PRIVACY Forum Digest      Saturday, 20 July 1996      Volume 05 : Issue 14

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.

===== PRIVACY FORUM =====

-------------------------------------------------------------------
The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, "internetMCI" (a service of the Data Services Division of MCI Telecommunications Corporation), and Cisco Systems, Inc.
- - -
These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------

CONTENTS
    Personal rights violated? (Andrew J. Mesplay)
    Blocking Cookies (gozer@oro.net)
    Re: Protection and Parental Empowerment Act (Dick Mills)
    "Child Molester Database" on the Web (Dave Brown)
    Discussion Forum on Privacy on the Internet (Berliner Datenschutzbeauftragter)
    Lexis-Nexis Drops SSN Sales Plan (Marc Rotenberg)
    Calif. Caller ID News (Beth Givens)
    Mountain Dew beeper promotion for children (Phil Agre)
    Looking for examples where video surveillance is damaging... (Steve Mann)
    DENVER POST: "Student Database Called Orwellian" (Peter Marshall)
    Automation of Contagion Vigilance - Draft ready (David Stodolsky)
    Videosurveillance on streets in Amsterdam (ReindeR Rustema)
    Genetic Screening and Privacy (Pierrot Peladeau)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond.
The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com".

All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive.

All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access.
-----------------------------------------------------------------------------

VOLUME 05, ISSUE 14

Quote for the day:

    "I promised I'd put her in the film--somewhere."

        -- Woody Allen
           "What's Up Tiger Lily?" (1966)

----------------------------------------------------------------------

Date: Sat, 15 Jun 1996 06:46:25 -0800
From: "Andrew J. Mesplay"
Subject: personal rights violated?

I have recently joined a group of people in Anchorage Alaska who call themselves the (A)nchorage (C)hauffeur's (A)ssociation. We have many issues that we want to cover, one being drug testing in the workplace. We are uniquely subject to this law -- Title 11 -- which demands that we deliver a sample of urine for testing no later than two hours after being notified that we have been selected for testing. Often people are called at home. In other cases, as in my own, people have been selected simply because we were at the office of the (D)epartment (O)f (T)ransportation for other reasons.

We of the A.C.A. feel that the measures that D.O.T. is taking to enforce this section of Title 11 are flagrantly unfair. Are our rights being violated? What can we do now that we have organized? How can we get representation?

Thanks:
Taxi Driver

[ It isn't clear to me whether your concern is with the *presence* of drug testing in your environment, or strictly with the *manner* in which it has been implemented. I am not in favor of blanket drug testing of populations in non-safety-critical employment, and there are obvious concerns about test accuracies as well. However, many persons in the transportation industry are in unique positions given the trust we place in their hands when we board taxis, buses, planes, trains, etc. It seems inevitable that drug testing will continue to play a necessary role in that industry.
About the best we can do is attempt to ensure that such tests, when conducted, are performed fairly and accurately, with a clear understanding that there *will* be errors and that people's lives must not be destroyed by a single positive test result. And we *must* ensure that the tested populations be defined in the narrowest necessary terms, and not permit "proliferation" to occur into other areas of employment and life where such testing can rapidly turn into a fishing expedition, not a true safety issue.

-- MODERATOR ]

------------------------------

Date: Sat, 15 Jun 1996 18:11:18 -0700 (PDT)
From: Runs With Scissors
Subject: Blocking Cookies

In Volume 05 : Issue 12, hgoldste@bbs.mpcs.com (Howard Goldstein) wrote:

> One of the new features, a security feature strangely categorized as a
> 'network' feature, queries the user before allowing "cookies" to be set.
> I was surprised to find that every night for the last two weeks after
> enabling this I've been handed a "cookie" by a site I never knowingly
> visited, at http://ad.doubleclick.net .

A company called "PrivNet" (http://www.privnet.com) has a product called "Internet Fast Forward" which can selectively block and/or allow cookies. It is currently in beta and works only with Netscape under a couple of flavors of MS Windows. It is available from the web site free right now. It also blocks advertisements.

I am a beta tester but am not otherwise associated with the company.

------------------------------

Date: Mon, 17 Jun 1996 09:18:18 -0400
From: rj.mills@pti-us.com (Dick Mills)
Subject: Re: Protection and Parental Empowerment Act

In PRIVACY FORUM 05:12, Mary Ann Davidson wrote:

>I believe it is a worthy goal to protect the privacy of *all* demographic
>information and limit resale by direct marketers, but to propose a bill like
>this on the grounds that children are 'more valuable' or 'more in need of
>protection' is spurious to other groups (i.e.
>all the rest of us) who can make
>similar claims of potential endangerment and violation of privacy. Either we
>all warrant this sort of legislative protection, or none do.

Please rethink that "worthy goal" Ms. Davidson. Would you make it illegal to resell the "secret" that Florida has more than its share of elderly, or that America is predominantly populated by Americans?

I too consider myself a privacy advocate. Direct marketers may be our natural adversaries, but they have a right to exist and to do direct marketing. Our goal shouldn't be to exterminate them but rather to maintain a balance of power, and a core of inalienable privacy rights, while promoting the free flow of information.

These goals are lofty, but they can be contradictory. Even I can't tell you the precise definition of these goals I hold dear. We should use utmost caution before advocating any kind of legislation.

--
Dick Mills                 +1(518)395-5154
O-                         http://www.pti-us.com
AKA dmills@albany.net      http://www.albany.net/~dmills

------------------------------

Date: Sat, 15 Jun 1996 04:39:51 -0400 (EDT)
From: Dave Brown
Subject: "Child Molester Database" on the Web

[ From Risks-Forum Digest; Volume 18 : Issue 21 -- MODERATOR ]

Great World Internet Services has announced (in an off-topic posting to a newsgroup I read, incidentally) that it is keeping an on-line database of known child molesters at http://www.greatworld.com/public/--presumably for someone's information.

Apart from the fact that the alleged molesters are organized by name and not by location, there is a rather alarming touch. The site invites people to add their own molesters. What a wonderful way of anonymously slandering someone.

Great World's disclaimer states that "The responsibility for accuracy relies entirely with the persons posting the information." In other words, they come right out and say that their information cannot be trusted.

They also maintain a list of "crooked cops"--presumably also for someone's information.
Given their information-gathering methods, however, both the list of crooked cops and child molesters are highly suspect, to say nothing of being serious privacy concerns.

--Dave

------------------------------

Date: Tue, 25 Jun 1996 10:51:31 -0700
From: Berliner Datenschutzbeauftragter
Subject: Discussion Forum on Privacy on the Internet

The International Working Group on Data Protection in Telecommunications is currently working on Data Protection and Privacy on the Internet. The Group was founded in 1983 and has been initiated by Data Protection Commissioners from different countries in order to improve Data Protection and Privacy in Telecommunications. The Secretariat of the Group is located at the Berlin Data Protection Commissioner's Office, Berlin, Germany.

At its spring meeting 1996 in Budapest the Group has agreed on a Draft Report and Guidance on Data Protection on the Internet. It was agreed to publish the Report on the Net in order to receive comments from the network community.

The Secretariat of the Working Group has initiated a discussion forum located at the WWW-Server of the Berlin Data Protection Commissioner (http://www.datenschutz-berlin.de/diskus/). The comments received will be published on the server.

We are looking forward to your comments on the report.

Yours sincerely,
Hansjürgen Garstka
(Chairman of the Group)

------------------------------

Date: 25 Jun 1996 09:33:18 -0500
From: "Marc Rotenberg"
Subject: Lexis-Nexis Drops SSN Sales Plan

[ From EPIC Alert 3.12 -- MODERATOR ]

Following a C|NET report and an EPIC post that Lexis-Nexis is selling personal data on millions of Americans, the company announced it would stop disseminating Social Security numbers in its "P-TRAK" service.

The plan had raised concerns about privacy and security, particularly among organizations that use the SSN as a quasi-authenticator. The Social Security Administration expressed support for the decision to drop the disclosure of SSNs.
The Lexis-Nexis decision is the most recent instance in a recent string of cases where commercial developers have backed off plans to sell personal data following consumer objection. Recently, Yahoo dropped plans to make unlisted phone numbers available on-line, and Marketry dumped a plan to sell email addresses gathered from newsgroups.

More information about the Lexis-Nexis decision is available at:

    http://www.cnet.com/Content/News/Files/0,16,1527,00.html
    http://www.cnet.com/Content/News/Files/0,16,1539,00.html

[ "Unlisted" (non-published) numbers are a complex area. All that the "unlisted" designation really does in most cases is indicate that you don't want your number published in the telco phone books or available through telco-delivered directory assistance. However, name/number information is distributed by telcos (in fact, in many cases they're required to do so) to other entities involved in providing telephone and related services (an ever-expanding list), and of course your number may be collected from other sources (forms, purchases, etc.) and placed in other non-telco databases. Most likely the Yahoo plan involved these latter types of "commercial", non-telco origin databases. There are no laws that I know of that protect phone numbers in any general sense.

-- MODERATOR ]

------------------------------

Date: Thu, 27 Jun 1996 18:51:13 -0700 (PDT)
From: Beth Givens
Subject: Calif. Caller ID News

CALLER ID: THE CASE FOR CONSUMER EDUCATION
by Beth Givens, Privacy Rights Clearinghouse

The introduction of Caller ID to California has been an enlightening study in what happens when consumers are given adequate information to make meaningful decisions about safeguarding their privacy.

The California Public Utilities Commission (CPUC) has mandated that the local phone companies educate consumers about the privacy implications of Caller ID.
The CPUC has also required that the phone companies make both Complete and Selective Blocking available to consumers at no charge (called Per Line and Per Call Blocking in other states).

Since March 1996, radio and TV spots as well as full-page newspaper ads have repeatedly told California consumers that Caller ID is coming in June 1996, that free blocking options are available, and that consumers can call an 800 number to choose either Complete or Selective Blocking. Bill inserts regarding Caller ID Blocking have appeared in customers' monthly phone bills. Consumer organizations have been funded to educate hard-to-reach populations. Information about blocking options has been made available in 21 languages.

The results? The customer service phone lines of Pacific Bell and GTE (California's major local phone companies) have been flooded with calls. Both companies have had to hire more staff to handle the volume. And now, the California Public Utilities Commission and the Federal Communications Commission have agreed to allow Pacific Bell and GTE to delay the implementation of Caller ID in order to catch up with the onslaught. The delay will allow the phone companies to send confirmation letters to all phone customers indicating which blocking option they have selected, or been assigned by default (a CPUC requirement), and will enable the phone companies to have all their switches ready.

A recent survey of Californians found that 74% of those polled knew about Caller ID and that 67% were aware there is a way to prevent the delivery of their phone number to the called party. This is a phenomenal rate of awareness for a three-month public education campaign. Unofficial sources indicate that about 50% of households are expected to have chosen the Complete Blocking (Per Line) option, in other words, maximum privacy protection.

The moral of the story? The CPUC's three-part strategy has been an effective way to mitigate the privacy impacts of a new technology.
That strategy is outlined as follows: Step one is to conduct a privacy impact assessment of the technology (which the CPUC did in the early 1990s). The second step is to require the entity which introduces the technology to build in privacy protection mechanisms (in the case of Caller ID, these are Complete and Selective Blocking). The third step is to require that extensive consumer education be provided to consumers to explain the privacy implications of the technology and alert them to what they can do to protect their privacy.

It should be pointed out that the CPUC insisted that the educational "message" which the phone companies impart be truly educational, and not a marketing pitch. The phone companies were not allowed to offer Caller ID until their plans were approved by the CPUC. The CPUC gathered together a team of consumer advocates who reviewed phone company plans and educational materials. It also hired an outside evaluator, Professor Brenda Dervin, an expert in public communication campaigns from Ohio State University's Department of Communication, to critique Pacific Bell's education plan. Many of these individuals' suggestions were incorporated into the education campaign.

The dark cloud on the horizon of this relatively sunny scene has been the Federal Communications Commission (FCC). The California Public Utilities Commission had originally required the phone companies to automatically provide Complete Blocking to all households with unlisted/unpublished numbers -- about 50% of California households. The CPUC reasoned that since these households were already paying a monthly fee to keep their phone numbers private, they would no doubt want the Complete Blocking option and should therefore not have to expressly request it. But the FCC pre-empted the CPUC and established the weaker privacy measure, Selective Blocking, as the nationwide blocking standard. (Selective Blocking is called Per Call Blocking in other states.
Callers must enter *67 before dialing each and every call in which number blocking is desired.) Court rulings upheld the FCC's position.

The FCC's decision is unfortunate. The California Public Utilities Commission had undergone an exhaustive technology assessment process, spanning several years. The CPUC's analysis took into account the unique nature of California -- for example, the fact that the state has the highest percentage of unpublished numbers in the country, and that the California constitution has an exceptionally strong right-to-privacy clause. The FCC's rather weak argument, that Caller ID with a Per Call Blocking standard is good for the economy, has prevailed over a much stronger body of evidence.

In the absence of honoring California's technology assessment process, the FCC would do well to study the state's consumer awareness campaign and its successful results. California has demonstrated that a proactive consumer awareness campaign can go a long way to lessen the potentially harmful effects of a new technology.

There have been a couple interesting sidelights to California's Caller ID awareness campaign. The first involves the public's massive response to the consumer awareness campaign and the apparent inability of Pacific Bell to cope with the flood of requests for Complete Blocking. Many consumers who had requested the maximum blocking option received letters from the phone company stating erroneously that they had opted for Selective Blocking, the weaker measure. Confusion reigned. As a result, Pacific Bell decided to delay its Caller ID implementation date until the matter is cleared up.

The second sidelight involves 800 and 900 numbers. The Caller ID educational materials have pointed out that blocking does not work with 800 and 900 numbers because a different technology, called Automatic Number Identification (ANI), is involved. Most consumers are not aware that when they call 800 numbers, they are transmitting their own phone numbers.
Many contacted the phone company, CPUC, Privacy Rights Clearinghouse and other consumer organizations to indicate their outrage about ANI and to express frustration at not being able to block their phone numbers on those calls.

This only goes to underscore a point made earlier: Consumer education works. When consumers are given adequate information about the privacy implications of a technology, they take action. Let's hope that what California has learned from this unprecedented consumer awareness campaign is applied to other situations where communications technologies have the potential to threaten personal privacy.

Beth Givens                        Voice: 619-260-4160
Project Director                   Fax: 619-298-5681
Privacy Rights Clearinghouse       Hotline (Calif. only):
Center for Public Interest Law        800-773-7748
University of San Diego               619-298-3396 (elsewhere)
5998 Alcala Park                   e-mail: bgivens@acusd.edu
San Diego, CA 92110                http://www.acusd.edu/~prc

[ As I've mentioned in the past, the issues surrounding "caller-ID" (or more properly "ANI") as it relates to 800 numbers are somewhat complicated, since they are essentially collect calls and can be (and often are) subjected to (expensive) abuse by callers. There are some possible middle-grounds for enhancing caller privacy and still protecting the entities paying for the 800 (and now, 888) numbers, but this is an area where more study is required.

-- MODERATOR ]

------------------------------

Date: Sun, 30 Jun 1996 18:35:19 -0700 (PDT)
From: Phil Agre
Subject: Mountain Dew beeper promotion for children

The 6/27/96 New York Times (advertising column, in the business section, by David Barboza) reports that Pepsico is rolling out a new promotion aimed at young drinkers of the heavily caffeinated soda Mountain Dew. If they send in 10 proofs of purchase and $30 plus shipping, they get a beeper and six months of free air time.
The catch is that each beeper owner will be paged weekly and invited to call a toll free phone number that will describe a contest and advertise Mountain Dew. Advocates for children are reported as being very upset indeed; the marketers are reported as being very pleased at this "ultimate in one-on-one marketing". I particularly enjoyed one Mountain Dew marketer's attempt to reframe the issue this way: "We're not using the beepers as an intrusive device to advertise to consumers. We're allowing them to enter a world with a brand that fits their life style." The "world", by the way, is called the Mountain Dew Extreme Network.

I have to say that this article supplied my full weekly requirement for mixed horror and fascination. It's brilliant. On one level it's just an extension of advertiser-supported media to a medium that had been overlooked. One could imagine a stock broker subsidizing investors' pagers and paging them weekly with a stock tip, for example. But it's young people that Mountain Dew is after, and the article makes no mention of restrictions on minors getting ahold of commonly used drug-dealing equipment without their parents' consent.

It's also important to see just how rudimentary the Mountain Dew scheme is, compared to the fully elaborated model of one-to-one (not "one-on-one") marketing that one finds in the marketing literature. The next step might be to personalize interactions through the beepers based on demographic information and purchase histories. If the beepers could be tracked like cellular phones, and if Mountain Dew made it a condition of the offer that they be allowed access to the tracking data, then all sorts of excellent tailoring of marketing messages would be possible. Several companies, or one large company marketing many products to similar market segments, could team up to subsidize the pager together, programming their marketing messages based on models of consumer behavior and information on specific consumers.
I can't say that I'd be impressed with a grown-up who would sign up for such a thing, but I can't say that I'd feel right about stopping them either. Children, however, are another matter.

Phil Agre

------------------------------

Date: Wed, 3 Jul 1996 03:38:50 -0400
From: Steve Mann
Subject: Looking for examples where video surveillance is damaging...

I'm looking for examples where video surveillance has been found to be damaging to health or the like, either specific studies or specific examples (e.g. such as perhaps where a corrupt security guard stalked a victim using surveillance, or the very real use of "traffic" cameras in China to round up and detain or execute activists), and examples where illegal surveillance or questionable surveillance has been encountered (e.g. women's change room at Holy Cross hospital and Sheraton employee changerooms).

Video surveillance cameras are presented as "public safety" devices, but I'm looking for at least a few examples where they have caused deaths, or at least had undesirable health effects.

Mere "privacy" seems to be a weak argument when talking to anyone involved in the surveillance industry, but if for example, those responsible for installing a network of surveillance cameras could be legally held accountable for any damage caused by their system, it might make them more carefully balance the benefits versus the costs to society.

The example that comes to mind is the 200 or so cameras the government's installing in Baltimore to keep a close watch on citizens' activities. The problem here, of course, is that by appealing to legal arguments, we're asking government to stop itself (maybe there's some other argument we can appeal to --- I'd welcome some input).

Please email me specific examples, with indication as to whether or not it is fine to disclose the example.
I'm trying to put together a video privacy WWW page, and also results would be distributed to the video-privacy mailing list (email video-privacy-request to join).

Email examples/incidents, etc to: steve@media.mit.edu

[ Here in Los Angeles, some questions have been raised about the large numbers of remote cameras that have been installed along freeways and especially at surface street intersections in the vicinity of freeways, usually on very high mountings. The official word is that these are all for traffic flow analysis related to the freeways and the surrounding environs, not for general law enforcement.

But there are indeed areas in L.A., and elsewhere in the country, where segments of the populace are actively lobbying for the installation of law enforcement cameras, ostensibly for control of drug sales, prostitution, and related activities. In one case, merchants put up signs announcing that the entire area was under surveillance with video cameras, and were outraged when the press reported that the camcorders that were going to be used for this purpose (by the merchants) hadn't been funded or installed yet. The merchants claimed that the mere presence of the signs had cut down on local crime...

-- MODERATOR ]

------------------------------

Date: Thu, 4 Jul 1996 11:24:04 -0700 (PDT)
From: Peter Marshall
Subject: DENVER POST: "Student Database Called Orwellian"

Student database called Orwellian
Colo. plan a threat to privacy, critics say
Janet Bingham, Denver Post Education Writer
06/30/96 Denver Post A-01 (Copyright 1996)

[ Distributed with permission of THE DENVER POST; www.denverpost.com -- MODERATOR ]

Imagine a researcher punching a button on a computer and pulling up most of your child's school history without your consent - schools attended, disciplinary records, physical or emotional disabilities and more.
It could happen under proposals before the Colorado Board of Education that for the first time would centralize certain information about Colorado's 656,000 public school students. Districts would furnish the information via the Internet to the education department, accompanied by student name and Social Security or other identifying number.

[....]

Colorado is among a growing number of states that are creating electronic networks for student records. Both critics and advocates foresee the evolution of a national network that would allow electronic exchange of records among schools, social services, health and law enforcement agencies, colleges, the military and even employers.

But some fear that even the embryonic system being proposed in Colorado could threaten privacy; they say legal loopholes open the possibility that personal information could be collected and shared without the consent of students and their parents.

"Brick by innocent brick, the edifice of lifelong electronic student dossiers is being constructed without any recognition by the general public of what is being done," wrote Gordon Cook, a New Jersey-based privacy advocate, in a recent report. Cook publishes a newsletter and reports on privacy issues on the Internet.

"Privacy issues are debated politely from the sidelines," Cook wrote, "while the technology juggernaut moves inexorably forward as children entering kindergarten are asked for their Social Security numbers."

[....]

Others remain wary: "I'm an advocate of data banks and using the power of technology to work through a lot of the paper shuffling we used to do," said Dick Weber, head of the Colorado Association of School Executives.

"But there's a limit here. When it moves to individualizing and centralizing personal data by name and Social Security number, I have a problem with that," he said.
"When you start tracking people from district to district or place to place, you have a point of intrusion into people's lives that I would have difficulty with. ... It starts to smack of Orwell a little too much."

[....]

Information would include emotional, physical or mental disorders that result in a child's placement in special education programs; participation in gifted and talented or remedial programs; expulsion and suspension history; type of school attended; transfer to or from a private school or home school; residence in mental health, correctional or detention facilities; or other factors indicating whether a student attends his normal district school.

The names and identification numbers would allow a central computer to track individual students from year to year, from school to school and from district to district.

[....]

State board of education member Patti Johnson doesn't oppose letting districts send statistical summaries electronically to the department. But she said that can be done without including student identification. She would let schools send student records electronically to other schools - but only with family consent.

"Individual data should not be released outside the building unless the student or parent requests it," said Johnson, who is a parent.

[....]

Individual student records are protected under federal privacy laws and cannot be made available to the public without parental consent. But a student's disciplinary records may now be shared with officials in other educational institutions without parental notification.

And critics noted that privacy laws already permit other exceptions: School records can be disclosed without parental consent to school accrediting agencies and organizations "conducting studies on behalf of education agencies or institutions."
The records can also be released without consent to another school, school district or postsecondary institution where the student was enrolled or intends to enroll; agencies in the state's juvenile justice system; "authorized representatives" of the U.S. comptroller general, the U.S. secretary of education and the state department of education; and state education officials "with a legitimate educational interest in the records."

Critics say that list can be broadly interpreted. But the state board could adopt its own, more restrictive policy, Johnson said.

Information has historically been difficult to collect because it was scattered and reports weren't standardized, so large-scale breaches of privacy were rare.

"The more people who have access to such information, the more chances for breaches of confidentiality," Johnson said.

Even the consulting firm that recommended a centralized data system for Colorado and several other states acknowledges that the growing practice of using Social Security numbers to identify students poses a danger.

There is "the potential for developing a database that contains massive amounts of information, making individuals subject to computerized matches and searches without their awareness or consent," said the report from CTMG Inc.

A parent cannot legally be required to give a student's Social Security number; the state would have to come up with an alternate identification number for those who decline.

[....]

But Weber warns of letting students "be dogged by an electronic pit bull" - a record that follows them forever and may limit their ability to start over in a new environment.

In Seattle, privacy advocate Janeane Dubuar worries about where student information ends up. In that state, she said, high school graduates from 36 school districts are being tracked into college, the military and the workplace - without their consent - using Social Security numbers.
Dubuar, a member of the Seattle Chapter of Computer Professionals for Social Responsibility, also points to an incident in Kennewick, Wash. Behavioral information on 4,000 children was sent, with names, to a psychiatric care center that contracted with the district to screen for "at-risk" students who might benefit from its programs. The data, she said, was sent without parents' knowledge.

Colorado board member Johnson wants to make sure similar things can't happen here.

"If Colorado is to be in the forefront of computerized data exchange in order to streamline the process of budgeting and reporting, it must also be in the forefront of concerns about our right to privacy."

------------------------------

Date: Thu, 4 Jul 1996 23:27:13 +0200
From: DavidS@dk-online.dk (David Stodolsky)
Subject: Automation of Contagion Vigilance - Draft ready

I now have ready a prepublication draft of "Automation of Contagion Vigilance", which will appear in Methods of Information in Medicine. The paper is directed toward the AIDS problem, but the approach is also applicable to computer viruses and other contagion type processes.

Requests for the latest version go to: DavidS@dk-online.dk

dss

-------

Automation of Contagion Vigilance

David Stodolsky
DavidS@dk-online.dk

Abstract

The very long latency between HIV infection and the appearance of AIDS imposes extensive information processing requirements on partner notification efforts. The apparently contradictory needs of maintaining the right to privacy of infected persons, while simultaneously providing information to persons at risk of infection, impose severe security requirements. These requirements can be satisfied by a Contagion Management System based upon networked personal computers of a kind now becoming available. Security of information is based upon cryptographic protocols that implement anonymous partner notification (contact tracing) and privacy preserving negotiation.
The proposed scheme has the following properties: (a) Contact tracing is automated, (b) contacts remain anonymous, (c) sensitive information is kept private, and (d) risk-conscious users act as if sensitive information was public. Optimal health protection can thus be obtained while securing informational rights.

Here are main and sub headings for the files with page numbers (double spaced lines):

1) Automation of Contagion Vigilance

   Document Structure 4
   Definitions 5
   Individual Rights and Public Health 8
   Partner Notification using Distributed Databases 10
   Classes of Transmissible Agents 11
   Informational agents demanding attention 11
   Informational agents processible by machine 12
   Communicating Diagnostic Information 13
   Anonymous partner notification 13
   Secure partner notification 17
   Secure and anonymous partner notification 19
   Possible Application Development 23
   Rationale and Summary 25

2) Appendix: Privacy Preserving Negotiation.

   Conditional Privacy 1
   Single Stage Models 2
   An ideal physical model 3
   Asymptotically secure models 3
   Amount of information released 4
   Protocol implementation. 5
   A Multistage Model 6
   Risk of Compromise 10

------------------------------

Date: Mon, 8 Jul 1996 21:42:51 +0200
From: rrr@dds.nl (ReindeR Rustema)
Subject: Videosurveillance on streets in Amsterdam

A new phenomenon has just been discovered by the police. In the Red Light District in Amsterdam, the Netherlands, the owners of the prostitutes' windows have installed a network of video surveillance cameras pointed at the street.

Recently the police decided to do a large scale raid in a certain street because of suspected hard-drugs wholesale, traffic in and abuse of foreign (illegal) women etc. Too bad for the authorities but the arrival of the police force had been on the video monitors of the pimps, criminals and drug dealers minutes in advance.

Potentially threatening for the privacy of passers-by, this isn't much of an issue. The criminals can't make money with that.
(Wholesale in hard drugs and traffic in women is much more profitable as long as drugs and prostitution are illegal). The authorities can't do much against these cameras besides taxing them.

The Privacy Chamber in our country reacted that the law requires that the public should be warned against surveillance cameras. The cameras will stay, they'll just get a warning sign next to it like you see them in supermarkets.

ReindeR

(BTW. this criminal square kilometre in downtown Amsterdam is not particularly unsafe. It attracts thousands of tourists each week. It's in the self interest of the criminals to keep it quiet so the police won't be given a reason to turn their businesses inside out. That's why the cameras are there.)

------------------------------

Date: Thu, 11 Jul 1996 11:22:19 -0400 (EDT)
From: Pierrot Peladeau
Subject: Genetic Screening and Privacy

In the June 15 issue of Privacy Forum Digest (vol. 5, #12) Phil Agre comments on a London Sunday Times article entitled "Mass screening for 'delinquency' gene planned". He concludes:

"The privacy issue here concerns labeling. Someone who has been diagnosed as possessing certain genetic traits is at risk of being stereotyped as a potential aggressor (or whatever the gene is supposed to code for) even if no such traits have been exhibited. Such a diagnosis could easily stigmatize a person for life."

The danger is even greater since the vast majority of physical illnesses (not to mention behavioral problems) are polygenic and multifactorial. This means that neither genes nor environment nor behaviors cause disease, i.e. a study of a particular genetic (or environmental or behavioral) agent cannot hope to reveal the cause of the prevalent cases of a disease. Also, full knowledge about an individual's genetic make-up will not be adequate to explain the onset, progression, or severity of disease. Each case is the consequence of interactions between a particular combination of genetic and environmental agents.
Only in very rare illnesses affecting very small portions of the population is there any direct link between a single gene and an illness.

Let's take atherosclerosis, a very common disease. In the US, 600,000 died from it in 1990 with more than 6 million with symptoms. The vast majority of US citizens are likely to carry one of the suspected genes. There are as many as 200 identified genes (whose locations are known) that are candidates as susceptibility genes. But there are a lot of other factors like smoking, exercise, stress that also play a great role, in fact often a greater role. So, a person could have many of the identified genes and never develop the illness (or likely to develop the illness at the age of 120, which makes no difference in practice). Conversely, a person having few of those genes but living in a bad environment with inappropriate habits could develop atherosclerosis.

If this is true of most physical illnesses, imagine what it is about psychological or behavioral inadequacies.

So, from completely false assumptions of the relations between genes and illnesses, bureaucracies could begin, not only to stigmatize, but also discriminate and interfere with people's lives. For instance, knowing that a person has susceptibility genes to atherosclerosis, health care insurers could require a control over this person's habits or environment or else they would not cover care expenses. Since we are ALL carriers of genes for some polygenic disease, this kind of logic could affect every one of us, not only small minorities. The danger is even greater when we speak of behavioral inadequacies in which the State, the school system and employers also have a stake.

It is important to criticize those schemes at their roots, which is a profound misunderstanding of the complexity of the reality of polygenic and multifactorial diseases. So the privacy issue is not only labeling which is only a starting point.
The issues are also about social control, public and individual knowledge about one's genetic profile and thus autonomous and/or heteronomous control over one's life.

The case reported by Phil Agre showed that magical thinking in the use of some technology has taken the upper hand over understanding the complexity of delinquency. This helps in making "nature" responsible for the problem instead of the political, social and economical authorities that do have a responsibility on the "environmental" side of the "disease".

[I borrowed the medical knowledge from the works of Charles F. Sing of the University of Michigan Medical School he presented at some seminars of a research project on the complexity of the ethical, legal and social issues related to polygenic and multifactorial disease in which I participated as a privacy expert.]

____________________________________________________________________________
Pierrot Peladeau
Vice President, R & D, PROGESTA Inc.
Redacteur en chef/Editor, PRIVACY FILES
C.P./PO Box 42029 Succursale Jeanne Mance    tel : +1 (514) 990 2786
Montreal (Quebec) CANADA H2W 2T3             fax : +1 (514) 990 3085

------------------------------

End of PRIVACY Forum Digest 05.14
************************