PRIVACY Forum Archive Document
PRIVACY Forum Digest Saturday, 25 September 1999 Volume 08 : Issue 13 (http://www.vortex.com/privacy/priv.08.13) Moderated by Lauren Weinstein (email@example.com) Vortex Technology, Woodland Hills, CA, U.S.A. http://www.vortex.com ===== PRIVACY FORUM ===== ------------------------------------------------------------------- The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, Cable & Wireless USA, Cisco Systems, Inc., and Telos Systems. - - - These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum. ------------------------------------------------------------------- CONTENTS Intuit "Shuts Down" Privacy Site After PRIVACY Forum Query (Lauren Weinstein; PRIVACY Forum Moderator) Inspections of Parcels by UPS (Lauren Weinstein; PRIVACY Forum Moderator) Pacific Bell Reverses Statement Regarding PRIVACY Forum Query (Lauren Weinstein; PRIVACY Forum Moderator) The Microsoft/NSA Crypto Brouhaha (Lauren Weinstein; PRIVACY Forum Moderator) ACLU Joins International Protest Against Global Internet Censorship Plans (Monty Solomon) Commercial Satellite Imagery Workshop Announcement (Gerald Thomas) Administration Updates Encryption Export Policy (Monty Solomon) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. All submissions should be addressed to "firstname.lastname@example.org" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are via an automatic list server system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "email@example.com". Mailing list problems should be reported to "firstname.lastname@example.org". All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the list server system. Please follow the instructions above for getting the list server "help" information, which includes details regarding the "index" and "get" list server commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com/". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access. ----------------------------------------------------------------------------- VOLUME 08, ISSUE 13 Quote for the day: "I'm not completely rotten you know." -- Donelli (Jesse White) "The Reluctant Astronaut" (Universal; 1967) ---------------------------------------------------------------------- Date: Sat, 25 Sep 99 12:04 PDT From: email@example.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Intuit "Shuts Down" Privacy Site After PRIVACY Forum Query Greetings. An alert PRIVACY Forum reader recently brought a somewhat bizarre and certainly ironic situation to my attention. Intuit (makers of "Quicken" and other extremely widely-used financial software packages) had a web site (http://privacy.intuit.com) that presented various information regarding their privacy policies. It also included a feature which allowed any registered Intuit customer to view and alter their "privacy preferences." This included data such as whether or not they wished to receive promotional materials from Intuit, how they should or should not be contacted (e.g. e-mail, phone, etc.), and whether or not their name and address would be released to outside firms. To access this feature, the customer needed to supply their last name, zip code, and ... nothing else! Upon entering any last name and zip code (and given the number of Intuit customers, a hit would be pretty likely for most common names) the user would see the associated first name, city, and last four digits of phone number for that person. The user could then freely modify the privacy preferences for that customer. Needless to say, I immediately expressed my concern over this situation to Intuit officials. Within a few days, I was contacted by their VP Corporate Communications, informing me that the preference access features of the site had been shut down, and that any users attempting to access them would be directed to an 800 number. A live customer service representative would then verify their contact information before performing any preferences changes. Intuit plans to restore the web preferences feature to the site after making security enhancements, probably within a month or two. That Intuit responded promptly to my concerns by closing down the feature is to be commended. One must still wonder, however, about the chain of events and review which permitted such an obviously flawed feature to have been implemented in the first place--it is, unfortunately, an all too common sort of situation. --Lauren-- Lauren Weinstein firstname.lastname@example.org Moderator, PRIVACY Forum --- http://www.vortex.com Member, ACM Committee on Computers and Public Policy Host, "Vortex Reality Report & Unreality Trivia Quiz" --- http://www.vortex.com/reality ------------------------------ Date: Sat, 25 Sep 99 12:36 PDT From: email@example.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Inspections of Parcels by UPS Greetings. I've recently received a number of queries from persons concerned about the policy, at least at some United Parcel Service shipping centers, of requiring that parcels be open, not sealed, when brought in for shipping. I've pursued this issue with UPS officials, and their statement on this matter is that the policy is aimed at helping to make sure that packages are adequately packed before shipping to avoid damage to the contents. They feel that this can be best accomplished by having their own people inspect the packing, then sealing it while the customer is present. However, with so many more individuals shipping merchandise to each other due to the rise of services such as "eBay," it's worth noting that you actually have very few rights when damage occurs. Getting UPS to pay on parcel insurance can be extremely difficult unless the package simply "vanishes" somewhere along the way. When damage occurs to items within a parcel, UPS-employed inspectors are sent out to view the package. If they declare that the packing was in their estimate "inadequate," they will deny the claim. There are no independent inspectors, and there is no normal non-UPS route for appeal. In one recent case that came to my attention, UPS told a customer that part of the reason for the damage to their item was that it had been "over-packaged" by using a wooden crate instead of flimsy cardboard--they refused to pay the associated insurance claim. UPS national officials have told me that they consider it too "confusing" to provide customers with detailed information concerning the stresses their parcels might undergo during shipping, which I suggested might make proper packing more practical for customers. I was told that only a "packaging engineer" could understand the specifications. UPS did admit, however, that they would not consider it unusual for parcels to fall six feet or more onto hard floors--off conveyor belts for example--during routine shipping, perhaps a "shock" for most customers to learn! All in all, it's something to think about if you're ever pondering your options for shipment of anything more fragile than an ingot of iron. --Lauren-- Lauren Weinstein firstname.lastname@example.org Moderator, PRIVACY Forum --- http://www.vortex.com Member, ACM Committee on Computers and Public Policy Host, "Vortex Reality Report & Unreality Trivia Quiz" --- http://www.vortex.com/reality ------------------------------ Date: Sat, 25 Sep 99 12:18 PDT From: email@example.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Pacific Bell Reverses Statement Regarding PRIVACY Forum Query Greetings. In PRIVACY Forum Digest Volume 08 #12 (http://www.vortex.com/privacy/priv.08.12), I reported on Pacific Bell/SBC's new policy of tying certain employee phone service discounts, known as "concessions," to those employees not selecting per-line caller ID blocking on their associated home phones. Before I wrote that piece, I had discussed this matter at length with PacBell's main media relations contact, based on information I had received from a PacBell employee. In particular, I was told by PacBell that they had definitely not tied any "grandfathered" benefits to this choice, but only new "vertical service" benefits--contrary to what the employee claimed. Shortly after that digest was distributed, I received another call from the PacBell media contact, informing me that they had been in error. In fact, the continuance of all concessions, including grandfathered ones which have in many cases been in place for decades, are now contingent on the employee not choosing home per-line caller ID blocking. My original information had been correct all along. The spokesman apologized for their misstatement, and I appreciate his having rapidly corrected the record. This would seem to again underscore the aggressive nature of PacBell/SBC's dedication to the promotion of caller ID services, and their desire to discourage the use of per-line blocking to the greatest extent possible. --Lauren-- Lauren Weinstein firstname.lastname@example.org Moderator, PRIVACY Forum --- http://www.vortex.com Member, ACM Committee on Computers and Public Policy Host, "Vortex Reality Report & Unreality Trivia Quiz" --- http://www.vortex.com/reality ------------------------------ Date: Fri, 24 Sep 99 12:01 PDT From: email@example.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: The Microsoft/NSA Crypto Brouhaha Greetings. By now most of you have probably seen or heard something of the controversy surrounding Andrew Fernandes' (Cryptonym) announcement implying that Microsoft had provided the National Security Agency a key to the Windows 95/98/NT Crypto Applications Programming Interface (API). His main evidence? A secondary key variable with the string "NSAKEY" buried in the code. The problem? He doesn't appear to have any information beyond that variable to indicate that such a key has actually been provided to anyone outside of Microsoft. Microsoft strongly asserts that the variable name only represents the presence of the subsystem and related key required by export regulations to obtain NSA certification of the Windows Crypto API code, and that they have not provided any keys to NSA or anyone else. While Microsoft's response to this furor could certainly be termed defensive, and perhaps even somewhat disingenuous, I am inclined to believe them. I have a sense that there is some grandstanding going on amongst some of the persons ready to jump on anything that would make it appear that Microsoft was engaged in some sort of security conspiracy. In fact, in response to my e-mailed queries, Andrew Fernandes acknowledged to me that in retrospect, his original press release may have somewhat overstated his case... As much as Microsoft can be faulted for a variety of security, privacy, and other problems with their software, the collusion theory just doesn't add up. However, there is a clear moral to this whole episode. It's very difficult to trust crypto software whose innards are not available for inspection. Closed-source crypto, such as the package under discussion in this case, is impossible to verify or completely test, and can play directly into the hands of the "conspiracy theorists" who are ready to believe the worst. This is certainly a good example of why the open-source model seems to be the only way to fly when it comes to crypto systems and software. --Lauren-- Lauren Weinstein firstname.lastname@example.org Moderator, PRIVACY Forum --- http://www.vortex.com Member, ACM Committee on Computers and Public Policy Host, "Vortex Reality Report & Unreality Trivia Quiz" --- http://www.vortex.com/reality ------------------------------ Date: Sat, 11 Sep 1999 02:36:36 -0400 From: Monty Solomon <email@example.com> Subject: ACLU Joins International Protest Against Global Internet Censorship Plans Excerpt from ACLU News -- 09-10-99 ---------------------------- ACLU Joins International Protest Against Global Internet Censorship Plans FOR IMMEDIATE RELEASE Thursday, September 9, 1999 MUNICH, GERMANY-- The American Civil Liberties Union today joined rights groups from around the world in denouncing a proposed international Internet rating system that could provide governments with a blueprint for censorship. In a joint statement issued at an Internet policy conference here today, members of the Global Internet Liberty Campaign (GILC) -- including the ACLU and other prominent defenders of cyberliberties -- said the so-called voluntary ratings system may actually facilitate governmental restrictions on Internet expression. The three-day "Internet Content Summit," organized by the Bertelsmann Foundation, a nonprofit social policy group based in Germany, has brought together some 300 Internet and computer industry executives and experts in the fields of technology, law and government to discuss ways to control illegal or potentially harmful material online without resorting to government regulation. But after analyzing an advance copy of the Bertelsmann recommendations, which will be issued formally on Friday, GILC said that censorship is a foregone conclusion. "This approach merely shifts the focus of governmental censorship initiatives from direct prohibition of speech to mandating the use of existing ratings and blocking technologies," the GILC members said in their statement. Speaking from the conference, Barry Steinhardt, Associate Director of the ACLU and a co-founder of GILC, said that much of the Bertelsmann plan was prophesied in a 1997 ACLU report http://www.aclu.org/issues/cyber/burning.html warning of the free speech dangers in various ratings plans then being proposed by U.S. industry groups. "We said it then, we say it now and we'll keep saying it even after software programs try to block us: proposals like this will transform the Internet from a true marketplace of ideas into just another mainstream, lifeless medium," Steinhardt said. And in remarks circulated to participants prior to the conference, ACLU President Nadine Strossen, a member of the Bertelsmann Foundation's "expert network" for the conference, invoked principles of free expressions enshrined in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, the European Convention on Human Rights, and analogous national guarantees, such as the First Amendment to the United States Constitution. Echoing GILC's criticism, Strossen said that the proposed rating and blocking schemes violate these free expression guarantees. Strossen strongly criticized a plan to establish telephone hotlines that the public can use to report objectionable Internet content, saying that it turns hotline operators into "self-appointed judges of law" and encourages vigilantism. "These hotlines violate due process concepts that are also enshrined in international, regional, and national guarantees around the world," she said. Strossen also stressed her agreement with the GILC recommendation that emphasizing education and parental supervision should receive far more attention than it has to date. ------------------------------ Date: Wed, 08 Sep 1999 08:43:14 -0600 From: Gerald Thomas <firstname.lastname@example.org> Subject: Commercial Satellite Imagery Workshop Announcement ********* WORKSHOP ANNOUNCEMENT ******* Please forward as appropriate. Apologies for cross posting. "ASSESSING THE IMPLICATIONS OF VERY-HIGH RESOLUTION COMMERCIAL SATELLITE IMAGERY" A National Workshop November 19-20, 1999 Purdue University The Center for Education and Research on Information Assurance and Security (CERIAS) in association with The Laboratory for the Application of Remote Sensing and the Department of Political Science are pleased to announce a 2-day national workshop: Assessing the Implications of Very-High Resolution Commercial Satellite Imagery to be held on the Purdue University Campus in West Lafayette, Indiana on November 19-20, 1999. This workshop will bring together internationally known experts from a variety of fields to discuss the social, political, economic, legal, military, environmental, and ethical implications of the newest generation of commercial observation satellites. Details on the workshop including registration information are located at: http://icdweb.cc.purdue.edu/~gbthomas/workshop/ ------------------------------ Date: Thu, 16 Sep 1999 22:17:20 -0400 From: Monty Solomon <email@example.com> Subject: Administration Updates Encryption Export Policy THE WHITE HOUSE Office of the Press Secretary ______________________________________________________________________ For Immediate Release September 16, 1999 FACT SHEET Administration Updates Encryption Export Policy Today, the Clinton Administration announced a new approach to encryption policy that includes updates and simplifies export controls. The major components of this update are as follows: Global exports to individuals, commercial firms or other non-governmental entities Any encryption commodity or software of any key length can now be exported under a license exception (i.e., without a license) after a technical review, to commercial firms and other non-government end users in any country except for the seven state supporters of terrorism. Exports previously allowed only for a company's internal use can now be used for communication with other firms, supply chains and customers. Additionally, telecommunication and Internet service providers may use any encryption commodity or software to provide services to commercial firms and non-government end users. Previous liberalizations for banks, financial institutions and other approved sectors are subsumed under this Update. Exports to governments can be approved under a license. Global exports of retail products Retail encryption commodities and software of any key length may be exported under a license exception (i.e., without a license) after a technical review, to any recipient in any country except to the seven state supporters of terrorism. Retail encryption commodities and software are those products which do not require substantial support for installation and use and which are sold in tangible form through independent retail outlets, or products in tangible or intangible form, which have been specifically designed for individual consumer use. There is no restriction on the use of these products. Additionally, telecommunication and Internet service providers may use retail encryption commodities and software to provide services to any recipient. Implementation of the December 1998 Wassenaar Arrangement Revisions Last year, the Wassenaar Arrangement (33 countries which have common controls on exports, including encryption) made a number of changes to modernize multilateral encryption controls. As part of this update, the U.S. will allow exports without a license of 56 bits DES and equivalent products, including toolkits and chips, to all users and destinations (except the seven state supporters of terrorism) after a technical review. Encryption commodities and software with key lengths of 64-bits or less which meet the mass market requirements of Wassenaar's new cryptographic note will also be eligible for export without a license after a technical review. U.S. Subsidiaries Foreign nationals working in the United States no longer need an export license to work for U.S. firms on encryption. This extends the policy adopted in last year's update, which allowed foreign nationals to work for foreign subsidiaries of U.S. firms under a license exception (i.e., without a license). Export Reporting Post-export reporting will now be required for any export to a non-U.S. entity of any product above 64 bits. Reporting helps ensure compliance with our regulations and allows us to reduce licensing requirements. The reporting requirements will be streamlined to reflect business models and practices, and will be based on what companies normally collect. We intend to consult with industry on how best to implement this part of the update. ### ------------------------------ End of PRIVACY Forum Digest 08.13 ************************
Vortex Technology Home Page
Copyright © 2005 Vortex Technology. All Rights Reserved.