PRIVACY Forum Archive Document


PRIVACY Forum Digest      Saturday, 19 June 1999      Volume 08 : Issue 09

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                         http://www.vortex.com 
        
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
                 Cable & Wireless USA, Cisco Systems, Inc., 
                           and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
        Intuit/Quicken Force Users to Internet & MS Internet Explorer
           (Lauren Weinstein; PRIVACY Forum Moderator)
        DoubleClick & Abacus: Double Trouble?
           (Lauren Weinstein; PRIVACY Forum Moderator)
        AT&T Privacy "Study" (Russ Smith)
        Sensitive DMV data still for sale in SC despite new law
           (Robert Biggerstaff)
        Re: "Decoding Developments in Iceland" (Michael Bacon)
        Re: Euthanasia/Kevorkian (Bob Rahe)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the list server system.  Please follow the instructions above
for getting the list server  "help" information, which includes details
regarding the "index" and "get" list server commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 08, ISSUE 09

     Quote for the day:
         
        "You've surrounded yourself with a bunch of weirdos!"

                -- Dolores Fuller (Sarah Jessica Parker)
                   "Ed Wood" (Touchstone; 1994)

----------------------------------------------------------------------

Date:    Sat, 19 Jun 99 09:46 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Intuit/Quicken Force Users to Internet & MS Internet Explorer

Greetings.  Just as the banking industry in the U.S. has been issuing
concerns about the security of Internet and Web-based banking systems, one
of the biggest players in the online banking industry, Intuit, makers of
Quicken, have quietly moved to force all of their users onto the Internet
for all online banking services, and in some cases are requiring the
use of Microsoft's Internet Explorer instead of other browsers such
as Netscape Navigator.

Catherine Allen, chief executive of the Banking Industry Technology
Secretariat, a division of Bankers Roundtable, recently said, "The banks
feel that firewalls and what they have internally is in great shape, but the
link is to the consumer and PC environments [where they find security more
suspect]." 

While newer versions of Quicken software have apparently been Internet-based
for some time, many users had opted to stay with older versions since they
used direct dialup lines for communications, and did not rely on Microsoft's
Internet Explorer.

However, Intuit (and/or in some cases users' banks) over the last two months
or so have been sending out a somewhat confusing series of letters, informing
these users that their versions of Quicken are not "Y2K" compliant, and that
they must upgrade by designated nearby dates (e.g. June 30, 1999) or lose
their online banking access.  Some materials simply suggested that certain
features (such as pre-scheduled bill payments) would have problems past 
Jan 1 2000--other materials claimed a total cutoff of services to 
non-upgraded users.  Sometimes the same letter seemed to make 
both statements.

Intuit and/or user banks made a number of options available, including a
free minimalist downloadable upgrade and various payment-based enhanced
upgrades.  However, the fine print of these offers (sometimes buried at the
end of the letters) indicated that all access would be via the Internet for
these new versions.  Arrangements for limited free Internet access would be
available to those who didn't already have an Internet Service Provider, the
letters suggested.

I spent a couple of weeks clarifying this whole situation with Intuit and
their public relations firm through a lengthy series of phone calls.  While
it wasn't difficult reaching Intuit's public relations folks, getting to
people who could answer technical questions at this level was a bit more of
an effort.  However, everyone involved was polite and willing to address my
questions in a direct manner to the extent that they could.

The bottom line is that all users of older Quicken software do need to
upgrade and will be using the Internet for all future transactions.  There
will be limited free Internet access available for Quicken transactional use
(I believe an hour a month, which would be sufficient for this purpose) for
people who need the service.  It is a bit unclear how long this free access
would be available--one person suggested indefinitely, but this does not
appear to be a guarantee.

I'm told that existing users doing the minimalist upgrade from older Quicken
versions (e.g. Version 5 for Windows) will not need to install or use
Internet Explorer (IE) for most online operations.  Users of the more
sophisticated upgrades may be required to use IE for more functions, and
all new users of Quicken will be required to install and use IE for secure
signup--Intuit claims that Netscape doesn't have the "required"
functionality for this purpose.

I'm also told that the "standard" installation option of many or all of
these new Quicken versions will install IE by default.  This means that if
you do not want an IE installation (and if you're in a category of existing
user that doesn't need it) you would probably have to disable the IE
installation via the "custom" installation options of the Quicken setup
program.  This could be particularly important to users who may be concerned
about losing existing associations and defaults for any other web browser
already installed (which may be affected by an IE installation), or where
security concerns over IE's ActiveX functions and other related system
complexities are present.

I have in the past expressed other concerns with Quicken.  A continuing
problem is that if online banking transactions are not downloaded at frequent
enough (unannounced) intervals, transactions will be silently lost and all
related calculations and records from that point onward will be in error
unless manually corrected.  Intuit's response to this issue continues to be
suggesting that users have paper records to fix such problems, and that most
users access their data frequently enough that it isn't an issue for them.
Frankly, I would argue that this rather negates much of the point of using
the software in the first place, if you can't trust the transaction
record, even if relatively few people might be affected by this particular
undocumented problem!  I did by the way again suggest (this time to a
Quicken product manager) that users at least be warned when transactions
have been lost--they again said they'd consider it...

So, if you're a Quicken user, and you've recently been told you need to
upgrade due to that mean old Y2K monster, you're not alone if the situation
seemed a bit confusing based on the materials you received in the mail.

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum --- http://www.vortex.com
Host, "Vortex Daily Reality Report & Unreality Trivia Quiz"
   --- http://www.vortex.com/reality

------------------------------

Date:    Sat, 19 Jun 99 09:46 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: DoubleClick & Abacus: Double Trouble?

Greetings.  One of the recurring responses to concerns over corporate
collection of personal information is that "the detailed information is only
used internally and not provided to outsiders except in aggregate form"--or
words to that effect.  But as is often pointed out, corporate policies and
structures can change, and when they do, the effects can be decidedly
significant.

The latest dramatic example is provided by our old friend DoubleClick, Inc.,
who is seeking to buy out catalog database operator Abacus Direct for over
$800 million in stock.  Regular readers may recall DoubleClick's previous
appearances here in the PRIVACY Forum Digest and my past discussion with
DoubleClick's president [ http://www.vortex.com/privacy/priv.07.11 ].

To quote DoubleClick's chief financial officer, Stephen Collins, regarding
the Abacus deal:

   "Abacus is an incredibly dominant company in their market, 
    because they've crushed all the competition."

Apparently true--since they reportedly control about 85 percent of the
market, with about 2 billion catalog transactions stored in the Abacus
database.  The possibility of merging that data on the offline buying
behavior of consumers with the online data from DoubleClick's own massive
databases has been enough to trigger calls to the Federal Trade
Commission to block the sale.

If nothing else, this story provides a vivid example of why mere
compartmentalization of customer data may often not be enough.  In many
cases, one must question the wisdom of even collecting much of this
information in the first place, regardless of the intended uses at the time.

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum --- http://www.vortex.com
Host, "Vortex Daily Reality Report & Unreality Trivia Quiz"
   --- http://www.vortex.com/reality

------------------------------

Date:    Sun, 30 May 1999 00:07:22 -0400
From:    "Russ Smith" <russ@moon.jic.com>
Subject: AT&T Privacy "Study"

I don't think too much should be concluded from studies such as this.  
A review of some of the methodology and conclusions indicates it is not a
serious study but rather an anecdotal discussion.  One excerpt:

"The sample was drawn from the FamilyPC magazine/Digital Research, Inc.
Family Panel. While this is not a statistically representative sample of US
Internet users, our respondents are heavy Internet users, and quite possibly
lead innovators. As such, we believe that this sample is important for
understanding the future Internet user population."

These conclusions are tenuous at best and border on ridiculous.  Another
excerpt:

"Prospective survey participants were selected from the Digital Research,
Inc. (DRI) Family Panel. The DRI Family Panel is a group of Internet users
that evaluates products and responds to surveys for FamilyPC magazine.
Approximately one-third of the panel members are FamilyPC subscribers, and
most of the panel members who are not subscribers joined the panel after
visiting the FamilyPC Web site.

Invitations to complete a Web-based survey were emailed to 1,500 Family
Panel members (selected randomly, but weighted so that approximately 20%
were sent to members outside the US), resulting in 523 surveys completed
between November 6 and November 23, 1998 -- a response rate of 35%.  Code
numbers were used to ensure that each respondent filled out the survey only
once, and a sweepstakes was offered to encourage participation."

Since the response to these surveys is only 35% and it seems clear to me
that whether a person would fill in such a survey would be strongly
correlated to their privacy concerns, then this would bias the results.
There is not even a discussion of this bias nor is there an estimate of what
this bias would be and how it would affect the overall error.  Only the
random error is reported.

A final excerpt puts everything in perspective:

"Finally, we believe that a few technical and policy implications can be
drawn from our work. As the software engineering community attempts to
implement the Platform for Privacy Preferences (P3P) and similar privacy
protocols..."

The authors are involved in the P3P program which is on hold because of
patent issues.  The P3P has been incorrectly touted as a "privacy tool" or
protocol.  In fact, P3P is a data transfer standard.  While P3P may be good
or bad for a variety of reasons the overall effect will be to transfer more
information due to standard formats rather than reduce the amount of
information transferred.  In addition, BBBonline has been using the results
of this "study" to promote their seal program and I suspect TRUSTe will be
doing the same thing.  It is also interesting to note that many of the
references used for this report came from a report written by a TRUSTe
official.

Russ Smith
http://consumer.net

------------------------------

Date:    Mon, 31 May 1999 11:25:25 PDT
From:    privacy@bitsmart.com (Robert Biggerstaff)
Subject: Sensitive DMV data still for sale in SC despite new law

The Governor [of South Carolina] signed Senate Bill 620 last week, which
places some restrictions on release and use of some pieces of information
from driver's license records, and it is hailed as a solution to the privacy
problem in this state.  This bill is a small step forward, but it is only a
first step... there are many more that must follow.  The worst thing that
could happen is for legislators and the people they represent to consider
the privacy problem solved, and then fail to take the additional steps
toward a comprehensive solution.  This bill has many shortcomings that must
be addressed in the future.

1.      The bill only applies to height, weight, race, photograph, social
security number, and signature.  It does not address three of the four most
sensitive pieces of personal information.  While restricting release of
social security numbers, it does not protect a person's name, home address,
date of birth, and driver's license number.  Stalkers can still get the
records to track down their victims.  Direct marketers can still get this
sensitive information to sell at will to third parties.  Name, address, and
date of birth is all that is needed by a criminal to commit identity theft
or to obtain someone's credit report.  This same information is all fraud
artists need to find elderly women living alone in order to target them for
telemarketing scams.

2.      The bill only applies to driver's license records.  It ignores many,
many other similar records that the state also sells such as voter
registration records, motor vehicle registration and license tag records,
property records, recreational licenses such as hunting and fishing
licenses, and student enrollment records from state schools.

3.      The bill only applies to the Department of Public Safety.  Any other
agency, such as the Department of Revenue or a county government still has
unrestricted access to the records, and can release the information at will.

4.      The bill provides no enforcement mechanism or penalty.  The citizen
should be provided the right to sue anyone who violates this law by
obtaining or releasing that citizen's driver's license information.
Providing $5,000 in minimum statutory damages plus attorney fees will put
teeth into this statute and ensure that violators will not be able to simply
ignore the law.

The state should not be in the business of building databases of personal
information for sale to direct marketers, information brokers, and snoops.
There should be a blanket prohibition on the release of any personal
information, including name, address, and date of birth, from state records
for commercial use, solicitation, or resale.  The sale of driver's license
data to Image Data was only the tip of the iceberg.  Many companies and
information brokers buy the entire DMV database of name, address, and
birthdate every year, and then sell that information over the Internet.
This bill will not end that practice.  A few months ago, Governor Hodges
said "We need to protect our images, addresses and medical records from
being sold to the highest bidder."  They have addressed our images... now
where is the legislation to protect addresses and medical records?

The Freedom of Information advocates decry this statute... but the FOIA is
about freedom of information about what the government is up to, not about
exposing every scrap of personal information to snoops and crooks.

"When the subject of [a record] is a private citizen and when the
information is in the Government's control as a compilation, rather than as
a record of "what the Government is up to," the privacy interest protected
by [the Privacy Act] is in fact at its apex while the FOIA-based public
interest in disclosure is at its nadir."  US Supreme Court in _U.S. Dept. Of
Justice v. Reporters Committee_, 489 U.S. 749 (1989).

   [ California's new Governor Davis recently suspended a plan, that had
     apparently been championed by an appointee of the previous
     Governor, to begin selling financial data relating to California
     residents to private firms.  While the issue is now under study, a
     spokesman for the Governor said that it was highly unlikely that the
     plan would move forward in any case.

                -- PRIVACY Forum Moderator ]

------------------------------

Date:    Wed, 2 Jun 1999 12:13:42 +0100
From:    Michael Bacon <streaky_Bacon@email.msn.com>
Subject: Re: "Decoding Developments in Iceland"

One can understand the commercial drivers for this (grant of a 12-year 
license to deCODE Genetics Inc giving them exclusive access to Iceland's 
entire health care database) as Iceland has probably the best established 
genome database in the world.  The population is small and tissue from 
operations has been kept since 1948 (so I understand).

At the Iceland Computer Society Conference (keynote speech given by one of 
my then UK colleagues) in 1997 access to this database was hotly debated 
(in Icelandic!).  The Icelandic 'data protection registrar' appeared to be 
strongly against increasing access even to local researchers and even 
suggested that those given access should be subject to psychological 
testing - so concerned was he about potential abuses.  This new development 
appears to fly in the face of the registrar's concerns and I wonder what 
he had to say about it.

Michael (Streaky) Bacon

------------------------------

Date:    Tue, 1 Jun 1999 15:40:46 EDT
From:    bob@hobbes.dtcc.edu (Bob Rahe)
Subject: Re: Euthanasia/Kevorkian

In Privacy Digest V8#8 Mark Hull-Richter <markh@procom.com> writes:

>This is exactly one of the biggest problems with the so-called
>"Pro-Life" movement and the attitude of all of its adherents.  They
>claim the right to dictate to others (us, women in particular) that all
>"conceptions" be protected all the way through birth, and not for one
>second thereafter, even at the expense of the life of the mother.

  This is a grievous misstatement of any Pro-life (without quotes) position
I've ever seen.  The Pro-life position definitely does NOT claim to stop
protection of a life one second after birth.  Just the opposite; they seek
to protect life at ALL stages, from pre-birth thru birth and up until a 
natural death.  (Including, in most pro-life positions, the attempt to ban
capital punishment.)  To claim otherwise is pure misstatement of the 
opposing argument.

...

>While I do not approve of abortion per se, I believe that the state of
>child abuse and molestation in this country is totally unacceptable. 
>Until we are prepared to ensure that all births are "wanted," and that
>even those which start out as wanted but degenerate into the unwanted
>category will be fostered and cared for in a loving, nurturing home, it
>is the absolute and overriding burden on our legislative bodies to
>abstain from the process altogether.  Until legislation can be adopted

  This is a preposterous and illogical position.  Where does the requirement
of 'wantedness' or 'safety' come from?  The logical conclusion of this
position is that we turn the situation on its head and require forced
abortions unless it can be shown the child will be wanted, loved and safe
from molestation.  The Chinese are showing us, with their forced abortion
practices, where this might lead.

>to ensure the safe and secure raising of all of society's children into
>mature adults, legislation restricting the rights of mothers to decide
>whether to bear children or not is at least abhorrent, if not
>unthinkable.

   Again, preposterous.  What is next?  Licensing of parents?  Maybe the
all knowing legislature can also provide for the 'proper' and 'safe' raising
of these children also?  And just how/what legislation could be adopted that
can ensure the safe and secure raising of all of these children?

  The argument degenerates into a better-dead-than-unwanted argument with
the unwantee getting to decide the fate of the unwanted.  There are huge
numbers of 'unwanted' children out there who are now adults, some actual
survivors of abortion.  Maybe it's THEM we should ask.  Maybe it's THEIR
privacy and their life that is at stake.  Couldn't Jeffrey Dahmer have
invoked HIS right to privacy?

>We need to destroy the cycle of abuse and/or neglect that leads to
>tragedies involving children, whether by accident or design.

I agree.  But I DON'T agree that we should murder those who may not fit
into your nice little niche until that happens.

>Perhaps it is time we pushed Congress to pass an explicit Right to
>Privacy amendment to the Constitution.  It's certainly more important an
>issue than whether or not we have the right to burn a piece of cloth in
>public, just because it happens to be striped and starred appropriately.

  Bringing up a good point.  Since we obviously rank rights, and usually
give the right to life top billing over liberty and happiness, shouldn't we
also be ranking the right to life higher than the right to privacy?

  Isn't my right to life more important than your right to speech - or flag
burning?

-- 
Bob Rahe, Delaware Tech&Comm Coll. 
Computer Center, Dover, Delaware 
Internet: bob@dtcc.edu  

------------------------------

End of PRIVACY Forum Digest 08.09
************************



Copyright © 2005 Vortex Technology. All Rights Reserved.