PRIVACY Forum Archive Document

PRIVACY Forum Home Page

PFIR - "People For Internet Responsibility" Home Page

Vortex Technology Home Page

PRIVACY Forum Digest      Sunday, 21 March 1999      Volume 08 : Issue 05

            Moderated by Lauren Weinstein (         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                       ===== PRIVACY FORUM =====              

                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
                 Cable & Wireless USA, Cisco Systems, Inc., 
                           and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.

        Digital signature capture (Phil Agre)
        Re: GAO Report on Govt/Comm Use of SSN (Quentin Fennessy)
        New, More-Secure U.S. Passport (Monty Solomon)
        CA bill [via PrivacyExchange] (Peter Marshall)
        DataGlyphs: Hiding a serial number when printing (Tom Robinson)
        Required registration of computer programs (E. Baker)
        Call for Papers: CQRE (Detlef)
        ACLU Launches New Web Site: Defend Your Data (Jessica Botta)
        1999 Privacy Intl Big Brother Awards USA Nominations
           (Privacy International)
        "Privacy in Cyberspace" Lecture Series (Jocelyn R. Dabeau)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"".  Mailing list problems should be reported to

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the list server system.  Please follow the instructions above
for getting the list server  "help" information, which includes details
regarding the "index" and "get" list server commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "";
full keyword searching of all PRIVACY Forum files is available via
WWW access.


     Quote for the day:
        "I believe everything, and I believe nothing."

               Inspector Jacques Clouseau (Peter Sellers)
               "A Shot in the Dark" (United Artists; 1964)


Date:    Mon, 22 Feb 1999 22:39:58 -0800 (PST)
From:    Phil Agre <>
Subject: digital signature capture

Last week I made a purchase at Macy's department store in Los Angeles.
As I handed over my Visa card, I noticed a device for digitally
capturing signatures.  Although such devices have come and gone for
years, this one was not familiar.  As the guy at the cash register
put the charge slip on the device, I said, as nonconfrontationally
as I could, "I'm not signing on that machine. I can sign a piece of
paper if you like."  He did not seem surprised by this, or more than
a little bit put out.  He simply unplugged the device, voided the sale,
and rang it up again, whereupon the cash register generated a standard
charge slip, which I signed.  (Another casher said in a low voice,
as if reminding him of something he already knew, "you're supposed to
call security before you do that".)  Everything suggested that mine
was not the first objection of the day.  When I got home, I found a
yellow slip of paper in the bag with the merchandise.  Here is its
complete text, indented, with my comments.

  Macy's continues to look for innovative ways to protect our
  customers from fraudulent use of their credit cards.  You may be

  Q. What happens to my signature after I've signed?
  A. It is stored in a secure unreadable format on another computer.
  Store associates have no access to it once you have signed.

The first sentence of this reply is quite unclear.  If the format is
unreadable, why store it?  I know that passwords are often stored in
encrypted form, since future passwords can be verified by encrypting
them as well and comparing them to the stored password.  But this
would never work signatures, which are too variable.  I would thus
conjecture that they don't really mean what they've said.

  Q. Do I have to sign on the pad?
  A. Yes, we require all credit card transactions to have customer
  signatures attached to them.

This answer is misleading.  You do have to sign, but not on the pad,
as my experience demonstrated.  This misleading answer is already
enough to undermine my trust in the test.

  Q. What happens if I have an inquiry about my credit card bill
  (wrong amount, etc)?
  A. As always, Macy's charge card customers should call our Customer
  Service Department, 1-800-659-6229.  For other credit cards please
  contact the issuer for assistance.

  Thank you for helping us test this new technology!

The point of my message is not the technology as such.  I haven't
talked to the Macy's people about the new device, so I don't know
what's really new and how digitizing my signature in an unreadable
format is supposed to prevent credit card fraud.  The point, rather,
is the misleading and confusing way that Macy's is explaining the
technology to its customers.

Phil Agre

        [ We've discussed these systems here in the PRIVACY Forum Digest in
          the past, but they continue to be a topic of frequent inquiries
          and concerns, for the sorts of reasons that Phil mentions.  While
          the ostensible purpose for these signature capture systems is to
          reduce credit card fraud, it's clear that many customers are
          choosing to sign the paper slips but refusing (one way or another)
          to allow their signatures to be transferred into the capture
          devices, as evidenced by many cashiers' reported lack of surprise
          or concern at this attitude.

                -- PRIVACY Forum Moderator ]

Date:    Sat, 20 Feb 1999 15:45:27 -0600
From:    Quentin Fennessy <>
Subject: Re: GAO Report on Govt/Comm Use of SSN

The GAO article "Social Security: Government and Commercial 
Use of the Social Security Number Is Widespread" is available
on the web at:

Thanks for providing an excellent publication.

Quentin Fennessy


Date:    Sun, 14 Mar 1999 12:19:37 -0500
From:    Monty Solomon <monty@roscom.COM>
Subject: New, More-Secure U.S. Passport

U.S. Department of State
Office of the Spokesman

For Immediate Release

November 18, 1998


The State Department Issues A New, More-Secure U.S. Passport Featuring 
Digitized Imaging

On November 16, the State Department introduced a new U.S. passport 
featuring a digitized photograph and data page. The first one was issued 
at the National Passport Center in Portsmouth, NH. This represents the 
most important improvement in passport technology in 17 years. This 
innovation vastly enhances the security of the passport. Having a 
computer-generated image of the bearer in the passport makes it much less 
vulnerable to photo-substitution. (Photo-substitution is an illegal 
technique used to replace the picture of the legitimate bearer with that 
of an impostor.) Identity fraud is considered one of the fastest growing 
types of crimes perpetrated on innocent victims each year.


Date:    Thu, 11 Mar 1999 19:58:55 -0800
From:    Peter Marshall <>
Subject: CA bill [via PrivacyExchange]

CA Bill Would Restrict Use Of Personal Information

State Senator Steve Peace has introduced a bill in California, SB 129,
that would prohibit collection, use, and disclosure of any type of
personally-identifiable information without the consent of the record
subject. The "Personal Information and Privacy Act of 1999" would
require organizations to "inform individuals about the type of
information it collects, how it collects the information, the purposes
for which the information is collected, the types of organizations to
which the information is disclosed, and the choices and means the
organization offers individuals to limit the use and disclosure of the
information." A privacy ombudsman would be appointed to accept
complaints about organizations from private citizens. Industry experts
believe SB 129 may be the most important state bill facing businesses
this year; if the bill passes in California, it would dramatically
change everyday business information practices and possibly lead other
states to enact similar legislation. Peace, a Democrat from the San
Diego area, has been able to enact tough privacy measures in the past --
including a statute limiting access to criminal histories -- and last
year organized a legislative task force that developed fair information
principles for California. February 15, 1999.

A copy of proposed Personal Information and Privacy Act of 1999 may be
found at:


Date:    Wed, 17 Mar 1999 16:43:58 +1300
From:    Tom Robinson <>
Subject: DataGlyphs:  Hiding a serial number when printing

Xerox are marketing a technology which allows a hidden serial number to be
encoded on a printed page.  This has obvious implications for "anonymous"
surveys and the like.

There's a page from Xerox explaining their new "DataGlyph" technology at

        [ The technology actually allows for essentially any information
          to be encoded in a very compact and innocuous manner.

                -- PRIVACY Forum Moderator ]


Date:    Fri, 19 Mar 1999 19:32:50 -0500
From:    "E. Baker" <>
Subject: Required registration of computer programs

Caere Corporation's Omniform 3.0 (which costs approx. $150) provides
only a limited number of uses (even though you paid for the full
program) unless you call them or register on their web site.

Unless you block your outgoing phone number they can track your phone
number if you call in.

Registry via the internet requires that you provide a home address to
receive the unlocking code via mail or an e-mail address (in addition)
to receive the code faster.

In addition, EACH time you install the program you must reregister it
because the original code will not work.

I appreciate the effort to limit unauthorized use of the program, but I,
as a lawful consumer, have rights too.  This is an invasion of privacy.

        [ Given rampant software piracy (over the Internet and via other
          means), the desire for software publishers to try find means to
          better control their product is at least understandable.  The
          question is to what extent such registration techniques are, or
          are not, appropriate or effective means to this end.  Of course,
          persons who would legitimately obtain and use such software can
          vote on such systems via their wallet and their purchase
          decisions--which ultimately are likely to have the most impact on
          software manufacturers' decisions in this regard.

                -- PRIVACY Forum Moderator ]


Date:    Mon, 08 Mar 1999 08:10:05 +0000
From:    "Detlef =?iso-8859-1?Q?H=FChnlein?=" <>
Subject: Call for Papers: CQRE

                     Call for Papers
            CQRE [Secure] Congress & Exhibition
       Duesseldorf, Germany, Nov. 30 - Dec. 2 1999
provides a new international forum covering most aspects of
information security with a special focus to the role of
information security in the context of rapidly evolving economic
Deadline for submission of extended abstracts: May 14, 1999
mailing-list: send =

(where the subject is "subscribe" without parenthesis)

The "CQRE - secure networking" provides a new international
forum giving a close-up view on information security in the context
of rapidly evolving economic processes. The unprecedented
reliance on computer technology transformed the previous technical
side- issue "information security'' to a management problem
requiring decisions of strategic importance. Hence, the targeted
audience represents decision makers from government, industry,
commercial, and academic communities. If you are developing
solutions to problems relating to the protection of your country's
information infrastructure or a commercial enterprise, consider
submitting a paper to the "CQRE - secure networking" conference.

We are looking for papers and panel discussions covering:
 electronic commerce
 - new business processes
 - secure business transactions
 - online merchandising
 - electronic payment / banking
 - innovative applications

 network security
 - virtual private networks
 - security aspects in internet utilization
 - security aspects in multimedia-
- intrusion detection systems

 legal aspects
 - digital signatures acts
 - privacy and anonymity
 - crypto regulation
 - liability

 corporate security
 - access control
 - secure teleworking
 - enterprise key management
 - IT-audit
 - risk / disaster management
 - security awareness and training
 - implementation, accreditation, and
   operation of secure systems in a
   government, business, or industry

 security technology
 - cryptography
 - public key infrastructures
 - chip card technology
 - biometrics

 trust management
 - evaluation of products and systems
 - international harmonization of security
   evaluation criterias
 future perspectives

Any other contribution addressing the involvement of IT security in
economic processes will be welcome. Authors are invited to submit
an extended abstract of their contribution to the program chair.
The submissions should be original research results, survey
articles or ``high quality'' case studies and position papers.
Product advertisements are welcome for presentation, but will not
be considered for the proceedings. Manuscripts must be in English,
and not more than 2.000 words. The extended abstracts should be in
a form suitable for anonymous review, with no author names,
affiliations, acknowledgments or obvious references. Contributions
must not be submitted in parallel to any conference or workshop
that has proceedings. Separately, an abstract of the paper with no
more than 200 words and with title, name and addresses (incl. an
E-mail address) of the authors shall be submitted. In the case of
multiple authors the contacting author must be clearly identified.
We strongly encourage electronic submission in Postscript format.
The submissions must be in 11pt format, use standard fonts or
include the necessary fonts. Proposals for panel discussions should
also be sent to the program chair. Panels of interest include those
that present alternative/controversial viewpoints or those that
encourage lively discussions of relevant issues. Panels that are
collections of unrefereed papers will not be considered. Panel
proposals should be a minimum of one page describing the subject
matter, the appropriateness of the panel for this conference and
should identify participants and their respective viewpoints.

mailing list/ web-site:
If you want to receive emails with subsequent Call for Papers and
registration information, please send a brief mail to You will find this call for papers and further
information at .

important dates:
deadline for submission of extended abstracts May 14, 1999
deadline for submission of panel proposals    June 1, 1999
notification of acceptance                   June 25, 1999
deadline for submission of complete papers   July 30, 1999

program chair:
secunet - Security Networks GmbH
c/o Rainer Baumgart 

Weidenauer Str. 223 - 225
57076 Siegen
Tel.: +49-271-48950-15
Fax:  +49-271-48950-50

program committee:
Johannes Buchmann   (TU Darmstadt)
Dirk Fox            (Secorvo)
Walter Fumy         (Siemens)
R=FCdiger Grimm     (GMD)
Helena Handschuh    (ENST/Gemplus)
Thomas Hoeren       (Uni Muenster)
Pil Joong Lee       (POSTECH)
Alfred Menezes      (U.o.Waterloo/Certicom)
David Naccache      (Gemplus)
Clifford Neumann    (USC)
Mike Reiter         (Bell Labs)
Matt Robshaw        (RSA)
Richard Schlechter  (EU-comm.)
Bruce Schneier      (Counterpane)
Tsuyoshi Takagi     (NTT)
Yiannis Tsiounis    (GTE Labs)
Michael Waidner     (IBM)
Moti Yung           (CERTCO)
Robert Zuccherato   (Entrust)


Date:    Wed, 10 Mar 1999 12:15:16 -0500
From:    Jessica Botta <>
Subject: ACLU Launches New Web Site: Defend Your Data

What They Do Know Can Hurt You!

ACLU Launches Special Web Collection On Privacy and Data Protection

Urging netizens everywhere to defend their data, the American Civil 
Liberties Union today launched a special web site to focus public 
attention on the threat to personal privacy through the collection 
and widespread distribution of personal data. 

The new web collection -- which can be found at 
<>; -- 
features several interactive elements, including:
-- A complaint form where individuals can spell out their privacy horror 
-- A tool that shows individuals just what can be learned about them on the 
-- A survey and postcard utility. 
-- Faxable letters to Congress. 
-- A discussion forum.

The web collection marks the ACLU's increasing efforts to protect 
individual privacy in America. "We clearly have our work cut out 
for us to derail what has been an endless stream of proposals that 
attack our privacy rights," said ACLU Executive Director Ira Glasser. 
"And although many believe widespread dissemination of our data 
is harmless, the ACLU believes that what they do know, can hurt us." 
Glasser pointed out that 200 years ago nearly every bit of personal 
information about an individual was kept at home, on paper, and 
stored as a personal effect. "To protect privacy of this information," 
he said, "early Americans insisted on the Fourth Amendment, 
which established the home as a person's 'castle,' inviolate against 
government searches except when warranted by a court for very 
specific and particular criminal investigations."

The Fourth Amendment still protects the privacy of our homes, but 
personal information isn't exclusively stored there anymore, Glasser 
said. Now, a wide array of personal information about each of us is 
kept electronically by others -- by medical insurers, employers, 
credit card companies, banks, phone companies and a wide range 
of government and private agencies.

"Some of these entities exist solely to sell our personal information, 
no matter how private," Glasser said. "And new technologies keep 
arising to develop, collect, store and disseminate the most private 
information about each of us, with few if any legal protections."

A leading privacy advocate, the ACLU is a nationwide, non-partisan 
organization dedicated to defending and preserving the Bill of Rights 
for all individuals through litigation, legislation and public education. 
Headquartered in New York City, the ACLU has 53 staffed affiliates 
in major cities, more than 300 chapters nationwide, and a legislative 
office in Washington. The bulk of its $35 million annual budget is 
raised by contributions from members -- 275,000 strong -- and gifts 
and grants from other individuals and foundations. The ACLU does 
not accept government funds.

The new web collection can be found at: 


Date:    Sun, 7 Mar 1999 16:56:37 -0500
From:    Privacy International <>
Subject: 1999 Privacy Intl Big Brother Awards USA Nominations

                  ********* CALL FOR NOMINATIONS *********


On April 6, 1999, the human rights group Privacy International will
present the first annual US "Big Brother" awards to the government and
private sector organizations which have done the most to invade personal
privacy in the United States.

The awards will be bestowed at an event during the 9th Computers, Freedom
and Privacy Conference in the Ballroom of the Omni Shoreham Hotel in
Washington, DC. "Big Brother" awards will be presented to the government
agencies, companies, individuals and initiatives which have done most to
invade personal privacy. A "lifetime achievement" award will also
be presented.

The judging panel, consisting of lawyers, academics, consultants,
journalists and civil liberties activists, are inviting nominations from
members of the public.

Awards will also be given to individuals and organizations that have made
an outstanding contribution to the protection of privacy.

The event will be the first of its kind in the United States. Privacy
International previously held a ceremony in the United Kingdom in October
1998. Awards were given in the UK to the NSA's spybase in northern
England, the Department of Trade and Industry's Key Escrow plan, the
township of Newham for its camera system with facial recognition,
Harlequin Corp for its WatCall software system to track phone calls, and
to Procurement Services International for exporting surveillance
equipment to such military regimes as Indonesia and Nigeria.

Privacy International (PI) was formed in 1990 as a non-government
watchdog on surveillance and privacy invasion. The organization has
campaigned throughout the world on dozens of issues ranging from identity
cards and encryption policy, to workplace surveillance and military
intelligence. PI's membership includes IT specialists, lawyers, judges
and journalists from forty countries. More information on PI can be
found at:

The awards page can be found at:

Nominations can be made directly from this site.

More information on CFP 99 can be located at:


Date:    Tue, 16 Mar 1999 00:05:26 -0500
From:    "Jocelyn R. Dabeau" <>
Subject: "Privacy in Cyberspace" Lecture Series

For immediate release:


Cambridge, MA.-- The Berkman Center for Internet & Society at Harvard Law
School invites the public to register for "Privacy in Cyberspace," a free
Online Lecture and Discussion Series open to participants worldwide.

The series, led by Professor Arthur Miller, will consider how the Internet
and related technologies reframe traditional privacy concerns and the
control users have over their personal information online.  Discussion will
often spring from events in the news, such as the controversy over Intel's
Pentium III serial numbers and the $104 million jury verdict against the
website for detailed personal information on doctors who performed
abortions.  Topics will also include browser data trails and "cookies,"
medical privacy, cross-border issues raised by the European Data Privacy
Act, and Internet privacy in the workplace.

The series follows the Berkman Center's entrepreneurial research method of
studying cyberspace by building within it.  In addition to real-time chat
and threaded discussion modules, we will be using software developed by the
Center to facilitate the exchange of ideas among series participants.  Each
week will begin with a hypothetical situation described by Professor Miller
in the Socratic method he uses in the Law School classroom.  Participants
will be challenged to ask questions and offer their own analyses in
discussions moderated by the course's Teaching Fellows. They will also be
asked to respond to their classmates' analyses in software-directed
conversations.  At the conclusion of each lesson, Professor Miller will
engage in a real-time chat with participants and invited guests.

The Series begins on the 15th of March and lasts for 8 weeks.

Apply to "Privacy in Cyberspace" at:

Additional information on all of the Harvard Law School Online Lecture and
Discussion Series can be found at the Center's Web Site:

Please note that this offering is not a Harvard Law School course.
Therefore, do not direct inquiries to the Harvard Law School Registrar's
office; they will be unable to assist you.  Please direct press inquiries
to Donna Wentworth at 617.496.0747.

Jocelyn R. Dabeau
Teaching Fellow
Berkman Center for Internet & Society
Harvard Law School


End of PRIVACY Forum Digest 08.05

PRIVACY Forum Home Page

Vortex Technology Home Page

Copyright © 2005 Vortex Technology. All Rights Reserved.