The following document is from the PRIVACY Forum Archive at Vortex Technology, Woodland Hills, California, U.S.A. For direct web access to the PRIVACY Forum and PRIVACY Forum Radio, including detailed information, archives, keyword searching, and related facilities, please visit the PRIVACY Forum via the web URL: http://www.vortex.com ----------------------------------------------------------------------- PRIVACY Forum Digest Saturday, 13 February 1999 Volume 08 : Issue 03 Moderated by Lauren Weinstein (lauren@vortex.com) Vortex Technology, Woodland Hills, CA, U.S.A. http://www.vortex.com ===== PRIVACY FORUM ===== ------------------------------------------------------------------- The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, Cable & Wireless USA, Cisco Systems, Inc., and Telos Systems. - - - These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum. ------------------------------------------------------------------- CONTENTS Computer Serial Numbers: Pentiums Not Required! (Lauren Weinstein; PRIVACY Forum Moderator) Stolen Lives: Identity theft (David Brownell) eBay's Very Open Trading Policies (Mike O'Brien) Domestic Violence (Phil Agre) Boxed In: Why US Privacy Self Regulation Has Not Worked (Joseph M. Reagle Jr.) ALAWON v8, n7 - Filtering Bill Introduced (ALAWASH E-MAIL) Supermarket Tracking Cards / Professional Jurors (Mike O'Brien) Interesting US Supreme Court case (John R Levine) New California laws for 1999 (Kevin Maguire) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are via an automatic list server system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the list server system. Please follow the instructions above for getting the list server "help" information, which includes details regarding the "index" and "get" list server commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access. ----------------------------------------------------------------------------- VOLUME 08, ISSUE 03 Quote for the day: "Wrong thinking is punishable. Right thinking will be as quickly rewarded." -- The Keeper (Meg Wylie) "Star Trek": Original Pilot Episode: "The Cage" (Desilu; 1964) ---------------------------------------------------------------------- Date: Sat, 13 Feb 99 11:29 PST From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Computer Serial Numbers: Pentiums Not Required! Greetings. By now most of you are probably familiar with the barrage of stories relating to Intel's annoucement of a "serial number" in their new line of Pentium processor chips, and the controversies that immediately emerged. Given all that's already been written about the pros, cons, reliability issues, uses and abuses of such a system, there's no need to rehash it all here. But there is one point I'd like to emphasize. The ability to create and interrogate a totally or reasonably unique identity for a given piece of computer hardware has long existed, and need not be dependent on the presence or enabling of a chip serial number. And since all such procedures rely on software to transmit that information, all are ultimately subject to potential modification or disruption. Outside of the PC world, various other computer platforms have long included dedicated readable machine serial numbers. Any PC with an installed Ethernet adapter contains a unique ID which can be easily interrogated. It's also possible to "fingerprint" any system via values in system ROMs, disk firmware interfaces and layouts, operating system or application software IDs, or any manner of other parameters which can be combined in creative manners. Some of these can be changed by the user of course, but a CPU chip can usually be replaced as well. Techniques like these are already used by some software packages as an anti-piracy measure. So whatever good or ill that we perceive to be associated with unique identification of computer systems, it's important to note that most of the same factors are present regardless of whether or not a particular CPU chip is in use or a specific chip serial number capability enabled. --Lauren-- Lauren Weinstein Moderator, PRIVACY Forum http://www.vortex.com ------------------------------ Date: Sat, 06 Feb 1999 11:40:40 -0800 From: David Brownell Subject: Stolen Lives: Identity theft The January 26 1999 edition of the San Jose Mercury News has an article about identity theft. Titled "Stolen Lives, How to Avoid Being a Victim of Identity Fraud", the article presents several case studies; it's a relatively long article (2400 words in the on-line version for $2, plus pictures). Of particular interest were interviews with some people whose identies had been stolen. In effect, they had been made the victim in multiple ways ... first by having their credit records ruined, second by having the credit bureaus refuse to correct the false information they were recording, third by employers not being supportive of the months or years it can take to recover from such a theft, fourth by courts and police departments holding that it was financial institutions which were the primary victims, and unfortunately much more. It's clear that such theft is facilitated by sloppy practices on the part of credit issuing agencies. In one case, they did not even consider the fact that the person applying for credit had a different age, size, residence, and race from the person whose credit record was used. (Yet they were held to be the victim ... hmm.) However, it's also clear that credit reporting agencies haven't been doing their jobs in making sure the information they report is correct. (I was wishing that the EU privacy regulations were in effect ... making this their legal responsibility, rather than at best a good-neighborly thing.) Mari Frank is a Laguna Niguel attorney who wrote a manual on coping with identity theft. www.identitytheft.org has more info on that. There is now US federal legislation which makes identity theft a felony, as it has been for a while in ten states including California. California's legal infrastructure is already in place, which will help victims since it requires credit bureaus and lenders to fix their records given a police report of the crime. - Dave ------------------------------ Date: Mon, 1 Feb 1999 13:07:16 -0800 From: "Mike O'Brien" Subject: eBay's very open trading policies eBay is instituting a new User Agreement, binding on everyone who uses eBay in about 25 days, which says a few hair-raising things. It references a new Privacy Policy which is even more hair-raising. The new Privacy Policy says: Unfortunately, due to the existing regulatory environment, we cannot ensure that all of your private communications and other personally identifiable information will never be disclosed in ways not otherwise described in this Privacy Policy. By way of example (without limiting the foregoing), we may be forced to disclose information to the government or third parties under certain circumstances, or third parties may unlawfully intercept or access transmissions or private communications. Well, that sure sounds practical and fair enough. However, this paragraph goes on to say: Further, we can (and you authorize us to) disclose any information about you to law enforcement or other government officials as we, in our sole discretion, believe necessary or appropriate. Therefore, although we use industry standard practices to protect your privacy, we do not promise, and you should not expect, that your personally identifiable information or private communications will remain private. A paragraph or two above this, it also says: eBay cooperates with all law enforcement inquires and with all third parties to enforce their intellectual property or other rights. Therefore, members of the eBay Legal Buddy Program (which includes local, state and federal law enforcement) can request your UserID, name, street address, city, state, zip code, country, phone number, email and company information. For more information about the Legal Buddy Program, email buddy@ebay.com. I dug into this some. Apparently, all you have to do is sign a form that says you own copyright or trademark interests in something or other, and based solely on this claim, eBay will disclose to you all the information they have on anybody whom you claim is selling something in violation of your rights. This stuff was all instituted because eBay was catching heat about allowing the sale of fraudulent "knock-off" items. I don't know about you, but the cure looks worse than the disease. I'm all for complying with subpoenas and warrants, but this all looks to me like all you have to do is CLAIM to represent a law enforcement agency or a "Content Owner", and their books are open for your easy inspection. Mike O'Brien ------------------------------ Date: Sun, 7 Feb 1999 20:43:54 -0800 (PST) From: Phil Agre Subject: Domestic Violence The state of California has started a program to protect victims of domestic violence from being tracked down by their assailants using public records and the like. Measures include confidential voter registration records and a state-provided post office box whose contents are regularly forwarded by state workers to the victim's real location. (Reference: Carl Ingram, New program to help domestic violence victims, Los Angeles Times, 7 February 1999, page A13. The article also claims that "[t]he era of hacking electronic databases further compounds the difficulties of victims", without providing evidence that is hacking rather than deception or corruption that causes information about the victims to be revealed.) We shall see how well the law works. If it is not sufficient, a next step would be to strengthen a victim's ability to recover damages from an organization that reveals personal information to someone who shouldn't have it. Phil Agre ------------------------------ Date: Mon, 18 Jan 1999 10:23:47 -0500 From: "Joseph M. Reagle Jr." Subject: Boxed In: Why US Privacy Self Regulation Has Not Worked http://cyber.law.harvard.edu/people/reagle/privacy-selfreg.html Joseph M. Reagle Jr. Resident Fellow, Berkman Center for Internet & Society, Harvard Law School Its easy to answer that efforts -- to date -- for Internet privacy self-regulation have not worked in the US. However, to ask the question itself is not so easy. What does effective privacy protection and self regulation mean? How do we know when its working? In an attempt to frame this issue, the Department of Commerce has issued two drafts and held a public meeting last summer with the theme of "Thinking Out of the Box." Little progress had been made on the most important aspect of self regulation: enforcement and user remedy. The crux of the problem is not a need to think out of the box, but to think about the box we are in. By this I mean the history and incentives that motivate present day behavior: Self Regulation by Sustaining User Ignorance This regulatory approach operates when market players suppress business practices (or reports thereof) that alarm a majority of the citizenry. Problems which are pointed out by the FTC, advocacy groups, or the media can sometimes result in improvements by the targeted company. Occasionally, a coalition of companies may find the scrutiny to be loathsome enough to exceed their legal obligations and uniformly reform the industry's practices. Given the number and diversity of services on the Web, such efforts are doubly difficult. Enforcing Norms May Violate Anti-Trust Antitrust law attempts to mitigate a dominant company, or set of companies, from colluding in order to suppress competition. This includes attempts at price fixing and excluding rivals by raising barriers of entry within a market. Consider the proposal that Internet companies that are part of a self-regulatory program adopt a consistent set of privacy procedures and that those procedures must be reviewed by external privacy audits. This could be construed as raising a barrier to entry in the ecommerce market for those companies that cannot readily afford such processes. Being a Good Actor Increases Liability Outside of a few specific sectors (credit reporting, video rental records, etc.) there are very few limits on what one can do with information solicited, garnered, or inferred about users. In fact, by disclosing one's privacy practices, one is substantiality increasing one's liability without any noticeable or immediate benefit. In this context, I find it remarkable that any company has made substantive disclosures beyond the useless "We may share your information with partners and affiliates who wish to provide you with complementary products or services," and laud those that have. Privacy is Expensive It costs to be proactive on privacy. Companies concerned with privacy may turn away from business practices their less principled competitors jump at, or devote significant resources to supporting self-regulatory or technical programs. Regulatory actions (self or statutory) are not cheap. The cost of privacy when placed in the broader context of user satisfaction, fraud reduction, and user confidence in the Web is worthwhile, however the cost is uncertain and poorly distributed. Given the above constraints, it is not surprising that self regulatory efforts have not advanced further. The efforts to date are simply not sufficient to overcome these significant pre-existent disincentives towards a self regulatory program. For progress to be made, we need enforceable rules regarding a baseline of acceptable behavior that cast pro-privacy policies as an advantage rather than a liability. References Elements of Effective Self-Regulation for Protection of Privacy Privacy and Electronic Commerce. Introduction to Antitrust Terms Antitrust Guidelines for the Licensing of Intellectual Property. April 6, 1995 Issued by the U.S. Department of Justice and the Federal Trade Commission These Guidelines supersede section 3.6 in Part I, "Intellectual Property Licensing Arrangements," and cases 6, 10, 11, and 12 in Part II of the U.S. Department of Justice 1988 Antitrust Enforcement Guidelines for International Operations United States v. IBM, 1975-I. Trade Cas. (CCH) Sec 60,104 (S.D.N.Y. 1974) (amending complaint). Sherman Antitrust Act of 1890, 15 U.S.C. 1. Clayton Act, 15 U.S.C. 12 Federal Trade Commission Act, 15 U.S.C. 41 Regards, http://web.mit.edu/reagle/www/home.html Joseph Reagle independent research account ------------------------------ Date: Fri, 22 Jan 1999 17:56:53 -0500 From: "ALAWASH E-MAIL (ALAWASH E-MAIL)" Subject: ALAWON v8, n7 - FILTERING BILL INTRODUCED ALAWON: American Library Association Washington Office Newsline Volume 8, Number 7 January 22, 1999 In this issue: Sens. McCain, Hollings Introduce Filtering Bill Sen. John McCain (R-AZ), chair of the Senate Commerce Committee, and Sen. Ernest Hollings (D-SC), ranking minority member of the Senate Commerce Committee, have introduced The Children's Internet Protection Act, S. 97. The bill would require filtering and blocking software to be used by any school or library receiving E- rate discounts. According to the S. 97, libraries would be required to use a filtering system on one or more of their computers so that at least one computer will be "appropriate for minors' use." Schools receiving universal service discounts -- also known as the E-rate -- would be required to use filtering or blocking software on all of their computers. The Children's Internet Protection Act appears to be very similar to the bill that Sens. McCain and Hollings cosponsored last year. ALA, the EdLiNC coalition and others did not support that bill. "As Internet use in our schools and libraries continues to grow, children's potential exposure to harmful online content and to those who seek to sexually abuse children will only increase," Sen. McCain said in a January 20 statement. "Perhaps most important, this legislation will not censor what goes onto the Internet, nor will it censor what adults may see, but rather filters what comes out of it onto the computers our children use outside the home." "This legislation is an important step in the battle to protect children from the dark side of the Internet," said Sen. Hollings. "Children should be protected from stumbling onto indecent material while using the web for legitimate purposes and this bill will go a long way in obtaining that goal." A summary, provided by the Senate Commerce Committee, of The Children's Internet Protection Act, S. 97 is as follows: ------- Schools would have to certify with the FCC that they are using or will use a filtering or block system on computers with Internet access so that students will not be exposed to harmful material on the Internet. A school will not be eligible to receive universal service support for Internet access unless they do this. In order to be eligible for universal service, libraries would only have to certify that they are using a filtering or blocking system for one or more of their computers so that at least one computer will be suitable for minors' use. School and library administrators are free to choose any filtering or blocking system that would best fit their community standards and local needs. In providing for universal service discounts for Internet access, no federal governmental body can make any qualitative judgements about the system nor the material to be filtered that the school or library has chosen. ------- Rep. Bob Franks (R-NJ) also introduced a similar bill to S. 97 in the House of Representatives this week. In the 105th Congress, two similar bills, S. 1619 and the Sen. Franks-sponsored H.R. 3177, were unsuccessful. ALAWON readers will recall that last congressional session, alternative language was proposed by Sen. Conrad Burns (R-MT) and others to require local Internet use policies rather than blocking or filtering software. ALA and others argued that, if there were to be any federal legislation passed in this arena, the Burns approach was preferable. Advocates are working to see if such an alternative can again be introduced. Emphasizing control at the local level through local use policies (LUPs) would be consistent with the need to have all such content and curriculum decisions made at the local level. ALA will review S. 97 in more detail. Many issues are raised, including when it would become effective and how it would impact the libraries and schools just now receiving their E-rate commitment letters. The application process for the second year of the E-rate has also just begun. Further news about the Children's Internet Protection Act will be forthcoming as it becomes available. ****** ALAWON (ISSN 1069-7799) is a free, irregular publication of the American Library Association Washington Office. All materials subject to copyright by the American Library Association may be reprinted or redistributed for noncommercial purposes with appropriate credits. To subscribe to ALAWON, send the message: subscribe ala-wo [your_firstname] [your_lastname] to listproc@ala.org or go to http://www.ala.org/washoff/alawon. To unsubscribe to ALAWON, send the message: unsubscribe ala-wo to listproc@ala.org or go to http://www.ala.org/washoff/alawon. ALAWON archives at http://www.ala.org/washoff/alawon. ALA Washington Office, 1301 Pennsylvania Ave., N.W., Suite 403, Washington, D.C. 20004-1701; phone: 202.628.8410 or 800.941.8478 toll-free; fax: 202.628.8419; e-mail: alawash@alawash.org; Web site: http://www.ala.org/washoff. Editor: Lynne E. Bradley; Managing Editor: Deirdre Herman; Contributors: Phyllis Albritton, Mary Costabile, Adam Eisgrau, Carol Henderson, Peter Kaplan, Claudette Tennant and Rick Weingarten. ------------------------------ Date: Thu, 21 Jan 1999 14:22:51 -0800 From: "Mike O'Brien" Subject: Supermarket Tracking Cards / Professional Jurors Two items in the latest digest moved me to respond: 1) Concerning supermarket consumer tracking systems: These people are willing to pay far, far more than "twenty cents off a jar of mayo." Those who have not used these systems are probably unaware of just how much. I have the best of both worlds: My housemate does all our shopping, and he self-confessedly has no life to spy on. Between the 5%-off-your-entire-order coupons, the 10%-off-your-entire-order coupons, the 2/3 off specials, the free Thanksgiving turkeys and the free Easter hams, we save several hundred dollars per year off our grocery bill. These savings are predicated on accumulated use of the SAME ID tag, so the "card-swapping club", while an attractive notion, wouldn't allow these savings. Frankly, while the accumulation of customer data seems off-putting, the savings are so huge that even the privacy-conscious might think twice. They're willing to pay big bucks for the info. 2) On professional jurors: I had the privilege of growing up (in Western Pennsylvania) in one of the most corrupt judicial districts in the country. The daily course of conduct in my small-town country seat was so openly corrupt, and had been so for so long, that when labor leader Jock Yablonsky went and got himself assassinated, the national spotlight thrown on the trial of the accused assassin caused the entire legal population of the city to scurry around like bugs under a suddenly lifted rock as they all tried to remember how this stuff was actually supposed to be done. We had professional jurors. They consisted of a population of gentlemen of leisure and undetermined means who hung out in back of the courthouse next to the jail. When a trial was called for, a sufficiency of them were rounded up and routinely sworn in with little questioning and no objection by either side. They duly deliberated and returned a verdict. So professional and reasonable were they in their attitude that if the judge didn't care for the verdict, he would send them out again for further deliberations, after which they would duly return an opposing point of view. I've seen professional jurors. I prefer road kill. Mike O'Brien ------------------------------ Date: Mon, 25 Jan 1999 21:49:08 -0500 (EST) From: John R Levine Subject: Interesting US Supreme Court case The supremes agreed today to hear this case. Los Angeles Police Dept. v. United Reporting Pub. Corp. No. 98-678 Court below: 146 F.3d 1133 (9th Cir 06/25/98) At issue in this freedom of information case is whether a private publishing company may provide the names and addresses of recently arrested individuals to their clients for a fee. Prior to July 1996, California Code Section 6254 stated that state and local law enforcement agencies shall make public the full name, current address, and occupation of every individual arrested by the agency. In July of 1996, California amended the Code to prohibit the release of arrestee addresses to people who intend to use those addresses for commercial purposes. United Reporting Publishing Corporation had been providing the names and addresses of recently arrested individuals to their clients under the old version of the statute. United reporting filed a complaint seeking declaratory judgment and injunctive relief on the grounds the amendment was unconstitutional under the First and Fourteenth Amendments. The court below held that the Code amendment violates the holding in Central Hudson Gas and Elec. Corp. v. Public Service Comm. of NY, 447 US 557 (1980), in that it does not directly and materially advance the government's interest in protecting privacy and tranquility of its residents. ------------------------------ Date: Wed, 20 Jan 1999 16:23:32 -0800 From: Kevin Maguire Subject: New California laws for 1999 I found the following items reported in the Los Angeles Times Jan. 1 issue, in an article highlighting new California laws for 1999: - Unless they have obtained a court order, employers may not use audio or video recording devices to eavesdrop on employees in restrooms, locker rooms or other areas where employees change clothes. (AB 2303 by Assemblyman George Runner Jr., R-Lancaster) - Employers may not discriminate against healthy individuals who have a genetic predisposition to a disease. (SB 654 by Sen. Patrick Johnston, D-Stockton) - Before they are released from prison, people convicted of manslaughter, kidnapping, mayhem, torture and felony spousal abuse must provide DNA samples, which will be added to the state DNA database. Previously, only sex offenders and people convicted of murder and felony assualt and battery had to provide samples. (AB 1332 by Assemblyman Kevin Murray, D-Los Angeles) - Senders of spam must provide a return toll-free number or e-mail address and stop sending the unsolicited mail if the recipient asks them to cease (AB 1629 by Assemblyman Gary Miller, R-Diamond Bar, and AB 1626 by Assemblywoman Debra Bowen, D-Marina del Rey). [ KM: AB 1629 specifically refers to advertising, not unsolicited bulk email. AB 1626, according to the California Senate website, has nothing to do with email. ] - It is now a misdemeanor to place an electronic tracking device on a person or the person's property, such as a car. Law enforcement agencies are exempt from the law. (SB 1667 by Sen. John Burton, D-San Francisco) [KM: I checked the text of this bill. It includes an exception for devices placed with the consent of the owner, lessor or lessee of the property as well as devices lawfully employed by law enforcement. And it opens with: SECTION 1. The Legislature finds and declares that the right to privacy is fundamental in a free and civilized society and that the increasing use of electronic surveillance devices is eroding personal liberty. The Legislature declares that electronic tracking of a person's location without that person's knowledge violates that person's reasonable expectation of privacy. Which is nice. ] - Kevin Maguire -- Required disclaimer: I'm not speaking for JPL, Caltech, or NASA. ------------------------------ End of PRIVACY Forum Digest 08.03 ************************