PRIVACY Forum Archive Document
PRIVACY Forum Digest     Sunday, 6 February 2000     Volume 09 : Issue 07

            (http://www.vortex.com/privacy/priv.09.07)

            Moderated by Lauren Weinstein (lauren@vortex.com)
              Vortex Technology, Woodland Hills, CA, U.S.A.
                         http://www.vortex.com

                       ===== PRIVACY FORUM =====

   -------------------------------------------------------------------
     The PRIVACY Forum is supported in part by the ACM (Association for
     Computing Machinery) Committee on Computers and Public Policy,
     Cable & Wireless USA, Cisco Systems, Inc., and Telos Systems.
                                 - - -
     These organizations do not operate or control the PRIVACY Forum in
     any manner, and their support does not imply agreement on their
     part with nor responsibility for any materials posted on or related
     to the PRIVACY Forum.
   -------------------------------------------------------------------

CONTENTS
   "People For Internet Responsibility" Issues and Status Report
      (Lauren Weinstein; PRIVACY Forum Moderator)
   Compaq's New "Free" Internet Service
      (Lauren Weinstein; PRIVACY Forum Moderator)
   Anybirthday.com Developments (and Javascript!)
      (Lauren Weinstein; PRIVACY Forum Moderator)
   "My Deja" defaults to public disclosure of personal details
      (Nickee Sanders)
   Oz Draft Privacy Bill Appalling (Roger Clarke)
   Revised U.S. Encryption Export Control Regulations (Monty Solomon)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance
and content. Submissions will not be routinely acknowledged.
All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored. Excessive "signatures" on submissions are
subject to editing. Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com". Mailing list problems should be reported to
"list-maint@vortex.com".

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site
"ftp ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp"
or "anonymous", and enter your e-mail address as the password. The typical
"README" and "INDEX" files are available to guide you through the files
available for FTP access. PRIVACY Forum materials may also be obtained
automatically via e-mail through the list server system. Please follow the
instructions above for getting the list server "help" information, which
includes details regarding the "index" and "get" list server commands,
which are used to access the PRIVACY Forum archive.

All PRIVACY Forum materials are available through the Internet Gopher
system via a gopher server on site "gopher.vortex.com/". Access to PRIVACY
Forum materials is also available through the Internet World Wide Web (WWW)
via the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via WWW
access.
-----------------------------------------------------------------------------

VOLUME 09, ISSUE 07

   Quote for the day:

        "You make me afraid of myself!"
                -- Adenoid Hynkel, Dictator of Tomania (Charles Chaplin)
                   "The Great Dictator" (United Artists; 1940)

----------------------------------------------------------------------

Date: Sat, 5 Feb 2000 21:15 PST
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: "People For Internet Responsibility" Issues and Status Report

Greetings. The current version of the PFIR (People For Internet
Responsibility) "Issues" document, and a status report regarding PFIR
activities, are now available via the PFIR Web site at:

   http://www.pfir.org

The issues document covers a wide range of important Internet and Web
topics. It is (and will continue to be) a work in progress, and while
quite comprehensive is undergoing rapid expansion. Many of the topics
relate to privacy issues, technology risks, and other matters that should
be of interest to current and potential Internet users.

Your input and comments regarding both of these documents would be very
much appreciated via the e-mail addresses indicated within the docs
themselves.

Thanks very much.

--Lauren--
lauren@vortex.com
Lauren Weinstein
Moderator, PRIVACY Forum - http://www.vortex.com
Co-Founder, PFIR: People For Internet Responsibility - http://www.pfir.org
Member, ACM Committee on Computers and Public Policy

------------------------------

Date: Wed, 26 Jan 2000 20:01 PST
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Compaq's New "Free" Internet Service

Greetings. It has become common for computer vendors to promote hardware
bundles which include some number of monthly hours of Internet service.
Compaq Computer Corp. has now taken this idea off in something of a
different direction, by promoting the inclusion of "free" Internet service
provided by NetZero, Inc.

The irony of this is significant. Not only is there no reason for you to
deal with Compaq in order to use NetZero net access services without
charge--virtually anybody in the U.S.
can already do so--but promoting NetZero as if they were a conventional ISP
is, frankly, misleading. True, some reports suggest that NetZero is now
the second largest provider of Internet access services (after AOL).
However, NetZero's obnoxious forced screen display management and
pervasive monitoring and data collection (and commercial use of that
collected data) from their customers' Web activities puts NetZero in a
class by themselves, worlds apart from the providers of conventional ISP
services.

People's willingness to deal with such services may be difficult for many
readers of this digest to fathom. But there's considerable evidence that
many persons are naively willing to give up all manner of privacy to save
a few bucks. Of course, later when the snake comes back to bite them, they
discover that there's no way to ever put all that data back into the
privacy bottle from which they willingly released it. The direct marketing
folks will be your very special personal, close friends forevermore, as
they watch your every move, your every click, around not only "cyberspace"
but the rest of your purchasing world as well.

As recent events with DoubleClick, Inc. have so vividly demonstrated
(http://www.vortex.com/privacy/priv.09.06), privacy gets eaten away a bit
at a time. One day you turn around, and those bits have turned into a
gaping hole. Is that hole really a reasonable tradeoff for saving a few
dollars per month? It's definitely something to ponder.

--Lauren--
lauren@vortex.com
Lauren Weinstein
Moderator, PRIVACY Forum - http://www.vortex.com
Co-Founder, PFIR: People For Internet Responsibility - http://www.pfir.org
Member, ACM Committee on Computers and Public Policy

------------------------------

Date: Sat, 15 Jan 2000 09:52 PST
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Anybirthday.com Developments (and Javascript!)

Greetings.
There are continuing developments regarding the public database of names,
gender data, locations, and date of birth info at
http://www.anybirthday.com.

Some persons who have attempted to remove their entries from the database
since my original reports (http://www.vortex.com/privacy/priv.09.03 and
http://www.vortex.com/privacy/priv.09.04) have informed me that they have
finally succeeded after numerous failures. While the system still appears
to be overloaded much of the time, it is at least possible to occasionally
inject deletion requests that are ultimately processed. There also is
apparently now an e-mail address which can be used (in the same basic
format as the form) to request removal if the form fails--users have
reported varying degrees of success and delays in seeing results from this
as well.

A Very Important Note: Unless you have Javascript enabled in your browser,
you will probably see responses like "no row returned" rather than actual
records in response to your queries. Many persons have assumed that they
were not in the database when they saw this response! It appears that you
cannot depend on accurate results (at least judging from reports and my
testing) unless you have Javascript turned on. And if you're just enabling
Javascript for that search page, be sure to reload the page after enabling
before entering your search query, so that Javascript will be fully
activated for that page. An easy test to determine if you're doing real
searches or not is to enter a query for "John Smith"...

As of my last test, the database is now providing name, date of birth,
city, state, and zip code, plus it has also returned to providing
"recommended gifts" rather than explicit gender data, though the gender is
easily determined from the type of gift indicated in the search results.
Their database continues to change its formats, but the problems
associated with public access to such personal information remain very
much the same.
--Lauren--
lauren@vortex.com
Lauren Weinstein
Moderator, PRIVACY Forum - http://www.vortex.com
Co-Founder, PFIR: People For Internet Responsibility - http://www.pfir.org
Member, ACM Committee on Computers and Public Policy

------------------------------

Date: Fri, 21 Jan 2000 13:32:53 +1300
From: Nickee Sanders <njs@ihug.co.nz>
Subject: "My Deja" defaults to public disclosure of personal details

I've been a subscriber of deja.com for two years now. I have an email
account with them, and I subscribe to several newsgroups. During that time
a number of changes have happened to the site. Most of them have been more
cosmetic than anything else.

On accessing the site a couple of days ago, I found that they now have a
"private profile" (everything they know about you, accessible allegedly
only by you) and a "public profile" (everything in your private profile
which you allow them to make public).

Imagine my surprise to find that the "keep private" settings all default
to OFF! This includes my zip code. I sure didn't get any warning of this
change from them...

I picked myself up off the floor and proceeded to change all of my profile
to private access only. Then I had a friend verify, using her deja account,
that nothing about me was publicly visible any more. She found that my
forum subscriptions were still publicly visible. Admittedly, this is not
nearly so bad as it would be to find that my personal details were still
publicly visible, but it's hardly unreasonable to expect them to actually
honor my privacy wishes, as expressed through their mechanism. A day
later, it appears that only my posting history is now publicly visible, so
perhaps it takes 24 hours to update.

Since this is all (to my knowledge) that deja has ever displayed about me,
I'm not inclined to take this further. But I thought others might like to
know that suddenly -- and apparently silently -- deja has opened their
bedroom curtains.
And I'm not impressed that they have chosen an opt-out scheme, rather than
an opt-in one.

Nickee Sanders
Software Engineer
Auckland, New Zealand
PGP Public Key available from http://www.keyserver.net:11371/
Fingerprint: 2D83 0E4B 4B19 C0C5 BBA1 339A C52B EE11 FD09 20C7

   [ I spoke at length with a Deja.com official about these issues. He
     readily admitted that there have been technical problems which
     resulted in information that should have been private, actually
     being marked public and available. This was supposedly fixed. He
     also admitted that the format of the form you described above was
     confusing. He claims that in reality until users reached that page
     as part of the required "upgrade" to the new version of MyDeja, all
     of their info was still private. After leaving this page, the new
     settings would take effect.

     He freely acknowledged that the decision to force users into an
     "opt-out" stance to protect their privacy, by defaulting the
     selections on the form to their least private settings, was purely
     a marketing decision. It is this sudden switch from being a
     "pro-privacy by default" service to effectively a "no privacy by
     default" service that is the most disturbing aspect of this entire
     episode.

          -- PRIVACY Forum Moderator ]

------------------------------

Date: Mon, 17 Jan 2000 09:53:48 +1100
From: Roger Clarke <Roger.Clarke@anu.edu.au>
Subject: Oz Draft Privacy Bill Appalling

The Australian Attorney-General released a document on 14 Dec 99 which
contained Key Provisions of the Private Sector Privacy Bill that he
proposes to table in the House in February. Submissions were invited by
17 January 2000.

My conclusion is that the Draft Bill is absolutely appalling. Rather than
a privacy protection instrument, it is a Bill for the Legitimisation of
Hitherto Unauthorised Abuses of Personal Data.

The Abstract and the URL for my detailed Submission are below; also an
extract from the Australian Computer Society's submission.
SUBMISSION to the Commonwealth Attorney-General
Re: 'A privacy scheme for the private sector: Release of Key Provisions'
of 14 December 1999

Roger Clarke
http://www.anu.edu.au/people/Roger.Clarke/DV/PAPSSub0001.html

Abstract

The draft Bill fails to satisfy the needs of the public, because it
contains large numbers of exemptions and exceptions, and legitimises many
unreasonable uses of personal data. As a result, it would actually reduce
privacy protections rather than enhance them.

The draft Bill also fails to satisfy the needs of the private sector,
because it is long and complex, and fails to encourage the confidence of
consumers in their dealings with companies.

The Bill needs to be very substantially revised, or withdrawn and
re-written.

Contents

Introduction
Background
The Inadequacies To Be Addressed
   1. Inflexible Legislation Rather Than Codes
   2. Failure to Require Consultation and Participation
   3. Exemptions from the Protection Regime
   4. Exceptions within the Protection Regime
      4.1 Weaknesses in the Privacy Commissioner's Original NPFHPI
      4.2 Additional Weaknesses in the 'National Privacy Principles'
   5. Further Specific Weaknesses in the Principles
   6. Inadequate Code Approval Criteria
   7. No Compulsory Complaints-Handling Mechanism Within Organisations
   8. Lack of Oversight, Sanctions and Enforcement
   9. Failure to Address Outsourced Government Operations
  10. Failure to Provide 21st Century Protections
Conclusions
References

The Australian Computer Society's Submission says:

"The Society's Economic, Legal and Social Implications Committee has
considered the 'Key Provisions' document, together with the analysis
prepared by one of the Society's longstanding Fellows, Dr Roger Clarke,
which is available at:
http://www.anu.edu.au/people/Roger.Clarke/DV/PAPSSub0001.html

"The Committee agrees with the critique in that document. It suitably
expresses our serious concern about inadequacies in the draft Bill.
In its current form, the Bill seems to contemplate a reduction in privacy
protection, and even appears to sanction privacy-invasive practices. In
our respectful opinion the Bill needs to be very substantially revised to
address the deficiencies identified in Dr Clarke's paper. The Australian
Computer Society would welcome the opportunity to participate in the
development of a revised Bill".

Roger Clarke                  http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke@xamax.com.au          http://www.xamax.com.au/

Visiting Fellow                   Department of Computer Science
The Australian National University     Canberra ACT 0200 AUSTRALIA
Information Sciences Building Room 211    Tel: +61 2 6249 3666

------------------------------

Date: Sat, 15 Jan 2000 14:59:04 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Revised U.S. Encryption Export Control Regulations

Revised U.S. Encryption Export Control Regulations
January 2000 (PDF Version Available)

------------------------------------------------------------------------

January 10, 2000

Billing Code: 3510 33-P

DEPARTMENT OF COMMERCE
Bureau of Export Administration

15 CFR Parts 734, 740, 742, 770, 772, and 774

[Docket No. ]

RIN: 0694-AC11

Revisions to Encryption Items

AGENCY: Bureau of Export Administration, Commerce

ACTION: Interim final; request for comments.

SUMMARY: This rule amends the Export Administration Regulations (EAR) to
allow the export and reexport of any encryption commodity or software to
individuals, commercial firms, and other non-government end-users in all
destinations. It also allows exports and reexports of retail encryption
commodities and software to all end-users in all destinations. Post-export
reporting requirements are streamlined, and changes are made to reflect
amendments to the Wassenaar Arrangement. This rule implements the
encryption policy announced by the White House on September 16 and will
simplify U.S.
encryption export rules. Restrictions on terrorist supporting states
(Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria), their nationals
and other sanctioned entities are not changed by this rule.

http://www.epic.org/crypto/export_controls/regs_1_00.html

------------------------------

End of PRIVACY Forum Digest 09.07
************************
Copyright © 2005 Vortex Technology. All Rights Reserved.