PRIVACY Forum Digest Thursday, 12 June 1997 Volume 06 : Issue 08 Moderated by Lauren Weinstein (lauren@vortex.com) Vortex Technology, Woodland Hills, CA, U.S.A. ===== PRIVACY FORUM ===== ------------------------------------------------------------------- The PRIVACY Forum is supported in part by the ACM (Association for Computing) Committee on Computers and Public Policy, "internetMCI" (a service of the Data Services Division of MCI Telecommunications Corporation), and Cisco Systems, Inc. - - - These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum. ------------------------------------------------------------------- ********************************************* * PRIVACY Forum Five Year Anniversary Issue * ********************************************* CONTENTS Texas Drivers in the Privacy Pothole (Lauren Weinstein; PRIVACY Forum Moderator) Big Brother Under the Hood? (Lauren Weinstein; PRIVACY Forum Moderator) FTC Hearings Spur "Coincidental" Interest in Privacy (Lauren Weinstein; PRIVACY Forum Moderator) Hygiene Guard (Phil Agre) Government Database Access Now Issue in Japan (James Love) Wells Fargo & privacy: selling CC usage (Dan Ellis) Survey says "Censor! (Brock N. Meeks) Maine Bill Seeks to Limit Social Security Number Access (Monty Solomon) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access. ----------------------------------------------------------------------------- VOLUME 06, ISSUE 08 Quote for the day: "I don't do requests." -- Ben Richards (Arnold Schwarzenegger) "The Running Man" (TriStar; 1987) ---------------------------------------------------------------------- Date: Wed, 11 Jun 97 14:39 PDT From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Texas Drivers in the Privacy Pothole Greetings. In yet another example of "public record" data running amok, drivers in Texas will no doubt be pleased to learn that their names, addresses, birthdays, license plate numbers, and a variety of other data, are now publicly available on the Internet. And of course, broad searching capabilities based on a variety of criteria are included! No longer need the potential thief follow that luxury vehicle all the way back to a residence. No need for the sickie who harasses young women to follow his next lovely target all the way home. And that guy you accidently cut off on the freeway? He may not have bothered you at the time, but he can come by to "visit" you later, perhaps in the middle of the night while you're sleeping. Use your imagination for more interesting scenarios. Yes, thanks to database lookups, all of these folks could apparently just copy down your license number, then look up the address and other info at their leisure. Now, that's progress! It's not clear who bears the most blame regarding the availability of this data: the state of Texas, for considering this information to be public record, or Public Link Corp. of Dallas (www.publiclink.com), for putting it on the net as a "public service" (with more to come, we're promised). While theoretically Public Link restricts access to this database to persons with a Texas driver's license (a license number is needed to establish an access "account"), procedures for reading the information directly via web URLs, bypassing the login procedures, have already been widely disseminated around the net, along with suggested "famous Texans" for lookup. And of course, account information for accessing the database via normal login is also circulating widely. When public record data just sat on index cards in the back room of the Hooterville courthouse, it represented a minimal threat to personal privacy. But as municipalities now try to convert their databases into profit centers, that same data is becoming one of the most potent threats to individual privacy, and in some cases personal safety as well. --Lauren-- Moderator, PRIVACY Forum www.vortex.com ------------------------------ Date: Wed, 11 Jun 97 14:50 PDT From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Big Brother Under the Hood? It appears that we may now be poised on the brink of yet another automotive privacy pit. We've seen comments in the past about the range of privacy problems related to many automated toll collection systems, and about "traffic control" cameras that seem to spend an awful lot of their time pointed at other than traffic. But now come calls for airline-style "black boxes" to be installed in new cars, ostensibly in conjunction with airbags for "deployment data collection". The idea is to gather information on vehicle speeds and "other parameters" at time of impact, to better assess airbag effectiveness and problems. Those other parameters would apparently include data such as vehicle speed, whether or not occupants were wearing seatbelts, and so on. It doesn't take a great deal of imagination to visualize the next step in this particular technological chain, since there appear to be no legal restrictions on how data collected by such systems might be used. Will we next be faced with automatic reporting of vehicle speeds to roadside transponders? Or systems that automatically record "unsafe" driving practices for later readout and action? Few persons are aware that some cars on the road *already* include systems that record some of these very parameters. In fact, a current lawsuit involves an accident where the driver claims she was wearing a seatbelt at the time, but the car's black box is calling her a liar. Regardless of how one feels about promoting safer driving, do we really want to head down this particular road? If it works in the car, how about in the workplace? Or at home? As the old proverb says, the road to Hell may indeed be paved with good intentions, especially in this arena. --Lauren-- Moderator, PRIVACY Forum www.vortex.com ------------------------------ Date: Wed, 11 Jun 97 15:04 PDT From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: FTC Hearings Spur "Coincidental" Interest in Privacy OK, call me skeptical if you want. But do you find it just a wee bit suspicious that as Federal Trade Commission hearings on privacy issues get underway, we're treated to a flurry of press releases from organizations suddenly pledging their dedicated concern to individual privacy issues? First it was our old friend Lexus-Nexus, along with a number of their fellow information database service providers (not all of them, of course!). Now it's arch-rivals Netscape and Microsoft, promising nifty new software to allow web users to "control" how their personal information is gathered and used (only applicable amongst participating sites, one must assume). Could it be that these formidable enterprises are concerned that maybe, perhaps, finally, we're on the verge of taking the first baby steps towards establishing in law individual rights to control personal information? So suddenly they all come rushing out with their "the industry can police itself" arguments and pleadings, as if the entire "industry" were all one big happy family who all voluntarily followed the same rules for the public good? Almost any industry moves to improve the abominable situation regarding personal information abuse would be welcomed. But they cannot by any stretch of the imagination be considered to be a substitute for legislative actions to establish uniform standards, in federal law, that would give individuals reasonable rights to control the information they provide in the course of business and other transactions. It would be dead wrong to let industry pronouncements sidetrack or otherwise derail these hearings, studies, and particularly legislative efforts, which are crucial to helping assure that the early 21st century doesn't become a 20-year delayed version of "1984". --Lauren-- Moderator, PRIVACY Forum www.vortex.com ------------------------------ Date: Wed, 21 May 1997 07:39:12 -0700 (PDT) From: Phil Agre Subject: Hygiene Guard I'm not sure whether to report this one to Privacy Forum or Dave Barry. The 5/20/97 Wall Street Journal (page B1) brings news of a new product called Hygiene Guard. The article describes it like so: Employees wear a credit-card size badge. When entering the bathroom, a device mounted on the ceiling sends a signal to the badge and it begins to blink. To stop the blinking, the employee must pump the soap dispenser, which is wired with sensors, and then stand in front of the sink for at least 15 seconds. ... NetTech acknowledges there's no way the system can tell whether actual washing occurs -- or even whether the water is on or soap is in the dispenser. As long as the sequence is completed, the badge is cleared. If not, an infraction is logged in a central computer. The system also tips bosses to miscreants who don't enter the lavatory all day, or who use it too much. Although it's hard to take this system very seriously, it is only one of a vast number of systems being developed to track human behavior. We usually think of tracking as something very centralized, since it calls to mind metaphors of the secret police. I think it's more accurate to see tracking technologies as species that are adapted to a huge diversity of niches in the ecosystem of technology, architecture, and power relations. A machine that tracks how often someone is using the bathroom is no joke in a world where people are quite routinely compelled to defile themselves on assembly lines because the management won't let them go to the bathroom for another three hours. Phil Agre [ It certainly could be argued that if systems such as the one described were in widespread use, restroom privacy would be all washed up. -- MODERATOR ] ------------------------------ Date: Fri, 30 May 1997 13:36:44 -0400 (EDT) From: James Love Subject: Government Database Access Now Issue in Japan Last August, Kazuaki Okabe invited me to visit several cities in Japan, to discuss citizen efforts to obtain access to government databases. This is Okabe's report of the new citizens movement to obtain access to government databases in Japan. James Love | http://www.cptech.org ---------- Forwarded message ---------- Date: Mon, 26 May 1997 05:34:49 -0400 (EDT) From: Kazuaki Okabe To: Multiple recipients of list Subject: Government Database Access Now Issue in Japan "Why do we have to pay 450,000yen ($4,000) for a directory of high ranking government officials?" the argument started. Someone in the mailing list found the outrageous price for a CD-ROM containing addresses and phone numbers of officials in national, prefectural, and local governments in Japan. It is published by not a private company, but Ministry of Finance's Government Printing Office. "Outrageous!" "Unbelievable!" others shouted. Some others introduced that a CD-ROM of more than 50 volumes of United States Code is only $37. Some say, "taxpayers are ripped of by our government!" Other proposes, "we should let the U.S. government produce our government's CD-ROMs." These are some of the discussions going on in the recently established Environmental Policy Change Mailing Lists (e-forum). Created by a militant think-tank researcher Teiichi Aoyama, the Lists organizes powerful discussion and communication among civic activists, environmental consultants, researchers, journalists, and concerned government officials. While the main focus is on environmental issues, another strong focus is access to the government information, which is crucial for any serious discussion of public participation in government processes. In the discussion lists, we found: 1) Many of the government's white paper CD-ROMs are 10,000yen ($83) each. 2) A CD-ROM for securities and company reports filed with Ministry of Finance is whopping 776,699yen ($6,500). (In Japan where there is no independent Security Exchange Commission, security and company reports are submitted to the Finance Ministry. In the U.S. such data is provided for free over the Internet from EDGAR database.) 3) Subscription to satellite weather information is 1,000,000yen/month ($8,300) for binary data and 20,000yen/month ($167) for text data. The original source of its information is the government's Meteorological Agency but distributed by private agency Kishocho Shien Center. 4) The text of all Japanese laws costs 100,000yen ($830) in magnetic tape, more if you use it for home page or printed form. The equivalent U.S. Code is free on the Internet and $37 in CD-ROM format. 5) The Database for Congressional minutes (equivalent of U.S.'s Congressional Record) is only available to government agencies, not even to Congressional representatives. When James Love of Nader group Consumer Project on Technology came to Japan last summer to share his experiences of government databases access campaign in the United States, the response of the Japanese audience was more or less "the Japanese government uses only paper." Many of us thought the government database issue is far away in the future. We heard Love's message as preparation for the future. But now we found out that the issue is right here now. The issue did not exist last year because very few know the government had databases. Recently Mr. Haga of Shintoku, Hokkaido, joined the Lists. He successfully made his town council put its meeting minutes on the town's home page. This is the first case of online public access to any legislative record in Japan. People in the Lists are planning to have an open forum with government officials to discuss public access to the legislative record. In order to join the e-forum lists, send email to Aoyama at: t-aoyama@bbs.bekkoame.or.jp You and your computer have to read two-bytes code Japanese characters. -- Aki Okabe 4640 California St., San Francisco, CA94118, USA Phone: 415-387-6253, Fax: 415-379-9815 Internet: kokabe@igc.apc.org ZZS64943@biglobe.ne.jp (Japanese characters acceptable) ------------------------------ Date: Mon, 19 May 1997 10:41:25 PDT From: "Dan Ellis" Subject: Wells Fargo & privacy: selling CC usage This issue is orthogonal to the problems of supermarket banking raised by Lauren, but while we're knocking Wells Fargo.. I have a credit card attached to my Wells Fargo bank account. I greatly appreciate the ability to check the balance over the Web, which is well implemented IMO. In fact, it's about the only reason I've kept the account open after getting a little "Notice of new terms" flyer in with my bill a few months ago. 9 pages of six-point type, most of the changes were a revised arbitration mechanism and new interest rates, but an item on the last page under "CREDIT INFORMATION" caught my eye: Where previously I had agreed only to let the bank offer me services based on the account information, the revised agreement read: "You agree that the Bank may provide your name, address and other information about you to its affiliates or to third parties to provide services relating to your account or to offer other products and services." I shouldn't be shocked that Wells Fargo is thinking about selling my buying patterns as a new income stream, but I was displeased, and also fascinated that this was a new development - something they had thought too brazen or too inappropriate to write into the original contract. I wrote to them to object, but my letter has been ignored... Anybody know a good credit card company with online balance access that is sympathetic to its customers' desires for privacy? Dan Ellis. [ Wells Fargo says that they do maintain a list of persons who do not wish to have this information provided to third parties. You need to call their customer service number and explicitly ask to be added. The default (no surprise) is indeed to release the information. -- MODERATOR ] ------------------------------ Date: Thu, 15 May 1997 14:16:47 -0700 (PDT) From: "Brock N. Meeks" Subject: Survey says "Censor!" RADNOR, Pa., May 13 /PRNewswire/ -- Despite the fact that 29 percent, or nearly one-third, of all Americans access the Internet, 4 of 5 say they are concerned about what can be found, and who might find it, while cruising the Information Superhighway. In a recent nationwide telephone survey of a random sample of Americans ages 18 and older conducted by Chilton Research Services, 80 percent of respondents answered "Yes" when asked, "Do you think that the government should take steps to control access to pornographic or sexually explicit material on the Internet to protect children and teens under 18 years of age?" A significantly higher percentage of women than men favored government intervention. More than 88 percent of women invite censorship or some other action, while 71 percent of men feel such steps are warranted. Respondents were similarly divided by economic and education levels. In all demographic categories a resounding majority wants to limit youngsters' access to sexually explicit material on the Internet, but some groups feel more strongly than others. For instance, among households with incomes below $35,000 annually, 85 percent want Uncle Sam to step in. Among respondents with household incomes above $50,000 the percentage drops to 71 percent. Similarly, 9 in 10 respondents with a high school diploma or less said the government should control access, while 7 in 10 who had at least attended college want such action taken. In addition to worrying what their children might see on the Internet, Americans worry about what others might be able to learn about their private lives. Better than 5 of every 6 respondents (84 percent) said they are concerned about unauthorized or illegal access to personal and financial information through the Internet. A solid majority (65 percent) of all respondents said they were "very concerned," while another 19 percent admitted to being "somewhat concerned." Fewer than 10 percent of respondents were "not at all concerned." Those with less than a high school education and those over 65 years of age expressed less concern, possibly because these groups are not as likely as others to use the Internet. The Chilton EXPRESS telephone omnibus survey was conducted among a sample of 1,000 American men and women ages 18 and older, between April 16 and April 20, 1997. The margin of error is +/- 3 percent. Chilton Research Services, an ABC-owned company, was established in 1957. The company offers full research and consulting services to consumer products companies, business and industry, telecommunications and media, non-profit organizations and government agencies. ------------------------------ Date: Tue, 3 Jun 1997 00:38:52 -0400 From: Monty Solomon Subject: Maine Bill Seeks to Limit Social Security Number Access Excerpt from ACLU News 06-01-97 Maine Bill Seeks to Limit Social Security Number Access AUGUSTA, Maine -- What's in a Social Security number? Plenty, according to civil liberty advocates who are now trying to persuade state legislators to curb access to the nine-digit number by governmental agencies and private businesses. According to a report in the Bangor Daily News, the Social Security number has become the key identifier used by state and federal governments as well as credit card companies, banks and credit rating agencies and even hospitals to link people up with personal information. Civil liberties groups and privacy advocates fear that increasingly, personal information is being linked to the Social Security number, giving businesses and governmental agencies as well as ordinary people access to an alarming amount of personal histories and information they don't need and shouldn't have. The Maine Civil Liberties Union, for example, points to a published report last year that trade in health information has become a $40 billion-a-year business. ''Our expectation of privacy simply has been reduced in the last couple of decades,'' Bill Coogan, president of the MCLU and an associate professor of political science at the University of Southern Maine, told the News. One bill facing the Maine Legislature and likely an uphill battle would prohibit, with few exceptions, businesses and state agencies in Maine from collecting and storing Social Security numbers, the paper said. The only exemptions would be instances where Social Security numbers are required by the federal law and for employers who need to collect the numbers from employees. Rep. John Vedral III, R-Buxton, a self-described personal privacy advocate who has sponsored the bill, LD 1524, said he has seen how easily information is transferred from place to place and worries about its use and misuse. Vedral told the News that he has been asked and has refused to give his Social Security number at a car rental agency and at two Maine hospitals, but still got service, leaving him to wonder just how necessary Social Security numbers are for the businesses. He was even asked for his Social Security number to get a courtesy card at the library at USM. ------------------------------ End of PRIVACY Forum Digest 06.08 ************************