R-MT) and 
others to require local Internet use policies rather than blocking 
or filtering software.  ALA and others argued that, if there were 
to be any federal legislation passed in this arena, the Burns 
approach was preferable.  

Advocates are working to see if such an alternative can again be 
introduced.  Emphasizing control at the local level through local 
use policies (LUPs) would be consistent with the need to have all 
such content and curriculum decisions made at the local level.

ALA will review S. 97 in more detail.  Many issues are raised, 
including when it would become effective and how it would impact 
the libraries and schools just now receiving their E-rate 
commitment letters.  The application process for the second year 
of the E-rate has also just begun. Further news about the 
Children's Internet Protection Act will be forthcoming as it 
becomes available.

******
ALAWON (ISSN 1069-7799) is a free, irregular publication of the 
American Library Association Washington Office. All materials 
subject to copyright by the American Library Association may be 
reprinted or redistributed for noncommercial purposes with 
appropriate credits.

To subscribe to ALAWON, send the message: subscribe ala-wo 
[your_firstname] [your_lastname] to listproc@ala.org or go to 
http://www.ala.org/washoff/alawon.  To unsubscribe to ALAWON, send 
the message: unsubscribe ala-wo to listproc@ala.org or go to 
http://www.ala.org/washoff/alawon. ALAWON archives at 
http://www.ala.org/washoff/alawon. 

ALA Washington Office, 1301 Pennsylvania Ave., N.W., Suite 403, 
Washington, D.C. 20004-1701; phone: 202.628.8410 or 800.941.8478 
toll-free; fax: 202.628.8419; e-mail: alawash@alawash.org; Web 
site: http://www.ala.org/washoff.  Editor: Lynne E. Bradley; 
Managing Editor: Deirdre Herman; Contributors: Phyllis Albritton, 
Mary Costabile, Adam Eisgrau, Carol Henderson, Peter Kaplan, 
Claudette Tennant and Rick Weingarten.

------------------------------

Date:    Thu, 21 Jan 1999 14:22:51 -0800
From:    "Mike O'Brien" <obrien@rush.aero.org>
Subject: Supermarket Tracking Cards / Professional Jurors

        Two items in the latest digest moved me to respond:

        1) Concerning supermarket consumer tracking systems: These
people are willing to pay far, far more than "twenty cents off a
jar of mayo."  Those who have not used these systems are probably
unaware of just how much.  I have the best of both worlds: My
housemate does all our shopping, and he self-confessedly has no
life to spy on.  Between the 5%-off-your-entire-order coupons, the
10%-off-your-entire-order coupons, the 2/3 off specials, the
free Thanksgiving turkeys and the free Easter hams, we save
several hundred dollars per year off our grocery bill.  These
savings are predicated on accumulated use of the SAME ID tag,
so the "card-swapping club", while an attractive notion, wouldn't
allow these savings.

        Frankly, while the accumulation of customer data seems
off-putting, the savings are so huge that even the privacy-conscious
might think twice.  They're willing to pay big bucks for the info.

        2) On professional jurors: I had the privilege of growing
up (in Western Pennsylvania) in one of the most corrupt judicial
districts in the country.  The daily course of conduct in my
small-town country seat was so openly corrupt, and had been so
for so long, that when labor leader Jock Yablonsky went and got
himself assassinated, the national spotlight thrown on the trial of the
accused assassin caused the entire legal population of the city
to scurry around like bugs under a suddenly lifted rock as they all
tried to remember how this stuff was actually supposed to be done.

        We had professional jurors.  They consisted of a population
of gentlemen of leisure and undetermined means who hung out in back
of the courthouse next to the jail.  When a trial was called for,
a sufficiency of them were rounded up and routinely sworn in with
little questioning and no objection by either side.  They duly
deliberated and returned a verdict.  So professional and reasonable
were they in their attitude that if the judge didn't care for
the verdict, he would send them out again for further deliberations,
after which they would duly return an opposing point of view.

        I've seen professional jurors.  I prefer road kill.

Mike O'Brien

------------------------------

Date:    Mon, 25 Jan 1999 21:49:08 -0500 (EST)
From:    John R Levine <johnl@iecc.com>
Subject: Interesting US Supreme Court case

The supremes agreed today to hear this case.

Los Angeles Police Dept. v. United Reporting Pub. Corp.
No. 98-678

Court below: 146 F.3d 1133 (9th Cir 06/25/98)

At issue in this freedom of information case is whether a private
publishing company may provide the names and addresses of recently
arrested individuals to their clients for a fee.  Prior to July 
1996, California Code Section 6254 stated that state and local law
enforcement agencies shall make public the full name, current 
address, and occupation of every individual arrested by the agency.  
In July of 1996, California amended the Code to prohibit the 
release of arrestee addresses to people who intend to use those
addresses for commercial purposes.  United Reporting Publishing
Corporation had been providing the names and addresses of recently
arrested individuals to their clients under the old version of the
statute.  United reporting filed a complaint seeking declaratory
judgment and injunctive relief on the grounds the amendment was
unconstitutional under the First and Fourteenth Amendments.  The 
court below held that the Code amendment violates the holding in 
Central Hudson Gas and Elec. Corp. v. Public Service Comm. of NY,
447 US 557 (1980), in that it does not directly and materially 
advance the government's interest in protecting privacy and 
tranquility of its residents.

------------------------------

Date:    Wed, 20 Jan 1999 16:23:32 -0800
From:    Kevin Maguire <kmaguire@mail1.jpl.nasa.gov>
Subject: New California laws for 1999

I found the following items reported in the Los Angeles
Times Jan. 1 issue, in an article highlighting new
California laws for 1999:

 - Unless they have obtained a court order, employers may
   not use audio or video recording devices to eavesdrop on
   employees in restrooms, locker rooms or other areas where
   employees change clothes. (AB 2303 by Assemblyman George
   Runner Jr., R-Lancaster)

 - Employers may not discriminate against healthy individuals
   who have a genetic predisposition to a disease. (SB 654 by
   Sen. Patrick Johnston, D-Stockton)

 - Before they are released from prison, people convicted of
   manslaughter, kidnapping, mayhem, torture and felony spousal
   abuse must provide DNA samples, which will be added to the
   state DNA database.  Previously, only sex offenders and
   people convicted of murder and felony assualt and battery
   had to provide samples.  (AB 1332 by Assemblyman Kevin
   Murray, D-Los Angeles)

 - Senders of spam must provide a return toll-free number
   or e-mail address and stop sending the unsolicited mail
   if the recipient asks them to cease (AB 1629 by Assemblyman
   Gary Miller, R-Diamond Bar, and AB 1626 by Assemblywoman
   Debra Bowen, D-Marina del Rey).

  [ KM: AB 1629 specifically refers to advertising, not
    unsolicited bulk email.  AB 1626, according to the
    California Senate website, has nothing to do with email. ]

 - It is now a misdemeanor to place an electronic tracking
   device on a person or the person's property, such as
   a car.  Law enforcement agencies are exempt from the
   law. (SB 1667 by Sen. John Burton, D-San Francisco)

   [KM: I checked the text of this bill.  It includes
    an exception for devices placed with the consent of the
    owner, lessor or lessee of the property as well as devices
    lawfully employed by law enforcement.  And it opens with:

       SECTION 1.  The Legislature finds and declares that the right to
       privacy is fundamental in a free and civilized society and that the
       increasing use of electronic surveillance devices is eroding personal
       liberty.  The Legislature declares that electronic tracking of a
       person's location without that person's knowledge violates that
       person's reasonable expectation of privacy.
  
    Which is nice. ]

- Kevin Maguire
--
Required disclaimer:  I'm not speaking for JPL, Caltech, or NASA.

------------------------------

End of PRIVACY Forum Digest 08.03
************************


PRIVACY Forum Home Page

Vortex Technology Home Page

Copyright © 2005 Vortex Technology. All Rights Reserved.