PRIVACY Forum Archive Document

PRIVACY Forum Digest     Saturday, 25 September 1999     Volume 08 : Issue 13


            Moderated by Lauren Weinstein (         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                       ===== PRIVACY FORUM =====              

                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
                 Cable & Wireless USA, Cisco Systems, Inc., 
                           and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.

        Intuit "Shuts Down" Privacy Site After PRIVACY Forum Query
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Inspections of Parcels by UPS
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Pacific Bell Reverses Statement Regarding PRIVACY Forum Query
           (Lauren Weinstein; PRIVACY Forum Moderator)
        The Microsoft/NSA Crypto Brouhaha
           (Lauren Weinstein; PRIVACY Forum Moderator)
        ACLU Joins International Protest Against Global 
           Internet Censorship Plans (Monty Solomon)
        Commercial Satellite Imagery Workshop Announcement (Gerald Thomas)
        Administration Updates Encryption Export Policy (Monty Solomon)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"".  Mailing list problems should be reported to

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the list server system.  Please follow the instructions above
for getting the list server  "help" information, which includes details
regarding the "index" and "get" list server commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "";
full keyword searching of all PRIVACY Forum files is available via
WWW access.


     Quote for the day:

        "I'm not completely rotten you know."

            -- Donelli (Jesse White)
               "The Reluctant Astronaut" (Universal; 1967)


Date:    Sat, 25 Sep 99 12:04 PDT
From: (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Intuit "Shuts Down" Privacy Site After PRIVACY Forum Query

Greetings.  An alert PRIVACY Forum reader recently brought a somewhat
bizarre and certainly ironic situation to my attention.  Intuit (makers of
"Quicken" and other extremely widely-used financial software packages) had a
web site that presented various information
regarding their privacy policies.

It also included a feature which allowed any registered Intuit customer to
view and alter their "privacy preferences."  This included data such as
whether or not they wished to receive promotional materials from Intuit, how
they should or should not be contacted (e.g. e-mail, phone, etc.), and
whether or not their name and address would be released to outside firms.  

To access this feature, the customer needed to supply their last name, zip
code, and ... nothing else!  Upon entering any last name and zip code (and
given the number of Intuit customers, a hit would be pretty likely for most
common names) the user would see the associated first name, city, and last
four digits of phone number for that person.  The user could then freely
modify the privacy preferences for that customer.

Needless to say, I immediately expressed my concern over this situation to
Intuit officials.  Within a few days, I was contacted by their VP Corporate
Communications, informing me that the preference access features of the site
had been shut down, and that any users attempting to access them would be
directed to an 800 number.  A live customer service representative would then
verify their contact information before performing any preferences changes.
Intuit plans to restore the web preferences feature to the site after making
security enhancements, probably within a month or two.

That Intuit responded promptly to my concerns by closing down the feature is
to be commended.  One must still wonder, however, about the chain of events
and review which permitted such an obviously flawed feature to have been
implemented in the first place--it is, unfortunately, an all too common
sort of situation.

Lauren Weinstein
Moderator, PRIVACY Forum ---
Member, ACM Committee on Computers and Public Policy
Host, "Vortex Reality Report & Unreality Trivia Quiz"
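
[Added example, not part of the original digest and not Intuit's code: a sketch of the lookup flow as reported in the item above, where last name plus zip code is the only check, beside a hardened form that requires a per-customer secret and discloses nothing on failure.  The record, field names, function names and the out-of-band delivery of the access code are all assumptions made for illustration.]

```python
import hashlib
import hmac
import secrets

# Constructed sample record; not real customer data.
CUSTOMERS = {
    ("smith", "90210"): {
        "first_name": "Pat", "city": "Beverly Hills", "phone_last4": "0142",
        "prefs": {"promo_mail": True, "share_with_outside_firms": True},
    },
}
CREDENTIALS = {}   # (last name, zip) -> (salt, PBKDF2 digest of access code)
FAILURES = {}      # (last name, zip) -> consecutive failed attempts
MAX_FAILURES = 5


def _key(last_name, zip_code):
    return (last_name.strip().lower(), zip_code.strip())


def weak_update(last_name, zip_code, new_prefs):
    """The flow as reported: a guessable name + zip pair is the only check."""
    rec = CUSTOMERS.get(_key(last_name, zip_code))
    if rec is None:
        return None
    rec["prefs"].update(new_prefs)
    # Identity details are disclosed to whoever supplied the pair.
    return {f: rec[f] for f in ("first_name", "city", "phone_last4")}


def _digest(code, salt):
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


def enroll(last_name, zip_code):
    """Issue an access code; assumed to reach the customer out of band."""
    key = _key(last_name, zip_code)
    code = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    CREDENTIALS[key] = (salt, _digest(code, salt))
    FAILURES[key] = 0
    return code


def hardened_update(last_name, zip_code, code, new_prefs):
    """Require the secret; return only True/False so nothing leaks on failure."""
    key = _key(last_name, zip_code)
    known = key in CUSTOMERS and key in CREDENTIALS
    # Unknown accounts still cost one hash so timing does not reveal hits.
    salt, expected = CREDENTIALS[key] if known else (b"\0" * 16, b"\0" * 32)
    match = hmac.compare_digest(_digest(code, salt), expected)
    if not known or FAILURES[key] >= MAX_FAILURES:
        return False
    if not match:
        FAILURES[key] += 1
        return False
    FAILURES[key] = 0
    prefs = CUSTOMERS[key]["prefs"]
    # Only preferences that already exist may change, and only to booleans.
    prefs.update({k: bool(v) for k, v in new_prefs.items() if k in prefs})
    return True
```

[The hardened path also locks the record after five consecutive bad codes, since a short secret behind a guessable identifier would otherwise be open to repeated tries.]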


Date:    Sat, 25 Sep 99 12:36 PDT
From: (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Inspections of Parcels by UPS

Greetings.  I've recently received a number of queries from
persons concerned about the policy, at least at some United Parcel
Service shipping centers, of requiring that parcels be open,
not sealed, when brought in for shipping.

I've pursued this issue with UPS officials, and their statement on this
matter is that the policy is aimed at helping to make sure that packages are
adequately packed before shipping to avoid damage to the contents.  They
feel that this can be best accomplished by having their own people inspect
the packing, then sealing it while the customer is present.

However, with so many more individuals shipping merchandise to each other
due to the rise of services such as "eBay," it's worth noting that you
actually have very few rights when damage occurs.  Getting UPS to pay on
parcel insurance can be extremely difficult unless the package simply
"vanishes" somewhere along the way.  When damage occurs to items within a
parcel, UPS-employed inspectors are sent out to view the package.  If they
declare that the packing was in their estimate "inadequate," they will deny
the claim.  There are no independent inspectors, and there is no normal
non-UPS route for appeal.  In one recent case that came to my attention, UPS
told a customer that part of the reason for the damage to their item was
that it had been "over-packaged" by using a wooden crate instead of flimsy
cardboard--they refused to pay the associated insurance claim.

UPS national officials have told me that they consider it too "confusing" to
provide customers with detailed information concerning the stresses their
parcels might undergo during shipping, which I suggested might make proper
packing more practical for customers.  I was told that only a "packaging
engineer" could understand the specifications.  UPS did admit, however, that
they would not consider it unusual for parcels to fall six feet or more onto
hard floors--off conveyor belts for example--during routine shipping,
perhaps a "shock" for most customers to learn!

All in all, it's something to think about if you're ever pondering
your options for shipment of anything more fragile than
an ingot of iron.

Lauren Weinstein
Moderator, PRIVACY Forum ---
Member, ACM Committee on Computers and Public Policy
Host, "Vortex Reality Report & Unreality Trivia Quiz"


Date:    Sat, 25 Sep 99 12:18 PDT
From: (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Pacific Bell Reverses Statement Regarding PRIVACY Forum Query

Greetings.  In PRIVACY Forum Digest Volume 08 #12,
I reported on
Pacific Bell/SBC's new policy of tying certain employee phone service 
discounts, known as "concessions," to those employees not 
selecting per-line caller ID blocking on their associated home phones.  
Before I wrote that piece, I had discussed this matter at length 
with PacBell's main media relations contact, based on information 
I had received from a PacBell employee.

In particular, I was told by PacBell that they had definitely not tied
any "grandfathered" benefits to this choice, but only new
"vertical service" benefits--contrary to what the employee claimed.

Shortly after that digest was distributed, I received another call
from the PacBell media contact, informing me that they had been
in error.  In fact, the continuance of all concessions, including
grandfathered ones which have in many cases been in place
for decades, is now contingent on the employee not choosing home
per-line caller ID blocking.  My original information had been
correct all along.  The spokesman apologized for their misstatement,
and I appreciate his having rapidly corrected the record.

This would seem to again underscore the aggressive nature of
PacBell/SBC's dedication to the promotion of caller ID services,
and their desire to discourage the use of per-line blocking to the
greatest extent possible.

Lauren Weinstein
Moderator, PRIVACY Forum ---
Member, ACM Committee on Computers and Public Policy
Host, "Vortex Reality Report & Unreality Trivia Quiz"


Date:    Fri, 24 Sep 99 12:01 PDT
From: (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: The Microsoft/NSA Crypto Brouhaha

Greetings.  By now most of you have probably seen or heard something of the
controversy surrounding Andrew Fernandes' (Cryptonym) announcement
implying that Microsoft had provided the National Security Agency a key to
the Windows 95/98/NT Crypto Applications Programming Interface (API).

His main evidence?  A secondary key variable with the string "NSAKEY" buried
in the code.  The problem?  He doesn't appear to have any information beyond
that variable to indicate that such a key has actually been provided to
anyone outside of Microsoft.  Microsoft strongly asserts that the variable
name only represents the presence of the subsystem and related key required
by export regulations to obtain NSA certification of the Windows Crypto
API code, and that they have not provided any keys to NSA or anyone else.  

While Microsoft's response to this furor could certainly be termed
defensive, and perhaps even somewhat disingenuous, I am inclined to believe
them.  I have a sense that there is some grandstanding going on amongst some
of the persons ready to jump on anything that would make it appear that
Microsoft was engaged in some sort of security conspiracy.  In fact, in
response to my e-mailed queries, Andrew Fernandes acknowledged to me that in
retrospect, his original press release may have somewhat overstated 
his case...

As much as Microsoft can be faulted for a variety of security, privacy, and
other problems with their software, the collusion theory just doesn't add up.
However, there is a clear moral to this whole episode.  It's very difficult
to trust crypto software whose innards are not available for inspection.
Closed-source crypto, such as the package under discussion in this case, is
impossible to verify or completely test, and can play directly into the
hands of the "conspiracy theorists" who are ready to believe the worst.
This is certainly a good example of why the open-source model seems to be
the only way to fly when it comes to crypto systems and software.

Lauren Weinstein
Moderator, PRIVACY Forum ---
Member, ACM Committee on Computers and Public Policy
Host, "Vortex Reality Report & Unreality Trivia Quiz"


Date:    Sat, 11 Sep 1999 02:36:36 -0400
From:    Monty Solomon <>
Subject: ACLU Joins International Protest Against Global Internet
         Censorship Plans

Excerpt from ACLU News -- 09-10-99


     ACLU Joins International Protest Against 
     Global Internet Censorship Plans 

Thursday, September 9, 1999 

MUNICH, GERMANY-- The American Civil Liberties Union today joined rights
groups from around the world in denouncing a proposed international 
Internet rating system that could provide governments with a blueprint for 

In a joint statement issued at an Internet policy conference here today, 
members of the Global Internet Liberty Campaign (GILC) -- including the 
ACLU and other prominent defenders of cyberliberties -- said the so-called 
voluntary ratings system may actually facilitate governmental restrictions 
on Internet expression.

The three-day "Internet Content Summit," organized by the Bertelsmann 
Foundation, a nonprofit social policy group based in Germany, has brought 
together some 300 Internet and computer industry executives and experts in 
the fields of technology, law and government to discuss ways to control 
illegal or potentially harmful material online without resorting to 
government regulation.

But after analyzing an advance copy of the Bertelsmann recommendations, 
which will be issued formally on Friday, GILC said that censorship is a 
foregone conclusion.

"This approach merely shifts the focus of governmental censorship 
initiatives from direct prohibition of speech to mandating the use of 
existing ratings and blocking technologies," the GILC members said in their 

Speaking from the conference, Barry Steinhardt, Associate Director of the 
ACLU and a co-founder of GILC, said that much of the Bertelsmann plan was 
prophesied in a 1997 ACLU report warning of the free speech 
dangers in various ratings plans then being proposed by U.S. industry 

"We said it then, we say it now and we'll keep saying it even after 
software programs try to block us: proposals like this will transform the 
Internet from a true marketplace of ideas into just another mainstream, 
lifeless medium," Steinhardt said.

And in remarks circulated to participants prior to the conference, ACLU 
President Nadine Strossen, a member of the Bertelsmann Foundation's "expert 
network" for the conference, invoked principles of free expression 
enshrined in the Universal Declaration of Human Rights, the International 
Covenant on Civil and Political Rights, the European Convention on Human 
Rights, and analogous national guarantees, such as the First Amendment to 
the United States Constitution. Echoing GILC's criticism, Strossen said 
that the proposed rating and blocking schemes violate these free
expression guarantees. 

Strossen strongly criticized a plan to establish telephone hotlines that 
the public can use to report objectionable Internet content, saying that it 
turns hotline operators into "self-appointed judges of law" and encourages 

"These hotlines violate due process concepts that are also enshrined in 
international, regional, and national guarantees around the world," she 

Strossen also stressed her agreement with the GILC recommendation that 
emphasizing education and parental supervision should receive far more 
attention than it has to date.


Date:    Wed, 08 Sep 1999 08:43:14 -0600
From:    Gerald Thomas <>
Subject: Commercial Satellite Imagery Workshop Announcement

*********     WORKSHOP ANNOUNCEMENT     *******

Please forward as appropriate.
Apologies for cross posting.


A National Workshop
November 19-20, 1999
Purdue University

The Center for Education and Research on Information Assurance and
Security (CERIAS) in association with The Laboratory for the Application
of Remote Sensing and the Department of Political Science are pleased to
announce a 2-day national workshop:  Assessing the Implications of
Very-High Resolution Commercial Satellite Imagery to be held on the
Purdue University Campus in West Lafayette, Indiana on November 19-20,

This workshop will bring together internationally known experts from a
variety of fields to discuss the social, political, economic, legal,
military, environmental, and ethical implications of the newest
generation of commercial observation satellites.

Details on the workshop including registration information are located


Date:    Thu, 16 Sep 1999 22:17:20 -0400
From:    Monty Solomon <>
Subject: Administration Updates Encryption Export Policy

                            THE WHITE HOUSE

                     Office of the Press Secretary
For Immediate Release                                 September 16, 1999

                               FACT SHEET

            Administration Updates Encryption Export Policy

Today, the Clinton Administration announced a new approach to encryption
policy that includes updates and simplifies export controls.  The major
components of this update are as follows:

Global exports to individuals, commercial firms or other
non-governmental entities

Any encryption commodity or software of any key length can now be
exported under a license exception (i.e., without a license) after a
technical review, to commercial firms and other non-government end users
in any country except for the seven state supporters of terrorism.
Exports previously allowed only for a company's internal use can now be
used for communication with other firms, supply chains and customers.
Additionally, telecommunication and Internet service providers may use
any encryption commodity or software to provide services to commercial
firms and non-government end users.  Previous liberalizations for banks,
financial institutions and other approved sectors are subsumed under
this Update.  Exports to governments can be approved under a license.

Global exports of retail products

Retail encryption commodities and software of any key length may be
exported under a license exception (i.e., without a license) after a
technical review, to any recipient in any country except to the seven
state supporters of terrorism.  Retail encryption commodities and
software are those products which do not require substantial support for
installation and use and which are sold in tangible form through
independent retail outlets, or products in tangible or intangible form,
which have been specifically designed for individual consumer use.
There is no restriction on the use of these products.  Additionally,
telecommunication and Internet service providers may use retail
encryption commodities and software to provide services to any

Implementation of the December 1998 Wassenaar Arrangement Revisions

Last year, the Wassenaar Arrangement (33 countries which have common
controls on exports, including encryption) made a number of changes to
modernize multilateral encryption controls.  As part of this update, the
U.S. will allow exports without a license of 56 bits DES and equivalent
products, including toolkits and chips, to all users and destinations
(except the seven state supporters of terrorism) after a technical
review.  Encryption commodities and software with key lengths of 64-bits
or less which meet the mass market requirements of Wassenaar's new
cryptographic note will also be eligible for export without a license
after a technical review.

U.S. Subsidiaries

Foreign nationals working in the United States no longer need an export
license to work for U.S. firms on encryption.  This extends the policy
adopted in last year's update, which allowed foreign nationals to work
for foreign subsidiaries of U.S. firms under a license exception (i.e.,
without a license).

Export Reporting

Post-export reporting will now be required for any export to a non-U.S.
entity of any product above 64 bits.  Reporting helps ensure compliance
with our regulations and allows us to reduce licensing requirements.
The reporting requirements will be streamlined to reflect business
models and practices, and will be based on what companies normally
collect.  We intend to consult with industry on how best to implement
this part of the update.



End of PRIVACY Forum Digest 08.13


Copyright © 2005 Vortex Technology. All Rights Reserved.