PRIVACY Forum Digest     Tuesday, 28 July 1992     Volume 01 : Issue 10

Moderated by Lauren Weinstein (lauren@cv.vortex.com)
Vortex Technology, Topanga, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy.

CONTENTS
    Seminole ACCESS (John G. Otto)
    CPSR Recommends NREN Privacy Principles (Dave Banisar)
    News from Spain (Rafael Fernandez Calvo)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@cv.vortex.com" and must have RELEVANT "Subject:" lines. Submissions without appropriate and relevant "Subject:" lines may be ignored. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@cv.vortex.com". Mailing list problems should be reported to "list-maint@cv.vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "cv.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access.
PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive.

For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX to (310) 455-2364.

-----------------------------------------------------------------------------

VOLUME 01, ISSUE 10

Quote for the day:

    "This time for SURE!"

        -- Bullwinkle J. Moose

----------------------------------------------------------------------

Date: Thu, 23 Jul 92 17:09:42 EDT
From: John G. Otto
Subject: Re: Seminole ACCESS

"Seminole ACCESS" has been implemented over the past year (starting just with in-coming freshmen last fall and mandated for everyone - faculty, staff and students - beginning August 24) at FSU (the Florida State University) and was planned/developed/championed by Billy Norwood, Associate Director of Administrative Information Systems.

It involves a new photo-id, credit, library, phone, key card tied into a number of integrated data-bases. The credit card portion is administered by First Florida bank (after a challenge from Guaranty National Bank that the university was violating a state law forbidding the government to operate banking services). The phone card "feature" is with MCI. The rest is operated by the university controller's office and AIS, with interfaces (e.g. for the library system) with the state's Northeast Regional Data Center (NERDC) at the U of Florida, in Gainesville.

The Seminole ACCESS system, as described in the bright and bouncy articles published in the local media, sounds great. It will "offer convenience" and "prevent crime".
You can use it to shop, make long distance calls, get into your dorm room, buy soft drinks or do the laundry, all with one wooonnderfully convenient card.

What the university's PR boys don't tell faculty, staff, students, and soon to be matriculated freshmen and their parents, is the number of ways in which they bend and break the existing feeble privacy laws (and Florida's Article 1 Section 23 privacy guarantee).

For all their weasel clauses, FERPA74 and PA74 (Family Educational Right to Privacy Act, sometimes called the Buckley Amendment, and the Privacy Act of 1974) do require that even internal dissemination of personally identifiable information be on a "need to know" basis (the term used in FERPA is "legitimate educational purpose" if my memory serves). Though over-ridden for certain specific purposes (e.g. by the Bank Secrecy Act, a tax reform act and an act to control illegal immigrants) PA74 also states that no "right, benefit or privilege" shall be denied to people who refuse to disclose their socialist insecurity numbers.

Despite this, students have been prevented from being seen by a physician at the Thagard Health Center, and have been denied access to public documents contained in the Robert M. Strozier library, a federal document depository library with "guaranteed access to the public".

Records of "private" meetings, and other individually identifiable records, and, needless to say, the ubiquitous socialist insecurity numbers, have been duplicated and distributed with not a jot of consideration for the receiver's need to know.

With the addition of the credit card features, records of long distance calls and of individual items purchased at area stores will be funnelled into the data-base.
Plans for expansion of the system include making the campus "cashless" (no mention is made to legal tender laws, or the detailed records of purchases this portion of the scheme will generate) and mounting card readers on every door to control access and keep class & examination attendance with terminals in the campus police office, "the better to watch where you've gone, my dear". (Where's the "educational purpose" in that, I wonder?)

------------------------------

Date: Fri, 24 Jul 1992 17:24:51 EDT
From: Dave Banisar
Subject: CPSR Recommends NREN Privacy Principles

PRESS RELEASE
July 24, 1992

CPSR Recommends NREN Privacy Principles

WASHINGTON, DC -- Computer Professionals for Social Responsibility (CPSR), a national public interest organization, has recommended privacy guidelines for the nation's computer network.

At a hearing this week before the National Commission on Library and Information Science, CPSR recommended a privacy policy for the National Research and Education Network or "NREN." Marc Rotenberg, Washington Director of CPSR, said "We hope this proposal will get the ball rolling. The failure to develop a good policy for the computer network could be very costly in the long term."

The National Commission is currently reviewing comments for a report to the Office of Science and Technology Policy on the future of the NREN.

Mr. Rotenberg said there are several reasons that the Commission should address the privacy issue. "First, the move toward commercialization of the network is certain to exacerbate privacy concerns. Second, current law does not do a very good job of protecting computer messages. Third, technology won't solve all the problems."
The CPSR principles are (1) protect confidentiality, (2) identify privacy implications in new services, (3) limit collection of personal data, (4) restrict transfer of personal information, (5) do not charge for routine privacy protection, (6) incorporate technical safeguards, (7) develop appropriate security policies, and (8) create an enforcement mechanism.

Professor David Flaherty, an expert in telecommunications privacy law, said "The CPSR principles fit squarely in the middle of similar efforts in other countries to promote network services. This looks like a good approach."

Evan Hendricks, the chair of the United States Privacy Council and editor of Privacy Times, said that the United States is "behind the curve" on privacy and needs to catch up with other countries who are already developing privacy guidelines. "The Europeans are racing forward, and we've been left with dust on our face."

The CPSR privacy guidelines are similar to a set of principles developed almost 20 years ago called The Code of Fair Information practices. The Code was developed by a government task force that included policy makers, privacy experts, and computer scientists. The Code later became the basis of the United States Privacy Act.

Dr. Ronni Rosenberg, who has studied the role of computer scientists in public policy, said that "Computer professionals have an important role to play in privacy policy. The CPSR privacy guidelines are another example of how scientists can contribute to public policy."

CPSR is a membership organization of 2500 professionals in the technology field. For more information about the Privacy Policies and how to join CPSR, contact CPSR, P.O. Box 717, Palo Alto CA 94302. 415/322-3778 (tel) and 415/322-3798 (fax). Email at cpsr@csli.stanford.edu.

[ When the complete CPSR testimony text has been received, it will be placed in the PRIVACY Forum archives and will be announced here in the digest.
-- MODERATOR ]

------------------------------

Date: Sun, 26 Jul 1992 19:19:34 EDT
From: "Rafael Fernandez Calvo"
Subject: News from Spain

On July 20, the Spanish Commission for Liberties and Informatics (CLI) has addressed a letter to the Minister of Health and Consumers' Affairs, Mr. Grinan, with regard to the implementation of the National Health Card in the Public Health System. A copy of the letter has been mailed to the Spanish Ombudsman.

CLI is concerned that this informatized tool, designed to improve the quality of the service provided to the citizens by the aforementioned entity, may endanger their right to privacy, consecrated by the Spanish Constitution, if it is not accompanied by adequate administrative and technological measures. These measures must be in accordance with the Recommendation of the Ministers' Committee of the European Council of January 23, 1981 on Automatized Medical Data Bases.

CLI requests Mr. Grinan that the implementation of the National Health Card be suspended until the above measures are in place and offers its collaboration for a successful and privacywise put in work of the card.

CLI is an independent and pluralistic organization that met for the first time in November '90 and was officially constituted in April '91 in Madrid, Spain.

The mission of CLI is "to promote, in a permanent and regular fashion, the development and protection of individual and collective rights, specially the right to privacy, with regard to the usage of Information Technologies, both by Public Administrations and private companies, raising the level of consciousness of the Spanish people about the importance of this issue for progress in an increasingly technified democratic society."

As of July '92, CLI is composed of several organizations, with a joint membership of about 3,000,000 people.
They cover a very wide spectrum of social interest groups: associations of computer professionals, judges, civil rights leagues, trade unions, consumers groups, DP industry collectives, etc.

We will be delighted to provide you with additional information about CLI and the condition of computers, freedom and privacy issues in Spain if you contact our headquarters:

    CLI
    Padilla 66, 3 dcha.
    E-28006 Madrid, Spain
    Phone: (34-1) 402 9391. Fax: (34-1) 309 3685

and/or send a note to Rafael Fernandez Calvo (member of the Presidential Board of CLI) at the following e-mail address: rfcalvo@guest2.atimdr.es

------------------------------

End of PRIVACY Forum Digest 01.10
************************