PRIVACY Forum Digest      Friday, 23 February 1996      Volume 05 : Issue 05

          Moderated by Lauren Weinstein (lauren@vortex.com)
            Vortex Technology, Woodland Hills, CA, U.S.A.

                       ===== PRIVACY FORUM =====

-------------------------------------------------------------------
The PRIVACY Forum is supported in part by the ACM (Association for
Computing Machinery) Committee on Computers and Public Policy,
"internetMCI" (a service of the Data Services Division of MCI
Telecommunications Corporation), and Cisco Systems, Inc.
                                - - -
These organizations do not operate or control the PRIVACY Forum in any
manner, and their support does not imply agreement on their part with
nor responsibility for any materials posted on or related to the
PRIVACY Forum.
-------------------------------------------------------------------

CONTENTS
	AT&T Cell Users at Risk: follow-up (dperetz@accessone.com)
	Taping Conversations (Charles R. Trew)
	Alzheimer's, mental defectives, and privacy (Phil Agre)
	"Transcendent" Privacy Legislation (Pierrot Peladeau)
	Netscape Navigator 2.0 exposes user's browsing history
	   (John Robert LoVerso)
	Federal Court Enjoins Internet "Indecency" Provision
	   [From EPIC Alert] (Marc Rotenberg)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
           *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored. Excessive "signatures" on submissions are
subject to editing.
Subscriptions are by an automatic "listserv" system; for subscription
information, please send a message consisting of the word "help" (quotes not
included) in the BODY of a message to: "privacy-request@vortex.com". Mailing
list problems should be reported to "list-maint@vortex.com".

All messages included in this digest represent the views of their individual
authors and all messages submitted must be appropriate to be distributable
without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related
materials, is available via anonymous FTP from site "ftp.vortex.com", in the
"/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your
e-mail address as the password. The typical "README" and "INDEX" files are
available to guide you through the files available for FTP access. PRIVACY
Forum materials may also be obtained automatically via e-mail through the
listserv system. Please follow the instructions above for getting the
listserv "help" information, which includes details regarding the "index"
and "get" listserv commands, which are used to access the PRIVACY Forum
archive.

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full
keyword searching of all PRIVACY Forum files is available via WWW access.
-----------------------------------------------------------------------------

VOLUME 05, ISSUE 05

   Quote for the day:

	"An *actor* as President?"

		-- Derek Flint (James Coburn)
		   "In Like Flint" (1967)

----------------------------------------------------------------------

Date: Sun, 4 Feb 96 14:52:06 PST
From: dperetz@accessone.com
Subject: AT&T Cell Users at Risk: follow-up.

dperetz@accessone.com wrote:

> Want billing/payment information on someone else?
> Want to run a usage analysis for the best rate plan for
> another?
> ATT Wireless Networks makes this possible with their
> automated INFOEXPRESS (Customer Care) service.
> Simply dial 1-800-782-xxxx or 1-206-389-xxxx (SEA).
> Enter the target cell number and the person's zip code.
>
> ...
>
> [ Assuming this service operates as described, it
>   is but another example of the widespread practice
>   of making customer information available with
>   minimal or no security provisions by many entities.
>
>   When questioned, firms implementing such systems usually
>   claim they can't imagine why anybody would be concerned
>   about the release of such information (allowing change
>   orders in such an environment would be *highly* unusual),
>   and that more "secure" systems (such as the use of PINs)
>   would be "too inconvenient" for the customer. Usually the
>   claim is also made that they've received virtually no
>   complaints, either!
>
>   ...
>
>   -- MODERATOR ]

Follow-up:

You are quite correct. I spoke with S.B., an INFOEXPRESS specialist. She
stated they were hoping for a 4:1 'approval ratio.'

Change orders are easy (yes, it was a cold phone):

A) Simply get the amount of the last payment with the method described
   above.
B) Enter the option to speak with a CSR.

D:   "I'm calling to see if my check for last month's bill of 61.62
     posted?"
CSR: "Yes it did, on January twelfth."
D:   "Thanks, and I'd also like to discontinue the voice-mail option.
     I just never use it."
CSR: "Okay."
. . .

At this point I stopped the CSR and asked her to discontinue INFOEXPRESS
instead. This can't be done.

I haven't played extensively with the automated c.o., but the picture is
clear.

I questioned the CSR about performing the c.o. without verification. I was
told that because I knew last month's billing amount, it was okay. Had I not
known, I would have been asked for an account number. I explained I got the
amount from INFOEXPRESS: "I'll let you talk to my supervisor."

Groan.
------------------------------

Date: 13 Feb 1996 15:28:15 EST
From: "CHARLES R TREW"
Subject: Taping Conversations

	[ This message is replying to a query regarding taping
	  of teacher/parent interviews at a school. -- MODERATOR ]

Your situation is an all too common one these days. However, the answer is
extremely complex and you should not do any taping until you have checked in
advance with a reliable attorney and the inspector general (or whatever
title is used by the chief legal counsel) for your school system. Next time
you should have another teacher or (preferably) an administrator if you are
going to be meeting this person again.

As for future situations, you may be limited by the fact that you are on
public property as a public official. If you are at a private school you
would definitely have more room to make a recording with the
administration's permission.

Any calls made to you at your home are fair game and, contrary to popular
belief, you do not have to inform the other party you are recording. For
most practical purposes most phone calls are fair game for either party on
the line; restrictions are primarily against third parties listening in
unbeknownst to the other two. As I said, though, you are in a sensitive spot
at the office.

Finally, if you decide to tape your office, home, phone, etc. *never*
indicate to your subject you are going to tape them. You will all but
guarantee an unpleasant discussion. If it's legal, it's your business
anyway. If you are unsure you can always play the tape for your lawyer and
then make a determination.

------------------------------

Date: Wed, 21 Feb 1996 15:01:34 -0800 (PST)
From: Phil Agre
Subject: Alzheimer's, mental defectives, and privacy

Today's paper includes a very disturbing article:

  Gina Kolata, Research links writing style to risk of Alzheimer's,
  New York Times, 21 February 1996, page A7.
It reports a study of autobiographies written by 93 nuns when they entered a
convent early in this century, correlating their writing style with whether
they got Alzheimer's disease sixty years later. The study claims that one
attribute of their writing correlates very strongly indeed with their later
Alzheimer's status, namely what they called "idea density" -- how many ideas
were present in a given stretch of writing.

It does not at all follow that people who write with fewer ideas are more
likely to get Alzheimer's, since writing practices differ in different
situations, and this is just one sample of people from very particular
social and historical circumstances, writing in response to a very
particular assignment. A more plausible conclusion, though, is the one that
the scientists emphasize, namely that Alzheimer's disease is a
long-standing, possibly lifelong disorder whose gross effects only become
apparent in old age once the cumulative brain tissue destruction has become
massive.

I hope that this conclusion is false. Suppose it is true. Then it seems
altogether plausible that someone will come up with a reliable clinical test
for Alzheimer's that will work on people in their 20's, or even on children.
The consequences of this test would be horrible. First, a large portion of
the population would be walking around knowing that their brains were being
progressively consumed by this incurable illness. Second, a large portion of
the population would risk carrying a label -- the 21st century equivalent of
terms like "mental defective" that can consign a person to second-class
social existence. What employer will abstain from learning a job applicant's
Alzheimer's status, particularly when the job involves training whose
payback will be stretched over a long period? Will a person's Alzheimer's
status become public knowledge, for example as part of their credit record?
Will the kind of shallow and ineffectual "medical privacy" legislation that
we're seeing in Congress this year permit Alzheimer's status information to
leak out into offshore databases?

It can get much worse. What happens if, as many scientists apparently
expect, it turns out that Alzheimer's is inherited, or (more to the point)
predictable from parents' DNA? Will whole categories of people be dissuaded
from having children who are likely to be susceptible to the disease? Will
those people be shamed if they do have children? Will they have to make
decisions about when and how to tell their children of the condition?
Precedents for these questions do exist in some diseases that affect limited
populations, but Alzheimer's is much more prevalent. Someone will no doubt
argue that society could vastly improve its economic performance and
decrease its medical bills by discouraging people from giving birth to
infants at risk from Alzheimer's.

This will not be a happy day.

Phil Agre, UCSD

------------------------------

Date: Thu, 22 Feb 1996 12:26:20 -0500 (EST)
From: Pierrot Peladeau
Subject: "Transcendent" Privacy Legislation

In Privacy Forum Digest V05 #04, Dick Mills, reacting to a Moderator article
in V05 #03, asked the following question:

   How can we formulate privacy laws that:
   a) transcend the inventiveness of new technology?
   b) are simple and clear enough that the public and business can
      understand and apply the law more or less correctly in their
      daily lives without consulting a lawyer on every issue?

A Short Answer:

Yes, it is possible to formulate "transcendent" data protection laws
(personally I make a huge conceptual distinction between privacy and
protection of personal information). Well drafted, such laws using generic
and well defined terms could be simple and clear enough for common daily
life instances.
But, because they would use generic terms, there will always be some
fuzziness that will call for clarification from a regulatory, oversight or
judicial body. The 'economy of fuzziness' by which a legal writer tries to
make a proper balance in the use of generic and more precise terms is well
known by jurists, especially those who are familiar with Roman-German legal
systems. The really interesting issue is therefore: which generic terms?

The Demonstration:

1. The How:

Sociologist Jean-Pierre Lemasson addressed that question in a report to the
Quebec government on the problem of the use of personal information in
private sector organizations (Groupe de recherche informatique et droit,
'L'identitee piratee', Montreal, SOQUIJ, 1986). He proposed that legislation
could "transcend" technological changes if it was written in such a way that
it grasps the LOGIC OF INFORMATION instead of trying to cope with the
specific capability of one technology. So laws should deal with information
and the generic logical moments of its use, not with particular practices,
procedures or technology. Lemasson did not discuss his proposal in detail,
but it can be explained by referring to theoretical and practical works.

2. The Why:

In 'The Logic of Writing and the Organization of Society' (Cambridge
University Press, 1986), social anthropologist Jack Goody brilliantly
explores the possibility of writing a human history according to modes and
means of communication, very much like Marx tried to write a history
according to modes and means of production. His theory is that humankind has
known two main modes of communication: orality and writing. The term
"writing" is used in its widest meaning so as to include any kind of
physical support for knowledge. Of course, many technologies have been
developed to make the best of the many capabilities of writing: the printing
machine, the computer. The latter are means that unleash some of the
properties of writing, of its logic.
So, following Goody's thesis, it should be possible to find basic properties
of writing that "transcend" any specific capabilities of particular means
and the even more specific applications of very particular technological
tools.

3. Theoretical testing of the idea:

I did explore the intuition of Lemasson along the lines drawn by Goody.
First, in the making of an international comparative study of data
protection legislation, I found that some legislation actually was
"transcending" technical changes while other legislation was rapidly
becoming obsolete. For instance, sections dealing with computer matching (a
specific procedure) were easily made inadequate to cope with new
communication procedures (virtual data banks, on-demand sharing on networks,
etc.). Conversely, those that were strictly written with generic terms like
"communication" or "change in purpose" were able to resist technological
innovations. Another example is the difference in the writing between the
Canadian and some US criminal sections dealing with wiretapping. The
Canadian Criminal Code sections dealt with the protection of private
communication in general, whereas their US counterparts dealt with the
protection of a series of communications supported by specific media. The
former did not need to be amended to be applicable to every new means of
communication, contrary to the latter.

The second step was to theorize a) what are the constant logical components
of personal information processes irrespective of technology ["Esquisse
d'une theorie juridique des proces d'information relatifs aux personnes"
(1989) 34 McGill Law Journal 952], and b) what was the specific impact of
informatics on this logic ["L'informatique ordinatrice du droit et du proces
d'information relatif aux personnes" (1989) 1 Technologie de l'information
et societe 35]. For our discussion, only a) is needed. I did find generic
(or "transcendent") concepts for drafting normative texts.
For instance, five generic logical moments of the personal information
process were identified (collection, storage, communication, processing,
decision - the last two being usually forgotten by most data protection
schemes) with their related operations and procedures as well as other basic
concepts. But the most interesting part is, of course, the practical
applications.

4. Field testing

In 1982, the Quebec National Assembly adopted the Act Respecting Access to
Documents Held by Public Bodies and the Protection of Personal Information
that applies to all government agencies, municipal bodies, educational
bodies as well as health and services institutions. Article 65 states that:

   Every person who, on behalf of a public body, collects nominative
   information from the person concerned or from a third person must
   first identify himself and inform him
   (1) of the name and address of the public body on whose behalf the
       information is being collected;
   (2) of the use to which the information will be put;
   (3) of the categories of persons who will have access to the
       information;
   (4) of the fact that a reply is obligatory, or that it is optional;
   (5) of the consequences for the person concerned or, as the case
       may be, of a refusal to reply;
   (6) of the right of access and correction provided by law...

Unfortunately, this laudable section is still not respected by the huge
majority of Quebec public bodies 14 years later. My explanation was that
this section was imposing a specific procedure (communication of information
BEFORE collecting personal information) that was difficult, and often very
costly, to implement in many instances. Technology was a problem since many
transactions that were previously carried out in a face to face fashion now
were carried out by phone or other media that made this procedure
burdensome.
When Bill 68, the Act Respecting the Protection of Personal Information in
the Private Sector (still the only comprehensive law of the kind in North
America), was discussed, I put forward the following solution: get rid of
the procedure and stick to the objective, which is mandatory information of
the data subjects, by using generic terms: COMMUNICATION of information
AROUND the time of COLLECTION. This solution was adopted, and section 8 of
the Act begins as follows:

   A person who collects personal information from the person concerned
   must, when establishing a file on that person, inform him ...

The results are that less than two years after enforcement of this Act,
almost all the private organizations that implemented it so far have
respected the notification requirement. For instance, if informing you by
phone is burdensome, you will receive all the information by mail with your
contract, your first billing statement or a specific communication for this
purpose. There is no mandatory procedure. Each organization finds the most
efficient way to inform the data subjects.

Of course this is not the ideal situation where all this notification would
have been made prior to collection of personal information. But this latter
procedure is only easily feasible in some physical contexts and not in
others. So, better to have a generic obligation that is implemented than a
perfect principle that is not because it better fits some means of
communication than others.

I could go on with other examples but I think the point is clear now.

5. Conclusion

"Transcendent" data protection laws are possible, as can be demonstrated by
both experience and theoretical work. But such an approach is a rupture from
the dominant piecemeal, sectorial, issue specific existing approach to data
protection writing in the USA.
In that country, the problem is certainly not a question of legal writing
know-how (there are so many lawyers, this cannot be a problem) but one of
real politics and legislative tradition. It is far easier to build enough
political pressure and consensus for a very particular solution to a very
specific data protection or privacy problem than for a comprehensive
universal generic solution.

Best regards.

-- P.P.

---------------------------------------------
Pierrot Peladeau
Vice President, R & D, PROGESTA Inc.
Editor/Redacteur en chef, PRIVACY FILES
P.O.Box/C.P. 42029 Station Jeanne Mance        tel : +1 (514) 990 2786
Montreal (Quebec) CANADA H2W 2T3               fax : +1 (514) 990 3085

------------------------------

Date: Fri, 23 Feb 96 10:03:49 -0500
From: John Robert LoVerso
Subject: Netscape Navigator 2.0 exposes user's browsing history

	[ From Risks-Forum Digest; Friday 23 February 1996; Vol. 17 : Issue 79 ]

While riding home this past Wednesday (on my accident free commuter-rail
line), I came up with an approach to utilize the JavaScript "feature" of
Netscape 2.0 to track a user's browsing actions. The tracking happens in
real time with the user's browser dutifully sending results back to a remote
server, starting from the time the user visits a page with the devious
JavaScript embedded in it. It can thus sniff any passwords or keys the user
might use in a URL.

My example version runs in a browser window that the user can see. I'm only
demonstrating the vulnerability. Practically, the window can be made so
small as to be invisible to the casual user. It also helps that a user isn't
even informed when the HTML page they just loaded has some JavaScript code
within it.

Think about Netscape's new JavaScript-laden home page. The default action on
startup of Netscape 2.0 is to go to that page. It could easily start off
tracking your browsing actions. With the new on-line frontier being driven
by advertising, the value of such a log is immense.
Of course, if Netscape really wanted to do something like this, they could
embed all sorts of things directly in their browser. Naturally they don't,
but this is something that people often clamor about (e.g., the recent
Microsoft Word and the never ending AOL controversies).

As it stands, with Netscape 2.0 you cannot disable JavaScript. You can
disable Java. This is an interesting choice on their part, since at least
there has been a significant effort on the part of many people to justify
Java's claim of security and safeness. Thousands of people have pored over
the code and specifications.

But, JavaScript and Java are totally different things. They share common
names and syntax, but they don't share implementations. One is a byte
compiled language executing in a restrictive state machine, the other is an
interpreted scripting language with vastly different properties. Compared
with the thousands of people who have looked at the source to Java, no one
has seen JavaScript. Its specifications are defined by the implementation,
which to date is solely Netscape 2.0. We're told it is "Secure. Cannot write
to hard disk", which is how Java is also described. Is there enough
commonality for such a comparison? It is hard to determine that a program is
safe or secure after studying it. It is impossible without.

My particular history tracker is the third (or fourth?) way to steal private
data from a user via JavaScript. It stands out as the first one that does it
in real time, reporting history as the user is browsing. In an interesting
bit of irony, as I was writing the code to exploit this hole, a news article
from someone at Netscape appeared noting how they had fixed 2.0 during the
"beta-test" period to avoid the latest of the history stealing approaches.

As it stands, JavaScript adds a viral element to HTML. I'm not sure why
Netscape doesn't ship JavaScript disabled by default or why they don't alarm
the user before it starts to execute, or opens up new windows.
Finally, it is interesting to note that the Netscape Navigator already has
the building blocks to block the execution of any JavaScript (or Java) code
that doesn't come digitally signed from some trusted source. This would help
provide a real safeguard against the types of attack downloaded code opens
up.

My JavaScript examples are at http://www.osf.org/~loverso/javascript/.

John Robert LoVerso
OSF Research Institute

Added note:

Did you ever try to teach someone the importance of keeping their ATM PIN
secret, only to find that they never lock the doors to their house?

A non-empty subset of the hosts who have visited my JavaScript "tracker"
page run an X server with no access control enabled.

	[ This is but the tip of the proverbial iceberg when it comes to
	  programs that may have the potential (either through bugs or
	  design) for the feeding of users' private data or action
	  histories back to remote network points without their
	  permission. More in future editions of the digest...

		-- PRIVACY Forum MODERATOR ]

------------------------------

Date: 15 Feb 1996 20:12:15 -0500
From: "Marc Rotenberg"
Subject: Federal Court Enjoins Internet "Indecency" Provision [From EPIC Alert]

	[ From EPIC Alert 3.04; February 16, 1996 ]

FLASH: Federal Court Enjoins Internet "Indecency" Provision -- ACLU, EPIC,
and Others Score Partial Victory in CDA Challenge

A federal judge in Philadelphia has issued a partial temporary restraining
order prohibiting enforcement of the "indecency" provision of the
Communications Decency Act (CDA). The judge declined to enjoin those
provisions of the Act dealing with "patently offensive" communications.

The court agreed with the plaintiffs' claim that the CDA will have a
chilling effect on free speech on the Internet and found that the CDA raises
"serious, substantial, difficult and doubtful questions." The court further
agreed that the CDA is "unconstitutionally vague" as to the prosecution for
indecency.
But the court left open the possibility that the government could prosecute
under the "patently offensive" provisions.

The court has recognized the critical problem with the CDA, which is the
attempt to apply the indecency standard to on-line communications.
Nonetheless, online speech remains at risk because of the sweeping nature of
the CDA.

The entry of the court order is a strong indication that the "indecency"
provision of the legislation that went into effect on February 8 will not
survive constitutional scrutiny by a three-judge panel that has been
impaneled in Philadelphia. The panel will fully evaluate the constitutional
validity of the legislation and consider entry of a permanent injunction
against enforcement of the new law.

The temporary restraining order (TRO) was issued in a lawsuit filed by the
Electronic Privacy Information Center (EPIC), the American Civil Liberties
Union and a broad coalition of organizations. EPIC is also participating as
co-counsel in the litigation. The court ruling comes in the wake of
widespread denunciation of the CDA, which was included in the
telecommunications reform bill signed into law last week.

According to EPIC Legal Counsel David Sobel, one of the attorneys
representing the coalition, "The court's decision is a partial victory for
free speech, but expression on the Internet remains at risk. This is
destined to become a landmark case that will determine the future of the
Internet." Looking ahead to proceedings before the three-judge panel, Sobel
said "we are optimistic that further litigation of this case will
demonstrate to the court that the CDA, in its entirety, does not pass
constitutional muster."

EPIC has maintained since its introduction in Congress that the ban on
"indecent" and "patently offensive" electronic speech is a clear violation
of the free speech and privacy rights of millions of Internet users.
Comprehensive information on the CDA lawsuit, including plaintiffs' brief in
support of the TRO, is available at:

     http://www.epic.org/free_speech/censorship/lawsuit/

	[ Any actions relating to the "patently offensive" material
	  portion of the bill are also now on hold, though depending on
	  the results of court decisions, prosecutions under both that
	  and the "indecent material" provisions could later extend back
	  retroactively to the date of the bill's signing.

		-- PRIVACY Forum MODERATOR ]

------------------------------

End of PRIVACY Forum Digest 05.05
************************