PRIVACY Forum Archive Document
PRIVACY Forum Digest Monday, 1 November 1999 Volume 08 : Issue 14 (http://www.vortex.com/privacy/priv.08.14) Moderated by Lauren Weinstein (firstname.lastname@example.org) Vortex Technology, Woodland Hills, CA, U.S.A. http://www.vortex.com ===== PRIVACY FORUM ===== ------------------------------------------------------------------- The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, Cable & Wireless USA, Cisco Systems, Inc., and Telos Systems. - - - These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum. ------------------------------------------------------------------- CONTENTS "Spies" in Your Software? (Lauren Weinstein; PRIVACY Forum Moderator) Students Forced to Wear SSN (Lauren Weinstein; PRIVACY Forum Moderator) IPv6 Identifier Privacy Issues: The Reality (Lauren Weinstein; PRIVACY Forum Moderator) Video Cameras: "Watching Out For You?" Or Watching You? (Lauren Weinstein; PRIVACY Forum Moderator) Concern over home photo database (Dominic Cooney) Unsolicited Ad Mailing Containing Private Financial Information (Mr. Bentor) Privacy Act system notice rule and amendment (Monty Solomon) Telephone Privacy (Monty Solomon) Privacy of Health Information (Monty Solomon) Thermal Imaging In-Home Surveillance OK Without Warrants (Jim Warren) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. All submissions should be addressed to "email@example.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are via an automatic list server system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "firstname.lastname@example.org". Mailing list problems should be reported to "email@example.com". All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the list server system. Please follow the instructions above for getting the list server "help" information, which includes details regarding the "index" and "get" list server commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com/". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access. ----------------------------------------------------------------------------- VOLUME 08, ISSUE 14 Quote for the day: "I thought I'd wake up dead." -- James [Agent 007] Bond (Sean Connery) "Goldfinger" (United Artists; 1964) ---------------------------------------------------------------------- Date: Mon, 1 Nov 99 11:57 PST From: firstname.lastname@example.org (Lauren Weinstein; PRIVACY Forum Moderator) Subject: "Spies" in Your Software? Greetings. As the percentage of computer users with either on-demand or permanent connections to the Internet continues to creep ever closer to 100%, some techniques are beginning to appear in software which can only be described as underhanded--apparently implemented by software firms who consider it their right to pry into your behavior. It's becoming increasingly popular for various software packages, which would not otherwise seem to have any need for a network connection, to establish "secret" links back to servers to pass along a variety of information or to establish hidden control channels. One rising star in this area of abuse is remote software control. Various firms now promote packages and libraries, which can be "invisibly" added to other software, to provide detailed "command and control" over the software's use, often without any clue to the user as to what's actually going on. These firms promote that they can monitor usage, remotely disable the software, gather statistics--anything you can imagine. The oft-cited major benign justification for such systems is piracy control, leading to gathering of information such as site IP numbers, for example. If the software seems to be running on the "wrong" machine, it can be remotely disabled. But information gathering and control most certainly doesn't necessarily stop there! Another example is the use of such systems in "demo" software. I recently received promotional material from a firm touting their package's ability to prevent demo software from running without it first "signing in" to a remote server on each run, which would then report all usage of the demo--so the demo producer could figure out who to target for more contacts ("buy now!") or to disable the demo whenever they wished--or whatever might be desired. It is frequently the case that software using such techniques will establish network connections without even asking the user (though I did succeed in getting one such firm to promise to change this policy after a long phone conversation with their president). But as a general rule, you cannot assume that you'll ever know that software is establishing a "hidden" channel, except in cases with dialup modems where you might actually hear the process. With permanent net connections, there'd typically be no clue. If you think that your firewalls will protect you against such systems, think again. The protocol of choice for such activities is HTTP--the standard web protocol--meaning that these control and monitoring activities will typically flow freely through most firewalls and proxies that permit web browsing. Other examples of such "backchannels" have also been appearing, such as e-mail messages containing "hidden" HTTP keys which will indicate to the sender when the e-mail was viewed by the recipient (assuming the e-mail was read in an HTTP-compliant mail package). Is this any of the firms' business? No, of course not. They just think they're being cute, and do it since they can. If you care about this sort of thing, read your e-mail in text-based packages--they're safer from a wide variety of e-mail "surprises" (including viruses) in any case. In the Unix/Linux world, "mh" is a good choice. Whether one cares to view any particular application of these sorts of "network spy" technologies as trivial or critical will vary of course. Some people probably couldn't care less. Others (especially in business and government, where hidden flows of information can have serious consequences indeed) will be much more concerned. Unfortunately, until such a time as it is clearly illegal for such packages to siphon information from, or remotely control, users' computers without their knowledge or permissions, such abuses are likely only to continue growing in scope and risks. We haven't seen anything yet. --Lauren-- Lauren Weinstein email@example.com Moderator, PRIVACY Forum --- http://www.vortex.com Member, ACM Committee on Computers and Public Policy Host, "Vortex Reality Report & Unreality Trivia Quiz" --- http://www.vortex.com/reality ------------------------------ Date: Mon, 1 Nov 99 12:29 PST From: firstname.lastname@example.org (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Students Forced to Wear SSN Greetings. In yet another example of what I'll politely call "muddy" thinking, a school in Louisiana began forcing students to wear "over the neck" ID badges at all times in school, which contained a barcoded version of their Social Security Numbers (even though an alternate Student ID, established to avoid problems with SSN usage, apparently could have been used). Teachers, cafeteria workers, custodians, and administrators must wear these badges as well, I'm told. Of course, in no time at all students had decoded the barcodes, and even established a web site to provide the decoding information, to demonstrate how trivially the SSN could be derived. This demonstrates pretty clearly the difference between "encryption" (the word administrators have apparently erroneously used to describe the barcoded SSN) and simple standardized encoding. As an aside, students also found that it was easy to grab the ID badge rope around other students' necks and play all sorts of "fun" games that way... In the wake of the continuing controversy, the school's principal declared that concerned students could cover up the bar code--but of course it'll be the students who don't realize the potential problems, and don't bother to take such actions, who would continue to be at most risk. It's a bad policy all around. These sorts of knee-jerk reaction of schools to highly publicized (but statistically exceedingly rare) events doesn't really provide any additional useful security against such occurrences, but seem designed to convince parents that administrators are "doing something," however useless--or counterproductive--they might be. --Lauren-- Lauren Weinstein email@example.com Moderator, PRIVACY Forum --- http://www.vortex.com Member, ACM Committee on Computers and Public Policy Host, "Vortex Reality Report & Unreality Trivia Quiz" --- http://www.vortex.com/reality ------------------------------ Date: Mon, 1 Nov 99 11:29 PST From: firstname.lastname@example.org (Lauren Weinstein; PRIVACY Forum Moderator) Subject: IPv6 Identifier Privacy Issues: The Reality Greetings. Many of you will by now be aware of all the publicity surrounding reported privacy problems associated with IPv6 (a new version of the Internet IP communications protocol) currently being developed under the auspices of the IETF (Internet Engineering Task Force). Executive Summary: "Don't Panic!" Some Background: The concerns revolve around the use of hardware identifiers (e.g. Network Interface Card IDs) as part of IPv6 packet addressing. It has been asserted that this would enable tracking of individuals' activities on the net much more easily than is the case today, and bring forth a new range of privacy problems. It's of course necessary to have some form of addressing in computer networks, or you wouldn't be able to read this message right now. The packets have to know where they're headed. In practice, the existing Internet protocol (IPv4) provides much the same kind of information in many cases, particularly when "static" (unchanging) addresses are in use. Static addresses are the norm for conventional permanent circuit connections to the net, and increasingly common for DSL and cable modems. The IPv6 idea of a unique identifier derived from hardware was intended to help make sure that address duplication would not occur between different machines--a continuing headache for present-day network administrators. It is also considered important to the authentication and security improvements of IPv6. The risk of such data potentially being misused would appear to be highest in "mobile" applications, significantly less in dialup Internet access environments (since many such computers wouldn't even possess the hardware ID), and least important in permanently linked dedicated circuit situations, where a static address already provides an essentially unchanging identity, even in today's environment. The Good News: To the extent that the permanent IDs are considered to be a privacy problem, it's obvious that existing technologies such as proxy servers could be used to wall off identifiers. This could well prove to be unnecessary, however. It appears that many of the folks raising the red flag on this issue may be unfamiliar with the fact that the IETF has been aware of these privacy concerns regarding the permanent identifier, and that they have been addressed in the IETF Draft: "Privacy Extensions for Stateless Address Autoconfiguration in IPv6" http://www.ietf.org/internet-drafts/draft-ietf-ipngwg-addrconf-privacy-01.txt (Note: as an Internet Draft, this document is subject to removal, updating, or change at any time--it would be best to track it via Internet Draft indexes at http://www.ietf.org.) The above referenced document gives an excellent overview of the issues involved and a proposed solution to address the privacy concerns. It would seem prudent to encourage the adoption of this proposal into the IPv6 specification, and to urge its implementation by IPv6 developers and vendors, ideally as the default mode under user control. --Lauren-- Lauren Weinstein email@example.com Moderator, PRIVACY Forum --- http://www.vortex.com Member, ACM Committee on Computers and Public Policy Host, "Vortex Reality Report & Unreality Trivia Quiz" --- http://www.vortex.com/reality ------------------------------ Date: Mon, 1 Nov 99 10:47 PST From: firstname.lastname@example.org (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Video Cameras: "Watching Out For You?" Or Watching You? Greetings. The proliferation of video cameras, often ostensibly for various "public safety" purposes, has been a matter of concern for some time. One interesting example occurred recently when four employees at KEZI-TV in Oregon were fired for using the station's "Sky-Cam" (mounted on a downtown Eugene bank building) to spy on patrons of the nearby Eugene Hilton. KEZI uses the slogan: "Watching Out For You." An Oregon State Police Detective confirmed that it is illegal under Oregon law to photograph or tape a person in the nude in areas where they have an expectation of privacy, without their consent. But he emphasized that simple viewing was not a crime in Oregon, unless a visual recording of some sort were also made, and that they couldn't find any such recordings in the KEZI case. It does cause you to wonder about all those cameras one sees around many cities, that seem to be pointing in "odd" directions much of the time... --Lauren-- Lauren Weinstein email@example.com Moderator, PRIVACY Forum --- http://www.vortex.com Member, ACM Committee on Computers and Public Policy Host, "Vortex Reality Report & Unreality Trivia Quiz" --- http://www.vortex.com/reality ------------------------------ Date: Wed, 29 Sep 1999 22:58:03 +1000 From: "Dominic Cooney" <firstname.lastname@example.org> Subject: Concern over home photo database A Brisbane, Australia company, RP Data (http://www.rpdata.com.au), is developing a database product that includes a photograph of every home in Brisbane (566,100 households; Source: Australian Bureau of Statistics), who owns it and the last recorded sales price. RP Data has claimed that it is not breaking any laws, and that clients are screened before information is given to them. The Australian Broadcasting Corporation reports: (http://www.abc.net.au/news/state/qld/metqld-29sep1999-19.htm) that RP Data "...stresses it has no known crime gangs as clients". [ This qualifies as the "reassuring quote of the week"! -- PRIVACY Forum Moderator ] A state member of parliament has raised privacy and security concerns over the product. RP Data has plans to extend the coverage of the database to all of Australia (Source: ABC News). Dominic Cooney ------------------------------ Date: Thu, 21 Oct 1999 23:11:42 -0700 From: "Ben" <MrBentor@hotmail.com> Subject: Unsolicited Ad Mailing Containing Private Financial Information. I do not even know where to begin with this. I am none-the-less a little hot over this. Today I received a letter of solicitation in the post from Providian Financial MasterCard. On it's own, this is not so unusual as many companies send out many different mailings. Now comes the rub, which is not even that competitive of an offer; they send me this letter with attached checks that are pre-made out to other credit card company saying that they are offering a 12.99% apr. for 3 months if I transfer my balances to their card. They do not say what the percentage it will go to after three months. Then in this unsolicited offer they include the balances and bank names of the other credit card accounts I own. Good Grief! What are these people doing using private information in their unsolicited advertisement they are sending in the mail me that contain information of other private accounts such as the names of the other banks and the balances? I realize that the reporting companies sell financial information and credit ratings to other banks so they can determine if the target is worth an offer of service. But now they are pointing out that you have accounts at XX, YY, and ZZ with current balances in their offers. I have also told them (banks an reporting agencies) in the past not to sell my data. One caveat, I did once have an account with this company; but I terminated months ago, as they purchased another credit card Company and raised the rates to 19.8%, their rates were not competitive with other percentages on other accounts. All the checks were pre-filled out with the name of the other bank it did not specifically have the account number on the check. It did have the balances on the stub of the check for to be put in amount line on the check. I suppose that any account number could be put on the check if they were to have been pilfered from the mails. I guess I resent that they are using private information from other banks to sell me their services. I find it a privacy violation. I will now write them a nasty gram. Disturbed, Mr. Bentor. Cc: Providian. Credit reporting agencies ------------------------------ Date: Sun, 24 Oct 1999 15:28:21 -0400 From: Monty Solomon <email@example.com> Subject: Privacy Act system notice rule and amendment * Privacy Act system notice rule and amendment: The FTC will publish shortly a Federal Register notice approving the development of a records system needed to implement the Identity Theft and Assumption Deterrence Act of 1998. The new system is being established subject to the Privacy Act of 1974 (as amended) and will be used by the Commission to log and acknowledge complaints submitted by victims of identity theft, to provide information to such individuals, and to refer their complaints to appropriate entities, including, but not limited to, the three national consumer reporting agencies and law enforcement agencies for potential law enforcement action. Because the categories of individuals covered by the system may include (among others) the target of an identity theft complaint, the Commission has determined that it is necessary to exempt the system from disclosure to such individuals for law enforcement purposes. Accordingly, the Commission will also publish a notice in the Federal Register to amend its Privacy Act rules to include this system in a list of similar systems covered by this exemption. Comments on this notice (and the related notice amending the Commission's Privacy Act rules to exempt the system) must be submitted within 30 days following publication in the Federal Register to: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Ave., NW, Washington, DC 20580. The Commission vote to publish the Federal Register notice was 4-0. (FTC File No. P859907; see press release dated May 20, 1998; staff contact is Alex Tang, 202-326-2447.) ------------------------------ Date: Fri, 29 Oct 1999 03:30:59 -0400 From: Monty Solomon <firstname.lastname@example.org> Subject: Telephone Privacy Excerpt from ACLU News 10-28-99 ----------------------------------------------------------------- Consumer and Privacy Organizations, Legal Scholars Urge Appeals Court to Protect Consumers' Telephone Privacy FOR IMMEDIATE RELEASE Monday, October 25, 1999 WASHINGTON -- In a friend-of-the-court brief filed today, 15 consumer and privacy organizations and 22 legal scholars urged a federal appeals court to reconsider a decision that would allow telephone companies to use private telephone records for marketing purposes. The groups, including the American Civil Liberties Union, said that the case is of great importance to consumers across the United States. The brief, filed in support of a petition from the Federal Communications Commission, asks the 10th Circuit Court of Appeals to uphold a privacy provision that was enacted by Congress in 1996 and implemented by the FCC. In US West v. FCC, the federal appeals court said that the "opt-in" privacy safeguard recommended by the FCC violated the First Amendment rights of the telephone company to market products and services. The information that would be disclosed "consists of customer calling records that would not exist but for the private activities of telephone customers," the groups said in legal papers. "These records, which are not publicly available, include such sensitive and personal information as who an individual calls, when, for how long, and how often." An alternative "opt-out" approach, they argued, is burdensome and "would have required telephone customers to contact their carrier to prevent the disclosure of their personal calling records." The groups concluded that an "opt-in approach is consistent with the First Amendment and is the most reasonable fit with Congress's intent to protect the privacy of telephone subscribers' personal information." "This is not a question of whether there is a First Amendment right to commercial speech, but instead of whether corporations have a right to disclose the sensitive personal information of their customers without consent," said Barry Steinhardt, associate director of the ACLU. "If the courts allow companies to claim a right to disclose personal information, then every law that gives us control over our own data is called into question," he added. The brief was supported by a wide range of privacy and consumer organizations, including the ACLU, the Electronic Privacy Information Center, the Consumer Federation of America, and the U.S. Public Interest Research Group. The brief was also endorsed by many leading legal scholars. The Washington law firm of Covington & Burling filed the brief on behalf of the coalition. The friend-of-the-court brief filed by the coalition is available on the ACLU's website: http://www.aclu.org/court/uswest_brief.html Additional information about US West v. FCC: http://www.epic.org/privacy/litigation/uswest/ ------------------------------ Date: Fri, 29 Oct 1999 23:37:11 -0400 From: Monty Solomon <email@example.com> Subject: Privacy of Health Information THE WHITE HOUSE Office of the Press Secretary ______________________________________________________________________ For Immediate Release October 29, 1999 PRESIDENT CLINTON TAKES STRONG NEW STEPS TO PROTECT THE PRIVACY OF PERSONAL HEALTH INFORMATION October 29, 1999 President Clinton today will unveil a landmark set of privacy protections for medical information stored or transmitted electronically. This new regulation, which the President is proposing because of Congress's failure to act, underscores the Administration's commitment to safeguarding the security of personal health information. But the President will note that because his regulatory authority is limited, comprehensive federal legislation is urgently needed, and he will urge Congress to enact broader privacy protections without further delay. The new regulation that President Clinton and HHS Secretary Shalala are announcing today would apply to all health plans and many health care providers, as well as to health care clearinghouses such as billing companies. It would: 1) limit the non-consensual use and release of private health information; 2) inform consumers about their right to access their records and to know who else has accessed them; 3) restrict the disclosure of protected health information to the minimum necessary; 4) establish new disclosure requirements for researchers and others seeking access to health records; and 5) establish new criminal and civil sanctions for the improper use or disclosure of such information... -------------------- [ The full release is at (the long!) URL: http://www.pub.whitehouse.gov/uri-res/I2R?urn:pdi://oma.eop.gov.us/1999/10/29/4.text.1 -- PRIVACY Forum Moderator ] ------------------------------ Date: Sun, 31 Oct 1999 07:55:49 -0700 From: Jim Warren <firstname.lastname@example.org> Subject: Thermal Imaging In-Home Surveillance OK Without Warrants At 1:24 AM -0700 10/31/99, email@example.com (Johnny King) wrote: WESTERN FEDERAL APPEALS COURT RULES POLICE MAY CONDUCT THERMAL IMAGING SURVEILLANCE ON PRIVATE HOMES WITHOUT WARRANT Court Reverses: No Warrant Needed for Thermal Imaging The 9th Circuit Court of Appeals reversed last week (9/10) by deciding that police need not obtain a warrant before turning thermal imaging technology on private homes. The new ruling delighted law enforcement, which uses the technology to look for indoor marijuana-grow operations or drug labs by detecting excess heat coming from within a residence. The original ruling, in August, 1998, said that the technology was intrusive enough to necessitate a warrant. Even as the government's motion for re-hearing was pending, however, one of the three panel judges retired, and the new judge, Melvin Brunetti, joined Judge Michael Hawkins, the lone dissenter in the first opinion, to overturn. Judge John Noonan, dissenting to the new ruling, likened the use of thermal imaging to a high-powered telescope looking into a home, an activity which would require a warrant. But Judge Michael Hawkins, who wrote the new majority opinion said that the technology "intrude(s) into nothing." Military analyst Joseph Miranda, however, told The Week Online that the technology is more invasive than the majority opinion lets on. "Thermal imaging technology involves infrared detectors which basically allow people to see through walls. It can determine changes in heat levels within a house. While the police might be using this technology to find marijuana grow lights, they can also determine which rooms have people in them and even what you are doing in your bedroom. In fact, the technology is getting to the stage that with the help of computer-enhancement, authorities could use the technology to get a pretty accurate picture of very personal activities." From: firstname.lastname@example.org (Blaine-Laura Katz) Subject: Court Reverses: No Warrant Needed for Thermal Imaging Date: Wed, 22 Sep 1999 04:40:29 -0400 ======================================================== The Federal 9th Circuit Court of Appeal covers most of the Western U.S. Cases are usually decided by a 3 judge panel. The first time this case was heard, two of the three judges voted that thermal imaging surveillance was so intrusive of privacy that it required a warrant. One judge ruled that it needed no warrant. One of the judges that ruled it needed a warrant retired, and the judge who took his place voted oppositely when the case was granted a rehearing at the government's (police's) request. It seem unlikely that this ruling will stand, but it will probably be the law of the land for the next year or so, until it is overturned. The next likely step will be a rehearing before the court "en banc", when all of the 23 or so judges who sit on the 9th Circuit Court of Appeal will hear and decide the case together. The next, and last step, is an appeal to the U.S. Supreme Court. -Johnny ------------------------------ End of PRIVACY Forum Digest 08.14 ************************
Vortex Technology Home Page
Copyright © 2005 Vortex Technology. All Rights Reserved.