PRIVACY Forum Digest Friday, 29 September 1995 Volume 04 : Issue 21 Moderated by Lauren Weinstein (lauren@vortex.com) Vortex Technology, Woodland Hills, CA, U.S.A. ===== PRIVACY FORUM ===== The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy, and the Data Services Division of MCI Communications Corporation. CONTENTS Privacy Briefs (Lauren Weinstein; PRIVACY Forum Moderator) SSNs for E-mail addresses! (James W. O'Toole Jr.) Caller ID experiences (Privacy Rights Clearinghouse) Privacy International Calls for CCTV Debate [EPIC Alert 2.10] (Marc Rotenberg) New info-sec related mailing list (Dr. Frederick B. Cohen) "Financial Privacy News" publication (Duane Pitlock) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com". ----------------------------------------------------------------------------- VOLUME 04, ISSUE 21 Quote for the day: "Just say 'oops', and get out!" -- Max Bialystock (Zero Mostel) "The Producers" (1968) ---------------------------------------------------------------------- Privacy Briefs (Lauren Weinstein; PRIVACY Forum Moderator) --- You may have heard about a recent incident involving "America Online" (AOL) where a number of AOL subscribers were arrested as part of a "kiddie-porn" investigation, after AOL turned over their private email to the investigating authorities. A number of rumors regarding these actions were circulating, so I called AOL and in the course of phone and fax communications learned a bit more about the situation. AOL states that their policy was (and remains) to *not* monitor or release customers' private email (or private "chat" area communications) except in response to specific law enforcement requests as authorized by applicable laws. In the kiddie-porn case they apparently received such requests after subscribers complained about kiddie-porn-related communications from other AOL subscribers. My initial reading of the situation is that AOL's actions were appropriate (and required) by the existing laws that relate to such incidents. --- If you have a non-published ("unlisted") phone number, is it *really* unlisted? More and more non-phone company and other third-party services are appearing that provide phone numbers which are *not* drawn exclusively from current telco databases. In some cases the numbers are culled from a variety of sources including credit reports, DMV records, and other widely available data where phone numbers were originally supplied by customers who probably assumed they'd be kept private. Outside of the obvious privacy concerns, the accuracy of the phone numbers supplied by many such services is sometimes quite poor, due to the frequently "stale" nature of the original data sources. --- Services have appeared on the Internet that offer to provide social security numbers to match names, names to match social security numbers, and all manner of credit reporting and other sorts of checks. In most cases all that these organizations want is a credit card to charge, and in general they return the desired information via non-encrypted, non-secured email traversing standard Internet routes. ------------------------------ Date: Thu, 14 Sep 95 18:15:37 EDT From: james@sparta.lcs.mit.edu (James W. O'Toole Jr.) Subject: SSNs for E-mail addresses! [ From Risks-Forum Digest; Volume 17 : Issue 35 -- MODERATOR ] At Villanova University, the Internet E-mail addresses assigned to undergraduates consist of the student's Social Security Number, as in 123456789@ucis.vill.edu . I haven't seen SSNs as E-mail addresses before, and I figure ... maybe other people would tell Villanova and any other schools that are doing this to stop. However, a message sent to postmaster@ucis.vill.edu inquiring about this policy produced no response. ------------------------------ Date: Thu, 21 Sep 1995 11:34:47 -0700 (PDT) From: Privacy Rights Clearinghouse Subject: Caller ID experiences TO: Privacy advocates FROM: Beth Givens Privacy Rights Clearinghouse (prc@acusd.edu) University of San Diego The state of California does not now have Caller ID. But it is likely that the local phone companies will offer it in the coming months. The Privacy Rights Clearinghouse is preparing a fact sheet for consumers which describes Caller ID and discusses the various privacy issues related to the service. The purpose of the fact sheet is to help consumers make informed decisions about whether or not to subscribe to Caller ID. To help us prepare this publication, we would like to hear from people in states *with* caller ID (currently 48, we're told) about their experiences with it. Feel free to respond to any or all of the following questions: - Is Caller ID widely used in your state? Or has it been a marketplace flop? - About what percent of phone customers subscribe to it? Are these primarily businesses -- or residential customers? - Have consumers been adequately notified of their blocking options? - Have the blocking options available in your state been effective in allowing consumers to control the dissemination of their phone numbers? - Has Caller ID been used by marketers and other entities to gather phone numbers? - Has it been effective at thwarting harassing callers, or is that argument over-sold? - Do you have any "horror" stories to relate about Caller ID being used to invade privacy? For example, are there documented cases of it being used by stalkers and other types of harassers to learn the unpublished numbers of their victims? - Have domestic violence shelters and various "help" hotlines (such as AIDS and suicide prevention hotlines) noticed a "chilling effect" on the uses made of their services because of Caller ID? - Have your phone company's efforts at marketing Caller ID been above-board, or have they been misleading and manipulative? - Has the introduction of Caller ID resulted in anything which was unexpected and which surprised you -- either good or bad? Your comments are most welcome. Please email them directly to us -- prc@acusd.edu -- or if the moderator wishes, to this discussion group. FYI, when the fact sheet is completed, it will be added to our gopher and Web sites, along with the other 18 Privacy Rights Clearinghouse fact sheets currently available. Thanks for your help! ------------------------------ Date: Mon, 25 Sep 1995 02:00:15 -0700 From: "Marc Rotenberg" Subject: Privacy International Calls for CCTV Debate [EPIC Alert 2.10] [ From EPIC Alert 2.10 -- MODERATOR ] Privacy International Calls for CCTV Debate [On September 8, ABC News 20/20 ran a special segment on Closed Circuit Television and the growth of surveillance technologies. Simon Davies, Directot General of Privacy International, spoke about the threat to democratic government. He provided this statement from London] PRIVACY INTERNATIONAL BACKGROUND In recent years, the use of Closed Circuit Television (CCTV) in the UK has grown to unprecedented levels. Between 150 and 300 million pounds per year is now spent on a surveillance industry involving an estimated 200,000 cameras. According to the British Security Industry Association, more than three quarters of these systems have been professionally installed. Most towns and cities are moving to CCTV surveillance of public areas, housing estates, car parks and public facilities. Growth in the market is estimated at fifteen to twenty per cent annually. Many Central Business Districts in Britain are now covered by surveillance camera systems involving a linked system of cameras with full pan, tilt, zoom and infrared capacity. Their use on private property is also becoming popular. Increasingly, police and local councils are placing camera systems into housing estates and red light districts. Residents Associations are independently organising their own surveillance initiatives. Tens of thousands of cameras operate in public places,; in phone booths, vending machines, buses, trains, taxis, alongside motorways and inside Automatic Teller Machines. Barclays has pioneered the use of pin-hole cameras in its cash machines, and this lead is being followed by other banks. The government is heavily promoting the use of video surveillance as a key plank in its law and order strategy. One initiative was to offer a funding pot to support local CCTV projects. The Home Secretary first announced the CCTV competition on 18 October 1994. There were 480 bids from local authorities, community groups, schools and industrial estates. Nationally, more than one hundred schemes received a share of the 5 million funding, with a further 13.8 million levered in from other partnerships. National winners of the Home Office CCTV competition were announced in March. These systems involve sophisticated technology. Features include night vision, computer assisted operation, and motion detection facilities which allows the operator to instruct the system to go on red alert when anything moves in view of the cameras. Camera systems increasingly employ bullet-proof casing, and automated self defence mechanisms. The clarity of the pictures is usually excellent, with many systems being able to read a cigarette packet at a hundred metres. The systems can often work in pitch blackness, bringing images up to daylight level. According to statistics published by police districts and local councils, the effect on crime is dramatic. Car theft is reduced by up to ninety percent, while assaults and theft drop by as much as 75 per cent. IMPACT The justification for CCTV is seductive, but the evidence is not convincing. In a report to the Scottish Office on the impact of CCTV, Jason Ditton, Director of the Scottish Centre for Criminology, argued that the claims of crime reduction are little more than fantasy. "All (evaluations and statistics) we have seen so far are wholly unreliable", The British Journal of Criminology described the statistics as "....post hoc shoestring efforts by the untrained and self interested practitioner. In short, the crime statistics are without credibility. They are collected over too short a time, in dubious circumstances, and without regard for statistical conventions. Different categories of crime are indiscriminately combined, concealing possible increases in some and decreases in others. The crime statistics rarely, if ever, reflect the hypothesis that CCTV merely displaces criminal activity to areas outside the range of the cameras. One of the features of current surveillance practice is that the cameras are often installed in high-rent commercial areas. Crime may be merely pushed from high value commercial areas into low rent residential areas. Councils often find that it is impossible to resist demands for such systems. Originally installed to deter burglary, assault and car theft, in practice most camera systems have been used to combat what town officials call ''anti-social behavior,'' including many such minor offences as littering, urinating in public, traffic violations, fighting, obstruction, drunkenness, and evading meters in town parking lots. They have also been widely used to intervene in other undesirable behaviour such as underage smoking and a variety of public order transgressions. According to a Home Office promotional booklet, CCTV can be a solution for such problems as vandalism, drug use, drunkenness, racial harassment, sexual harassment, loitering and disorderly behaviour. Other innovative uses are constantly being discovered. The cameras are particularly effective in detecting people using marijuana and other substances. Authorities in Britain are slowly pushing out the limits of camera surveillance. For the past ten years, hospitals have used Covert Video Surveillance (CVS) to monitor parents who visit their children. These videos are taken by concealed cameras and microphones located behind the walls of specially prepared surveillance rooms, and are used in cases of unexplained injuries or illnesses. The video surveillance boom is likely to extend even inside the home. Andrew May, Assistant Chief Constable of South Wales, has urged victims of domestic violence to conceal video cameras in their homes to collect evidence. Michael Jack, then Minister for State at the Home Office was reported as responding that the idea brought a "freshness of approach" which highlighted the role of new technology. CONCERNS Privacy International believes the CCTV trend involves a number of grave risks. A situation is developing in which CCTV surveillance is so commonplace that fundamental changes are occuring in policing, community development policy and personal privacy. Privacy International is calling on the UK government to prohibit or restrict the use of three categories of CCTV equipment, and to institute a range of protections and legislation to cover all systems. The categories that require immediate restriction are : Computerised Face Recognition (CFR) systems that have the capacity to automatically compare faces captured on CCTV, with a database of facial images. Several police and commercial organisations are developing this technology. Manchester City Football Club has installed a system at its Maine Road Ground. Infra-red, high sensitivity equipment, and systems operating outside the visible light spectrum. These include Forward Looking Infra-red Radar (FLIR) systems able to detect activity behind walls, and infra-red systems able to detect activities in darkness. Miniature and micro-engineered devices designed for covert surveillance. Around 125,000 of these devices are sold each year from UK surveillance equipment outlets. The current legal situation is that visual surveillance escapes the cover of law. Privacy International believes this is an unacceptable situation. Surveillance should not be conducted without legal protections, and legislation should be passed without delay. Planning jurisdiction should be returned to Councils to re-establish some democratic mechanism in the development of wide-scale urban CCTV systems. There is a grave risk that the CCTV industry is out of control. Fueled by fear of crime, the systems take on a life of their own, defying quantification and quashing public debate. In a very short time, the systems have challenged some fundamental tenets of justice, and created the threat of a surveillance society. Other more traditional approaches to law enforcement and social justice are being undermined without due process. CCTV is emerging as one of this centuries most profoundly important developments, and its implications need urgently to be debated. [More information about Privacy International may be found at http://www.privacy.org/pi/] ------------------------------ Date: Fri, 15 Sep 1995 14:59:16 -0400 (EDT) From: fc@all.net (Dr. Frederick B. Cohen) Subject: New info-sec related mailing list Info-sec heaven is one of the world's most comprehensive and easily usable on-line collections of information related to information security. Included in our collection are searchable archives of: - state computer crime laws - The risks and privacy forums - the firewalls, privacy, virus-l forums and CIAC and CERT alerts - several books on information protection and things like the TCSEC in hypertext for for easy search and access - periodic articles from several widely respected info-sec sources including Computer Security Institute's "Security Alert", the ASIS journal "Security Management" Ray Jarvis's newsletter on industrial espionage, and other similar quality articles. It also includes sources to over 50 info-sec software programs including our secure Web and Gopher servers and name of the most widely used free or shareware protection packages - and Much Much More! We are introducing a new mailing list. Unlike many of the Internet's mailing lists, this is not an open forum for people on the Internet to exchange ideas. Rather, it is a monthly mailing used to inform readers of new information that can be found in info-sec heaven. If you would like to be informed of new information, services, search capabilities, protection software, articles, books, and other information that appears in info-sec heaven without having to come in periodically and look for yourself, please let us know by sending email to fc@all.net and we will add you to our monthly list. Thank you for your time. -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 ------------------------------ Date: Tue, 19 Sep 1995 07:37:01 -0700 From: invis@ix.netcom.com (Duane Pitlock) Subject: "Financial Privacy News" publication. A publication entitled "Financial Privacy News" or "FPN" is a 12 page newsletter self-described "to give the Client continuous monthly information on a variety of subjects regarding privacy and confidentiality and how to protect, preserve and expand assets and develop (tax-free) income opportunities." "FPN" includes relevant current events, a Question and Answer area, professional articles and a comprehensive "Privacy Library" for further detailed reading/learning. "FPN" states also that services are performed outside U.S. or Canadian jurisdiction since 1976. What many find interesting are the solutions to personal privacy facing us all (email/mail/phone/fax ect...) A free copy of this informative privacy source can be yours by emailing stephenw@sol.racsa.co.cr Put FREE NEWSLETTER/MR. PATIENCE in the SUBJECT and YOUR POSTAL ADDRESS in the BODY of your message. Respectfully, Duane Pitlock ------------------------------ End of PRIVACY Forum Digest 04.21 ************************