PRIVACY Forum Archive Document

PRIVACY Forum Digest     Monday, 1 November 1999     Volume 08 : Issue 14

                (http://www.vortex.com/privacy/priv.08.14)  

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                         http://www.vortex.com 
        
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
                 Cable & Wireless USA, Cisco Systems, Inc., 
                           and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
        "Spies" in Your Software? 
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Students Forced to Wear SSN
           (Lauren Weinstein; PRIVACY Forum Moderator)
        IPv6 Identifier Privacy Issues: The Reality
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Video Cameras: "Watching Out For You?"  Or Watching You?
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Concern over home photo database (Dominic Cooney)
        Unsolicited Ad Mailing Containing Private Financial Information
           (Mr. Bentor)
        Privacy Act system notice rule and amendment (Monty Solomon)
        Telephone Privacy (Monty Solomon)
        Privacy of Health Information (Monty Solomon)
        Thermal Imaging In-Home Surveillance OK Without Warrants
           (Jim Warren)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the list server system.  Please follow the instructions above
for getting the list server  "help" information, which includes details
regarding the "index" and "get" list server commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 08, ISSUE 14

     Quote for the day:

        "I thought I'd wake up dead."

                -- James [Agent 007] Bond (Sean Connery)
                   "Goldfinger" (United Artists; 1964)
                   

----------------------------------------------------------------------

Date:    Mon, 1 Nov 99 11:57 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: "Spies" in Your Software?

Greetings.  As the percentage of computer users with either on-demand or
permanent connections to the Internet continues to creep ever closer to
100%, some techniques are beginning to appear in software which can only be
described as underhanded--apparently implemented by software firms who
consider it their right to pry into your behavior.

It's becoming increasingly popular for various software packages, which
would not otherwise seem to have any need for a network connection, to
establish "secret" links back to servers to pass along a variety of
information or to establish hidden control channels.  

One rising star in this area of abuse is remote software control.  Various
firms now promote packages and libraries, which can be "invisibly" added to
other software, to provide detailed "command and control" over the
software's use, often without any clue to the user as to what's actually
going on.  These firms promote that they can monitor usage, remotely disable
the software, gather statistics--anything you can imagine.  The oft-cited
major benign justification for such systems is piracy control, leading to
gathering of information such as site IP numbers, for example.  If the
software seems to be running on the "wrong" machine, it can be remotely
disabled.  But information gathering and control most certainly doesn't
necessarily stop there!

Another example is the use of such systems in "demo" software.  I recently
received promotional material from a firm touting their package's ability to
prevent demo software from running without it first "signing in" to a remote
server on each run, which would then report all usage of the demo--so the
demo producer could figure out who to target for more contacts ("buy now!")
or to disable the demo whenever they wished--or whatever might be
desired.

It is frequently the case that software using such techniques will establish
network connections without even asking the user (though I did succeed in
getting one such firm to promise to change this policy after a long phone
conversation with their president).  But as a general rule, you cannot
assume that you'll ever know that software is establishing a "hidden"
channel, except in cases with dialup modems where you might actually hear
the process.  With permanent net connections, there'd typically be no clue.  

If you think that your firewalls will protect you against such systems, think
again.  The protocol of choice for such activities is HTTP--the standard web
protocol--meaning that these control and monitoring activities will
typically flow freely through most firewalls and proxies that permit web
browsing.

Other examples of such "backchannels" have also been appearing, such as
e-mail messages containing "hidden" HTTP keys which will indicate to the
sender when the e-mail was viewed by the recipient (assuming the e-mail was
read in an HTTP-compliant mail package).  Is this any of the firms'
business?  No, of course not.  They just think they're being cute, and do it
since they can.  If you care about this sort of thing, read your e-mail in
text-based packages--they're safer from a wide variety of e-mail "surprises"
(including viruses) in any case.  In the Unix/Linux world, "mh" is a good
choice.

Whether one cares to view any particular application of these sorts of
"network spy" technologies as trivial or critical will vary of course.  Some
people probably couldn't care less.  Others (especially in business and
government, where hidden flows of information can have serious consequences
indeed) will be much more concerned.

Unfortunately, until such a time as it is clearly illegal for such packages
to siphon information from, or remotely control, users' computers without
their knowledge or permissions, such abuses are likely only to continue
growing in scope and risks.  We haven't seen anything yet.

--Lauren--
Lauren Weinstein
lauren@vortex.com
Moderator, PRIVACY Forum --- http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Host, "Vortex Reality Report & Unreality Trivia Quiz"
  --- http://www.vortex.com/reality
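
[ Added example, not part of the original message: a Python sketch of how a mail gateway or reader could flag the "hidden HTTP keys" described above, by listing the remote resources an HTML message would fetch automatically when displayed.  The sample message, the .example hostnames, the function names and the "opaque key" heuristic are all constructed for illustration. ]

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# (tag, attribute) pairs whose URL an HTML-rendering mail reader fetches
# on display, with no click from the recipient.
AUTO_FETCH = {("img", "src"), ("iframe", "src"), ("link", "href"),
              ("body", "background"), ("table", "background"),
              ("td", "background")}
# Heuristic (an assumption): a long opaque value is a per-recipient key.
OPAQUE = re.compile(r"[A-Za-z0-9_-]{12,}")


def _is_tiny(attrs):
    """True for a 1x1 (or smaller) element, the classic invisible beacon."""
    try:
        return int(attrs.get("width")) <= 1 and int(attrs.get("height")) <= 1
    except (TypeError, ValueError):
        return False


def _has_opaque_key(url):
    """True if a query value or path segment looks like a tracking key."""
    parts = urlsplit(url)
    values = [v for _, v in parse_qsl(parts.query)] + parts.path.split("/")
    return any(OPAQUE.fullmatch(v) for v in values)


class _RemoteRefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            if (tag, name) in AUTO_FETCH and value and \
                    value.lower().startswith(("http://", "https://")):
                self.refs.append({"url": value,
                                  "host": urlsplit(value).hostname,
                                  "tiny": _is_tiny(attrs),
                                  "keyed": _has_opaque_key(value)})


def scan_message(raw):
    """Return every remote resource the HTML parts would fetch on viewing."""
    refs = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True) or b""
        parser = _RemoteRefs()
        parser.feed(body.decode(part.get_content_charset() or "utf-8",
                                errors="replace"))
        refs.extend(parser.refs)
    return refs


def likely_beacons(raw):
    """URLs that are invisible or carry an opaque key: probable read receipts."""
    return [r["url"] for r in scan_message(raw) if r["tiny"] or r["keyed"]]


# Constructed sample message (not taken from any real mailing).
SAMPLE = """\
From: offers@shop.example
To: reader@example.org
Subject: Constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Autumn sale now on.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Autumn sale <a href="http://shop.example/sale">now on</a>.</p>
<img src="cid:logo@shop.example" alt="logo">
<img src="http://img.shop.example/banner.gif" width="468" height="60">
<img src="http://t.shop.example/o.gif?m=7f3a9c20d4e1b865" width="1" height="1">
</body></html>
--b1--
"""

if __name__ == "__main__":
    for url in likely_beacons(SAMPLE):
        print("fetched on view:", url)
```

[ The text/plain part triggers no fetch at all, which is why reading mail in a text-based package sidesteps the problem entirely. ]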

------------------------------

Date:    Mon, 1 Nov 99 12:29 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Students Forced to Wear SSN

Greetings.  In yet another example of what I'll politely call "muddy"
thinking, a school in Louisiana began forcing students to wear "over the
neck" ID badges at all times in school, which contained a barcoded version
of their Social Security Numbers (even though an alternate Student ID,
established to avoid problems with SSN usage, apparently could have been
used).  Teachers, cafeteria workers, custodians, and administrators must wear
these badges as well, I'm told.

Of course, in no time at all students had decoded the barcodes, and even
established a web site to provide the decoding information, to demonstrate
how trivially the SSN could be derived.  This demonstrates pretty clearly
the difference between "encryption" (the word administrators have apparently
erroneously used to describe the barcoded SSN) and simple standardized
encoding.  As an aside, students also found that it was easy to grab the ID
badge rope around other students' necks and play all sorts of "fun" games
that way...

In the wake of the continuing controversy, the school's principal declared
that concerned students could cover up the bar code--but of course it'll be
the students who don't realize the potential problems, and don't bother to
take such actions, who would continue to be at most risk.

It's a bad policy all around.  These sorts of knee-jerk reactions of schools
to highly publicized (but statistically exceedingly rare) events don't
really provide any additional useful security against such occurrences, but
seem designed to convince parents that administrators are "doing something,"
however useless--or counterproductive--they might be.

--Lauren--
Lauren Weinstein
lauren@vortex.com
Moderator, PRIVACY Forum --- http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Host, "Vortex Reality Report & Unreality Trivia Quiz"
  --- http://www.vortex.com/reality

------------------------------

Date:    Mon, 1 Nov 99 11:29 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: IPv6 Identifier Privacy Issues: The Reality

Greetings.  Many of you will by now be aware of all the publicity
surrounding reported privacy problems associated with IPv6 (a new version of
the Internet IP communications protocol) currently being developed under
the auspices of the IETF (Internet Engineering Task Force).  

Executive Summary: "Don't Panic!"

Some Background:

The concerns revolve around the use of hardware identifiers (e.g. Network
Interface Card IDs) as part of IPv6 packet addressing.  It has been asserted
that this would enable tracking of individuals' activities on the net much
more easily than is the case today, and bring forth a new range of privacy
problems.

It's of course necessary to have some form of addressing in computer
networks, or you wouldn't be able to read this message right now.  The
packets have to know where they're headed.  In practice, the existing
Internet protocol (IPv4) provides much the same kind of information in many
cases, particularly when "static" (unchanging) addresses are in use.  Static
addresses are the norm for conventional permanent circuit connections to the
net, and increasingly common for DSL and cable modems. 

The IPv6 idea of a unique identifier derived from hardware was intended to
help make sure that address duplication would not occur between different
machines--a continuing headache for present-day network administrators.
It is also considered important to the authentication and security
improvements of IPv6.

The risk of such data potentially being misused would appear to be highest
in "mobile" applications, significantly less in dialup Internet access
environments (since many such computers wouldn't even possess the hardware
ID), and least important in permanently linked dedicated circuit situations,
where a static address already provides an essentially unchanging identity,
even in today's environment.

The Good News:

To the extent that the permanent IDs are considered to be a privacy problem,
it's obvious that existing technologies such as proxy servers could be used
to wall off identifiers.  

This could well prove to be unnecessary, however.  It appears that many of
the folks raising the red flag on this issue may be unfamiliar with the fact
that the IETF has been aware of these privacy concerns regarding the
permanent identifier, and that they have been addressed in the IETF Draft: 

"Privacy Extensions for Stateless Address Autoconfiguration in IPv6"
http://www.ietf.org/internet-drafts/draft-ietf-ipngwg-addrconf-privacy-01.txt
(Note: as an Internet Draft, this document is subject to removal,
updating, or change at any time--it would be best to track it
via Internet Draft indexes at http://www.ietf.org.)

The above referenced document gives an excellent overview of the issues
involved and a proposed solution to address the privacy concerns.  It would
seem prudent to encourage the adoption of this proposal into the IPv6
specification, and to urge its implementation by IPv6 developers and
vendors, ideally as the default mode under user control.

--Lauren--
Lauren Weinstein
lauren@vortex.com
Moderator, PRIVACY Forum --- http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Host, "Vortex Reality Report & Unreality Trivia Quiz"
  --- http://www.vortex.com/reality
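
[ Added example, not part of the original message: a Python sketch of why a hardware-derived identifier in an autoconfigured IPv6 address is trackable across networks, and how an address audit can detect it.  It uses the "modified EUI-64" mapping from IPv6 stateless autoconfiguration; the function names, the 2001:db8::/32 documentation prefixes and the 00:00:5e:00:53:xx documentation MAC are constructed, and randomized_interface_id() is a simplified stand-in for a privacy-extension identifier, not the draft's exact algorithm. ]

```python
import ipaddress
import secrets
from typing import Optional

LOW64 = (1 << 64) - 1
UL_BIT = 0x02 << 56          # universal/local bit of the interface identifier


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: insert ff:fe mid-MAC and flip the universal/local bit."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return int.from_bytes(eui, "big")


def autoconf_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration uses /64 prefixes")
    return ipaddress.IPv6Address(int(net.network_address) | (iid & LOW64))


def embedded_mac(addr: str) -> Optional[str]:
    """Return the MAC an address exposes, or None if no ff:fe marker.

    Heuristic: a random identifier matches the marker once in 65536 cases.
    """
    iid = (int(ipaddress.IPv6Address(addr)) & LOW64).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)


def randomized_interface_id() -> int:
    """Simplified stand-in: 64 random bits marked as locally assigned."""
    return secrets.randbits(64) & ~UL_BIT & LOW64


def correlate(addresses):
    """Map each exposed MAC to the sorted /64 networks it was seen on."""
    seen = {}
    for addr in addresses:
        mac = embedded_mac(addr)
        if mac is not None:
            net = str(ipaddress.IPv6Interface(addr + "/64").network)
            seen.setdefault(mac, set()).add(net)
    return {mac: sorted(nets) for mac, nets in seen.items()}


# Constructed sightings: the same laptop at two sites with a hardware-derived
# identifier, then at a third site with a randomized one.
SIGHTINGS = [
    "2001:db8:a:0:200:5eff:fe00:5301",
    "2001:db8:b:0:200:5eff:fe00:5301",
    "2001:db8:c:0:5c1d:93a7:44e0:b21f",
]

if __name__ == "__main__":
    for mac, nets in correlate(SIGHTINGS).items():
        print(mac, "seen on", ", ".join(nets))
    print("randomized:", autoconf_address("2001:db8:c::/64",
                                          randomized_interface_id()))
```

[ The first two sightings share the low 64 bits even though the network prefix changed, so any server that logs addresses can link them; the third cannot be linked this way. ]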

------------------------------

Date:    Mon, 1 Nov 99 10:47 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Video Cameras: "Watching Out For You?"  Or Watching You?

Greetings.  The proliferation of video cameras, often ostensibly for various
"public safety" purposes, has been a matter of concern for some time.  One
interesting example occurred recently when four employees at KEZI-TV in
Oregon were fired for using the station's "Sky-Cam" (mounted on a downtown
Eugene bank building) to spy on patrons of the nearby Eugene Hilton.  KEZI
uses the slogan: "Watching Out For You."

An Oregon State Police Detective confirmed that it is illegal under Oregon
law to photograph or tape a person in the nude in areas where they have an
expectation of privacy, without their consent.  But he emphasized that simple
viewing was not a crime in Oregon, unless a visual recording of some sort
were also made, and that they couldn't find any such recordings in the KEZI
case.  

It does cause you to wonder about all those cameras one sees around many
cities, that seem to be pointing in "odd" directions much of the time...

--Lauren--
Lauren Weinstein
lauren@vortex.com
Moderator, PRIVACY Forum --- http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Host, "Vortex Reality Report & Unreality Trivia Quiz"
  --- http://www.vortex.com/reality

------------------------------

Date:    Wed, 29 Sep 1999 22:58:03 +1000
From:    "Dominic Cooney" <coonsta@ozemail.com.au>
Subject: Concern over home photo database

A Brisbane, Australia company, RP Data (http://www.rpdata.com.au), is
developing a database product that includes a photograph of every home in
Brisbane (566,100 households; Source: Australian Bureau of Statistics), who
owns it and the last recorded sales price.

RP Data has claimed that it is not breaking any laws, and that clients are
screened before information is given to them. The Australian Broadcasting
Corporation reports
(http://www.abc.net.au/news/state/qld/metqld-29sep1999-19.htm) that RP Data
"...stresses it has no known crime gangs as clients".

           [ This qualifies as the "reassuring quote of the week"!  
                          -- PRIVACY Forum Moderator ]

A state member of parliament has raised privacy and security concerns over
the product.

RP Data has plans to extend the coverage of the database to all of Australia
(Source: ABC News).

Dominic Cooney

------------------------------

Date:    Thu, 21 Oct 1999 23:11:42 -0700
From:    "Ben" <MrBentor@hotmail.com>
Subject: Unsolicited Ad Mailing Containing Private Financial Information.

I do not even know where to begin with this. I am nonetheless a little hot
over this.

Today I received a letter of solicitation in the post from Providian
Financial MasterCard. On its own, this is not so unusual as many companies
send out many different mailings.

Now comes the rub, which is not even that competitive of an offer; they send
me this letter with attached checks that are pre-made out to other credit
card companies, saying that they are offering a 12.99% APR for 3 months if I
transfer my balances to their card. They do not say what percentage it
will go to after three months.

Then in this unsolicited offer they include the balances and bank names of
the other credit card accounts I own.

Good Grief! What are these people doing using private information in the
unsolicited advertisements they are sending me in the mail, which contain
information on other private accounts such as the names of the other banks
and the balances?

I realize that the reporting companies sell financial information and credit
ratings to other banks so they can determine if the target is worth an offer
of service. But now they are pointing out that you have accounts at XX, YY,
and ZZ with current balances in their offers. I have also told them (banks
and reporting agencies) in the past not to sell my data.

One caveat: I did once have an account with this company, but I terminated it
months ago, as they purchased another credit card company and raised the
rates to 19.8%; their rates were not competitive with other percentages on
other accounts.

All the checks were pre-filled out with the name of the other bank; it did
not specifically have the account number on the check. It did have the
balances on the stub of the check, to be put in the amount line on the check.
I suppose that any account number could be put on the check if they were to
have been pilfered from the mails.

I guess I resent that they are using private information from other banks to
sell me their services. I find it a privacy violation. I will now write them
a nasty gram.

Disturbed,
Mr. Bentor.

Cc:  Providian.
 Credit reporting agencies

------------------------------

Date:    Sun, 24 Oct 1999 15:28:21 -0400
From:    Monty Solomon <monty@roscom.com>
Subject: Privacy Act system notice rule and amendment

* Privacy Act system notice rule and amendment: 

The FTC will publish shortly a Federal Register notice approving the 
development of a records system needed to implement the Identity Theft 
and Assumption Deterrence Act of 1998. The new system is being 
established subject to the Privacy Act of 1974 (as amended) and will be 
used by the Commission to log and acknowledge complaints submitted by 
victims of identity theft, to provide information to such individuals, 
and to refer their complaints to appropriate entities, including, but 
not limited to, the three national consumer reporting agencies and law 
enforcement agencies for potential law enforcement action. 
  
Because the categories of individuals covered by the system may include 
(among others) the target of an identity theft complaint, the Commission 
has determined that it is necessary to exempt the system from disclosure 
to such individuals for law enforcement purposes. Accordingly, the 
Commission will also publish a notice in the Federal Register to amend 
its Privacy Act rules to include this system in a list of similar 
systems covered by this exemption. 
  
Comments on this notice (and the related notice amending the 
Commission's Privacy Act rules to exempt the system) must be submitted 
within 30 days following publication in the Federal Register to: Federal 
Trade Commission, Office of the Secretary, 600 Pennsylvania Ave., NW, 
Washington, DC 20580. 
  
The Commission vote to publish the Federal Register notice was 4-0. (FTC 
File No. P859907; see press release dated May 20, 1998; staff contact is 
Alex Tang, 202-326-2447.) 

------------------------------

Date:    Fri, 29 Oct 1999 03:30:59 -0400
From:    Monty Solomon <monty@roscom.com>
Subject: Telephone Privacy

Excerpt from ACLU News 10-28-99

-----------------------------------------------------------------

     Consumer and Privacy Organizations, Legal Scholars
     Urge Appeals Court to Protect Consumers' Telephone Privacy

FOR IMMEDIATE RELEASE
Monday, October 25, 1999

WASHINGTON -- In a friend-of-the-court brief filed today, 15 consumer and 
privacy organizations and 22 legal scholars urged a federal appeals court 
to reconsider a decision that would allow telephone companies to use 
private telephone records for marketing purposes.

The groups, including the American Civil Liberties Union, said that the 
case is of great importance to consumers across the United States.

The brief, filed in support of a petition from the Federal Communications 
Commission, asks the 10th Circuit Court of Appeals to uphold a privacy 
provision that was enacted by Congress in 1996 and implemented by the FCC.

In US West v. FCC, the federal appeals court said that the "opt-in" privacy 
safeguard recommended by the FCC violated the First Amendment rights of the 
telephone company to market products and services.

The information that would be disclosed "consists of customer calling 
records that would not exist but for the private activities of telephone 
customers," the groups said in legal papers. "These records, which are not 
publicly available, include such sensitive and personal information as who 
an individual calls, when, for how long, and how often."

An alternative "opt-out" approach, they argued, is burdensome and "would 
have required telephone customers to contact their carrier to prevent the 
disclosure of their personal calling records."

The groups concluded that an "opt-in approach is consistent with the First 
Amendment and is the most reasonable fit with Congress's intent to protect 
the privacy of telephone subscribers' personal information."

"This is not a question of whether there is a First Amendment right to 
commercial speech, but instead of whether corporations have a right to 
disclose the sensitive personal information of their customers without 
consent," said Barry Steinhardt, associate director of the ACLU.

"If the courts allow companies to claim a right to disclose personal 
information, then every law that gives us control over our own data is 
called into question," he added.

The brief was supported by a wide range of privacy and consumer 
organizations, including the ACLU, the Electronic Privacy Information 
Center, the Consumer Federation of America, and the U.S. Public Interest 
Research Group. The brief was also endorsed by many leading legal scholars. 
The Washington law firm of Covington & Burling filed the brief on behalf of 
the coalition.

The friend-of-the-court brief filed by the coalition is available on the 
ACLU's website: http://www.aclu.org/court/uswest_brief.html

     Additional information about US West v. FCC:
     http://www.epic.org/privacy/litigation/uswest/

------------------------------

Date:    Fri, 29 Oct 1999 23:37:11 -0400
From:    Monty Solomon <monty@roscom.com>
Subject: Privacy of Health Information

                            THE WHITE HOUSE

                     Office of the Press Secretary
______________________________________________________________________
For Immediate Release                                   October 29, 1999


              PRESIDENT CLINTON TAKES STRONG NEW STEPS TO 
           PROTECT THE PRIVACY OF PERSONAL HEALTH INFORMATION

                           October 29, 1999


President Clinton today will unveil a landmark set of privacy
protections for medical information stored or transmitted
electronically.  This new regulation, which the President is proposing
because of Congress's failure to act, underscores the Administration's
commitment to safeguarding the security of personal health information.
But the President will note that because his regulatory authority is
limited, comprehensive federal legislation is urgently needed, and he
will urge Congress to enact broader privacy protections without further
delay.

The new regulation that President Clinton and HHS Secretary Shalala are
announcing today would apply to all health plans and many health care
providers, as well as to health care clearinghouses such as billing
companies.  It would: 1) limit the non-consensual use and release of
private health information; 2) inform consumers about their right to
access their records and to know who else has accessed them; 3) restrict
the disclosure of protected health information to the minimum necessary;
4) establish new disclosure requirements for researchers and others
seeking access to health records; and 5) establish new criminal and
civil sanctions for the improper use or disclosure of such information...

                         --------------------

     [ The full release is at (the long!) URL:

http://www.pub.whitehouse.gov/uri-res/I2R?urn:pdi://oma.eop.gov.us/1999/10/29/4.text.1

                -- PRIVACY Forum Moderator ]

------------------------------

Date:    Sun, 31 Oct 1999 07:55:49 -0700
From:    Jim Warren <jwarren@well.com>
Subject: Thermal Imaging In-Home Surveillance OK Without Warrants

At 1:24 AM -0700 10/31/99, johnnyk@primenet.com (Johnny King) wrote:

WESTERN FEDERAL APPEALS COURT RULES
POLICE MAY CONDUCT THERMAL IMAGING SURVEILLANCE
ON PRIVATE HOMES WITHOUT WARRANT

Court Reverses:  No Warrant Needed for Thermal Imaging

The 9th Circuit Court of Appeals reversed last week (9/10) by deciding that
police need not obtain a warrant before turning thermal imaging technology
on private homes. The new ruling delighted law enforcement, which uses the
technology to look for indoor marijuana-grow operations or drug labs by
detecting excess heat coming from within a residence.

The original ruling, in August, 1998, said that the technology was
intrusive enough to necessitate a warrant. Even as the government's motion
for re-hearing was pending, however, one of the three panel judges retired,
and the new judge, Melvin Brunetti, joined Judge Michael Hawkins, the lone
dissenter in the first opinion, to overturn.

Judge John Noonan, dissenting to the new ruling, likened the use of thermal
imaging to a high-powered telescope looking into a home, an activity which
would require a warrant.  But Judge Michael Hawkins, who wrote the new
majority opinion said that the technology "intrude(s) into nothing."

Military analyst Joseph Miranda, however, told The Week Online that the
technology is more invasive than the majority opinion lets on.

"Thermal imaging technology involves infrared detectors which basically
allow people to see through walls.  It can determine changes in heat levels
within a house.  While the police might be using this technology to find
marijuana grow lights, they can also determine which rooms have people in
them and even what you are doing in your bedroom.  In fact, the technology
is getting to the stage that with the help of computer-enhancement,
authorities could use the technology to get a pretty accurate picture of
very personal activities."

 From: katz@netwide.net (Blaine-Laura Katz)
 Subject:  Court Reverses:  No Warrant Needed for Thermal Imaging
 Date: Wed, 22 Sep 1999 04:40:29 -0400

========================================================

The Federal 9th Circuit Court of Appeal covers most of the Western U.S.
Cases are usually decided by a 3 judge panel.  The first time this case was
heard, two of the three judges voted that thermal imaging surveillance was
so intrusive of privacy that it required a warrant.  One judge ruled that
it needed no warrant.  One of the judges that ruled it needed a warrant
retired, and the judge who took his place voted oppositely when the case
was granted a rehearing at the government's (police's) request.  It seems
unlikely that this ruling will stand, but it will probably be the law of
the land for the next year or so, until it is overturned.  The next likely
step will be a rehearing before the court "en banc", when all of the 23 or
so judges who sit on the 9th Circuit Court of Appeal will hear and decide
the case together.  The next, and last step, is an appeal to the U.S.
Supreme Court.

-Johnny

------------------------------

End of PRIVACY Forum Digest 08.14
************************


Copyright © 2005 Vortex Technology. All Rights Reserved.