PRIVACY Forum Digest      Saturday, 3 September 1994      Volume 03 : Issue 16

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy.

CONTENTS
    Sprint's phone-card stupidity (Alan Wexelblat)
    More problems with Sprint Voice FonCard (Bob Stratton)
    Re: Medical Privacy Dilemma (Joan Eslinger)
    Re: Medical Privacy Dilemma (Chris Hibbert)
    Re: Medical Privacy Dilemma (a_rubin@dsg4.dse.beckman.com)
    EPIC Statement on FBI Wiretap Bill (Dave Banisar)
    New indecency rules proposed for all online services (Daniel J. Weitzner)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are also available through the Internet Gopher system via a gopher server on site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@vortex.com, call (818) 225-2800, or FAX to (818) 225-7203.

-----------------------------------------------------------------------------

VOLUME 03, ISSUE 16

Quote for the day:

    "Hey! You can't bring a frozen guru into California!"

        -- California agricultural inspector
           "Candy" (1968)

----------------------------------------------------------------------

Date: Mon, 15 Aug 94 10:37:40 -0400
From: "Alan (Miburi-san) Wexelblat"
Subject: Sprint's phone-card stupidity

Sigh. I used to post about this anonymously, but I figure since TI has declared me persona non grata anyway I may as well tell the story in the clear:

The Sprint phone system was designed and implemented by Texas Instruments, initially during the time I worked for them. (I worked for a different division that was physically and managerially adjacent to the Sprint implementers.) I knew that a "voice recognition" project was underway, but it wasn't until a big branch meeting that I saw the details of the then-prototyped project.

The project manager put up on a big screen in the cafeteria an overhead of the prototype card, with his SSN emblazoned on it and described the intended system. Apparently, the biggest complaint that Sprint thought it had was people who couldn't/wouldn't deal with the long (14+ digit) number required to use other phone card systems. Their solution was to use a shorter number which many people have already memorized (the SSN).

Needless to say, I was flabbergasted (a not-uncommon experience for me at TI). I pointed out to my coworkers around the table the obvious weaknesses of the system. They agreed. After the meeting, I spoke to the manager personally and privately. I pointed out that he had just displayed enough information that any person in the whole division who had a grudge against him would be able to really mess his life over.

He expressed severe disbelief that this was possible, or that anyone would do such a thing. When I asked if there had been any review of safety or privacy concerns he noted that I was not involved with the project, that he had over 10 years with the company compared to my over-10 weeks, and that further questioning would not be tolerated.

I sat at my desk for a long time after that, wondering if it was really in me to screw up this guy's life to make a point. Obviously it wasn't, or I would not be posting this :)

--Alan Wexelblat, Reality Hacker, Author, and Cyberspace Bard
Media Lab - Intelligent Agents Group    wex@media.mit.edu
Voice: 617-253-9601    Page: 617-945-1842    na53607@anon.penet.fi

------------------------------

Date: Tue, 16 Aug 1994 23:30:39 -0400
From: Bob Stratton
Subject: More problems with Sprint Voice FonCard

>>>>> "Willis H Ware" writes:

Willis> Sprint has thoughtlessly conceived the world's most
Willis> foolish way to expose one's SSN to illicit acquisition.

Willis> The well known schemes for stealing conventional telephone
Willis> credit card numbers is to observe a user key-in his number
Willis> on the public touch pad, or to listen to the user speak
Willis> his number. The scam is reported to be particularly
Willis> threatening at airports, but now it will be directed at
Willis> acquiring "SSNs for sale" rather than telephone credit
Willis> card numbers.

I had planned on releasing this bit of information in a more dramatic way, as I was hoping to gather more information, but in light of your comments, I'll announce my discoveries which, to thinking people, should be the nail in the coffin of this particular "service".

I signed up for a Voice FonCard (which, incidentally, requires you to sign up for the $5/month "Priority Gold" service), and gave them a number that was not my SSN. I trained the voice recognition system over several weeks, as their literature claims it becomes more attuned to your voice the more you use it.

I then called up a friend who happens not only to be a telephony engineer, but also a pretty fair imitator of several voices, including my own. He came over to my house, I handed him the card with the number that they expect me to shout for identification, and listened while he authenticated himself as me and was WARMLY ACCEPTED by the system as the authorized user.

This wasn't the really galling part. I then began calling around Sprint to speak to someone about this travesty. Since the Voice FonCard person wasn't in his office, I called Sprint security, knowing that Sprint has a full-time corporate security department. When I finally reached someone who would discuss this with me, I got the following:

"We never advertised that as a secure service, just a convenient one."

Willis> ... But then, the threat in this case is against the
Willis> consumer, not against the telephone company for having to
Willis> swallow the cost of fraudulent calls.

It appears to be both.
Perhaps if enough customers get used as the basis for new identities and sue Sprint, they'll catch on.

Bob Stratton                         strat@uunet.uu.net
UUNET Technologies, Inc.             uunet!strat
3110 Fairview Park Dr., Suite 570    Voice) +1 703 204 8000
Falls Church, Va 22042               Fax) +1 703 204 8001

------------------------------

Date: Fri, 12 Aug 94 22:44:21 -0700
From: Joan Eslinger
Subject: re: Medical Privacy Dilemma

   * Date: Wed, 27 Jul 94 09:49:18
   * From: [Name withheld]
   *
   * Here's a hypothetical situation for you.
   *
   * ..... The official then explains that, to protect
   * the hospital's good name, he is prepared to release some of the patient's
   * medical history as long as it is strictly off the record.
   *
   * 2. How does the paper know that the hospital is telling the truth - obviously
   * it can't check back with the patient because this would reveal that the
   * hospital has disclosed the medical records.

I don't see the "obviously" here at all. The hospital has disclosed confidential patient information to a newspaper. The public and the patient have a right to know that this hospital is willing to do that.

Joan Eslinger / wombat@engr.sgi.com

------------------------------

Date: Sat, 13 Aug 94 10:37:34 -0700
From: Chris Hibbert
Subject: Re: Medical Privacy Dilemma

[Name withheld] told of a patient complaining about mistreatment by a hospital to a newspaper. The hospital was unable to defend itself because of patient confidentiality laws.

If I represented either the newspaper or the hospital, I would have suggested that the patient could get the newspaper to print the story if he is willing to waive his privacy rights in order to allow the paper to hear the hospital's side. The newspaper should promise that the patient's identity would be protected. If the patient is willing to let editors and reporters see the confidential records, then they will listen to both sides and decide what to print.
If the patient isn't willing to open his records, the paper should refuse to print unsubstantiated attacks.

Chris

------------------------------

Date: Mon, 15 Aug 94 07:01:06 PST
From: a_rubin@dsg4.dse.beckman.com
Subject: Re: Medical Privacy Dilemma

>Issues:
>1. Should the hospital release the information about the patient's psychiatric
>   problems to prevent possible damage to its reputation.

Not without the patient's permission.

>2. How does the paper know that the hospital is telling the truth - obviously
>   it can't check back with the patient because this would reveal that the
>   hospital has disclosed the medical records.

Simple -- the paper should request that the patient request the hospital release the records to the newspaper. If the patient and hospital comply, there's no problem -- the paper can do whatever further research is required. If the patient doesn't comply, the paper should probably drop the story. If the patient complies and the hospital does not, the paper should CLEARLY print the story.

------------------------------

Date: Sun, 22 Aug 1993 16:42:34 +0000
From: Dave Banisar
Subject: EPIC Statement on FBI Wiretap Bill

   [ The complete text of the bill discussed below is now available in the PRIVACY Forum archive. To access:

       Via Anon FTP: From site "ftp.vortex.com": /privacy/fbi-tel.2.Z
                                             or: /privacy/fbi-tel.2

       Via e-mail: Send mail to "listserv@vortex.com" with the line:

                       get privacy fbi-tel.2

                   as the first text in the BODY of your message.

       Via gopher: From the gopher server on site "gopher.vortex.com"
                   in the "*** PRIVACY Forum ***" area under "fbi-tel.2".
     -- MODERATOR ]

*DISTRIBUTE WIDELY*

EPIC Statement on Digital Telephony Wiretap Bill

The digital telephony bill recently introduced in Congress is the culmination of a process that began more than two years ago, when the Federal Bureau of Investigation first sought legislation to ensure its ability to conduct electronic surveillance through mandated design changes in the nation's information infrastructure. We have monitored that process closely and have scrutinized the FBI's claims that remedial legislation is necessary. We have sponsored conferences at which the need for legislation was debated with the participation of the law enforcement community, the telecommunications industry and privacy advocates. We have sought the disclosure of all relevant information through a series of requests under the Freedom of Information Act. Having thus examined the issue, EPIC remains unconvinced of the necessity or advisability of the pending bill.

As a threshold matter, we do not believe that a compelling case has been made that new communications technologies hamper the ability of law enforcement agencies to execute court orders for electronic surveillance. For more than two years, we have sought the public disclosure of any FBI records that might document such a problem. To date, no such documentation has been released. Without public scrutiny of factual information on the nature and extent of the alleged technological impediments to surveillance, the FBI's claims remain anecdotal and speculative. Indeed, the telecommunications industry has consistently maintained that it is unaware of any instances in which a communications carrier has been unable to comply with law enforcement's requirements. Under these circumstances, the nation should not embark upon a costly and potentially dangerous re-design of its telecommunications network solely to protect the viability of fewer than 1000 annual surveillances against wholly speculative impediments.

We also believe that the proposed legislation would establish a dangerous precedent for the future. While the FBI claims that the legislation would not enhance its surveillance powers beyond those contained in existing law, the pending bill represents a fundamental change in the law's approach to electronic surveillance and police powers generally. The legislation would, for the first time, mandate that our means of communications must be designed to facilitate government interception. While we as a society have always recognized law enforcement's need to obtain investigative information upon presentation of a judicial warrant, we have never accepted the notion that the success of such a search must be guaranteed. By mandating the success of police searches through the re-design of the telephone network, the proposed legislation breaks troubling new ground. The principle underlying the bill could easily be applied to all emerging information technologies and be incorporated into the design of the National Information Infrastructure. It could also lead to the prohibition of encryption techniques other than government-designed "key escrow" or "Clipper" type systems.

In short, EPIC believes that the proposed digital telephony bill raises substantial civil liberties and privacy concerns. The present need for the legislation has not been established and its future implications are frightening. We therefore call upon all concerned individuals and organizations to express their views on the legislation to their Congressional representatives. We also urge you to contact Rep. Jack Brooks, Chairman of the House Judiciary Committee, to share your opinions:

    Rep. Jack Brooks
    Chair, House Judiciary Committee
    2138 Rayburn House Office Bldg.
    Washington, DC 20515
    (202) 225-3951 (voice)
    (202) 225-1958 (fax)

The bill number is H.R. 4922 in the House and S. 2375 in the Senate. It can be referred to as the "FBI Wiretap Bill" in correspondence.

    Electronic Privacy Information Center
    666 Pennsylvania Avenue, S.E.
    Suite 301
    Washington, DC 20003
    (202) 544-9240 (voice)
    (202) 547-5482 (fax)

EPIC is a project of the Fund for Constitutional Government and Computer Professionals for Social Responsibility.

   [ The PRIVACY Forum also received a mailing from Voter's Telecommunications Watch (VTW) with arguments against the bill, their detailed suggestions for people who wish to oppose the bill, press releases, and other data. They can be reached at:

       Voice mail: (718) 596-2851
       General questions: vtw@vtw.org
       Mailing List Requests: vtw-list-request@vtw.org
       Press Contact: stc@vtw.org
       Gopher URL: gopher://gopher.panix.com:70/11/vtw

     Interested readers should contact them directly for information.

     -- MODERATOR ]

------------------------------

Date: Thu, 25 Aug 1994 14:32:40 -0600
From: djw@eff.org (Daniel J. Weitzner)
Subject: New indecency rules proposed for all online services (900#s in cyberspace)

I. Overview

During the final hours before the Senate telecommunications bill (S.1822) was marked-up by the Senate Commerce Committee, a provision was added which would expand the current FCC regulation on obscene and indecent audiotext (900 number) services to virtually all electronic information services, including commercial online service providers, the Internet, and BBS operators. This proposal, introduced by Senator Exon, would require all information service providers and all other electronic communication service providers, to take steps to assure that minors do not have access to obscene or indecent material through the services offered by the service provider.

Placing the onus, and criminal liability, on the carrier, as opposed to the originator of the content, threatens to limit the free flow of all kinds of information in the online world.
If carriers are operating under the threat of criminal liability for all of the content on their services, they will be forced to pre-screen all messages and limit both the privacy and free expression of the users of these services.

Senator Exon's amendment raises fundamental questions about the locus of liability for harm done from content in new digital communications media. These questions must be discussed in a way that assures the free flow of information and holds content originators responsible for their actions.

II. Summary of Exon Amendment

The Exon amendment which is now part of S.1822, expands section of the Communications Act to cover anyone who "makes, transmits, or otherwise makes available" obscene or indecent communication. It makes no distinction between those entities which transmit the communications from those which create, process, or use the communication. This section of the Communications Act was originally intended to criminalize harassment accomplished over interstate telephone lines, and to require telephone companies that offer indecent 900 number services to prevent minors from having access to such services. The 900 number portions are known as the Helms Amendments, having been championed by Senator Jesse Helms. These sections have been the subject of extensive constitutional litigation.

If enacted into law, these amendments would require that anyone who "makes, transmits, or otherwise makes available" indecent communication take prescribed steps to assure that minors are prevented from having access to these communications. In the case of 900 numbers, acceptable procedures include written verification of a subscriber's age, payment by credit card, or use of a scrambling device given to the subscriber after having verified his or her age. Failure to do so would result in up to a $100,000 fine or up to two years imprisonment.

III. Carrier Liability and Threats to the Free Flow of Information

These provisions raise serious First Amendment concerns. (Note that we use the term 'carrier' here to refer to a wide range of information and communication service providers. This does not suggest that these entities are, or should be, common carriers in the traditional sense of the term.)

Overbroad carrier liability forces carriers to stifle the free flow of information on their systems and to act as private censors

If carriers are responsible for the content of all information and communication on their systems, then they will be forced to attempt to screen all content before it is allowed to enter the system. In many cases, this would be simply impossible. But even where it is possible, such pre-screening can severely limit the diversity and free flow of information in the online world. To be sure, some system operators will want to offer services that pre-screen content. However, if all systems were forced to do so, the usefulness of digital media as communication and information dissemination systems would be drastically limited. Where possible, we must avoid legal structures which force those who merely carry messages to screen their content.

Carriers are often legally prohibited from screening messages

In fact, under the Electronic Communications Privacy Act of 1986, electronic communication service providers are generally prohibited from examining the contents of messages or information carried from one subscriber to another.

Extension of the 900 number rules to all electronic information services may be unconstitutional

The regulation of indecent 900 number programming was only accomplished after nearly a decade of constitutional litigation, with rules being overturned by the Supreme Court. The regulations were finally found constitutional only after being substantially narrowed to meet First Amendment scrutiny.
Since the access methods offered by online service providers are significantly different than simple telephone access to 900 services, we doubt that the same constitutional justifications would support the newly expanded rules. This issue requires considerable study and analysis.

Content creators, or those who represent the content as their own, should be responsible for liability arising out of the content

In sum, it should be content originators, not carriers, who are responsible for their content. Any other approach will stifle the free flow of information in the new digital media.

IV. Next Steps

Having only just received the language offered by Senator Exon, EFF still needs to do further analysis, and consult with others in the online community. We also hope to speak with Senator Exon's staff to understand their intent. Another important hearing will be held on S.1822 in mid-September by the Senate Judiciary Committee. By that time, we hope to have this issue resolved. While we agree that these carrier liability problems are in need of Congressional consideration, we do not believe that the time is ripe to act. Before any action is taken, hearings must be held and careful evaluation of all the issues, not just indecency, must be undertaken.

Daniel J. Weitzner, Deputy Policy Director, Electronic Frontier Foundation,
1001 G St. NW Suite 950 East, Washington, DC 20001
+1 202-347-5400(v)

   [ It appears that efforts to restrict electronic distribution of information to minors are being expanded to include both obscene/indecent materials and other information that could be deemed to be hazardous in other ways. This is being driven by recent events where minors injured themselves after constructing devices based on information from books which had been transcribed onto BBS systems.

     There are some interesting fundamental questions in this area, that are worthy of discussion and debate.
     To what extent does the operator of an electronic distribution system have the same or different responsibilities from that of, for example, a mail-order book distributor? Can or should the models applied to control of magazines and books (where such controls are present) be applied to electronic information systems which may have millions of individuals submitting information for distribution, with various levels of editorial control ranging from none to quite significant?

     Are these issues subject to relatively "simple" legislative fixes? Or will the technology and topologies of these new information systems require a more fundamental shift in perspective to achieve the desired balances? Comments?

     -- MODERATOR ]

------------------------------

End of PRIVACY Forum Digest 03.16
************************