Date:       Mon, 11 May 92 16:23:22 EST
Errors-To:  Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From:       Computer Privacy Digest Moderator  <comp-privacy@PICA.ARMY.MIL>
To:         Comp-privacy@PICA.ARMY.MIL
Subject:    Computer Privacy Digest V1#019

Computer Privacy Digest Mon, 11 May 92              Volume 1 : Issue: 019

Today's Topics:				Moderator: Dennis G. Rears

                         Census Bureau Database
                    "IF you have nothing to hide..."
                            Re:  TRW Reports
                         Re: Is e-mail private?
                          Re: Is e-mail private?
          Re:  E-mail privacy should be independent of carrier.
          Re: E-mail privacy should be independent of carrier.

     The Computer Privacy Digest is a forum for discussion on the
   effect of technology on privacy.  The digest is moderated and
   gatewayed into the USENET newsgroup comp.society.privacy
   (Moderated).  Submissions should be sent to
   comp-privacy@pica.army.mil and administrative requests to
   comp-privacy-request@pica.army.mil.
       Back issues are available via anonymous ftp on ftp.pica.army.mil
  [129.139.160.200].
----------------------------------------------------------------------

Subject: Census Bureau Database
Date: Sat, 9 May 92 9:22:26 CDT
From: "Eric J. Johnson" <null!eric@sparky.imd.sterling.com>


Here's another database that we may be overlooking wrt privacy
concerns.  In the past, I have worked with the U.S. Census Bureau's
household database, which contains all sorts of information about
the households in a particular census block and tract.  It contains
stuff like number of cars owned, number of toilets, income figures,
and all of the answers to those innocuous little questions Americans
are required to answer about themselves on their Census forms.
All available on tape from your friendly government.  The tapes I
have received are massaged to contain no personal information, but
it is quite straightforward to combine the household database with
the United States Postal Service Zip+4 database (free on tape from
the USPS) and your local telephone directory ($$ on tape from most
RBOCS with non-pubs excluded) and voil`a we have your name, address,
phone number and a rather good profile of your household to assist
in targeted mailings and calls.  The possibilities are endless!

For example, if I already happen to own a few mailing lists,
I can filter them through this database and produce a more exact
match of the type of household I am trying to target.  As far
as reducing junk mail is concerned, this may not be all bad.
But say I am a bank out looking for new customers, or better yet, the
bank/credit card processor which already has a financial records
on you...

Think of the tool this is for law enforcement.  All the government
has to do is develop a demographic profile of a particular
type of criminal, produce a list of the most likely suspects in
a particular area (zip+4 resolves down to a single side of a single
city block) and target them for closer scrutiny.  And you provided
them the information that made this possible on your Census form!

A story I was told by one of the marketers out hawking an on-line 
database of this type I helped develop (about five years ago) tailored
for the banking community might help illustrate the appeal of this
sort of tool.  The demo was pretty simply, a portable PC with an
overhead projector adapter connected remotely to a database machine.
The marketer would ask a member of the audience for their zip code.
They would the enter a simple SQL command to retrieve (in a couple
seconds) the household demographic info for the particular
person's household.  The marketer would then read off the demographic
profile to a stunned audience.  There was at least one person who
stood up during the demo yelling that there was no way such private
information could be available!  I'll bet that person's company was
one of the first in line to purchase the service, though.

What got me started writing this article was a conversation I had
a few days ago with a genealogy fan in my office.  I had tacked
up on the wall of my office one the many articles flying about 
regarding all the information available to someone with your SSN.
He read the article and told me that he could get much more 
information through an area genealogical society, which has been
tracing families through dial-up access to the Census Bureau's
computer.  It seems they have access to individual's personal records.

I wonder who else does...

-- 
Eric J. Johnson
UUCP: eric@null.uucp
The opinions expressed in this article are those of the author and in
no way reflect the will of Landru.  (or U S WEST Communications)

------------------------------

From: The Jester <ygoland@edison.seas.ucla.edu>
Subject: "IF you have nothing to hide..."
Date: 9 May 92 19:49:17 GMT


One of the reasons that many people are against 'intrusive' laws is
because they disagree with the rational "If you have nothing to
hide, then you don't need to worry." However what I have failed to
see is a single cogent explination of WHY the rational of "If you
have nothing to hide, then you have nothing to fear" is a bankrupt
one. Would anyone care to provide a concise explination of WHY the
previously mentioned rational is wrong? And please, though examples
are useful for illustration of a point, they do not make one.
					The Jester
--
			The Jester
"You can lead a herring to water, but you have to walk really fast,
or he'll die."-Stolen from my Evil Mistress (TM)
               NWILSON@MIAVX1.ACS.MUOHIO.EDU

------------------------------

From: James Davies <jrbd@craycos.com>
Subject: Re:  TRW Reports
Date: Sun, 10 May 92 04:42:06 GMT
Apparently-To: <comp-society-privacy@uunet.uu.net>

In article <comp-privacy1.17.3@pica.army.mil> zimmer@gw.wmich.edu writes:
>
>Montgomery Wards, when successfully soliciting business over the phone 
>with you, does ask for private information you've previously supplied 
>them to verify you are who they think you are.

It's been my experience that most organizations use the same piece of
"private information" for verification -- your mother's maiden name.
This is about as secure as using your social security number in some sense,
in that someone who cared could easily find it out with a little research.

AT&T asked for this when I called their Universal Card 800 number with 
a change request last week.  I've been tempted to make up a different
"mother's maiden name" for each organization that asks (including, in the
past, various utility companies and banks), but I worry that I'll forget it
and they won't have any way of resetting my "password" (after all, your
mother's maiden name isn't supposed to change, right?).

------------------------------

From: sbyers@crash.cts.com (Steve Byers)
Subject: Re: Is e-mail private?
Date: Sun, 10 May 1992 23:45:05 GMT

>Continuing the discussion on whether e-mail is "private," our esteemed
>Moderator wrote:
> ... On a different note I seem to recall federal
>legislation some years back that made interception of email a federal
>offense.  Does anyone know anything about that? _Dennis ]

I'm surprised you guys don't have this already.  I picked it up a few
months ago on alt.privacy.  I have included the whole article below
(including the header) in case you want to look up the thread yourself.

[Note to moderator:  I realize this is a bit long, so feel free to edit
 it in any way you see fit.]

		-------- begin included article --------


#From: riddle@hoss.unl.edu (Michael H. Riddle)
#Subject: Re: E-mail Privacy
#Date: 29 Mar 91 17:15:17 GMT

In <1991Mar29.082317.14316@vpnet.chi.il.us> louisg@vpnet.chi.il.us (Louis Giliberto) writes:

>To what extent should E-Mail be private?  I believe that the general consensus
>is that it should be viewed as private, and not intentionally looked at.  It
>is common in performing maintainence funvtions that some mail may accidently
>be seen, but in general E-Mail should not be wilfully read.

Correct so far.

>This brings up a problem though (digression time!).  If, as recent events
>have shown, a system operator can lose his computer if illegal messages
>are passed through E-mail without his knowledge, then does he have a right
>and/or responsibility to monitor E-mail?  

At a minimum, the person or entity providing the service has a right to
report evidence of illegal acts occurring on the system.

>Without protecting the sysop/administrator from responsibility for what passes
>through his machine, he may have to take unorthodox steps to cover his hide.
>This confuses the issue greatly, and brings responsibility and privacy into
>conflict with one another.

>For if the law states that he IS responsible for the mail in his system, and
>there is another law which guarantees the privacy of E-mail, the two become
>at odds with each other.  Can this be resolved?  I think this is
>an important point to consider.

The Electronic Communications Privacy Act of 1986, codified at 18 U.S.C.
2701 et seq., attempts to strike this balance.  Since this is the law, it
is the required starting point for any intelligent discussion of the
subject.  If the current law has flaws, then means exist to get it changed.

The following are the principal parts that apply to this area:

  CHAPTER 121.  STORED WIRE AND ELECTRONIC COMMUNICATIONS AND 
                  TRANSACTIONAL RECORDS ACCESS 
 
s 2701.  Unlawful access to stored communications
 
(a) Offense. Except as provided in subsection (c) of this section
whoever
 
    (1) intentionally accesses without authorization a 
facility through which an  electronic communication service is 
provided; or 
 
    (2) intentionally exceeds an authorization to access that 
facility; and thereby obtains, alters, or prevents authorized 
access to a wire or electronic communication while it is in 
electronic storage in such system shall be punished
as provided in subsection (b) of this section.
 
(b) Punishment. The punishment for an offense under subsection (a)
of this section is- 
 
    (1) if the offense is committed for purposes of commercial 
advantage, malicious destruction or damage, or private commercial
gain
 
      (A) a fine of not more than $ 250,000 or imprisonment for
not more than one year, or both, in the case of a first offense 
under this subparagraph; and
 
      (B) a fine under this title or
imprisonment for not more than two years, or both, for any 
subsequent offense under this subparagraph; and
 
    (2) a fine of not more than $ 5,000 or imprisonment for not
more than six months, or both, in any other case. 
 
(c) Exceptions. Subsection (a) of this section does not apply with
respect to conduct authorized- 
 
    (1) by the person or entity providing a wire or electronic 
communications service; 
 
    (2) by a user of that service with respect to a communication
of or intended  for that user; or 
 
    (3) in section 2703, 2704 or 2518 of this title. 
 
  CHAPTER 121.  STORED WIRE AND ELECTRONIC COMMUNICATIONS AND 
                  TRANSACTIONAL RECORDS ACCESS 
 
s 2702.  Disclosure of contents 
 
(a) Prohibitions. Except as provided in subsection (b)- 
 
    (1) a person or entity providing an electronic communication 
service to the public shall not knowingly divulge to any person or
entity the contents of a communication while in electronic storage
by that service; and
 
    (2) a person or entity providing remote computing service to
the public shall not knowingly divulge to any person or entity the
contents of any communication which is carried or maintained on
that service-
 
      (A) on behalf of, and received by means of electronic
transmission from (or created by means of computer processing of
communications received by means of electronic transmission from),
a subscriber or customer of such service; and
 
      (B) solely for the purpose of providing storage or computer
processing services to such subscriber or customer, if the provider
is not authorized to access the contents of any such communications
for purposes of providing any services other than storage or
computer processing. 
 
(b) Exceptions. A person or entity may divulge the contents of a
communication-
 
    (1) to an addressee or intended recipient of such
communication or an agent of such addressee or intended recipient;
 
    (2) as otherwise authorized in section 2517, 2511(2)(a), or
2703 of this title; 
 
    (3) with the lawful consent of the originator or an addressee
or intended recipient of such communication, or the subscriber in
the case of remote computing service; 
 
    (4) to a person employed or authorized or whose facilities are
used to forward such communication to its destination; 
 
    (5) as may be necessarily incident to the rendition of the 
service or to the  protection of the rights or property of the 
provider of that service; or
 
    (6) to a law enforcement agency,
if such contents- 
 
      (A) were inadvertently obtained by the service provider; and
 
      (B) appear to pertain to the commission of a crime. 


--
            <<<< insert standard disclaimer here >>>>
riddle@hoss.unl.edu                  |   University of Nebraska 
postmaster%inns@iugate.unomaha.edu   |   College of Law
mike.riddle@f27.n285.z1.fidonet.org  |   Lincoln, Nebraska, USA


------------------------------

Date:      Mon, 11 May 1992 11:28:03 EDT
From:      Stacy Veeder <SBVEEDER%SUVM.bitnet@cunyvm.cuny.edu>
Subject:   Re: Is e-mail private?

Jyrki Kuoppala <jkp@cs.hut.fi> writes:

>It is illegal, just as it is illegal to tap into people's phones.
>However, there's a small hole in the law - it's illegal only when the
>email is "in transit" and nobody really knows what that means.  That's
>going to be changed to cover all email.

>//Jyrki

I'm afraid this is inaccurate.  The Electronic Communications Privacy Act
of 1986 covers electronic mail both in transit _and_ in storage.  Moreover,
the ambiguities in the law, as it is now written, are not in how "in transit"
is defined (see 18 USC 2510 et seq.), but rather in the level of privacy
protection (if any) covering e-mail that passes through gateways connecting
public and private networks.

Stacy B. Veeder
Bitnet:   SBVEEDER@SUVM.BITNET
Internet: sbveeder@suvm.acs.syr.edu

DISCLAIMER:  I am not a lawyer, just a layman following legal and other
             developments in the area of e-mail privacy.  If you need
             legal advice, contact an attorney.

------------------------------

Date:     Sun, 10 May 92 21:10:45 EDT
From:     Brinton Cooper <abc@brl.mil>
cc:       Bob Weiner <rsw@cs.brown.edu>
Subject:  Re:  E-mail privacy should be independent of carrier.


Bob Weiner <rsw@cs.brown.edu> writes, in response to my posting on
whether one has an expectation of privacy in e-mail:


> The ignorance that yields this kind of widespread corporate view on
> information privacy comes from a biased analysis that asks only "What
> can we do with this technology?" not "What should we do, given what we
> know we can do?"

The poster's question was whether there IS an expectation of privacy,
not whether there SHOULD BE.  I addressed this question and did not
state my position on it's correctness.  I believe that, taken to the
presently-constituted Supreme Court, the "corporate view" would
prevail.   (Incidentally, I do not hold corporate views.  I have no
connection with any corporations.)

> No such right has been widely recognized in our electronic mediums
> such as e-mail within a private network, even though it should be easy
> to recognize the direct parallels to both paper mail and telephony.  A
> call that goes from one extension of a PBX to another of its
> extensions never passes through any "common carrier" network, yet I am
> fairly certain, it is protected in the same way, because we recognize
> that there is more to the issue at stake than just the status of the
> carrier that transfers the signals.

We may recognize it, but the  machines' owners may not.  In any case,
the machines' owners can, in fact, get access to any file on the
machine.  Do you expect an employee to obtain a federal court injunction
denying a machine's owners access?

> So answers to issues of privacy that we can socially tolerate are not
> to be found in asking questions such as "who's equipment was involved"
> but only in "who were the conversants," "what was the conversation
> on," "in what capacity was the conversation held," etc.

I rather like the concept embodied in the last three "questions," but I
believe that, in the present climate, they represent only wishful
thinking.  

_Brint


------------------------------

From: Steve Barber <cmcl2!panix.com!sbarber@uunet.uu.net>
Subject: Re: E-mail privacy should be independent of carrier.
Date: Mon, 11 May 1992 01:35:10 GMT

In <comp-privacy1.17.1@pica.army.mil> rsw@cs.brown.edu (Bob Weiner) writes:

>No such right has been widely recognized in our electronic mediums
>such as e-mail within a private network, even though it should be easy
>to recognize the direct parallels to both paper mail and telephony.  A
>call that goes from one extension of a PBX to another of its
>extensions never passes through any "common carrier" network, yet I am
>fairly certain, it is protected in the same way, because we recognize
>that there is more to the issue at stake than just the status of the
>carrier that transfers the signals.

While I agree that "personal" communications made from the place of business
ought to be private, when made by telephone they just aren't.  Courts have
ruled that companies may listen into employee phone calls, since, after all
the company owns the PBX.  Sigh.  Privacy activists (and workplace rights
activists like 9to5) are busting their guts just to get companies to
even *notify* employees about surveillance policies.  Getting them to 
stop monitoring is a long way off.  Solution?  Get a cellular phone and
take it to work.  Get one with a modem and jack into the internet via a
public access host that ensures your privacy by contract or statute (i.e.
the ECPA of 1986), from your own laptop.  Ridiculous?  Sure.

-- 
Steve Barber                                             sbarber@panix.com
"The direct deed is the most meaningful reflection." - Bill Evans
The above is not a legal advice. It is, at best, a discussion of
generalities. Consult your attorney before acting in a specific situation.


------------------------------


End of Computer Privacy Digest V1 #019
******************************