PRIVACY Forum Digest      Friday, 13 September 1995      Volume 04 : Issue 22

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy, and the Data Services Division of MCI Communications Corporation.

CONTENTS
    Privacy Brief (Lauren Weinstein; PRIVACY Forum Moderator)
    Re: SSNs for E-mail addresses! (Mark W. Eichin)
    Where Caller ID Is Headed (Beth Givens)
    Electronic road taxation in Singapore (Phil Agre)
    Announcement: Alert Mailing List (Christopher Klaus)
    National Privacy & Public Policy Symposium (RAKEROYD@csunet.ctstateu.edu)

------------------------------
--- Happy Friday the 13th! ---
------------------------------

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com".
All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com".

-----------------------------------------------------------------------------

VOLUME 04, ISSUE 22

Quote for the day:

    "It's much too dangerous to jump through the fire with your clothes on."

        -- Lord Summerisle (Christopher Lee)
           "The Wicker Man" (1973)

----------------------------------------------------------------------

Privacy Brief (Lauren Weinstein; PRIVACY Forum Moderator)

---

The federal appeals court in Denver has ruled that it is unconstitutional for police to scan homes with heat-sensing equipment in an attempt to detect suspected criminal activity, without a warrant. The case involved the use of infrared imaging equipment where marijuana growth within a home was suspected.
In its 3 to 0 decision, the court also noted that four federal appeals courts in other circuits have ruled in exactly the opposite manner, which would appear to make the long-term impact of this decision somewhat questionable, to say the least. No evidence was suppressed in this case, since other valid grounds for a search warrant, which were not related to the thermal imaging, were found to be valid.

------------------------------

Date: Sat, 30 Sep 1995 12:05:28 -0400
From: "Mark W. Eichin"
Subject: Re: SSNs for E-mail addresses!

I was once told that Bell Atlantic used a compressed form of SSN (== Employee ID number) as part of the email address. (Perhaps they still do, though I've seen more normal addresses as well.) I don't recall the exact encoding, but I note that a 9 digit number easily fits in 7 lower case characters or if you allow numbers as well, 6 characters. (I believe they use the latter with a prefix, though if you break up the pieces, 999-99-9999 could encode as 11-c1-hz1 if 0->a, 25->z, 26->0 through 36->9.)

And of course just about everyone has their email address printed on their business card...

------------------------------

Date: Mon, 9 Oct 1995 13:13:29 -0700 (PDT)
From: Beth Givens
Subject: Where Caller ID Is Headed

Thanks to the many readers of this forum who have responded to my recent posting asking how Caller ID works in your states. (FYI, California is one of only two states which does not now have Caller ID, although it is likely to be offered here in the coming months.) The information you have provided is most useful.

You might be interested in a recent Caller ID story from Missouri. Southwestern Bell, the major local telephone company in that state, recently announced a new service called Caller Intellidata, which would be available to businesses. It is essentially "an embellishment of Caller ID," according to Jerri Stroud, a reporter for the St. Louis Post-Dispatch.
She described the service in stories appearing October 5 and 6, 1995. Here are excerpts:

"The new service would package the Caller ID information with the caller's address and demographic information compiled by Equifax Inc., a national credit reporting and information service....

"Bell proposes to sell businesses monthly reports about their callers. The reports would include the date and time of each call, the caller's name, telephone number, street address, city, state, nine-digit zip code and whether the number is a resident or business....

"The company would also give businesses a statistical profile of their customers as a group, using demographic information from Equifax...The information would include income, lifestyle, education, neighborhood and other information from census reports. A Bell spokesman said the demographic information cannot be tied to a specific caller..."

The Public Counsel for Missouri, Martha Hogerty, objected to the service, saying that it "smacks of Big Brother." She said "Consumers should not be forced to become statistics in a marketing study merely by placing a telephone call." She called the service "an abuse of the company's local telephone monopoly."

The next day Southwestern Bell withdrew its plans and said it would reintroduce Intellidata after the regulators have a chance to understand it better. Apparently Caller Intellidata is already in place in other Southwestern Bell cities: Houston and Austin, Texas, and Wichita and Topeka, Kansas.

It should be noted that phone customers in the state of Missouri do not have the ability to use Per Line Blocking for their outgoing telephone numbers, only Per Call Blocking. This means that for each call they make, they must dial *67 before dialing the phone number in order to prevent their calling number ID from being transmitted to the display device of the call recipient.
In most other states, phone customers can sign up for Per Line Blocking, which automatically blocks every number from being delivered. Customers can unblock the number by entering another code before dialing the number.

Southwestern Bell's use of Caller ID data in its Caller Intellidata service is, I believe, a good indicator of what is yet to come on a much larger scale. This type of transaction-generated data is far too lucrative for business marketing applications to be allowed to be limited strictly to billing purposes.

One of the many things that concerns me about the proposed Southwestern Bell use of Caller ID data is that phone customers were apparently not going to be notified about the proposed usage. Nor were they going to be given the opportunity to opt-out of such usage. In addition, they do not even have the ability to put the Per Line Blocking feature on their phone line.

Beth Givens                         Voice: 619-260-4160
Project Director                    Fax: 619-298-5681
Privacy Rights Clearinghouse        Hotline (Calif. only):
Center for Public Interest Law         800-773-7748
University of San Diego                619-298-3396 (elsewhere)
5998 Alcala Park                    e-mail: bgivens@acusd.edu
San Diego, CA 92110

    [ In a phone conversation Beth and I had recently regarding this "service", a couple of other interesting points were discussed. First, while we assume that customers with non-published telephone numbers are protected from having their addresses disclosed by the telco, this is not made clear from available information regarding the service.

      Beth pointed out that such a service, at least in terms of the telephone company releasing customer addresses, would probably not be possible to such an extent in areas (such as California) where more stringent regulations concerning the release of customer information have been put into place. However, it is still possible that a great deal of information, much of it probably "stale" (inaccurate through age) might be tied to customer phone numbers through third party sources.
                                                        -- MODERATOR ]

------------------------------

Date: Thu, 12 Oct 1995 09:49:39 +0100
From: agre@laforia.ibp.fr (AGRE Phil 44.27.71.39 Professeur invite d'A Collinot)
Subject: electronic road taxation in Singapore

The International Herald Tribune reports that the government of Singapore has awarded a S$197 million (US$140 million) contract to Philips Singapore, Mitsubishi Heavy Industries, Miyoshi Electronics, and its own Singapore Technologies group to build the first phase of an electronic system for automatic collection of taxes ("tolls") aimed at regulating demand for the country's road capacity. The full reference is:

    Michael Richardson, Singapore moves toward electronic tolls for vehicles, International Herald Tribune, 10 October 1995, page 4.

Such systems have raised significant civil liberties concerns because, unless care is taken in their design, they can lead to the creation of electronic records of drivers' movements. The article does not comment on the civil liberties aspects of the Singapore system or on the Singapore government's highly controversial record on privacy and other civil liberties issues. It does say that the "smart cards", which "will be slotted into small holders mounted inside the windshield", will be debit cards from which "charges will be deducted from credit stored in the cards" by means of interactions with "electronic scanners mounted on gantries leading to congested areas and busy highways". It does not say how compliance with the system will be enforced.

Nonetheless, the system does create one clearly ominous precedent: these cards will be "installed on *all* of Singapore's 650,000 motor vehicles" (emphasis added). This kind of coercion is needed, for all practical purposes, to implement an electronic road-use taxation system, also known by the somewhat misleading term "congestion pricing".
Transportation officials in the United States have repeatedly asserted that such systems in this country will be "voluntary", yet moves toward congestion pricing are under way in several parts of the country. It is not at all clear how these two trends will be reconciled -- unless, of course, submitting to electronic monitoring of one's road travel is "voluntary" in just the same sense that driving a car at all is voluntary.

In any event, the developments in Singapore redouble the urgent need to develop, implement, and standardize technologies for anonymous electronic toll collection systems.

Phil Agre

------------------------------

Date: Mon, 9 Oct 1995 16:13:20 +1494730 (PDT)
From: Christopher Klaus
Subject: Announcement: Alert Mailing List

Announcing a new security mailing list - The Alert.

The Alert will be covering the following topics:

  - Security Product Announcements
  - Updates to Security Products
  - New Vulnerabilities found
  - New Security Frequently Asked Question files.
  - New Intruder Techniques and Awareness

To join, send e-mail to request-alert@iss.net and, in the text of your message (not the subject line), write:

    subscribe alert

To remove, send e-mail to request-alert@iss.net and, in the text of your message (not the subject line), write:

    unsubscribe alert

This is a moderated list in the effort to keep the noise to a minimum and provide quality security information.

If your site is interested in network security, we put out several FAQes (Frequently Asked Question) that cover the following main areas of topic:

Vendor Contacts
  - Who are the security contacts at IBM, HP, Dec, Motorola, etc.
  - Web page at: http://iss.net/iss/vendor.html

Patches
  - List of all security related patches categorized by OS type.
  - Web page at: http://iss.net/iss/patch.html

Compromise
  - Check list of things to do if your machines are compromised.
  - Web page at: http://iss.net/iss/compromise.html

Anonymous FTP Security
  - How to correctly set up FTP and check for vulnerabilities.
  - Web page at: http://iss.net/iss/anonftp.html

Sniffers
  - What they are. How they work. How to detect them. And solutions.
  - Web page: http://iss.net/iss/sniff.html

Security Mailing Lists
  - A comprehensive list of security mailing lists.
  - Web page: http://iss.net/iss/maillist.html

If possible, it might be a good idea for you to add links to the above web pages on your own Web server and point people who need to know some of the network security issues to the web page.

It is possible to point to all of the FAQ pages at: http://iss.net/iss/faq.html

--
Christopher William Klaus      Voice: (770)441-2531. Fax: (770)441-2431
Internet Security Systems, Inc.               "Internet Scanner lets you find
2000 Miller Court West, Norcross, GA 30071     your network security holes
Web: http://iss.net/ Email: cklaus@iss.net     before the hackers do."

------------------------------

Date: Wed, 11 Oct 1995 19:12:50 -0400 (EDT)
From: RAKEROYD@csunet.ctstateu.edu
Subject: National Privacy & Public Policy Symposium -- Registration Form

NATIONAL PRIVACY AND PUBLIC POLICY SYMPOSIUM

HISTORY IN THE MAKING -- Privacy is a vague concept that has assumed an increasingly important role in many areas of national debate. From questions of abortion and crime prevention to international commerce and emerging technologies, policy-makers are confronting ever more and difficult choices involving the sanctity of the person on the one hand, and societal efficiency on the other. Yet privacy has neither been studied nor defined comprehensively to address both traditional relationships and the many new ones produced by a rapidly evolving society.

The Connecticut Foundation for Open Government, Inc. ("CFOG"), a tax exempt, non-profit corporation, is sponsoring a first-ever symposium to effectively remedy this omission.
The ultimate goal of the symposium is to create a comprehensive definition of "privacy," tailored to contemporary and foreseeable needs, that can be used in formulating public policy on a broad range of privacy-related issues. To meet this goal, the symposium for the first time will bring together some of the best minds and leading experts from a host of disciplines to explore and discuss the many complex issues that ought to be considered in a comprehensive definition.

THE PROGRAM -- The program will consist of plenary sessions, focused panels and featured speakers. Participants represent a broad spectrum of perspectives and backgrounds.

The first plenary session will present a social and legal history of privacy. This will provide the intellectual setting for consideration of a new and comprehensive definition of privacy.

In addition to featured speakers at some meals, there will also be a series of concurrent panel discussions covering an array of disciplines in which privacy issues are a significant concern. The disciplines and key privacy issues that will be discussed include:

Bio-technology and Medicine
  - Euthanasia and prolongation of life
  - Genetic engineering and testing
  - Medical "smart cards"
  - Physician-patient relationship

Info. and Communications Technologies
  - "Information superhighway"
  - "Smart cards"
  - Transmitting personal information
  - Wiring car, home and person

Business
  - Credit and customer information
  - Direct and targeted advertising
  - Employee drug testing
  - Institutional security

Journalism
  - Primacy of privacy or news
  - Privacy and "live" journalism
  - Private and public figures
  - Public places and private property

Economics of Information
  - Accurate, secure personal data
  - Computer matching
  - Databases: too much information?
  - Use and ownership of personal data

Law
  - Future of the tort law of privacy
  - Government and the family
  - Government and one's body
  - Government and one's home and property

Gov. Information Practices and FOI
  - Accurate, secure personal data
  - Collecting and revealing personal data
  - Privacy rights of the deceased
  - Social security numbers

National Security and Law Enforcement
  - "Clipper chip"
  - Criminal history information
  - Electronic "bugging" and surveillance
  - Intelligence dossiers and databases

The final plenary session will consist of reports by each panel chairperson and a moderated discussion that will attempt to synthesize the various issues and positions into a comprehensive definition of privacy. The Symposium Reporter will prepare a final report which will include the history of privacy, pre-symposium papers for each panel, a summary of the final plenary session, an analysis of the work of the symposium, and a comprehensive definition of privacy.

THE FACULTY

Moderator -- Claire L. Gaudiani, Ph.D. Dr. Gaudiani is the President of Connecticut College, a prestigious liberal arts college located in New London, CT. She has become widely known as an advocate of global civic virtues. She was responsible for Connecticut College's sponsorship of the first International Conference on Ethics in Government held in Washington in 1994. Most recently she participated in the United Nations Summit on Global Social Development in Copenhagen. Dr. Gaudiani has an expertise in public policy development, a knowledge of the concepts of privacy and the facility to lead a diverse group of exceptionally able people in a structured, yet open, discourse.

Privacy Scholar -- Professor Alan F. Westin. Professor Westin is Professor of Public Law and Government at Columbia University. He is perhaps the preeminent scholar of privacy in the United States, having specialized for four decades in the social, ethical and legal impacts of information on individuals, organizations and society. He also maintains a continuing special interest in medical confidentiality and health-information-systems privacy issues.
Among his many publications, Professor Westin's award-winning book Privacy and Freedom is considered the leading work in its field. Professor Westin is the founder and Publisher of Privacy and American Business, a non-profit bi-monthly national report and information service and is senior advisor and consultant to numerous government panels and national and multi-national companies.

Reporter -- Harry A. Hammitt. Mr. Hammitt is both a lawyer and a journalist. He is Publisher and Editor of Access Reports and is internationally recognized as a leading expert in the field of information access and privacy.

Panel Chairpersons -- Thomas Blanton, Executive Director, National Security Archives (National Security and Law Enforcement); Anne Wells Branscomb, Center for Information Policy Research, Harvard University (Economics of Information); Ann Cavoukian, Assistant Commissioner for Privacy, Ontario, Canada (Bio-technology and Medicine); Robert Gellman, privacy and information policy consultant (Government Information Practices and Freedom of Information); Janlori Goldman, Deputy Director, Center for Technology and Democracy (Business); Victor Kovner, partner, Lankenau, Kovner and Kurtz (Law); Paul Evan Peters, Executive Director, Coalition for Networked Information (Information and Communications Technologies); and Herbert Strentz, Professor, Drake University School of Journalism and Mass Communication (Journalism).

Panelists Include -- Alan Adler, Attorney, Cohn & Marks; Edward Appel, chief of counterintelligence, National Security Council; Kathleen A. Callaghan, former Dir., Hawaii Office of Information Practices; James X. Dempsey, Dpty. Dir., Center for National Security Studies; Mark Effron, V.P. and News Director, WFSB TV; Ralph G. Elliot, Attorney, Tyler Cooper & Alcorn; John Fanning, Policy Analyst, Public Health Service; John A. Ford, V.P., Equifax, Inc.; Robert J. Freeman, Ex. Dir., N.Y. State Committee on Open Government; Gerald Gates, Chair, Privacy Group, National Information Infrastructure Advisory Committee; Gerald R. Green, Professor of Economics, Harvard University; Jane Kirtley, Ex. Dir., Reporters Committee for Freedom of the Press; Steven Levy, Fellow, Freedom Forum Media Studies Center, Columbia University; David Malkin, MD, Hospital for Sick Children Foundation; Kate Martin, Ex. Dir., Center for National Security Studies; Roger G. Noll, Professor of Economics, Stanford University; Barbara A. Petersen, Ex. Dir., Florida First Amendment Foundation; Robert Ellis Smith, Publisher, Privacy Journal; George B. Trubow, Professor of Law, John Marshall Law School; Hal Varian, Dean and Professor of Economics, University of California at Berkeley; Tom Wright, Information and Privacy Commissioner, Ontario.

Featured Speakers -- U.S. Senator Joseph I. Lieberman; Francis Aldhouse, Deputy Data Protection Registrar, United Kingdom; Vice President Albert Gore (invited).

WHEN, WHERE AND HOW -- The symposium will be held on Friday, November 3 and Saturday, November 4 (until noon) 1995 at the Aetna Life and Casualty Company's Conference Center and Home office, a world-class facility in Hartford, CT. The approximately 400 people who will attend the symposium will represent a virtual "Who's Who" of business, information and communications technologies, the medical, health care, legal and journalism professions, academia and government.
-----------------------------------------------------------------

REGISTRATION FORM

Complete and Return to:

    National Privacy and Public Policy Symposium
    18-20 Trinity Street, First Floor
    Hartford, Connecticut 06106

(Name)                          (Mailing Address)
(Title)                         (City, State, Zip Code)
(Organization)                  (Telephone and Fax Numbers)

Check the Appropriate Box(es)

[ ] Please register me for the symposium; make checks payable to CFOG.*

List in order of preference the designation letters (A-H) listed below of the three concurrent panels you would most like to attend. Depending on response, it is possible that some registrants' first choices cannot be honored. All decisions will be made based on the date of receipt of registration. Every attempt, however, will be made to honor each registrant's first choice. You will be notified in the event your first choice cannot be honored.

[ ] First Choice    [ ] Second Choice    [ ] Third Choice

Panel Selections

    (A) Bio-technology and Medicine
    (B) Business
    (C) Economics of Information
    (D) Gov. Information Practices and FOI
    (E) Info. and Communications Technologies
    (F) Journalism
    (G) Law
    (H) National Security and Law Enforcement

[ ] I cannot attend, but would like to obtain symposium publications and/or tape recordings.

*The registration fee is $350 (U.S.) and must be enclosed with this form to confirm your registration. The fee covers attendance at the symposium, all printed publications and the cost of two breakfasts, one lunch, and one reception (cash bar) and dinner. Full refunds will be made for cancellations received before October 25, 1995. A service charge of $50 (U.S.) will be assessed for any cancellation made between October 25, 1995 and November 2, 1995. No refunds can be made thereafter.

The Aetna Conference Center has a number of comfortable and convenient rooms available at reasonable rates. If you are interested in booking a room at the conference center, please call Pam Sakow at (203) 236-6034.

------------------------------

End of PRIVACY Forum Digest 04.22
************************