PRIVACY Forum Archive Document


PRIVACY Forum Digest      Sunday, 6 February 2000      Volume 09 : Issue 07

                (http://www.vortex.com/privacy/priv.09.07)

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                         http://www.vortex.com 
        
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
                 Cable & Wireless USA, Cisco Systems, Inc., 
                           and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
        "People For Internet Responsibility" Issues and Status Report 
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Compaq's New "Free" Internet Service
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Anybirthday.com Developments (and Javascript!)
           (Lauren Weinstein; PRIVACY Forum Moderator)
        "My Deja" defaults to public disclosure of personal details
           (Nickee Sanders)
        Oz Draft Privacy Bill Appalling (Roger Clarke)
        Revised U.S. Encryption Export Control Regulations (Monty Solomon)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the list server system.  Please follow the instructions above
for getting the list server  "help" information, which includes details
regarding the "index" and "get" list server commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 09, ISSUE 07

     Quote for the day:

        "You make me afraid of myself!"

           -- Adenoid Hynkel, Dictator of Tomania (Charles Chaplin)
              "The Great Dictator" (United Artists; 1940)

----------------------------------------------------------------------

Date:    Sat, 5 Feb 2000 21:15 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: "People For Internet Responsibility" Issues and Status Report 

Greetings.  The current version of the PFIR (People For Internet
Responsibility) "Issues" document, and a status report regarding PFIR
activities, are now available via the PFIR Web site at:

   http://www.pfir.org

The issues document covers a wide range of important Internet and Web topics.
It is (and will continue to be) a work in progress, and while quite
comprehensive is undergoing rapid expansion.  Many of the topics relate to
privacy issues, technology risks, and other matters that should be of
interest to current and potential Internet users.

Your input and comments regarding both of these documents would be very much 
appreciated via the e-mail addresses indicated within the docs 
themselves.

Thanks very much.

--Lauren--
lauren@vortex.com
Lauren Weinstein
Moderator, PRIVACY Forum - http://www.vortex.com
Co-Founder, PFIR: People For Internet Responsibility - http://www.pfir.org
Member, ACM Committee on Computers and Public Policy

------------------------------

Date:    Wed, 26 Jan 2000 20:01 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Compaq's New "Free" Internet Service

Greetings.  It has become common for computer vendors to promote hardware
bundles which include some number of monthly hours of Internet service.
Compaq Computer Corp. has now taken this idea off in something of a different
direction, by promoting the inclusion of "free" Internet service provided by
NetZero, Inc.

The irony of this is significant.  Not only is there no reason for you to
deal with Compaq in order to use NetZero net access services without charge--
virtually anybody in the U.S. can already do so--but promoting NetZero as if
they were a conventional ISP is, frankly, misleading.  True, some reports
suggest that NetZero is now the second largest provider of Internet access
services (after AOL).  However, NetZero's obnoxious forced screen display
management and pervasive monitoring and data collection (and commercial use
of that collected data) from their customers' Web activities puts NetZero in
a class by themselves, worlds apart from the providers of conventional ISP
services.

People's willingness to deal with such services may be difficult for many
readers of this digest to fathom.  But there's considerable evidence that
many persons are naively willing to give up all manner of privacy to save a
few bucks.  Of course, later when the snake comes back to bite them, they
discover that there's no way to ever put all that data back into the privacy
bottle from which they willingly released it.  The direct marketing folks
will be your very special personal, close friends forevermore, as they watch
your every move, your every click, around not only "cyberspace" but the rest
of your purchasing world as well.

As recent events with DoubleClick, Inc. have so vividly demonstrated
(http://www.vortex.com/privacy/priv.09.06), privacy gets eaten away a bit at
a time.  One day you turn around, and those bits have turned into a gaping
hole.  Is that hole really a reasonable tradeoff for saving a few dollars
per month?  It's definitely something to ponder.

--Lauren--
lauren@vortex.com
Lauren Weinstein
Moderator, PRIVACY Forum - http://www.vortex.com
Co-Founder, PFIR: People For Internet Responsibility - http://www.pfir.org
Member, ACM Committee on Computers and Public Policy

------------------------------

Date:    Sat, 15 Jan 2000 09:52 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Anybirthday.com Developments (and Javascript!)

Greetings.  There are continuing developments regarding the public database
of names, gender data, locations, and date of birth info at
http://www.anybirthday.com.  Some persons who have attempted to remove their
entries from the database since my original reports
(http://www.vortex.com/privacy/priv.09.03 and
http://www.vortex.com/privacy/priv.09.04) have informed me that they have
finally succeeded after numerous failures.

While the system still appears to be overloaded much of the time, it is at
least possible to occasionally inject deletion requests that are ultimately
processed.  There also is apparently now an e-mail address which can be used
(in the same basic format as the form) to request removal if the form
fails--users have reported varying degrees of success and delays in seeing
results from this as well.

A Very Important Note: Unless you have Javascript enabled in your browser,
you will probably see responses like "no row returned" rather than actual
records in response to your queries.  Many persons have assumed that they
were not in the database when they saw this response!  It appears that you
cannot depend on accurate results (at least judging from reports and my
testing) unless you have Javascript turned on.  And if you're just enabling
Javascript for that search page, be sure to reload the page after enabling
before entering your search query, so that Javascript will be fully activated
for that page.  An easy test to determine if you're doing real searches or
not is to enter a query for "John Smith"...

As of my last test, the database is now providing name, date of birth, city,
state, and zip code, plus it has also returned to providing "recommended
gifts" rather than explicit gender data, though the gender is easily
determined from the type of gift indicated in the search results.

Their database continues to change its formats, but the problems associated
with public access to such personal information remain very much the same.

--Lauren--
lauren@vortex.com
Lauren Weinstein
Moderator, PRIVACY Forum - http://www.vortex.com
Co-Founder, PFIR: People For Internet Responsibility - http://www.pfir.org
Member, ACM Committee on Computers and Public Policy

------------------------------

Date:    Fri, 21 Jan 2000 13:32:53 +1300
From:    Nickee Sanders <njs@ihug.co.nz>
Subject: "My Deja" defaults to public disclosure of personal details

I've been a subscriber of deja.com for two years now.  I have an email
account with them, and I subscribe to several newsgroups.

During that time a number of changes have happened to the site.  Most of
them have been more cosmetic than anything else.  On accessing the site a
couple of days ago, I found that they now have a "private profile"
(everything they know about you, accessible allegedly only by you) and a
"public profile" (everything in your private profile which you allow them
to make public).

Imagine my surprise to find that the "keep private" settings all default to
OFF!  This includes my zip code.

I sure didn't get any warning of this change from them............

I picked myself up off the floor and proceeded to change all of my profile
to private access only.  Then I had a friend verify, using her deja
account, that nothing about me was publicly visible any more.

She found that my forum subscriptions were still publicly visible.
Admittedly, this is not nearly so bad as it would be to find that my
personal details were still publicly visible, but it's hardly unreasonable
to expect them to actually honor my privacy wishes, as expressed through
their mechanism.

A day later, it appears that only my posting history is now publicly
visible, so perhaps it takes 24 hours to update.  Since this is all (to my
knowledge) that deja has ever displayed about me, I'm not inclined to take
this further.

But I thought others might like to know that suddenly -- and apparently
silently -- deja has opened their bedroom curtains.  And I'm not impressed
that they have chosen an opt-out scheme, rather than an opt-in one.

Nickee Sanders
Software Engineer
Auckland, New Zealand
PGP Public Key available from http://www.keyserver.net:11371/
Fingerprint: 2D83 0E4B 4B19 C0C5 BBA1  339A C52B EE11 FD09 20C7

        [ I spoke at length with a Deja.com official about these
          issues.  He readily admitted that there have been
          technical problems which resulted in information that
          should have been private, actually being marked
          public and available.  This was supposedly fixed.

          He also admitted that the format of the form you described
          above was confusing.  He claims that in reality until
          users reached that page as part of the required "upgrade"
          to the new version of MyDeja, all of their info was still
          private.  After leaving this page, the new settings would
          take effect.

          He freely acknowledged that the decision to force users into
          an "opt-out" stance to protect their privacy, by defaulting
          the selections on the form to their least private settings,
          was purely a marketing decision.  It is this sudden
          switch from being a "pro-privacy by default" service to
          effectively a "no privacy by default" service that is the most
          disturbing aspect of this entire episode.

                        -- PRIVACY Forum Moderator ]

------------------------------

Date:    Mon, 17 Jan 2000 09:53:48 +1100
From:    Roger Clarke <Roger.Clarke@anu.edu.au>
Subject: Oz Draft Privacy Bill Appalling

The Australian Attorney-General released a document on 14 Dec 99 which
contained Key Provisions of the Private Sector Privacy Bill that he
proposes to table in the House in February.  Submissions were invited by 17
January 2000.

My conclusion is that the Draft Bill is absolutely appalling.  Rather than
a privacy protection instrument, it is a Bill for the Legitimisation of
Hitherto Unauthorised Abuses of Personal Data.

The Abstract and the URL for my detailed Submission are below;  also an
extract from the Australian Computer Society's submission.

              SUBMISSION to the Commonwealth Attorney-General
               Re: 'A privacy scheme for the private sector:
              Release of Key Provisions' of 14 December 1999

                              Roger Clarke

      http://www.anu.edu.au/people/Roger.Clarke/DV/PAPSSub0001.html

                                Abstract

The draft Bill fails to satisfy the needs of the public, because it
contains large numbers of exemptions and exceptions, and legitimises many
unreasonable uses of personal data. As a result, it would actually reduce
privacy protections rather than enhance them. The draft Bill also fails to
satisfy the needs of the private sector, because it is long and complex,
and fails to encourage the confidence of consumers in their dealings with
companies. The Bill needs to be very substantially revised, or withdrawn
and re-written.

                                Contents
Introduction
Background
The Inadequacies To Be Addressed
    1. Inflexible Legislation Rather Than Codes
    2. Failure to Require Consultation and Participation
    3. Exemptions from the Protection Regime
    4. Exceptions within the Protection Regime
       4.1 Weaknesses in the Privacy Commissioner's Original NPFHPI
       4.2 Additional Weaknesses in the 'National Privacy Principles'
    5. Further Specific Weaknesses in the Principles
    6. Inadequate Code Approval Criteria
    7. No Compulsory Complaints-Handling Mechanism Within Organisations
    8. Lack of Oversight, Sanctions and Enforcement
    9. Failure to Address Outsourced Government Operations
    10. Failure to Provide 21st Century Protections
Conclusions
References


The Australian Computer Society's Submission says:

"The Society's Economic, Legal and Social Implications Committee has
considered the 'Key Provisions' document, together with the analysis
prepared by one of the Society's longstanding Fellows, Dr Roger Clarke,
which is available at:

    http://www.anu.edu.au/people/Roger.Clarke/DV/PAPSSub0001.html

"The Committee agrees with the critique in that document.  It suitably
expresses our serious concern about inadequacies in the draft Bill.  In its
current form, the Bill seems to contemplate a reduction in privacy
protection, and even appears to sanction privacy-invasive practices.  In
our respectful opinion the Bill needs to be very substantially revised to
address the deficiencies identified in Dr Clarke's paper.  The Australian
Computer Society would welcome the opportunity to participate in the
development of a revised Bill".

Roger Clarke              http://www.anu.edu.au/people/Roger.Clarke/

Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke@xamax.com.au            http://www.xamax.com.au/

Visiting Fellow                       Department of Computer Science
The Australian National University     Canberra  ACT  0200 AUSTRALIA
Information Sciences Building Room 211       Tel:  +61  2  6249 3666

------------------------------

Date:    Sat, 15 Jan 2000 14:59:04 -0500
From:    Monty Solomon <monty@roscom.com>
Subject: Revised U.S. Encryption Export Control Regulations

Revised U.S. Encryption Export Control Regulations
January 2000

(PDF Version Available)

------------------------------------------------------------------------

January 10, 2000
Billing Code: 3510 33-P

DEPARTMENT OF COMMERCE

Bureau of Export Administration

15 CFR Parts 734, 740, 742, 770, 772, and 774

[Docket No. ]

RIN: 0694-AC11

Revisions to Encryption Items

AGENCY: Bureau of Export Administration, Commerce
ACTION: Interim final; request for comments.

SUMMARY: This rule amends the Export Administration Regulations (EAR) to 
allow the export and reexport of any encryption commodity or software to 
individuals, commercial firms, and other non-government end-users in all 
destinations. It also allows exports and reexports of retail encryption 
commodities and software to all end-users in all destinations. 
Post-export reporting requirements are streamlined, and changes are made 
to reflect amendments to the Wassenaar Arrangement. This rule implements 
the encryption policy announced by the White House on September 16 and 
will simplify U.S. encryption export rules. Restrictions on terrorist 
supporting states (Cuba, Iran, Iraq, Libya, North Korea, Sudan or 
Syria), their nationals and other sanctioned entities are not changed by 
this rule.

http://www.epic.org/crypto/export_controls/regs_1_00.html 

------------------------------

End of PRIVACY Forum Digest 09.07
************************



Copyright © 2005 Vortex Technology. All Rights Reserved.