From privacy@cv.vortex.com Sat Sep 5 16:33:23 1992 Return-Path: Received: from cv.vortex.com by csrc.ncsl.nist.gov (4.1/NIST) id AA22212; Sat, 5 Sep 92 16:33:04 EDT Posted-Date: Sat, 5 Sep 92 12:44 PDT Received-Date: Sat, 5 Sep 92 16:33:04 EDT Received: by cv.vortex.com (Smail3.1.26.7 #2) id m0mR63u-0001viC; Sat, 5 Sep 92 12:44 PDT Message-Id: Date: Sat, 5 Sep 92 12:44 PDT From: privacy@cv.vortex.com (PRIVACY Forum) To: privacy-forum@csrc.ncsl.nist.gov Subject: PRIVACY Forum Digest V01 #15 Status: R PRIVACY Forum Digest Saturday, 5 August 1992 Volume 01 : Issue 15 Moderated by Lauren Weinstein (lauren@cv.vortex.com) Vortex Technology, Topanga, CA, U.S.A. ===== PRIVACY FORUM ===== The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy. CONTENTS Selling customer lists (James Camp) Selling video customer lists (Larry Hunter) Wells Fargo Bank changes customer security system (Randy Gellens) Vernam Cipher (Art Zimmermann) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. ALL submissions should be addressed to "privacy@cv.vortex.com" and must have RELEVANT "Subject:" lines. Submissions without appropriate and relevant "Subject:" lines may be ignored. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@cv.vortex.com". Mailing list problems should be reported to "list-maint@cv.vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "cv.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@cv.vortex.com, call (310) 455-9300, or FAX to (310) 455-2364. ----------------------------------------------------------------------------- VOLUME 01, ISSUE 15 Quote for the day: "Gentlemen! You can't fight in here--this is the war room!" -- The President "Dr. Strangelove: Or, How I Learned to Stop Worrying and Love the Bomb" (1964) ---------------------------------------------------------------------- Date: Wed, 26 Aug 92 06:48:44 PDT From: jamesc@scotch.nic.ddn.mil (James Camp) Subject: Selling customer lists >A local video rental store went belly-up, and the contents of the store >were put up for auction. >In addition to some 2400 used videotapes . . . , and a two-drawer >filecard cabinet labeled "mailing list" . . . with name, address, place of > work and >originally-presented ID on the front, and on the back a list of > the names of all the videotapes that customer had rented. All of the video stores I've done business with required a credit card number to guarantee the account. If this data were also in the files, the security of many (former) clients could be put in jeopardy. ------------------------------ Date: Wed, 26 Aug 92 10:07:16 -0400 From: hunter@nlm.nih.gov (Larry Hunter) Subject: Selling video customer lists In the privacy forum digest V01 #14, Jerome Saltzer describes the sale of customer lists from a bankrupt video rental store. He says: Exactly how the new federal law prohibiting disclosure of videotape rental records applies to this situation is not at all clear. But it seems safe to say that business ethics can't be very effective in protecting data when the business vanishes. As part of a new CPSR project, I have been putting together a demonstration hypertext system for browsing materials relevant to privacy law. My demonstration area happens to be the Video Privacy Protection Act of 1988. Although I'm not a lawyer, it seems clear from the wording of the act that disclosing customer records as part of the transfer of ownership of a business is within the law. 18 U.S.C. 121 Section 2710(b)(2)(E): "A video tape service provider may disclose personally identifiable information concerning any customer... to any person if the disclosure is incident to the ordinary course of business of the video tape service provider." Paragraph 2710(a)(2) says "the term 'ordinary course of business' means only debt collection activities, order fulfillment, request processing, and the transfer of ownership." There is, however, a clause requiring the destruction of records more than a year old, with certain exceptions. It is also apparent from the legislative background that the mere names of customers (not associated with specific rentals) are not protected. The report of the Senate Judiciary Committee (Report 100-599, Legislative day Oct 18, 1988) says (p. 18) "[F]or example, a video tape service provider is not prohibited from responding to a law enforcement agent's inquiry as to whether a person patronized a video tape service provider at a particular time or on a particular date." In my personal opinion, unless you are a potential supreme court justice who likes to watch porno movies, there isn't a lot of protection for you in the video privacy act. By the way, I am interested in hearing from anybody who has suggestions about how to produce a useful browsing system (say, recommendations of specific Macintosh hypertext tools) or from a lawyer who has outlined this material. Larry Hunter Co-chair, CPSR-DC chapter ------------------------------ Date: 26 AUG 92 20:49 From: Subject: Re: Wells Fargo Bank changes customer security system > Of some concern is other information that is now available via the automated > system. Apparently anybody can now call, enter any account number and an > amount, and be told whether or not that amount of funds is available in the > specified account. With a relatively few calls, it would be possible to > pretty well range in on the amount in any account using this system. When I > questioned them about the wisdom of allowing this information to be > available in an automated manner with absolutely no security or tracking of > any kind, they replied that since federal regulations allow it, they're > doing it. This is nothing new. Banks have traditionally allowed anyone to call up and give an account number and an amount, and be told if a check for that amount would clear at the moment. What is new is that this is now automatced. Other banks have provided an automated version of this for years. For example, anyone can call the Bank of America automated information number, press -2- for merchant services, an account number, and be told the order of magnitude of the accout, and the binary position within that magnitude ("high" or "low"). A yes/no on a specific dollar amount is also available. = Randy Gellens randy%mpa15ab@trenga.tredydev.unisys.com = [ Yes, I know that such automated systems are now becoming widely available. However, the question for this Forum is, *should* such information be freely accessible, without any controls by the customer, no recording of who is requesting the information, and no notification to the customer that their account information is being queried? Also, does the widespread move from "manual" to "automated" systems for dispensing this information possibly encourage abuse through easier repetitive access? -- MODERATOR ] ------------------------------ Date: Sun, 30 Aug 92 17:00:47 PDT From: GlasNet Subject: Vernam Cipher There is a well-known cryptographic technique - the Vernam Cipher, also known as the one-time pad - which is secure against any known form of decryption attack. The problem with this technique has always been in key distribution; an amount of key equal to that of the plaintext is required. I believe there is a method for allowing a variant of the Vernam Cipher to be applied to data and perhaps to voice communications. I think this is fundementally a good thing; one of the guiding principles of privacy should be that anyone's communications should be secure from unauthorized access. If an inexpensive and quite secure method of encryption were available to all, would not use of end-to-end encryption go some distance toward solving the privacy problem ? This would not be a popular idea with law enforcement agencies, the NSA, and other spooks. Aside from obvious objections from this quarter, are there any good arguments against general availability of such an encryption method ? Art Zimmermann ------------------------------ End of PRIVACY Forum Digest 01.15 ************************