PRIVACY Forum Archive Document
PRIVACY Forum Digest Saturday, 19 June 1999 Volume 08 : Issue 09 Moderated by Lauren Weinstein (firstname.lastname@example.org) Vortex Technology, Woodland Hills, CA, U.S.A. http://www.vortex.com ===== PRIVACY FORUM ===== ------------------------------------------------------------------- The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, Cable & Wireless USA, Cisco Systems, Inc., and Telos Systems. - - - These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum. ------------------------------------------------------------------- CONTENTS Intuit/Quicken Force Users to Internet & MS Internet Explorer (Lauren Weinstein; PRIVACY Forum Moderator) DoubleClick & Abacus: Double Trouble? (Lauren Weinstein; PRIVACY Forum Moderator) AT&T Privacy "Study" (Russ Smith) Sensitive DMV data still for sale in SC despite new law (Robert Biggerstaff) Re: "Decoding Developments in Iceland" (Michael Bacon) Re: Euthanasia/Kevorkian (Bob Rahe) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. All submissions should be addressed to "email@example.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are via an automatic list server system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "firstname.lastname@example.org". Mailing list problems should be reported to "email@example.com". All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the list server system. Please follow the instructions above for getting the list server "help" information, which includes details regarding the "index" and "get" list server commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com/". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access. ----------------------------------------------------------------------------- VOLUME 08, ISSUE 09 Quote for the day: "You've surrounded yourself with a bunch of weirdos!" -- Dolores Fuller (Sarah Jessica Parker) "Ed Wood" (Touchstone; 1994) ---------------------------------------------------------------------- Date: Sat, 19 Jun 99 09:46 PDT From: firstname.lastname@example.org (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Intuit/Quicken Force Users to Internet & MS Internet Explorer Greetings. Just as the banking industry in the U.S. has been issuing concerns about the security of Internet and Web-based banking systems, one of the biggest players in the online banking industry, Intuit, makers of Quicken, have quietly moved to force all of their users onto the Internet for all online banking services, and in some cases are requiring the use of Microsoft's Internet Explorer instead of other browsers such as Netscape Navigator. Catherine Allen, chief executive of the Banking Industry Technology Secretariat, a division of Bankers Roundtable, recently said, "The banks feel that firewalls and what they have internally is in great shape, but the link is to the consumer and PC environments [where they find security more suspect]." While newer versions of Quicken software have apparently been Internet-based for some time, many users had opted to stay with older versions since they used direct dialup lines for communications, and did not rely on Microsoft's Internet Explorer. However, Intuit (and/or in some cases users' banks) over the last two months or so have been sending out a somewhat confusing series of letters, informing these users that their versions of Quicken are not "Y2K" compliant, and that they must upgrade by designated nearby dates (e.g. June 30, 1999) or lose their online banking access. Some materials simply suggested that certain features (such as pre-scheduled bill payments) would have problems past Jan 1 2000--other materials claimed a total cutoff of services to non-upgraded users. Sometimes the same letter seemed to make both statements. Intuit and/or user banks made a number of options available, including a free minimalist downloadable upgrade and various payment-based enhanced upgrades. However, the fine print of these offers (sometimes buried at the end of the letters) indicated that all access would be via the Internet for these new versions. Arrangements for limited free Internet access would be available to those who didn't already have an Internet Service Provider, the letters suggested. I spent a couple of weeks clarifying this whole situation with Intuit and their public relations firm through a lengthy series of phone calls. While it wasn't difficult reaching Intuit's public relations folks, getting to people who could answer technical questions at this level was a bit more of an effort. However, everyone involved was polite and willing to address my questions in a direct manner to the extent that they could. The bottom line is that all users of older Quicken software do need to upgrade and will be using the Internet for all future transactions. There will be limited free Internet access available for Quicken transactional use (I believe an hour a month, which would be sufficient for this purpose) for people who need the service. It is a bit unclear how long this free access would be available--one person suggested indefinitely, but this does not appear to be a guarantee. I'm told that existing users doing the minimalist upgrade from older Quicken versions (e.g. Version 5 for Windows) will not need to install or use Internet Explorer (IE) for most online operations. Users of the more sophisticated upgrades may be required to use IE for more functions, and all new users of Quicken will be required to install and use IE for secure signup--Intuit claims that Netscape doesn't have the "required" functionality for this purpose. I'm also told that the "standard" installation option of many or all of these new Quicken versions will install IE by default. This means that if you do not want an IE installation (and if you're in a category of existing user that doesn't need it) you would probably have to disable the IE installation via the "custom" installation options of the Quicken setup program. This could be particularly important to users who may be concerned about losing existing associations and defaults for any other web browser already installed (which may be affected by an IE installation), or where security concerns over IE's ActiveX functions and other related system complexities are present. I have in the past expressed other concerns with Quicken. A continuing problem is that if online banking transactions are not downloaded at frequent enough (unannounced) intervals, transactions will be silently lost and all related calculations and records from that point onward will be in error unless manually corrected. Intuit's response to this issue continues to be suggesting that users have paper records to fix such problems, and that most users access their data frequently enough that it isn't an issue for them. Frankly, I would argue that this rather negates much of the point of using the software in the first place, if you can't trust the transaction record, even if relatively few people might be affected by this particular undocumented problem! I did by the way again suggest (this time to a Quicken product manager) that users at least be warned when transactions have been lost--they again said they'd consider it... So, if you're a Quicken user, and you've recently been told you need to upgrade due to that mean old Y2K monster, you're not alone if the situation seemed a bit confusing based on the materials you received in the mail. --Lauren-- Lauren Weinstein Moderator, PRIVACY Forum --- http://www.vortex.com Host, "Vortex Daily Reality Report & Unreality Trivia Quiz" --- http://www.vortex.com/reality ------------------------------ Date: Sat, 19 Jun 99 09:46 PDT From: email@example.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: DoubleClick & Abacus: Double Trouble? Greetings. One of the recurring responses to concerns over corporate collection of personal information is that "the detailed information is only used internally and not provided to outsiders except in aggregate form"--or words to that effect. But as is often pointed out, corporate policies and structures can change, and when they do, the effects can be decidedly significant. The latest dramatic example is provided by our old friend DoubleClick, Inc., who is seeking to buy out catalog database operator Abacus Direct for over $800 million in stock. Regular readers may recall DoubleClick's previous appearances here in the PRIVACY Forum Digest and my past discussion with DoubleClick's president [ http://www.vortex.com/privacy/priv.07.11 ]. To quote DoubleClick's chief financial officer, Stephen Collins, regarding the Abacus deal: "Abacus is an incredibly dominant company in their market, because they've crushed all the competition." Apparently true--since they reportedly control about 85 percent of the market, with about 2 billion catalog transactions stored in the Abacus database. The possibility of merging that data on the offline buying behavior of consumers with the online data from DoubleClick's own massive databases has been enough to trigger calls to the Federal Trade Commission to block the sale. If nothing else, this story provides a vivid example of why mere compartmentalization of customer data may often not be enough. In many cases, one must question the wisdom of even collecting much of this information in the first place, regardless of the intended uses at the time. --Lauren-- Lauren Weinstein Moderator, PRIVACY Forum --- http://www.vortex.com Host, "Vortex Daily Reality Report & Unreality Trivia Quiz" --- http://www.vortex.com/reality ------------------------------ Date: Sun, 30 May 1999 00:07:22 -0400 From: "Russ Smith" <firstname.lastname@example.org> Subject: AT&T Privacy "Study" I don't think too much should be concluded from studies such as this. A review of some of the methodology and conclusions indicate it is not a serious study but rather an anecdotal discussion. One excerpt: "The sample was drawn from the FamilyPC magazine/Digital Research, Inc. Family Panel. While this is not a statistically representative sample of US Internet users, our respondents are heavy Internet users, and quite possibly lead innovators. As such, we believe that this sample is important for understanding the future Internet user population." These conclusions are tenuous at best and border on ridiculous. Another excerpt: "Prospective survey participants were selected from the Digital Research, Inc. (DRI) Family Panel. The DRI Family Panel is a group of Internet users that evaluates products and responds to surveys for FamilyPC magazine. Approximately one-third of the panel members are FamilyPC subscribers, and most of the panel members who are not subscribers joined the panel after visiting the FamilyPC Web site. Invitations to complete a Web-based survey were emailed to 1,500 Family Panel members (selected randomly, but weighted so that approximately 20% were sent to members outside the US), resulting in 523 surveys completed between November 6 and November 23, 1998 -- a response rate of 35%. Code numbers were used to ensure that each respondent filled out the survey only once, and a sweepstakes was offered to encourage participation." Since the response to these surveys is only 35% and it seems clear to me that whether a person would fill in such a survey would be strongly correlated to their privacy concerns, then this would bias the results. There is not even a discussion of this bias nor is there an estimate of what this bias would be and how it would effect the overall error. Only the random error is reported. A final excerpt puts everything in perspective: "Finally, we believe that a few technical and policy implications can be drawn from our work. As the software engineering community attempts to implement the Platform for Privacy Preferences (P3P) and similar privacy protocols..." The authors are involved in the P3P program which is on hold because of patent issues. The P3P has been incorrectly touted as a "privacy tool" or protocol. In fact, P3P is a data transfer standard. While P3P may be good or bad for a variety of reasons the overall effect will be to transfer more information due to standard formats rather than reduce the amount of information transferred. In addition, BBBonline has been using the results of this "study" to promote their seal program and I suspect TRUSTe will be doing the same thing. It is also interesting to note that many of the references used for this report came from a report written by a TRUSTe official. Russ Smith http://consumer.net ------------------------------ Date: Mon, 31 May 1999 11:25:25 PDT From: email@example.com (Robert Biggerstaff) Subject: Sensitive DMV data still for sale in SC despite new law The Governor [of South Carolina] signed Senate Bill 620 last week, which places some restrictions on release and use of some pieces of information from driver's license records, and it is hailed as a solution to the privacy problem in this state. This bill is a small step forward, but it is only a first step... there are many more that must follow. The worst thing that could happen is for legislators and the people they represent to consider the privacy problem solved, and then fail to take the additional steps toward a comprehensive solution. This bill has many shortcomings that must be addressed in the future. 1. The bill only applies to height, weight, race, photograph, social security number, and signature. It does not address three of the four most sensitive pieces of personal information. While restricting release of social security numbers, it does not protect a person's name, home address, date of birth, and driver's license number. Stalkers can still get the records to track down their victims. Direct marketers can still get this sensitive information to sell at will to third parties. Name, address, and date of birth is all that is needed by a criminal to commit identity theft or to obtain someone's credit report. This same information is all fraud artists need to find elderly women living alone in order to target them for telemarketing scams. 2. The bill only applies to driver's license records. It ignores many, many other similar records that the state also sells such as voter registration records, motor vehicle registration and license tag records, property records, recreational licenses such as hunting and fishing licenses, and student enrollment records from state schools. 3. The bill only applies to the Department of Public Safety. Any other agency, such as the Department of Revenue or a county government still has unrestricted access to the records, and can release the information at will. 4. The bill provides no enforcement mechanism or penalty. The citizen should be provided the right to sue anyone who violates this law by obtaining or releasing that citizen's driver's license information. Providing $5,000 in minimum statutory damages plus attorney fees will put teeth into this statute and ensure that violators will not be able to simply ignore the law. The state should not be in the business of building databases of personal information for sale to direct marketers, information brokers, and snoops. There should be a blanket prohibition on the release of any personal information, including name, address, and date of birth, from state records for commercial use, solicitation, or resale. The sale of drivers license data to Image Data was only the tip of the iceberg. Many companies and information brokers buy the entire DMV database of name, address, and birthdate every year, and then sell that information over the Internet. This bill will not end that practice. A few months ago, Governor Hodges said "We need to protect our images, addresses and medical records from being sold to the highest bidder." They have addressed our images... now where is the legislation to protect addresses and medical records? The Freedom of Information advocates decry this statute... but the FOIA is about freedom of information about what the government is up to, not about exposing every scrap of personal information to snoops and crooks. "When the subject of [a record] is a private citizen and when the information is in the Government's control as a compilation, rather than as a record of "what the Government is up to," the privacy interest protected by [the Privacy Act] is in fact at its apex while the FOIA-based public interest in disclosure is at its nadir." US Supreme Court in _U.S. Dept. Of Justice v. Reporters Committee_, 489 U.S. 749 (1989). [ California's new Governor Davis recently suspended a plan, that had apparently been championed by an appointee of the previous Governor, to begin selling financial data relating to California residents to private firms. While the issue is now under study, a spokesman for the Governor said that it was highly unlikely that the plan would move forward in any case. -- PRIVACY Forum Moderator ] ------------------------------ Date: Wed, 2 Jun 1999 12:13:42 +0100 From: Michael Bacon <streaky_Bacon@email.msn.com> Subject: Re: "Decoding Developments in Iceland" One can understand the commercial drivers for this (grant of a 12-year license to deCODE Genetics Inc giving them exclusive access to Iceland's entire health care database) as Iceland has probably the best established genome database in the world. The population is small and tissue from operations has been kept since 1948 (so I understand). At the Iceland Computer Society Conference (keynote speech given by one of my then UK colleagues) in 1997 access to this database was hotly debated (in Icelandic!). The Icelandic 'data protection registrar' appeared to be strongly against increasing access even to local researchers and even suggested that those given access should be subject to psychological testing - so concerned was he about potential abuses. This new development appears to fly in the face of the registrar's concerns and I wonder what he had to say about it. Michael (Streaky) Bacon ------------------------------ Date: Tue, 1 Jun 1999 15:40:46 EDT From: firstname.lastname@example.org (Bob Rahe) Subject: Re: Euthanasia/Kevorkian In Privacy Digest V8#8 Mark Hull-Richter <email@example.com> writes: >This is exactly one of the biggest problems with the so-called >"Pro-Life" movement and the attitude of all of its adherents. They >claim the right to dictate to others (us, women in particular) that all >"conceptions" be protected all the way through birth, and not for one >second thereafter, even at the expense of the life of the mother. This is a grievous misstatement of any Pro-life (without quotes) position I've ever seen. The Pro-life position definitely does NOT claim to stop protection of a life one second after birth. Just the opposite; they seek to protect life at ALL stages, from pre-birth thru birth and up until a natural death. (Including, in most pro-life positions, the attempt to ban capital punishment.) To claim otherwise is pure misstatement of the opposing argument. ... >While I do not approve of abortion per se, I believe that the state of >child abuse and molestation in this country is totally unacceptable. >Until we are prepared to ensure that all births are "wanted," and that >even those which start out as wanted but degenerate into the unwanted >category will be fostered and cared for in a loving, nurturing home, it >is the absolute and overriding burden on our legislative bodies to >abstain from the process altogether. Until legislation can be adopted This is a preposterous and illogical position. Where does the requirement of 'wantedness' or 'safety' come from? The logical conclusion of this position is that we turn the situation on its head and require forced abortions unless it can be show the child will be wanted, loved and safe from molestation. The Chinese are showing us, with their forced abortion practices, where this might lead. >to ensure the safe and secure raising of all of society's children into >mature adults, legislation restricting the rights of mothers to decide >whether to bear children or not is at least abhorrent, if not >unthinkable. Again, preposterous. What is next? Licensing of parents? Maybe the the all knowing legislature can also provide for the 'proper' and 'safe' raising of these children also? And just how/what legislation could be adopted that can ensure the safe and secure raising of all of these children? The argument degenerates into a better-dead-than-unwanted argument with the unwantee getting to decide the fate of the unwanted. There are huge numbers of 'unwanted' children out there who are now adults, some actual survivors of abortion. Maybe it's THEM we should ask. Maybe it's THEIR privacy and their life that is at stake. Couldn't Jeffrey Dahmer have invoked HIS right to privacy? >We need to destroy the cycle of abuse and/or neglect that leads to >tragedies involving children, whether by accident or design. I agree. But I DON'T agree that would should murder those who may not fit into your nice little niche until that happens. >Perhaps it is time we pushed Congress to pass an explicit Right to >Privacy amendment to the Constitution. It's certainly more important an >issue than whether or not we have the right to burn a piece of cloth in >public, just because it happens to be striped and starred appropriately. Bringing up a good point. Since we obviously rank rights, and usually give the right to life top billing over liberty and happiness, shouldn't we also be ranking the right to life higher than the right to privacy? Isn't my right to life more important than your right to speech - or flag burning? -- Bob Rahe, Delaware Tech&Comm Coll. Computer Center, Dover, Delaware Internet: firstname.lastname@example.org ------------------------------ End of PRIVACY Forum Digest 08.09 ************************
Vortex Technology Home Page
Copyright © 2005 Vortex Technology. All Rights Reserved.