The following document is from the PRIVACY Forum Archive at Vortex Technology, Woodland Hills, California, U.S.A.

For direct web access to the PRIVACY Forum and PRIVACY Forum Radio, including detailed information, archives, keyword searching, and related facilities, please visit the PRIVACY Forum via the web URL:

http://www.vortex.com

-----------------------------------------------------------------------

PRIVACY Forum Digest      Saturday, 1 August 1998      Volume 07 : Issue 13

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
http://www.vortex.com

===== PRIVACY FORUM =====

-------------------------------------------------------------------
The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, "internetMCI" (a service of the Data Services Division of MCI Telecommunications Corporation), Cisco Systems, Inc., and Telos Systems.

- - -

These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------

CONTENTS

    PRIVACY Briefs
        (Lauren Weinstein; PRIVACY Forum Moderator)
    The Caller-ID Wars Continue
        (Lauren Weinstein; PRIVACY Forum Moderator)
    American Express cancels marketing plan
        (Lauren Weinstein; PRIVACY Forum Moderator)
    British Government Supports Voluntary Youth ID Card
        (Jason Ross)
    Watching the cameras watching you
        (Keith Parkins)
    Pharmacy freely gives out Rx info
        (Lewis Lorton)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com".

All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive.

All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com".
Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access.

-----------------------------------------------------------------------------

VOLUME 07, ISSUE 13

Quote for the day:

    "Anything different is good."

        -- Phil MacDowell (Bill Murray)
           "Groundhog Day" (Columbia; 1993)

----------------------------------------------------------------------

Date: Mon, 27 Jul 98 08:57 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: PRIVACY Briefs

Greetings. Here are a few briefs involving privacy-related issues...

---

Identity Fraud and Misrepresentation
Internet Content Controls and Minors
Copyright Laws
FBI and Cell Phones
Names, Numbers, and ID Cards

------

Identity Fraud and Misrepresentation

In a limited move toward protecting personal information, a bill has been introduced in the U.S. House of Representatives which would make it a federal crime to obtain or attempt to obtain customer information fraudulently from a financial institution, i.e., through misrepresentation of one's identity. This is mainly aimed at persons who operate businesses that routinely call around to gather such information for third parties. These operations typically claim to be the customer involved, and then apply pressure to phone reps to give out data (the "oh, I forgot my password" technique).

Given that so many institutions will provide masses of info with only verification like Social Security Number, mother's maiden name, zip code, and other widely disseminated data, the problem has grown to large proportions.

This bill does not address the vast amounts of data on individuals bought, sold, traded, distributed, and maintained in databases legally by commercial firms, only fraudulent attempts to access certain data.
---

Internet Content Controls and Minors

What many are calling "CDA II" passed the Senate quietly, setting on the legislative path another attempt to control children's access to Internet sites. Unlike the original Communications Decency Act struck down by the Supreme Court, this version targets commercial web sites who distribute "harmful" material to minors. If this legislation is enacted, court challenges are inevitable. The vagueness of the term "harmful," combined with freedom of speech issues, suggests that the probability of this legislation surviving in its present form may be fairly low.

In related actions, legislation passed in the Senate that would require schools and public libraries taking advantage of federal subsidies for Internet access to use (unspecified) filtering software to limit minors' access to the net. In the case of libraries, there would need to be at least one computer designated for children's use that ran the filters--computers that would be used only by adults would not need to be filtered, as I understand the legislation.

However, the problems of filtering software (sometimes with "secret" block lists which appear to implement political or religious agendas) which also block political or sex-safety related sites, and other serious inherent problems with such filtering methodologies, continue to be matters of strong concern. We all know at the gut level that there is material on the net to which children should not be exposed in an unsupervised environment--or in any environment in some cases, for that matter. But people's views on what that material *is* will differ widely.

---

Copyright Laws

The House of Representatives' Commerce Committee has approved a bill designed to bring the U.S. into conformance with international copyright rules.
After a great deal of controversy, the current legislation includes exceptions to allow for certain types of encryption research, circumvention of software security systems to protect personal information, and a two year evaluation waiting period before the implementation of broad prohibitions against reverse engineering. Whether such provisions will exist in the final bill as it moves through Congress is unclear at this time.

---

FBI and Cell Phones

The FBI is asking Congress to explore possible changes in existing law to allow law enforcement access to physical location data of cell phone users, without court order, under certain "emergency" conditions. As has been reported here in the PRIVACY Forum in the past, mandated 911 requirements are leading toward the ability of cell phone carriers to track, and potentially record, the movements of all powered-on cell phones, regardless of whether or not calls are in progress. It was inevitable that this data would be desired by various parties for other purposes, in realtime and perhaps retrospectively as well, in criminal, civil, and perhaps even commercial contexts.

It would seem prudent to begin a detailed examination and open discussion of these issues before making such potentially sensitive data available for any purposes beyond that for which it was originally collected--helping find people calling 911 from cell phones.

---

Names, Numbers, and ID Cards

ID cards have been a hot topic lately. On one hand, proposed rules from the U.S. Department of Transportation would establish uniform standards for collection and verification of Social Security Number data for state drivers' licenses. The proposal does not appear to actually require that the SSN be present on the license in human readable or electronic form, but does require collection at point of issuance and verification that the SSN is valid.
Some states (like California) have been collecting SSN for driver's licenses for quite some time, as a result of "deadbeat" parents financial responsibility legislation. The DoT is proposing the new rules to comply with recent immigration reform legislation.

We see here the twin prongs of the problem--on one hand, many people are upset about undocumented persons taking jobs in this country. On the other hand, there are persons upset about being required to identify themselves in a variety of situations. These concepts can fundamentally conflict with each other at a very basic level.

On a related front, the facets of a 1996 health insurance reform law that would require all persons in the U.S. to be issued "unique health identifier" numbers have been the subject of renewed controversy. This number, which might be SSN or some new number, would be used to correlate health-related data throughout the country. At least one legislator is talking about introducing legislation to repeal this provision.

In both of these ID cases, it's possible to postulate some pretty grim "Big Brother" scenarios for the future. Most people react negatively and in many cases viscerally against being numbered. Of course, largely equivalent identifiers are already pretty much available on every American. Proposals that would make a bad situation even worse should certainly be avoided.

Individuals should definitely make their thoughts known (pro or con) to their legislators regarding these ID card and number plans. However, rather than concentrating solely on the issue of the cards and numbers themselves, it's also important to focus on how information collected on persons will be stored, exchanged, cross-referenced, sold, and otherwise used (or abused) in both commercial and non-commercial contexts. The legal vacuum regarding the *use* of most collected data is a critical issue that needs to be addressed broadly, deeply, and immediately.
---

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date: Mon, 27 Jul 98 08:57 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: The Caller-ID Wars Continue

Greetings. It's starting to look pretty clear--there's a new war over caller-ID, especially for California telephone subscribers. When per-call ID blocking was mandated nationally, and complete (all-call, with selective unblocking) blocking was made available in states like California, it looked like the protracted battle over caller-ID was over. Far from it.

As has been discussed in the PRIVACY Forum in the past, there have been increasing reports of what some would call "high pressure" sales tactics by Pacific Bell representatives attempting to sell caller-ID services, and also attempting to convince persons to switch from complete to "selective" (per-call) blocking--the latter sends the ID on all calls by default.

PacBell's latest hope to increase their caller-ID related services is the implementation of "anonymous" call blocking, which blocks incoming calls unless the caller is willing to provide the number of the phone line they are calling from (and often now the name associated with that line) to the caller. In a fascinating move, PacBell is even marketing this service to people who don't subscribe to caller-ID and couldn't see the number/name of the line calling in any case!

PacBell has gotten extremely aggressive in their add-on services sales to any subscriber that calls for almost any reason--I can verify this myself. Unfortunately, reports are that they're even pushing some of these expensive services on persons who call to order low income "lifeline" plans. The problems have reached a level where the California Public Utilities Commission (CPUC) has begun looking into PacBell's sales tactics.
The problems, risks, and failures associated with caller-ID services have been well documented in the past here in the PRIVACY Forum in previous issues, so there's no point to reiterating them here. But this escalation in PacBell's aggressive sales efforts seems to be correlated with their acquisition by Southwest Bell (SWB), who apparently has set very specific goals to try to drastically raise the number of subscribed "features" per telephone subscriber in California. SWB is used to much higher rates of caller-ID service penetration in their home state of Texas, where per-line complete blocking is not available. It obviously is distressing to them to have to deal with a state like California, where about half the phone lines are subscribed to complete blocking, and more than half the lines are reportedly non-published.

When I recently spoke at length with PacBell spokesman John Britton, he made it clear that PacBell had every intention of marketing these services to their utmost, and suggested that the excessively high-pressure sales tactics reported by some were aberrations by individual sales representatives, not company policy. He seemed to blame the high percentage of complete blocking in California on the educational campaign that the CPUC had mandated.

I asked him about a statement from the San Jose Mercury News where he was quoted as saying, "If consumers don't like it, they can stand up. They don't need a lot of pushy people at ORA [Office of Ratepayer Advocates] standing up for them." He acknowledged the essential accuracy of the quote, but admitted that, in retrospect, he perhaps should have left out that comment about the ORA.

Pacific Bell certainly has a right to market their services.
But given that they still operate in what amounts to effectively a monopoly position when it comes to residential local service (theoretical competition in local service notwithstanding), I think it's reasonable to hold them to the highest standard in their dealings with their subscribers in this and other areas.

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date: Tue, 28 Jul 98 10:46 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: American Express cancels marketing plan

Greetings. American Express (AmEx) has cancelled plans for a customer information marketing partnership with KnowledgeBase Marketing. The plan was reported here in PRIVACY Forum last May (V07 #09) and was subjected to broad criticism from many quarters due to concerns over AmEx cardholder privacy. AmEx says that the plan was cancelled due to concerns over profitability, not privacy issues.

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date: Mon, 20 Jul 1998 23:03:52 +0100
From: "Jason Ross"
Subject: British Government Supports Voluntary Youth ID Card

The British Government has lent its support to a scheme to introduce a national identity card for teenagers, ostensibly to help stamp out the under-age purchase of alcohol, cigarettes, videos etc.

The Citizen Card will be available to children of 12 and above, since that is the youngest age which needs to be confirmed in order to buy or rent 12 certificate videos. It is intended to be used until the age of 21, as many night clubs stipulate this as a minimum age.

The card will bear a photograph and a hologram, and will cost five pounds to buy. Apparently up to seven million people could end up using it.

The Government's Consumer Affairs Minister Nigel Griffiths was quoted as saying "I strongly support this initiative ...
I am keen on anything that helps the retailer to know the age of young people they are dealing with."

I can see that this card will benefit the retailers - after all many of them display signs saying "We cannot sell tobacco to anyone who is, or appears to be, under 16 years old", and similarly with alcohol. Many of them get caught out and fined by Trading Standards officials, who, if they receive reports of the shop selling to under-age children, deliberately send under-age children to buy from the shop. They then prosecute the shopkeepers for selling to the children. Pubs and bars caught selling to under-age drinkers also face the possibility of their license to sell alcohol being revoked.

This card would help them regain the trade that they lose by mistakenly turning away people who look under-age but are not. I'm sure that the fact that the customers are paying for the privilege of spending their money legitimately is appreciated as well.

A similar photocard scheme featuring the holder's name and, I believe, date of birth has been in use for several years, but to my knowledge did not arouse the interest of the last Government. I have not yet found any difference between the two cards in principle, but I find the interest of the Government disconcerting.

The British Government has made many noises in the past with regard to the introduction of a national ID card, to be carried by all British citizens. It always wheels out the same reasons, i.e. prevention of crime and terrorism etc. These have always been met with opposition by civil liberties groups.

Could the path of this scheme be following that of the Government's TTP cryptography policy? Initially it will be voluntary, but in a few years time it could prove to have been an easy let-in for a compulsory National ID scheme, eroding even more of the limited privacy and rights that those of us in Britain still have.
It would certainly be a politically 'softer' way into a national ID scheme than that being introduced in one of the other Commonwealth countries, New Zealand (see PRIVACY Forum Digest V07 #11, "NZ to Introduce Photo-ID Drivers' Licenses" by Patrick Dunford). After all, initially no-one would be taking our rights away, we would be giving them up of our own accord.

Jason Ross
jason_ross@bigfoot.com

------------------------------

Date: Mon, 29 Jun 1998 18:26:11 +0100
From: Keith Parkins
Subject: Watching the cameras watching you

At Barry (a small town in south Wales) hidden cameras have had to be installed to keep watch on the town's CCTV [Closed Circuit Television] to record acts of vandalism against the CCTV.

Keith Parkins

    [ It's "Candid Camera" gone mad! Where's Allen Funt when we need him?
      -- PRIVACY Forum Moderator ]

------------------------------

Date: Sun, 28 Jun 1998 09:11:48 -0400
From: Lewis Lorton
Subject: Pharmacy freely gives out Rx info

Innocently, I called my pharmacy (in a large supermarket chain) to find out how to check on some back information [in order to catch up on reimbursements from my medical plan.]

I honestly expected to have to give detailed information and then show up with some sort of picture ID to get a list of prescriptions filled.

Instead, to my amazement, some anonymous pharmacist asked me what I wanted to know and gave me an oral history of my prescription medications filled at that store.

Amazing! This is an example of the real problem in privacy - where policy exists and isn't enforced.

LL
Lewis Lorton

    [ I don't find it amazing--it's unfortunately completely typical. Frankly, given the state of the law regarding medical information, and the "it doesn't really matter" attitude of most of the involved entities, I'd have been surprised if they *had* bothered to really perform any significant identity verification.
      -- PRIVACY Forum Moderator ]

------------------------------

End of PRIVACY Forum Digest 07.13
************************