PRIVACY Forum Archive Document


PRIVACY Forum Digest      Saturday, 20 February 1999      Volume 08 : Issue 04

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                         http://www.vortex.com 
        
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
                 Cable & Wireless USA, Cisco Systems, Inc., 
                           and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
        Confidential Patient Data Accidentally Released to the Web
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Driver's License Photos and "Data Creep"
           (Lauren Weinstein; PRIVACY Forum Moderator)
        GAO Report on Govt/Comm Use of SSN (Peter Marshall)
        More on eBay "privacy" (Christopher M. Conway)
        Announcement: CFP 99 April 6-8, Washington, DC (Dave Banisar)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the list server system.  Please follow the instructions above
for getting the list server  "help" information, which includes details
regarding the "index" and "get" list server commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 08, ISSUE 04

     Quote for the day:
         
        "Ask me no questions and I'll tell you no lies."

            -- Elaine Zacharides (Margaret Hamilton)
               "13 Ghosts" (William Castle Productions; 1960)

----------------------------------------------------------------------

Date:    Sat, 20 Feb 99 10:54 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Confidential Patient Data Accidentally Released to the Web

Greetings.  What would happen if information from computers containing
confidential patient data at a major medical center found its way into a
publicly available search engine?  What if it were more than 18 Megabytes of
patient data?

This isn't an academic question.  It recently happened at the University of
Michigan Health System, and it's a clear illustration of what can happen
when unencrypted confidential information is moving between medical
operations and their outside vendors.

The PRIVACY Forum recently received e-mail from a generically named e-mail
address (no actual name was provided) at one of the popular "free e-mail"
services, from a person claiming to have stumbled across vast amounts of
patient name, address, phone and some other data while doing an HMO search
on a University of Michigan Health System public web search page.  This
person provided a couple of web URLs, and expressed concern that they hadn't
been able to reach anyone there about this issue.  I offered to look into it.

The URLs were indeed valid at the U. of Mich. Health System.  They led to
what appeared to be large amounts of patient data--primarily names,
addresses, phone numbers, and patient IDs (which in this case, and contrary
to the norm, were not equivalent to Social Security Numbers). One of the
referenced files was over 18 Megabytes of text--my web browser kept freezing
up trying to handle a single page of such a length.

While I hoped that the data wasn't real--that it was dummy test data or
something similar, I had to assume that there was a good chance it was
valid.  My first concern was to determine if this was a genuine problem, and
if so with the protection of those patients by closing this hole.  I called
in to the main U. of Mich. Health System number (found on their home web
page) and within a few minutes had reached people who understood what I was
talking about.  They were interested, polite, and moved swiftly--within an
hour or so the access was apparently closed.

Then followed a number of individual calls and a conference call from
various administrative, technical, and legal folks at U. of Mich.  It turns
out that the data was indeed real.  It was logging data files from runs
involving an outside vendor, which should not have found their way into an
environment where their search engine would have indexed them or where the
public could have found them.  The University thanked me for informing them of
the problem, which they claimed didn't exist for more than a couple of days
before it came to my attention.

However, the story is actually a bit more complicated.  The University
representatives felt strongly that nobody could have originally found that
data on public URLs unless that person was on the "inside" of the medical
center staff.  While I of course have not revealed the e-mail address of the
party who had written to me originally, the University felt that they had
independently identified this person within their staff via analysis of the
logs recording access to those files.  They expressed concern that this
person had (they believe) tried to "go public" with the information without
taking steps internally to inform them of the problem, and they appeared to
be looking into various disciplinary and/or legal actions to possibly be
taken against them.

I have no way to know if the party they're talking about is the same person
who contacted me, or what that person's motives might actually have been,
but I find this emphasis on possible punishments targeted at that person to
be disturbing.

I brought up the issue of encryption as a possible means to help avoid
problems like this in the future.  I got the impression that they had
discussed that in the past and had ruled it out as "impractical" at this
time in their opinion.  I also strongly urged that they take steps to notify
patients whose data was exposed, since there's no way to know where copies
of that data might have been sent by other parties, however few they might
have been, who had accessed them via those public URLs.  The last I heard
from the medical center's representatives, they were working on some sort of
plan to notify patients' doctors privately of the problem, but apparently no
public statement was planned as far as I know.

The actual potential damage done to patients by the exposure of that data,
in this case, was probably comparatively minimal.  Luckily, the particular
files involved didn't contain even more detailed data, and were apparently
not widely accessed.  But this should serve as a loud and clear wakeup
call.  With the increasingly enormous amounts of medical data being moved
between public and private entities, these sorts of technical "glitches" can
have major implications.  You can't get the data genie back into the
bottle.  With so many organizations rushing to bring up web interfaces and
virtual "storefronts," the likelihood of confidential or hazardous data
crossing the boundary into public view is ever increasing. 

In the rush to cyberspace, it's easy for some to forget that real people,
and real lives, are involved.  Things do go wrong, but technical glitches at
major, publicly accessible web sites are not excuses for releasing
personal data that individuals have every right to expect will be maintained
in confidence.  In my opinion, it's largely a matter of priorities.  And
ultimately, it's society that needs to set and enforce those priorities in
this area.

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date:    Sat, 20 Feb 99 11:01 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Driver's License Photos and "Data Creep"

Greetings.  "Data Creep" is a term I use to describe the tendency for data
collected for one purpose to be desired by, released to, and used by,
various parties for other purposes.  We've seen a multitude of examples in
the past involving medical data, auto toll information, cellular phone
location data, and so on--the list is impressive.  

The latest furor over the selling of driver's license photos is yet another
example, with some interesting new twists.  A small New Hampshire firm
called Image Data LLC has been promoting their "TrueID" system to flash
pictures of customers on small displays at point of sale, to help verify
check and credit card transactions.  They bought more than 22 million such
photos from South Carolina, Florida and Colorado (and at discount prices
too, possibly as low as a penny each in some cases!).  After some public
reports and negative public reaction to this system began circulating, there
have been various actions taken by some state officials to try to prevent
further release of photos and/or to demand return of the photos already
released.  Lawsuits and court battles are already underway.

Adding fuel to the fire was the revelation that Image Data's project was
partially funded by over a million dollars of federal funds and Secret
Service technical assistance, which was offered after a number of
Congressmen expressed interest in the broader applications of the system.
While most observers had thought that the company was promoting its product
only to help stop credit card and check fraud, other applications such as
fighting terrorism, various identity-related crimes, immigration abuses, and
related areas were apparently the impetus for the federal funding.  It is
reported that state officials who had worked with the company were unaware
of this aspect of the project.

Some have argued that the system is no more obtrusive than someone showing
their driver's license when they want to cash a check.  But there is a
fundamental difference between voluntarily showing an ID as part of a
transaction (even if the transaction won't be completed unless the ID is
presented) and being forced to participate in systems where images or other
biometric data are being bought and sold at what amounts to a personal
information swap meet. 

There could be a silver lining to this story.  It appears that it has
triggered new moves in some states to restrict their sales of personal
information--maybe.

At the same time that proponents of the TrueID system argue what a benefit
it will be to consumers, it is noteworthy that individuals are almost never
asked if they wish to participate in these programs.  The reason why is
obvious--it's the same reason that the direct marketing folks don't want
opt-in programs for direct mail.  There is a strong tendency to just avoid
asking the question in the first place, when you know that most people are
going to answer no!

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date:    Thu, 18 Feb 1999 12:37:27 -0800
From:    Peter Marshall <techdiff@ix.netcom.com>
Subject: GAO Report on Govt/Comm Use of SSN

    Date: Tue, 16 Feb 1999 23:54:33 -0500
    Reply-To: IRE-L@showme.missouri.edu
    From: "Tim Wise" <timwise@dgsys.com>
    To: "IRE-L List Service" <IRE-L@lists.missouri.edu>
    Subject: GAO Report on Govt/Comm Use of SSN

    February 16, 1999

    The General Accounting Office (GAO) today released the following:

    REPORTS:

    1.    Social Security: Government and Commercial Use of the Social
          Security Number Is Widespread
          GAO/HEHS-99-28, Feb. 16.

    To obtain copies of GAO reports or testimony, the press only may
    call 202-512-4800.  Others should call GAO's Document Distribution
    Center, 202-512-6000.

    This GAO report may be of special interest to many on this list.

    Tim Wise

------------------------------

Date:    Mon, 15 Feb 1999 10:38:34 -0700 (MST)
From:    "Christopher M. Conway" <cmconwa@sandia.gov>
Subject: More on eBay "privacy"

It should also be noted that eBay on the one hand claims that they make no
effort to verify user information, and that users may not hold them liable
for false information about other users; and, that, on the other hand,
they will terminate users that do not provide verifiable information.

Sounds to me like they want to have their cake, and eat it too...

Far worse, actually, is that they claim that your personal information
is only available to "registered users." They fail to note that
"registered users" can include anyone and everyone who has an email
address which is usable for the minute or so that registration takes.
You see, registration consists of entering personal information (on
an unprotected page, unless they've changed that quite recently) which
is not verified in any way (how can it be); they send an email
confirmation to the email address you give, with a codeword; and then
you enter that code word into a web page, and Voila! You're a registered
user, with the right to peruse personal information (including phone
number and address) of any other registered user in their system.

Oh, and they do "adult verification" by requiring a credit card number.
There is, of course, no way of knowing that the card holder is actually
an adult (many children get cards based on their parents' accounts now).
Plus, there's no way of telling whether the card number given belongs
to the registrant (there's no mapping between card number and names;
I've tried putting in bogus information, and succeeded), so that a minor
could put in their parents' card number (how hard is it for a minor to
get a quick look at the monthly statement, or a receipt?), not to mention
other card numbers gathered other ways. So, all they do is figure out
if the card is a valid one, regardless of where it comes from. Further
validation is not done; I've used a card number for a debit card for a
closed account successfully. (I don't know if this would work if the
card number is initially entered while invalid.)

Oh, and one final warning-- I tried to talk some sense with their "safe
harbor" people, and, then, finally, the company founder; with the result
that they retaliated against me, permanently deregistering my account
for not allowing them to publish my unlisted telephone number. They had
received no complaints about me, I'd just made myself a target by daring
to criticize their policies.

There's a reason why my .sig at home contains the line "EBay violates
your privacy-- email me for details." I am currently pursuing an action
with TrustE to get eBay's certification yanked due to their bogus
privacy "protection."

-- 
Christopher M. Conway     U*IX and C Guru
cmconwa@sandia.gov      
wombat@prickly-wombat.com
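An added illustration (not code from the post or from eBay) of the gap Christopher describes between a card number being structurally valid and anything being established about the person entering it; the test numbers and the "issuer" table are constructed for the example, and nothing here contacts a payment network.

```python
"""Format validity versus cardholder verification.

A Luhn mod-10 check only says a digit string is well-formed.  Whether the
account is open, and who is typing the number, are separate questions that
the number alone cannot answer.  Issuer records below are constructed.
"""

def luhn_valid(number: str) -> bool:
    """Return True when the digit string passes the Luhn mod-10 check."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# Constructed issuer-side records.  A format check never sees these fields;
# the numbers are the common publicly documented test numbers, not real cards.
CONSTRUCTED_ISSUER_RECORDS = {
    "4111111111111111": {"holder": "A. Parent", "status": "open"},
    "5500000000000004": {"holder": "B. Former", "status": "closed"},
}

def assess_entry(card: str, records=CONSTRUCTED_ISSUER_RECORDS) -> dict:
    """Report what each layer of checking can and cannot establish.

    format_ok      -- the only thing a site checking Luhn alone learns
    account_open   -- needs an issuer lookup, not derivable from the number
    identity_proven -- never true from a number alone: knowing a number
                       proves nothing about who the entrant is or their age
    """
    format_ok = luhn_valid(card)
    rec = records.get(card) if format_ok else None
    return {
        "format_ok": format_ok,
        "account_open": bool(rec) and rec["status"] == "open",
        "identity_proven": False,
    }
```

A site that gates "adult" access on `format_ok` alone accepts the closed-account number above exactly as the post reports; even an issuer lookup only moves `account_open` to true and leaves `identity_proven` false.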

------------------------------

Date:    Sat, 20 Feb 1999 15:01:54 -0500
From:    Dave Banisar <banisar@epic.org>
Subject: Announcement: CFP 99 April 6-8, Washington, DC

     [Circulate until March 15, 1999]

            Register now for the cyber event of the year:


         C                COMPUTERS, FREEDOM, AND PRIVACY
         F                      THE GLOBAL INTERNET
         P
         9                         WASHINGTON, DC
         9                      Omni Shoreham Hotel
         .                        April 6-8, 1999
         O
         R
         G

       For almost a decade, the conference on Computers, Freedom and
       Privacy has shaped the public debate on the future
       of privacy and freedom in the online world. Register now for the
       number one Internet policy conference. Join a diverse audience from
       government, industry, academics, the non-profit sector, the hacker
       community and the media. Enjoy the U.S. Capital in the Spring at one
       of Washington's premier hotels.

         *     Keynote speakers include Tim Berners-Lee (Director, World Wide
               Web Consortium), Vint Cerf (President, Internet Society),
               Congressman Ed Markey (sponsor of "The Electronic Bill of
               Rights Act"), Congressman Ron Paul (sponsor of the Freedom and
               Privacy Restoration Act), Henrikas Yushkiavitshus (Associate
               Director, UNESCO)

         *     Lively and thought-provoking panels on -- "the Creation of a
               Global Surveillance Network," "Access and Equity on the Global
               Internet," "Anonymity and Identity in Cyberspace," "Free
               Speech and Cyber Censorship," "Is Escrow Dead? And what is
               Wassenaar?", "Self-Regulation Reconsidered" and more

         *     Tutorials -- "The Electronic Communications Privacy Act" (Mark
               Eckenwiler); "Cryptography: Basic Overview & Nontraditional
               Uses" (Matt Blaze and Phil Zimmermann), "Free Speech, The
               Constitution and Privacy in Cyberspace" (Mike Godwin),
               "Techniques for Circumventing Internet Censorship" (Bennett
               Haselton and Brian Ristuccia)

         Early Registration Deadline - March 15, 1999
         --------------------------------------------

       Register on-line at http://www.regmaster.com/cfp99.html or call +1 407
       628 3602.  Registration inquiries may also be sent to
       mann@regmaster.com.

               - Mark the dates - April 6-8, 1999

               - Note the place - Washington, DC

               - Make your hotel reservations.

               See you at CFP99.

       For more information about CFP99, visit http://www.cfp99.org/ or call
       +1 401 628 3186

            Sponsored by the Association for Computing Machinery

  -------
David Banisar (Banisar@epic.org)                *    202-544-9240 (tel)
Electronic Privacy Information Center           *    202-547-5482 (fax)
666 Pennsylvania Ave, SE, Suite 301             *    HTTP://www.epic.org
Washington, DC 20003 * PGP Key 
http://www.epic.org/staff/banisar/key.html              

------------------------------

End of PRIVACY Forum Digest 08.04
************************


Copyright © 2005 Vortex Technology. All Rights Reserved.