PRIVACY Forum Digest Friday, 9 February 1996 Volume 05 : Issue 04 Moderated by Lauren Weinstein (lauren@vortex.com) Vortex Technology, Woodland Hills, CA, U.S.A. ===== PRIVACY FORUM ===== ------------------------------------------------------------------- The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, "internetMCI" (a service of the Data Services Division of MCI Telecommunications Corporation), and Cisco Systems, Inc. - - - These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum. ------------------------------------------------------------------- CONTENTS Privacy legislation (Dick Mills) Tape recording conversations (David J. Coles) Telecomm Bill and Indecency (Neal J. Friedman) Internet Censorship Lawsuit (David Sobel) Access to DMV records by rental car companies (Paul Robinson) E-mail Privacy Policy (Joe Short) Privacy Files ABSTRACTS (Pierrot Peladeau) Call for Papers (Winn Schwartau) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access. ----------------------------------------------------------------------------- VOLUME 05, ISSUE 04 Quote for the day: "Who said anything about heaven? ... this IS the other place!" -- "Pip" (Sebastian Cabot) "The Twilight Zone" (original version: 1959-1964) Episode: "A Nice Place to Visit" ---------------------------------------------------------------------- Date: Mon, 29 Jan 1996 12:46:24 -0500 From: rj.mills@pti-us.com (Dick Mills) Subject: Privacy legislation In Privacy Forum Digest V05 #03, the MODERATOR wrote Assuming this service operates as described, it but another example of the widespread practice of making customer information available with minimal or no security provisions by many entities. When questioned, firms implementing such systems usually claim they can't imagine why anybody would be concerned about the release of such information... It is unlikely that such systems can be effectively controlled without new privacy legislation. What would such legislation look like? As I understand it, the traditions in privacy law are based on the concept of "reasonable expectations" of privacy. As the very case you comment on illustrates, we all have wildly divergent views of what is reasonable in each scenario. The accelerating pace of technology creates so many new and novel scenarios every day, that I despair at the thought of having to resolve reasonableness disputes case by case in front of a judge. Before the ink is dry on one case, a hundred new scenarios will pop up. Even a hundred Judge Wapners, each disposing of one case every 10 minutes couldn't keep up :) How can we formulate privacy laws that: a) transcend the inventiveness of new technology? b) are simple and clear enough that the public and business can understand and apply the law more or less correctly in their daily lives without consulting a lawyer on every issue? -- Dick Mills +1(518)395-5154 AKA dmills@albany.net http://www.albany.net/~dmills [ It is indeed a difficult area! I submit that a starting point is to determine to what extent information collected by an entity in the course of providing a business or information transaction is "owned" by that entity. Do they (or should they?) have unlimited rights to use that information internally for marketing and other purposes? Should they be unconditionally free to sell that information to other organizations, and/or provide it to third party databases? What recourse, controls, or choices should the person about whom the information was collected have regarding these matters? If we can establish these and related general points, it may be much easier to deal with specific cases. -- MODERATOR ] ------------------------------ Date: Tue, 30 Jan 1996 17:23:56 -0500 From: DJC1143@aol.com Subject: tape recording conversations I am a teacher in a large school system. Recently I had a conference with a very abusive parent. The tone and actions of this parent were very threatening to me. I feel I need some protection at future conferences. Is it legal for me to tape record future conferences with this parent? Is it legal to do so without his knowledge? Must I inform him in advance if I intend to tape the conference? If he refuses, may I still legally tape the conference? I am required by my superiors to have these conferences with anyone who signs up for them. I feel that I have no recourse when a parent can change or twist anything that is said and I as a teacher can't prove otherwise. I have been teaching 25 years and this kind of thing has never happened to me before. Sincerely, David J. Coles djc1143@aol.com ------------------------------ Date: Fri, 2 Feb 1996 17:11:29 -0500 (EST) From: Neal J. Friedman Subject: Telecomm Bill and Indecency MEMORANDUM TO: All Internet Clients DATE: February 2, 1996 RE: Telecommunications Act Imposes Controls on Indecent and Obscene Content on the Internet and Online Services The newly-enacted Communications Decency Act of 1996 states that it is the policy of the United States to "promote the continued development of the Internet and other interactive computer services." But, for the first time, it puts the federal government in the business of regulating the Internet and online services. The legislation does not go as far as some had feared, but further than others had hoped. The statute prohibits the use of interactive computer services to make or make available an indecent communication to minors. It defines indecency as: "any comment, request, suggestion, proposal, image, or other communication that, in context, depicts or describes, in terms patently offensive as measured by contemporary community standards, sexual or excretory activities or organs." This definition has been upheld in other cases involving the broadcast media. The bill's supporters expect that it will withstand the inevitable Constitutional challenge. Indeed, Congress provided that any challenge should first go to a special three-judge panel and then directly to the Supreme Court. The Conference Committee Report accompanying the bill argues that the new indecency prohibition will "pose no significant risk to the free-wheeling and vibrant nature of discourse or to serious literary, and artistic works that can be currently found on the Internet, and which is expected to continue and grow." The language requires that the communication must be knowing and specifically exempts online service providers who merely provide access to the Internet. The Conference Report states that the intent is to focus on "bad actors and not those whose actions are equivalent to those of common carriers." This is good news for those service providers who only host content for others and exercise no control over the content. But, the legislation goes on to state specifically that it is not the intent of Congress to treat online services as common carriers or telecommunications carriers for other purposes. If the online services were to be considered as common carriers, they would be insulated from liability for any content on their systems. Thus, the question of liability of online services for defamation and copyright and trademark infringement remains unclear. The legislation also provides a "Good Samaritan" defense for service providers who have taken "in good faith, reasonable, effective and appropriate actions under the circumstances to restrict or prevent access by minors" to prohibited communications or have restricted access to indecent content by means of a verified credit card, debit account, adult access code, or adult personal identification number. The role of the Federal Communications Commission is restricted under the new law. The FCC is only permitted to describe measures that are reasonable, effective and appropriate to restrict access to prohibited communications, but it cannot give its approval to such measures nor can it penalize any service provider for failing to use the measures. The new law also prohibits states from exercising control over content of online services. States can control content entirely within their borders so long as the control is not inconsistent with the federal law. Some state legislatures had, in reaction to publicity over alleged pornographic and indecent content online, considered bills that would have put tight restrictions on content. The full text of the entire Telecommunications Act of 1996, incorporating the Communications Decency Act of 1996, and the Conference Report are available on our World Wide Web site: http://www.commlaw.com. Sincerely yours, PEPPER & CORAZZINI, L.L.P. By:___________________________ Neal J. Friedman Neal J. Friedman | Pepper & Corazzini, LLP |Voice: njf@commlaw.com | 1776 K Street, N.W. | 202-296-0600 Telecommunications| Suite 200 |Fax: & Information Law | Washington, D.C. 20006 | 202-296-5572 [ The Conference Report and full text of the enacted Telecom Bill are also available in the PRIVACY Forum archive. They each run between 300K and 400K in length. One thing I can say for certain about the Telecom Bill--it will have effects and ramifications that cannot be accurately predicted. More competition? Massive media concentration? Lower rates? Higher rates? Greater communication? Censorship? The court battles have already begun (see next message). Regarding the "Communications Decency" aspects of the legislation, neither the absolute prohibitions written into the existing act, nor the concept of 100% uncontrolled and totally anonymous access on demand by anyone to all information, seem likely to be practical. My personal view is that the twin goals of protecting minors and allowing "anonymous" access to information by adults could be met through a properly designed public-key based authentication system. But we have to start talking *to* each other, rather than past each other, before we can make any real progress. -- MODERATOR ] ------------------------------ Date: 6 Feb 1996 16:10:17 -0500 From: "David Sobel" Subject: Internet Censorship Lawsuit A press conference will be held in Washington, DC, on Wednesday, February 6, to announce a broad-based constitutional challenge to the recently-enacted "Communication Decency Act." The case will be litigated by the American Civil Liberties Union and co-counsel from the Electronic Privacy Information Center (EPIC) and the Electronic Frontier Foundation (EFF). More than a dozen organizations will participate as plaintiffs. The press conference will be held at 10:30 a.m. at the ACLU's Washington Office: 122 Maryland Ave., N.E. Washington, DC (across from the U.S. Supreme Court) EPIC will issue the following statement at that time: ================================================================== For Release: Contact: February 6, 1996, 10:00 a.m. David L. Sobel (202) 544-9240 Internet "Indecency" Legislation: An Unconstitutional Assault on Free Speech and Privacy Rights Washington, DC - The Electronic Privacy Information Center (EPIC) will participate as both plaintiff and co-counsel in litigation to challenge the so-called "Communications Decency Act." The lawsuit will be filed in Philadelphia soon after the President signs the telecommunications bill containing the Internet "indecency" provisions. EPIC joins the American Civil Liberties Union and more than a dozen other organizations in challenging this ill-advised and unconstitutional attempt to impose governmental content regulation on emerging global electronic media. The legislation's vague "indecency" standard will have an obvious impact upon the free speech rights of millions of Americans who use computer networks to receive and distribute information. Less apparent is the assault on privacy rights that the legislation will engender. To avoid potential criminal liability under the "indecency" provision, information providers would, in effect, be required to verify the identities and ages of all recipients of material that might be deemed inappropriate for children. The new statutory regime would thus result in the creation of "registration records" for tens of thousands of Internet sites, containing detailed descriptions of information accessed by particular recipients. These records would be accessible to law enforcement agencies and prosecutors investigating alleged violations of the statute. Such a regime constitutes a gross violation of Americans' rights to access information privately and anonymously. Less than a year ago, the Supreme Court upheld the right to anonymous speech in McIntyre v. Ohio Elections Commission.. EPIC believes that the Court's rationale in that case applies with even greater force to the Internet "indecency" provisions. The Court noted that The decision in favor of anonymity may be motivated by fear of economic or official retaliation, by concern about social ostracism, or merely by a desire to preserve as much of one's privacy as possible. ... Anonymity is a shield from the tyranny of the majority. It thus exemplifies the purpose behind the Bill of Rights, and of the First Amendment in particular: to protect unpopular individuals from retaliation -- and their ideas from suppression -- at the hand of an intolerant society. Whether the anonymous individuals visiting sites on the World Wide Web are seeking information on teenage pregnancy, AIDS and other sexually transmitted diseases, classic works of literature or avant-garde poetry, they enjoy a Constitutional right to do so privately and anonymously. The Communications Decency Act seeks to destroy that right. EPIC is confident that upon review of the legislation and its impact upon free speech and privacy rights in emerging electronic media, the courts will invalidate the measure as fundamentally at odds with the Constitution. _________________________ The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, Internet censorship, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government, a non-profit organization established in 1974 to protect civil liberties and constitutional rights. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. - 30 - ================================================================== ------------------------------ Date: Fri, 09 Feb 1996 11:53:48 EST From: Paul Robinson Subject: Access to DMV records by rental car companies According to a report over the radio, a little-noticed provision of one of the crime bills which have come out allows a rental car company to check your driving record. According to the report, two or three incidents - an accident or certain types of tickets - is enough to cause you to be blacklisted. Where are the problems in this? 1. There is no announcement of this practice; you're not likely to find out until you get to the counter and can't rent a car. 2. There is no appeals process available. 3. There is no means available to provide for corrections or to determine where or how the error occurred in the event you are caught short by this happening. 4. No consideration is made as to the severity of the offenses or whether you were even at fault in the accident; if the information is there, you walk. Questions: 5. What proof do we have that those who are inquiring into the database are authorized to do so, that they are actually looking up the record for that customer, and what privacy protections do we have against unauthorized inquiries? Do we have the right to password-protect our own account? 6. What protections do we have against the risk of erroneous data in a report? 7. Is this the same data as is available at a DMV or DPS office, and if not, in what way is it different? 7. Are there rights under law to get errors corrected? For damages for inconvenience due to errors? Any right to collect damages for misconduct if knowingly false information is placed in a database? Or for failure to timely followup inquiries and remove errors? Government agencies are not known for speed in action unless, like with large organizations, damages and fines are available to those who are injured due to error, negligence or misconduct. Advice: 1. Whenever making a reservation for a car at a rental agency, book it with multiple agencies, then once you have the car, cancel or reschedule the ones not needed. (I do this because I have been extremely inconvenienced when there are conditions imposed at the rental counter I couldn't meet when I'd booked a car and made plans weeks in advance; if I had known about them beforehand I could have done something about them.) 2. If you get caught short in any circumstances, try another agency if (as is usually the case) asking for a supervisor doesn't help. 3. When making a reservation, ask if they do checking of one's driving record. If they do, and you want or must use that particular agency, then ask them to check your record in advance so you can know if there are any problems. 4. Get a copy of your driving record so you can know if there are any errors or inaccurate reports. In Maryland, where I live, a 3-year report costs $5 if uncertified, and $8 if certified; a full-report of everything on file is $10 and $15, respectively. (My report showed nothing at all.) 5. The above could also apply to certain issues regarding credit reports, for the same or similar reasons. Paul Robinson ------------------------------ Date: Tue, 06 Feb 1996 17:55:50 -0500 From: Joe Short Subject: E-mail Privacy Policy Hello, I need to find information concerning employee e-mail privacy, and related issues. As the LAN Manager, I have been asked to draw up a company policy defining the corporate legal view with regard to privacy of employee e-mail. The corporate board would like to make legal the practice of monitoring employee's e-mail. We had a situation that involved a manager reviewing the e-mail of an employee that had just been given notice of termination, effective 2 weeks after the incident. The employee complained, the manager apologized, and the employee has since left the company. I found references to the Electronic Communications Privacy Act (ECPA) of 1986 which explicitly prohibits the above actions by the manager unless written consent was given by the employee. I now need to find the ECPA document to back up my initial references. I assume that the board wants to be assured that employees will 1) use office e-mail for business purposes, and 2) make the employee aware that his/her e-mail can and may be monitored at any time. The employee will be asked to sign a consent form upon being granted an e-mail account. I have been in secure environments in the past that had guidelines explaining that other forms of communications may be monitored, but this is the first time I have dealt with e-mail privacy/security. What type of precedents have been set in this area? If this area has been covered in the past on this list, please refer me to the appropriate archives. I would also appreciate it if anyone can point me in a direction to find the ECPA and other relevant documents. This is not my area of expertise, and I do not want to make the mistake of putting together a hastily-built and unresearched policy! Thanks for your help!! -- Joe Fuentez Systems Concepts, Inc. 11781 Lee Jackson Highway Suite 700 Fairfax, VA 22033 URL: http://www.fuentez.com Voice: (703)273-1447 Fax: (703)273-2972 [ The PRIVACY Forum archive can be accessed via ftp.vortex.com, gopher.vortex.com, or www.vortex.com. The latter of the three access routes also provides keyword searching of the entire archive. -- MODERATOR ] ------------------------------ Date: Wed, 7 Feb 1996 10:31:22 -0500 (EST) From: Pierrot Peladeau Subject: Privacy Files ABSTRACTS ABSTRACTS and keywords of the contents of current issues of Privacy Files are now available through a list server. Privacy Files (ISSN 1203-3225), published 10 times a year, is a newsletter cum professional magazine. As a newsletter, it is a source of information of interest to those dealing within or with the Canadian personal informational space. As a magazine, it presents the opinions and analyses of professionals, academics and other experts on managing social, legal, ethical, technical, administrative issues related to personal information processing and privacy protection. To receive Privacy Files Abstracts, send the message: "Add me to 'Privacy Files Abstracts' list < your name >" to: privacy.files@progesta.com [ ABSTRACTS est aussi disponible en francais. Pour s'abonner envoyez le message "Ajoutez-moi a la liste 'Sommaires de Privacy Files' < votre nom >" a: privacy.files@progesta.com ] * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * PRIVACY FILES office/bureau * * 1788 d'Argenson, Ste-Julie (Quebec) CANADA J3E 1E3 * * tel : +1 (514) 922 9151 fax: +1 (514) 922 9152 * * tel : (toll free/sans frais: Canada & US): (800) 922 9151 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ------------------------------ Date: Wed, 31 Jan 1996 22:08:03 -0500 From: winn@Infowar.Com Subject: Call for Papers ***** CALL FOR PAPERS ***** Please feel free to distribute this widely. I first want to thank the thousands of people who have been so incredibly supportive of my work over the last several years, and who have helped the public debate on Information Warfare gain and sustain the momentum we have all created. As a result of the continued interest in the subject, my publisher has asked if I would create a 2nd. Edition with substantial updates to the original "Information Warfare" which was published in 1994. I told them that the new revised edition should include much of the thinking that has evolved on the topic in the last couple of years. Believe it or not, they agreed! So, I am asking (begging? :-) for a couple of things. 1. We want to include a comprehensive Appendix "D" to include references and bibliographic information for those already in and for those entering the field. We would greatly appreciate any and all types of references that you feel will be useful for students of Infowar today and in the future. The kinds of material we hope to include are: - Web sites, mailing lists, usenet, etc. - Monographs and their source - Published papers and their source - Books with publisher, author, date, ISDN (oops, ISBN) price and a one sentence commentary. - Global resources on the subject. - Courses (civilian, military, etc.) - Organizations, private and gov't. We will also add a credit/acknowledgments page for all of the Information Warriors who have assisted in this effort. Please supply name, title (or rank) contact info, and affiliation as you want it to appear in the book. (If you don't want your name or affiliation to appear, please so indicate and we will honor your request. (Honest . . . .) Ideally, we will need to have a hard copy of the materials that we reference. PLEASE RESPOND TO BETTY@INFOWAR.COM 2. In order to portray the current thinking of Infowar from its many facets, I am also looking for short commentaries on your particular take on Infowar - and heavens knows there are so many . . . perhaps googols! I would like to include a large number of 500-800 word overviews, or executive summaries of topics of interest to you, comments on my work, or perhaps on the efforts that you or your org are putting into the field. I am hoping to find a balance between the civilian viewpoints and military and international ones so that students and readers can see just how much work in occurring in the field. Organizations like AFIWC and DISA (and so on) are invited to submit a similar overview of their efforts in addition to individual submissions. It is not necessary to agree with me (that would be heresy in some cases :-)) but let's be civil about it, OK? The purpose is to get the neurons vibrating and moving the field forward. If you take issue with, or relate to specific items/topics/comments in "Information Warfare" please note page number so we can tie it all together thematically. There will be suffixes to each chapter, and I am hoping that many of the responses will comment on or add to each of the chapters. As for credit, we will list your name, contact info, affiliation etc., along with your particular contribution. With each submission, please just say something like, "I hereby give Winn Schwartau, Interpact, Inc., and Thunders Mouth Press non-exclusive permission to use this work." That keeps the publisher happy and still lets you own your own words. If it's a personal opinion, and not an official one of your organization, a simple disclaimer like, "these are the opinions of the author, and not necessarily those of my organization." We will provide a general suffix disclaimer to that effect anyway. If it is the official view of your org, then please indicate so clearly, so we may make an accurate distinction. If we decide to edit your piece substantively, we will run it back to you for approval before printing. All we will ask is a timely return. To get your brain thinking on the kinds of topics I am looking for: - Civilian Defense - "This is an act of War" - "This is not an act of War" - Infowar as an alternative to conventional conflict. - Non-lethal conventional warfare - Enhancing military efficiency with Infowar - PsyOps as Infowar - Hackers: A National Resource Please consider all three Classes of Infowar when deciding what you want to say. Since you only have 500-800 words to say it, I suggest that it be clear, concise and to the point. Controversy is good. But just as good is if your comments are thought provoking and stimulate additional discussion about your subject. For each contribution we accept, (and there will be a lot we will!) we will provide a free copy of the new revised "Information Warfare: Revised Edition" (or whatever they decide to call it.) PLEASE RESPOND TO: BETTY@INFOWAR.COM 3. We have already received a large number of short "pull quotes" of one or two sentences for the cover and inside covers where we give full attribution. If anyone is so inclined, we are looking for a few more that comment on the existing works. PLEASE RESPOND TO BETTY@INFOWAR.COM 4. Robert Steele at ceo@oss.net has agreed to help me pull together a "Who's Who" of Information Warfare. Please supply names, contact information and brief biographies to him at CEO@OSS.NET. Again, I want to thank everyone out there for their support, and I look forward to seeing what everyone has to say. Please send your input to BETTY@INFOWAR.COM no later than February 29, 1996. Feel free to distribute this widely and/or post as you see fit. Winn Schwartau Peace Winn Winn Schwartau - Interpact, Inc. Information Warfare and InfoSec V: 813.393.6600 / F: 813.393.6361 Winn@InfoWar.Com ------------------------------ End of PRIVACY Forum Digest 05.04 ************************