The following document is from the PRIVACY Forum Archive at Vortex Technology, Woodland Hills, California, U.S.A. For direct web access to the PRIVACY Forum and PRIVACY Forum Radio, including detailed information, archives, keyword searching, and related facilities, please visit the PRIVACY Forum via the web URL: http://www.vortex.com

-----------------------------------------------------------------------

PRIVACY Forum Digest     Saturday, 20 February 1999     Volume 08 : Issue 04

            Moderated by Lauren Weinstein (lauren@vortex.com)
              Vortex Technology, Woodland Hills, CA, U.S.A.
                        http://www.vortex.com

                      ===== PRIVACY FORUM =====

-------------------------------------------------------------------
  The PRIVACY Forum is supported in part by the ACM (Association for
  Computing Machinery) Committee on Computers and Public Policy,
  Cable & Wireless USA, Cisco Systems, Inc., and Telos Systems.
                                - - -
  These organizations do not operate or control the PRIVACY Forum in
  any manner, and their support does not imply agreement on their part
  with nor responsibility for any materials posted on or related to the
  PRIVACY Forum.
-------------------------------------------------------------------

CONTENTS
    Confidential Patient Data Accidentally Released to the Web
       (Lauren Weinstein; PRIVACY Forum Moderator)
    Driver's License Photos and "Data Creep"
       (Lauren Weinstein; PRIVACY Forum Moderator)
    GAO Report on Govt/Comm Use of SSN (Peter Marshall)
    More on eBay "privacy" (Christopher M. Conway)
    Announcement: CFP 99 April 6-8, Washington, DC (Dave Banisar)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
          *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond.
The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are via an automatic list server system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com".

Mailing list problems should be reported to "list-maint@vortex.com".

All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the list server system. Please follow the instructions above for getting the list server "help" information, which includes details regarding the "index" and "get" list server commands, which are used to access the PRIVACY Forum archive.

All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access.
-----------------------------------------------------------------------------

VOLUME 08, ISSUE 04

   Quote for the day:

        "Ask me no questions and I'll tell you no lies."

                -- Elaine Zacharides (Margaret Hamilton)
                   "13 Ghosts" (William Castle Productions; 1960)

----------------------------------------------------------------------

Date: Sat, 20 Feb 99 10:54 PST
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Confidential Patient Data Accidentally Released to the Web

Greetings. What would happen if information from computers containing confidential patient data at a major medical center found its way into a publicly available search engine? What if it were more than 18 Megabytes of patient data?

This isn't an academic question. It recently happened at the University of Michigan Health System, and it's a clear illustration about what can happen when unencrypted confidential information is moving between medical operations and their outside vendors.

The PRIVACY Forum recently received e-mail from a generically named e-mail address (no actual name was provided) at one of the popular "free e-mail" services, from a person claiming to have stumbled across vast amounts of patient name, address, phone and some other data while doing an HMO search on a University of Michigan Health System public web search page. This person provided a couple of web URLs, and expressed concern that they hadn't been able to reach anyone there about this issue. I offered to look into it.

The URLs were indeed valid at the U. of Mich. Health System. They led to what appeared to be large amounts of patient data--primarily names, addresses, phone numbers, and patient IDs (which in this case, and contrary to the norm, were *not* equivalent to Social Security Numbers). One of the referenced files was over 18 Megabytes of text--my web browser kept freezing up trying to handle a single page of such a length.
While I hoped that the data wasn't real--that it was dummy test data or something similar, I had to assume that there was a good chance it was valid. My first concern was to determine if this was a genuine problem, and if so with the protection of those patients by closing this hole.

I called in to the main U. of Mich. Health System number (found on their home web page) and within a few minutes had reached people who understood what I was talking about. They were interested, polite, and moved swiftly--within an hour or so the access was apparently closed.

Then followed a number of individual calls and a conference call from various administrative, technical, and legal folks at U. of Mich. It turns out that the data was indeed real. It was logging data files from runs involving an outside vendor, that should not have found their way into an environment where their search engine would have indexed it or where the public could have found it. The University thanked me for informing them of the problem, which they claimed didn't exist for more than a couple of days before it came to my attention.

However, the story is actually a bit more complicated. The University representatives felt strongly that nobody could have originally found that data on public URLs unless that person was on the "inside" of the medical center staff. While I of course have not revealed the e-mail address of the party who had written to me originally, the University felt that they had independently identified this person within their staff via analysis of the logs recording access to those files. They expressed concern that this person had (they believe) tried to "go public" with the information without taking steps internally to inform them of the problem, and they appeared to be looking into various disciplinary and/or legal actions to possibly be taken against them.
I have no way to know if the party they're talking about is the same person who contacted me, or what that person's motives might actually have been, but I find this emphasis on possible punishments targeted at that person to be disturbing.

I brought up the issue of encryption as a possible means to help avoid problems like this in the future. I got the impression that they had discussed that in the past and had ruled it out as "impractical" at this time in their opinion.

I also strongly urged that they take steps to notify patients whose data was exposed, since there's no way to know where copies of that data might have been sent by other parties, however few they might have been, who had accessed them via those public URLs. The last I heard from the medical center's representatives, they were working on some sort of plan to notify patients' doctors privately of the problem, but apparently no public statement was planned as far as I know.

The actual potential damage done to patients by the exposure of that data, in this case, was probably comparatively minimal. Luckily, the particular files involved didn't contain even more detailed data, and were apparently not widely accessed. But this should serve as a loud and clear wakeup call. With the increasingly enormous amounts of medical data being moved between public and private entities, these sorts of technical "glitches" can have major implications. You can't get the data genie back into the bottle.

With so many organizations rushing to bring up web interfaces and virtual "storefronts," the likelihood of confidential or hazardous data crossing the boundary into public view is ever increasing. In the rush to cyberspace, it's easy for some to forget that real people, and real lives, are involved. Things do go wrong, but technical glitches at major, publicly accessible web sites are not *excuses* for releasing personal data that individuals have every right to expect will be maintained in confidence.
In my opinion, it's largely a matter of priorities. And ultimately, it's society that needs to set and enforce those priorities in this area.

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date: Sat, 20 Feb 99 11:01 PST
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Driver's License Photos and "Data Creep"

Greetings. "Data Creep" is a term I use to describe the tendency for data collected for one purpose to be desired by, released to, and used by, various parties for other purposes. We've seen a multitude of examples in the past involving medical data, auto toll information, cellular phone location data, and so on--the list is impressive. The latest furor over the selling of driver's license photos is yet another example, with some interesting new twists.

A small New Hampshire firm called Image Data LLC has been promoting their "TrueID" system to flash pictures of customers on small displays at point of sale, to help verify check and credit card transactions. They bought more than 22 million such photos from South Carolina, Florida and Colorado (and at discount prices too, possibly as low as a penny each in some cases!)

After some public reports and negative public reaction to this system began circulating, there have been various actions taken by some state officials to try to prevent further release of photos and/or to demand return of the photos already released. Lawsuits and court battles are already underway.

Adding fuel to the fire was the revelation that Image Data's project was partially funded by over a million dollars of federal funds and Secret Service technical assistance, which was offered after a number of Congressmen expressed interest in the broader applications of the system.
While most observers had thought that the company was promoting its product only to help stop credit card and check fraud, other applications such as fighting terrorism, various identity-related crimes, immigration abuses, and related areas were apparently the impetus for the federal funding. It is reported that state officials who had worked with the company were unaware of this aspect of the project.

Some have argued that the system is no more obtrusive than someone showing their driver's license when they want to cash a check. But there is a fundamental difference between voluntarily showing an ID as part of a transaction (even if the transaction won't be completed unless the ID is presented) and being forced to participate in systems where images or other biometric data are being bought and sold at what amounts to a personal information swap meet.

There could be a silver lining to this story. It appears that it has triggered new moves in some states to restrict their sales of personal information--maybe.

At the same time that proponents of the TrueID system argue what a benefit it will be to consumers, it is noteworthy that individuals are almost never asked if they wish to participate in these programs. The reason why is obvious--it's the same reason that the direct marketing folks don't want opt-in programs for direct mail. There is a strong tendency to just avoid asking the question in the first place, when you know that most people are going to answer no!

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date: Thu, 18 Feb 1999 12:37:27 -0800
From: Peter Marshall
Subject: GAO Report on Govt/Comm Use of SSN

Date: Tue, 16 Feb 1999 23:54:33 -0500
Reply-To: IRE-L@showme.missouri.edu
From: "Tim Wise"
To: "IRE-L List Service"
Subject: GAO Report on Govt/Comm Use of SSN

February 16, 1999

The General Accounting Office (GAO) today released the following:

REPORTS:

1.
Social Security: Government and Commercial Use of the Social Security Number Is Widespread
   GAO/HEHS-99-28, Feb. 16.

To obtain copies of GAO reports or testimony, the press only may call 202-512-4800. Others should call GAO's Document Distribution Center, 202-512-6000.

This GAO report may be of special interest to many on this list.

Tim Wise

------------------------------

Date: Mon, 15 Feb 1999 10:38:34 -0700 (MST)
From: "Christopher M. Conway"
Subject: More on eBay "privacy"

It should also be noted that eBay on the one hand claims that they make no effort to verify user information, and that users may not hold them liable for false information about other users; and, that, on the other hand, they will terminate users that do not provide verifiable information. Sounds to me like they want to have their cake, and eat it too...

Far worse, actually, is that they claim that your personal information is only available to "registered users." They fail to note that "registered users" can include anyone and everyone who has an email address which is usable for the minute or so that registration takes. You see, registration consists of entering personal information (on an unprotected page, unless they've changed that quite recently) which is not verified in any way (how *can* it be); they send an email confirmation to the email address you give, with a codeword; and then you enter that code word into a web page, and Voila! You're a registered user, with the right to peruse personal information (including phone number and address) of any other registered user in their system.

Oh, and they do "adult verification" by requiring a credit card number. There is, of course, no way of knowing that the card holder is actually an adult (many children get cards based on their parents' accounts now).
Plus, there's no way of telling whether the card number given *belongs* to the registrant (there's no mapping between card number and names; I've tried putting in bogus information, and succeeded), so that a minor could put in their parents' card number (how hard is it for a minor to get a quick look at the monthly statement, or a receipt?), not to mention other card numbers gathered other ways. So, all they do is figure out if the card is a valid one, regardless of where it comes from. Further validation is not done; I've used a card number for a debit card for a closed account successfully. (I don't know if this would work if the card number is initially entered while invalid.)

Oh, and one final warning-- I tried to talk some sense with their "safe harbor" people, and, then, finally, the company founder; with the result that they retaliated against me, permanently deregistering my account for not allowing them to publish my unlisted telephone number. They had received no complaints about me, I'd just made myself a target by daring to criticize their policies. There's a reason why my .sig at home contains the line "EBay violates your privacy-- email me for details."

I am currently pursuing an action with TrustE to get eBay's certification yanked due to their bogus privacy "protection."

--
Christopher M. Conway
U*IX and C Guru
cmconwa@sandia.gov
wombat@prickly-wombat.com

------------------------------

Date: Sat, 20 Feb 1999 15:01:54 -0500
From: Dave Banisar
Subject: Announcement: CFP 99 April 6-8, Washington, DC

[Circulate until March 15, 1999]

Register now for the cyber event of the year:

        C    COMPUTERS, FREEDOM, AND PRIVACY
        F    THE GLOBAL INTERNET
        P
        9    WASHINGTON, DC
        9    Omni Shoreham Hotel
        .    April 6-8, 1999
        O
        R
        G

For almost a decade, the conference on Computers, Freedom and Privacy has shaped the public debate on the future of privacy and freedom in the online world. Register now for the number one Internet policy conference.
Join a diverse audience from government, industry, academics, the non-profit sector, the hacker community and the media. Enjoy the U.S. Capital in the Spring at one of Washington's premier hotels.

* Keynote speakers include Tim Berners-Lee (Director, World Wide Web Consortium), Vint Cerf (President, Internet Society), Congressman Ed Markey (sponsor of "The Electronic Bill of Rights Act"), Congressman Ron Paul (sponsor of the Freedom and Privacy Restoration Act), Henrikas Yushkiavitshus (Associate Director, UNESCO)

* Lively and thought-provoking panels on -- "the Creation of a Global Surveillance Network," "Access and Equity on the Global Internet," "Anonymity and Identity in Cyberspace," "Free Speech and Cyber Censorship," "Is Escrow Dead? And what is Wassenaar?", "Self-Regulation Reconsidered" and more

* Tutorials -- "The Electronic Communications Privacy Act" (Mark Eckenwiler); "Cryptography: Basic Overview & Nontraditional Uses" (Matt Blaze and Phil Zimmermann), "Free Speech, The Constitution and Privacy in Cyberspace" (Mike Godwin), "Techniques for Circumventing Internet Censorship" (Bennett Haselton and Brian Ristuccia)

Early Registration Deadline - March 15, 1999
--------------------------------------------

Register on-line at http://www.regmaster.com/cfp99.html or call +1 407 628 3602. Registration inquiries may also be sent to mann@regmaster.com.

- Mark the dates - April 6-8, 1999
- Note the place - Washington, DC
- Make your hotel reservations.

See you at CFP99.

For more information about CFP99, visit http://www.cfp99.org/ or call +1 401 628 3186

Sponsored by the Association for Computing Machinery

-------
David Banisar (Banisar@epic.org)                * 202-544-9240 (tel)
Electronic Privacy Information Center           * 202-547-5482 (fax)
666 Pennsylvania Ave, SE, Suite 301             * HTTP://www.epic.org
Washington, DC 20003                            * PGP Key http://www.epic.org/staff/banisar/key.html

------------------------------

End of PRIVACY Forum Digest 08.04
************************