The following document is from the PRIVACY Forum Archive at Vortex Technology, Woodland Hills, California, U.S.A. For direct web access to the PRIVACY Forum and PRIVACY Forum Radio, including detailed information, archives, keyword searching, and related facilities, please visit the PRIVACY Forum via the web URL: http://www.vortex.com ----------------------------------------------------------------------- PRIVACY Forum Digest Sunday, 27 September 1998 Volume 07 : Issue 16 Moderated by Lauren Weinstein (lauren@vortex.com) Vortex Technology, Woodland Hills, CA, U.S.A. http://www.vortex.com ===== PRIVACY FORUM ===== ------------------------------------------------------------------- The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, "internetMCI" (a service of the Data Services Division of MCI Telecommunications Corporation), Cisco Systems, Inc., and Telos Systems. - - - These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum. ------------------------------------------------------------------- CONTENTS A New Twist on Caller ID from Ameritech (Lauren Weinstein; PRIVACY Forum Moderator) Drivers' Licenses and Social Security Numbers Update (Lauren Weinstein; PRIVACY Forum Moderator) Netscape Privacy Update (Lauren Weinstein; PRIVACY Forum Moderator) Surveillance Article in "The Information Society" (Gary Marx) Huntington Bank Policies (David Lesher) Cookies (David Kulp) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access. ----------------------------------------------------------------------------- VOLUME 07, ISSUE 16 Quote for the day: "Would you care to join me in watching the supernova? It is a once in a lifetime experience." -- Kai (Michael McManus) "Super Nova: Tales From a Parallel Universe" (Time Film und TV Produktion GmbH/Salter Street Films; 1997) ---------------------------------------------------------------------- Date: Fri, 25 Sep 98 12:24 PDT From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: A New Twist on Caller ID from Ameritech Greetings. Ameritech is introducing a novel extra cost add-on for their customers who already are subscribing to Calling Number ID (CNID). The service, with the somewhat generic name of "Privacy Manager," appears to be positioned as an alternative to "traditional" Anonymous Call Blocking (ACB). I've discussed ACB and its problems in this Forum in the past. ACB forces callers to disclose the number they are calling from (and often the name associated with that phone account) in order to complete a call. Since anybody can be making a call using any phone, CNID data really only provides information regarding *where* the person is who is calling, not *who* the person is. Ameritech's Privacy Manager, like Anonymous Call Blocking, is being publicly positioned as an anti-telemarketing service (this despite the fact that Ameritech itself does its own telemarketing). Instead of simply blocking an unidentified call as ACB would, Privacy Manager diverts the caller to a recording which asks them to vocally identify themselves. If they don't respond, the system terminates the call. If the caller provides some vocal input, the system then rings the subscriber, and plays the brief recorded caller input. The subscriber can then choose to accept the call, reject it, or reject and play a recording ordering the caller to put the subscriber on their permanent no-call list. A no-answer condition results in the caller being diverted to voicemail. I assume that the caller isn't charged for the call unless there is acceptance or diversion to voicemail, even with the longish holding times that could result, but this isn't clear from available information right now. The service has some interesting aspects, and some obvious problems. Would subscribers who are so hot under the collar about unidentified calls in the first place even want to have such calls ringing them for their decision? It seems likely that most such persons would choose anonymous call blocking, where available, even though it is a fundamentally flawed concept in most respects. And even though Ameritech claims the "put subscriber on your no-call list" recording is legally binding, one has to wonder how effective such a mechanism would be in the face of the large amounts of phone number "churn" that characterize most areas today--numbers are constantly changing hands. All that having been said, the Privacy Manager concept (which Ameritech is trying to patent, by the way) has one significant positive aspect. It does provide a way for callers to identify *themselves* rather than the phone number and/or account name where they are calling from. One of the main arguments against calling number ID is that it forces the caller to reveal unlisted numbers, internal numbers, or the location where they are at the moment (doctor's office? Friend's house?) This is information which is typically none of the business of the person being called. But Privacy Manager, by allowing for a vocal identification instead of a number/account name ID, avoids this particular problem. Whether people will really be willing to continue paying more and more fees for these various Caller ID features remains to be seen. As I mentioned, Caller ID services are often marketed primarily as a telemarketing blocking service. It appears certain that many telemarketers will react by simply unblocking their IDs, and perhaps calling from outgoing lines which aren't answered for incoming calls and/or are associated with innocuous sounding account names. In the long run, such actions would render much of the promoted value of Calling Number ID for telemarketing blocking largely moot. It's clear that the various battles regarding Caller ID are still really only in their infancy. --Lauren-- Lauren Weinstein Moderator, PRIVACY Forum http://www.vortex.com ------------------------------ Date: Sat, 26 Sep 98 20:25 PDT From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Drivers' Licenses and Social Security Numbers Update Greetings. Back in PRIVACY Forum Digest V07 #13; (http://www.vortex.com/privacy/priv.07.13), I reported on the proposal by the National Highway Traffic Safety Administration (U.S. Department of Transportation) to impose a number of requirements relating to Social Security Number collection/verification/display for state-issued drivers' licenses. It now appears that reaction to this proposal from most state officials has been quite negative. In light of this and other concerns, even the American Association of Motor Vehicle Administrators (AAMVA) which has supported the plan, has announced that it is rethinking its position, and the comment period for the proposal has been extended to Oct 2, 1998. The general consensus is that the plan is now unlikely to move forward in its current form. Of course, interested parties should continue to make use of the comment period to make their feelings known on all sides of this issue. --Lauren-- Lauren Weinstein Moderator, PRIVACY Forum http://www.vortex.com ------------------------------ Date: Sat, 26 Sep 98 20:34 PDT From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Netscape Privacy Update Greetings. The saga regarding privacy issues relating to Netscape Communicator versions 4.0.6 and the 4.5 pre-release continues. I've discussed this previously in PRIVACY Forum Digest V07 #14 and #15; (http://www.vortex.com/privacy/priv.07.14, and http://www.vortex.com/privacy/priv.07.15). As you may recall, in our last chapter I reported a serious communication problem I was having with Netscape--the inability to get further responses from them regarding these privacy issues after an initial conversation. I'm pleased to report that I am now back in contact with Netscape managers with appropriate levels of responsibility and focus, and I hope to soon have new substantive information about the privacy matters I've previously discussed. In the meantime, an apparently valid e-mail address for sending privacy-related concerns to Netscape has now surfaced: privacy@netscape.com. Unlike some previous addresses provided to me by Netscape, I have been assured that this address will not result in an automated response, and that it is regularly read by a live human being! I'll of course be reporting back as information and developments warrant. --Lauren-- Lauren Weinstein Moderator, PRIVACY Forum http://www.vortex.com ------------------------------ Date: Thu, 17 Sep 1998 10:17:08 -0700 (PDT) From: gary marx Subject: Surveillance Article in "The Information Society" The following article appearing in "The Information Society," July-Aug. 1998 and available on the web page below may be of interest to subscribers. "Ethics for the New Surveillance"--The abstract follows: The Principles of Fair Information Practice are almost three decades old and need to be broadened to take account of new technologies for collecting personal information such as drug testing, video cameras, electronic location monitoring, and the Internet. I argue that the ethics of a surveillance activity must be judged according to the means, the context and conditions of date collection, and the uses/goals, and suggest 29 questions related to this. The more one can answer these questions in a way that affirms the underlying principle, the more ethical the use of a tactic is likely to be. Four conditions are identified that, when breached, are likely to violate an individual's reasonable expectation of privacy. Respect for the dignity of the person is central factor and emphasis is put on the avoidance of harm, validity, trust, notice and permission when crossing personal borders. Gary T. Marx home page: http://socsci.colorado.edu/~marxg/garyhome.html ------------------------------ Date: Mon, 7 Sep 1998 22:17:27 -0400 (EDT) From: David Lesher Subject: Huntington Bank Policies Huntington Banks sent around a "Customer Information Privacy Statement"... They claim "Your Privacy is the Huntington's Priority" but: one exception to their "we won't" is sec. 6.4: If the customer does not opt out.... another is "It is commonplace {....} to share information with customer reporting agencies." {This appears to mean credit rumor agencies...} And they discuss how they will use your data internally, semi-internally, & externally, unless you complain. They also give an address {POB 1558 43216} to write to, but it appears you must write 4 or 5 separate letters to cover all the ways they admit your privacy is NOT their priority. You can call 800-294-5809 to discuss this with them. Don't do so from home, though.... [ That's an (unfortunately) pretty typical situation. I really wouldn't be too concerned about calling them from home--odds are your home phone number is already on any number of bank documents. I would seriously doubt that any "capture" of caller ANI phone number data would be used in this sort of situation. -- PRIVACY Forum Moderator ] ------------------------------ Date: Sun, 6 Sep 1998 10:18:38 -0700 (PDT) From: dkulp@cse.ucsc.edu (David Kulp) Subject: Cookies The cookie "problem" has come up often in privacy discussions. While it is wise to be aware and in control of the distribution of private information, it is worth noting that the cookie technology is nothing really new. To be precise, a user's "movement" through a web-site may be tracked without the use of cookies (by embedding state information in URLs), but using cookies is an easier way of tracking such information. This includes common conveniences such as remembering passwords, recently entered information, previously visited pages, etc. What cookies offer in addition to URLs is the ability to track the same user from visit to visit. The state information that a site embeds in URLs is lost when a site is revisited, but a cookie is retained between visits. (A user can essentially thwart this by regularly removing their cookies file.) In any case, arbitrarily accepting cookies is likely a waste of time. Intuitive guessing about accepting or rejecting a cookie named "advertisingtracker" (malicious, intrusive) versus one called "lastlookupcitystate" (convenient) in no way guarantees the proper use of your personal information. Furthermore, accepting cookies from the same site as the page being viewed and rejecting cookies from other sites (a preference option for Netscape Navigator), does not keep site administrators from sharing your information with another site. For example, a recent news article announced the collaboration among several internet sites with plans to share tracking data. In summary, cookies offer no major advance in personal information monitoring compared to other "server-side" methods that cannot be controlled by the user. Arbitrary filtering of cookies is not particularly effective. Other methods exist for tracking user trends among multiple sites that do not use cookies. Therefore, a privacy advocate's concern should be directed foremost to the establishment of privacy policies for all sites, and less emphasis on the cookie technology itself. David Kulp ps. An authoritative bulletin from the Computer Incident Advisory Capability can be found at http://www.ciac.org/ciac/bulletins/i-034.shtml ------------------------------ End of PRIVACY Forum Digest 07.16 ************************