Date:       Mon, 18 May 92 17:01:34 EST
Errors-To:  Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From:       Computer Privacy Digest Moderator  <comp-privacy@PICA.ARMY.MIL>
To:         Comp-privacy@PICA.ARMY.MIL
Subject:    Computer Privacy Digest V1#029

Computer Privacy Digest Mon, 18 May 92              Volume 1 : Issue: 029

Today's Topics:				Moderator: Dennis G. Rears

                  Re: Privacy and Law and Order (Long)
                  Re: "IF you have nothing to hide..."
                  Re: "IF you have nothing to hide..."
                  Re: "IF you have nothing to hide..."
                  Re: "IF you have nothing to hide..."
                  Re: "IF you have nothing to hide..."
                  Re: "IF you have nothing to hide..."
                  Re: "IF you have nothing to hide..."
                      IF you have nothing to hide
                    Privacy in video rental records?
                          Re: What's to hide?
                  Re: "IF you have nothing to hide..."
             An answer to "IF you have nothing to hide..."
                  Re: "IF you have nothing to hide..."
                           Caller ID decision
              European Unification & Information Security
                     Papers of interest to readers
                       re: Is Email Private--NOT!
                         Re: Is e-mail private?

     The Computer Privacy Digest is a forum for discussion on the
   effect of technology on privacy.  The digest is moderated and
   gatewayed into the USENET newsgroup comp.society.privacy
   (Moderated).  Submissions should be sent to
   comp-privacy@pica.army.mil and administrative requests to
   comp-privacy-request@pica.army.mil.
       Back issues are available via anonymous ftp on ftp.pica.army.mil
  [129.139.160.200].
----------------------------------------------------------------------

From: Emmett <icsu8249@cs.montana.edu>
Subject: Re: Privacy and Law and Order (Long)
Date: 14 May 92 03:29:14 GMT


In article <comp-privacy1.18.3@pica.army.mil> John Higdon <john@zygot.ati.com> writes:
>> From: Conrad Kimball <cek@sdc.boeing.com> writes:
>
>> If I was given the option of selecting my line's default to be either
>> blocked or unblocked, with a '*' code to temporarily reverse the
>> default, I'd be a happy camper.
>
>Is this what it would take to satisfy you on the whole matter of CNID?
>This comes under the heading of "feature implementation" and is so
>trivial as to be not worth mentioning, yet it would be, for you, the
>salvation of CNID. Incredible.
>

Key words there are 'for you'.  As for the 'feature implementation'
argument, when is the last time you tried to get something changed
after you accepted delivery?  It's always made sense to me to get it
right the first time.  The fact that there is a controversy over 
this issue at all should show you that not everyone believes it
would be offered as a feature.

[ Argument that privacy shouldn't be given up now that we have it, deleted ]

>And that, dear sir, is exactly why you and millions like yourself can
>get credit cards, debit cards, instant store accounts, bank lines of
>credit, property sale closures in days instead of months, and all of
>the financial conveniences that are taken for granted these days. Do
>you think that all of these companies and financial institutions would
>just hand you the money if they knew nothing about you? In Smalltown,

Do you think I would get letters about 'Terrific new products we're
just absolutely positive you'll love hearing about, even when we send
you yet another copy of this letter with a TENTH variant of your name
on it.' if they knew nothing about me??

>after you had lived there for about ten years, Mr. Smith might just
>open a store account for you with a small limit. After another ten of
>showing a good payment history (as observed and recorded by Mr. Smith)
>you might get your limit raised. Of course all of this credit is only
>good at one place: Mr. Smith's.
>
>Today, your credit is portable and easily obtained at new locations.
>How did YOU think that it was possible to walk into a store for the
>first time in your life and open an account? Magic?
>


>> Must we tolerate (nay, even aid and abet!) repeats of the shoddy history
>> of credit bureaus such as TRW, in which the worst problem is not so much
>> that they have a lot of data (which some would argue is a problem in
>> itself), but rather that so much of the data they have is incorrect,
>> and use of which can seriously damage people.
>
>Then it should be corrected. I have done this myself; it is not hard.
>Without this extensive database, we would be forced back into a
>cash and carry society. While some may approve of that, there are many
>more who would not.
>

Your argument is that you and others who share your opinion feel you
would be inconvenienced if you were forced into a situation not of
your choosing or of your liking.  Guess what my argument is.

>> Some people have raised concerns
>> about lifestyle data being fed to insurance companies, which being *very*
>> highly motivated to reduce risk, raise rates or refuse coverage in
>> situations that do not in fact warrant it.  And, when they raise your
>> rates or refuse you coverage, how are you to know the basis for their
>> unjust decision?
>
>Try asking. Someone, somewhere started the "truism" that "they" are
>unreachable, untouchable, and have unlimited power. I have received
>such things as notices of cancellation and simply called the company to
>get an explanation. In some cases, after discussing the matter, the
>cancellation was rescinded. I am surprised that you give people so little
>credit for being able to pick up a phone or write letters of inquiry.

Why is this my responsibility??  These people are paid quite handsomely
for providing information that is presumed accurate by their customers.  
Extending your line of reasoning leads to the argument that if I choose
to eat food that has been shipped to a grocery store in a truck, then I'm
responsible for doing maintenance work on the truck.

>Of course, failing to mention those avenues of redress gives more
>weight to your argument. And speaking of weight:
>
>> - The greenhouse effect.
>
>> - Smoking.
>
>> - Logging
>
>What do these things have to do with privacy? Is the implication that
>the consequences are on a par with these things? Is this the only way you
>can make your argument seem non-trivial? The most serious privacy
>violations that could occur in modern society will not kill, maim, or
>even cause much more than a minor annoyance or inconvenience. We are
>not talking disastrous global climate changes here. We are not talking
>500,000 deaths a year. We are not even talking about endangered
>species.
>

No, we're talking about minor annoyances and inconveniences.  Frankly,
given a choice I'd just as soon avoid them.  Besides, it's at least
as important to me as the issue of death from smoking (I don't smoke)
and will impact me personally a lot more than spotted owls (I doubt
I'll encounter a significant number of spotted owls in my lifetime,
but I'm pretty sure I haven't seen the last of the annoyances and
inconveniences).  Besides [ my turn to be dramatic ], falling two
feet is pretty minor by itself, but if they happen to be the last
two feet of a hundred foot drop, the results are noticeable.


[ Bluster about things I consider irrelevant deleted ]

>
>There is someone who asserted in print that we are all going
>to get cancer because of electrical transmission lines. I would guess
>that you must be in favor of shutting down our electrical grid until
>someone proves him wrong. Never mind that it would disrupt our whole
>way of life, destroy the economy, and literally make it impossible for
>people to live in our cities. But we cannot take any chances now, can
>we?
>

Until you hit the bit about shutting down the cities, you weren't doing
too badly there.  Shut 'em down says I. :-)

>So it is with privacy. A few very noisy people are running around
>announcing the death of all we hold near and dear because some nasty
>people can find out our little secrets. Shall we return to green visors
>and ledger paper until the theorists can come to a conclusion one way
>or another? Does it really matter?
>

For someone who was just complaining about making sweeping statements
just for effect, don't you think this is a bit much??  

Personally I see it as a bandage.  I'd rather do away with the nasty
people that can 'find out our little secrets'.  As far as I'm concerned 
it does matter.  

If it were an ideal world, I can't think of anything I've personally done 
in the privacy of my own home that I would really care one way or another 
if the world knew about (a few things that might disturb my mother, but 
such is life).  Unfortunately, there are a lot of people in the world (and
even in Montana) who possess value systems that I choose not to subscribe 
to.  Some of them have the clout to be more than minor annoyances.

You used the metaphor of Smalltown, USA.  In Smalltown, there was only
one Mrs. Grundy, if you include Tinytown and Diminutive-ville to the
list we're talking about at least three Mrs. Grundys.  How many do you
suppose live in the New York or LA areas alone?  Can you really blame
me for not wanting to be forced to deal with them??


>
>-- 
>        John Higdon         |   P. O. Box 7648   |   +1 408 723 1395
>    john@zygot.ati.com      | San Jose, CA 95150 |       M o o !

-- 
Larry Emmett                        v  'Computers are a lot like the God of the
Internet:icsu8249@cs.montana.edu   /o\   Old Testament.  A whole lot of rules
Bitnet:  icsu8249@MtsUnix1.bitnet  ---     and no mercy.'  -- Joseph Campbell

------------------------------

From: David Karr <karr@cs.cornell.edu>
Subject: Re: "IF you have nothing to hide..."
Date: 14 May 92 16:28:24 GMT
Source-Info:  From (or Sender) name not authenticated.
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
              |||||||||||||||||||||||||||||||||||||||


In article <comp-privacy1.19.2@pica.army.mil> ygoland@edison.seas.ucla.edu (The Jester) writes:
>Would anyone care to provide a concise explanation of WHY the
>previously mentioned rational is wrong? 

Because everyone has something to hide from someone.  Even you.  (Or do you
claim there is NOTHING you ever do that you would be ashamed for me to have
a videotape of?)

>And please, though examples
>are useful for illustration of a point, they do not make one.

And, pray tell, why not?  Suppose I tell you that it's a bad idea to shove
paper clips into live electrical outlets with your bare fingers.  Suppose
you don't believe me.  Suppose I then suggest you try it and see, and you
do, and you get a shock.  Now the shock would just be an example illustrating
my point, not exactly a mathematical argument, yet I think it would make the
point pretty well, don't you?

-- David Karr

------------------------------

From: "Daniel E. Platt" <platt@watson.ibm.com>
Subject: Re: "IF you have nothing to hide..."
Date: 14 May 92 20:09:34 GMT
Disclaimer: This posting represents the poster's views, not necessarily those of IBM
Source-Info:  From (or Sender) name not authenticated.
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
              |||||||||||||||||||||||||||||||||||||||


In article <comp-privacy1.25.3@pica.army.mil>, emba-news.uvm.edu!cavrak@kira.uvm.edu (Steve Cavrak) writes:
|> "If you have nothing to hide, you have nothing to fear"
|> 
|> - sounds like an opening line by the KGB, CIA, FBI, Stasi, or you name
|> your favorite terrorist group,
|> 
|> - sounds like an incorrect inversion of, "if you are fearful, you must
|> be hiding something" - i.e. you are the cause of your own fear.
|> 
|> -
|>  ------------------------------------------------------------------------
|> 
|> HEY !@
|> 
|> 
|> - I have the right to an unlisted phone number
|> 
|> - I have the right not to have a telephone at all
|> 
|> - I have the right not to carry identification
|> 
|> - I have the right to travel without telling anyone where I am going
|> 
|> - I have the right to carry money
|> 
|> - I have the right not to carry money
|> 
|> - I have the right not to be searched WITHOUT DUE CAUSE.

Not if you ride a public bus.

|> 
|> HEY!
|> 
|> This is America.  These are the rights that make it so.

This must not be America any more (we seem to have ceded our rights
when we supported candidates who felt the police powers had suffered,
and put in supreme court justices who agreed).

|> 
|> We don't need to apologize for them, we need to celebrate them, to
|> assert them.

We need to get them back.

|> 
|> Geez.
|> 
|> Steve
|> 
|> [Moderator's Note:  Do you really have a right to an unlisted phone
|> number?  What type is it?  God Given, constitutional, moral, or another
|> type of right?  What entity gave you this right?  Constitutional rights
|> only apply to what the government does to its citizens not what private
|> entities do to citizens.  What about the "right" of the Telephone
|> Company to give you service on its own terms.  It is TPC that gives you
|> phone service and it is their number not yours.  It is only for your
|> use while you pay for the service. _Dennis]

------------------------------

From: Carl Ellison <cme@ellisun.sw.stratus.com>
Subject: Re: "IF you have nothing to hide..."
Date: 14 May 92 20:18:56 GMT


The proposition behind the trick question is that the government has the
right to spy on us without being equally open and transparent to all
citizens in return.

The flaw is that this proposes a two-class system with the people in the
second-class role.  That is reversed from the basis of this country.
Knowledge is power and in our democracy, the power lies in the people not
in the government.  It is therefore vital that the government have a
minimum of knowledge about the citizens and that the citizens have a
maximum of knowledge about the government.

Result: prohibit encryption technology in the hands of the government; give
it to the individual citizens only.

After all: aren't we happy that Ollie North's criminal activities were
available for public examination?

------------------------------

From: "Richard A. Schumacher" <schumach@convex.com>
Subject: Re: "IF you have nothing to hide..."
Date: 15 May 92 01:30:02 GMT



>In article <comp-privacy1.19.2@pica.army.mil> ygoland@edison.seas.ucla.edu (The Jester) writes:
>>One of the reasons that many people are against 'intrusive' laws is
>>because they disagree with the rational "If you have nothing to
>>hide, then you don't need to worry." However what I have failed to
>>see is a single cogent explanation of WHY the rational of "If you
>>have nothing to hide, then you have nothing to fear" is a bankrupt
>>one. Would anyone care to provide a concise explanation of WHY the
>>previously mentioned rational is wrong?

(BTW: The word is "rationale".)

Because people disagree, sometimes violently, about what is worth
hiding. For example, one person might go to absurd lengths to prevent
people from learning the details of how he masturbates even though most
people would probably find it uninteresting. For another example,
many people do not want their tax returns made public even though
they might not reveal anything which is, strictly speaking, illegal.
Is the point now clear? (If you have no emotional need for privacy,
or no appreciation for the need in others, then I suppose that no 
argument against the "nothing-to-hide" doctrine will have any force
for you.)

------------------------------

From: James Davies <jrbd@craycos.com>
Subject: Re: "IF you have nothing to hide..."
Date: Fri, 15 May 92 20:15:03 GMT

In article <comp-privacy1.26.5@pica.army.mil> ygoland@edison.seas.ucla.edu (The Jester) writes:
>
>There have been several posts regarding my quest for a definitive
>statement regarding WHY the concept of "if you have nothing to hide
>then you have nothing to fear" is wrong. However these posts have
>consistently ignored the point I ended my post with, that examples
>do NOT make a point, they only illustrate one. The responses seen so
>far have been examples and lots of them, some good, some not, but
>examples none the less. So far no one has been able to write a
>concise explanation of WHY they feel that this idea is wrong. We are
>all in agreement that the statement IS wrong. Why is everyone
>(myself included) having so much trouble coming up with a short,
>direct, statement of why?

My private affairs are my business, not the government's.
I see no reason to elaborate on this view.

------------------------------

From: Charlie Mingo <Charlie.Mingo@p4218.f70.n109.z1.fidonet.org>
Date: Fri, 15 May 1992 21:00:01 -0500
Subject: IF you have nothing to hide

mc/G=Brad/S=Hicks/OU=0205925@mhs.attmail.com writes:

  > If admitting that you want privacy equals an admission that you have
  > "something to hide", then by definition the people who seek privacy
  > are admitting that they have something to hide.  Compelling them to do
  > this as a matter of law would violate the 5th amendment to the U.S.
  > Constitution, and is generally recognized as tacky elsewhere.

    As a general matter, this is not true.  The Fifth Amendment only 
protects against forced incrimination as part of a criminal or 
quasi-criminal (eg, legislative committee) proceeding. It is far too 
narrow a provision to support the concept of "privacy" you are trying 
to establish.

    The Fifth Amendment does permit the government to force you to
disclose things outside of the courtroom which may tend to incriminate you.
For example, the US Treasury requires people transferring over $10,000
into or out of the country in cash or bearer form to report this, and
the sole reason for the reporting is to detect money laundering.  No
court has ever recognized a Fifth Amendment defense for a person charged
with failing to report money transfers.

    There are countless instances where we are required to report
on ourselves (taxation, customs declarations, etc.) where the information
provided may expose us to criminal liability.  The Fifth Amendment is
designed as a protection against tortured confessions, not against 
non-criminal reporting requirements.

 

------------------------------

From: Charlie Mingo <Charlie.Mingo@p4218.f70.n109.z1.fidonet.org>
Date: Fri, 15 May 1992 21:09:30 -0500
Subject: Privacy in video rental records?

"Mark P. Neely" <NEELY_MP@darwin.ntu.edu.au> writes:

  > ___ State Attorney John Tanner (Volusia Co, FL) has subpoenaed the
  > rental records of two video shopkeepers to identify the individuals
  > who rented one of four named explicit films.
  > 
  > Ostensibly, the customers are only wanted as potential witnesses.
  > Tanner states that he does not intend to prosecute any citizen whose
  > name might be on this list. Both store owners are resisting, citing
  > customers' rights to privacy. Tanner maintains people who rent
  > material have no expectation of privacy.

   Did this take place in the US or Australia?  I believe there is
a federal law prohibiting the release of video rental records enacted
after the confirmation hearings for Judge Robert Bork for the US Supreme
Court in 1987.  

   During the hearings, a local free paper (DC's _City Paper_) managed
to obtain a list of Bork's rentals (nothing very interesting -- lots of
1940's-era B classics), and tried to make something of it.

   During the Thomas confirmation hearings in 1991, one of the major
unanswered questions turned out to be whether the Judge was familiar 
with certain porno movie stars, a question which could easily be answered
by checking the local video stores.  Fortunately, the Judge's records
were safe from prying eyes, and he now sits upon the Court.
 

------------------------------

From: Bryan Morse <morse@cs.unc.edu>
Subject: Re: What's to hide?
Date: 15 May 92 21:34:10 GMT


In article <comp-privacy1.23.2@pica.army.mil> michael.scott.baldwin@att.com writes:
>As has been mentioned, the Supreme Court (Bowers v. Hardwick) does not see
>any privacy right in the Constitution, and even invoked Judeo-Christian
>teachings to support laws that invade our privacy.  And these laws are
>not trifling: in Georgia, sodomy is a FELONY with up to 20 YEARS in jail.

Wasn't this the case where the police officer had a warrant (based
on other charges), was allowed entry by another member of the household,
and then witnessed the "felonious" act through a partially open doorway?

What made this such a landmark case was that it was a rare opportunity
to test such laws.  They usually don't come up because enforcement is
so difficult (due to laws regarding privacy).  This made for a perfect
test case because the officer did *not* violate the privacy of the
individuals when witnessing the illegal act.  

The court upheld the position that the officer legitimately entered
the house (for other reasons, remember) and therefore did not violate
anyone's privacy.  They also upheld the Georgia law.  The outcome
of this is not a wholesale loss of privacy.  What the court basically
said was that laws regarding "private" conduct were permissible,
but reemphasized that the enforcement of such could not invade privacy.  
In other words, it is not the law itself that invades privacy, but the
enforcement of it.  In cases like this where the enforcement does not
invade privacy, the law can be applied.

(Okay, so this is getting away from the technical aspects of the
group, but this is the second time I have seen this case misapplied
here in the last week.)

-- 
Bryan Morse                University of North Carolina at Chapel Hill
morse@cs.unc.edu           Department of Computer Science

------------------------------

From: egdorf@zaphod.lanl.gov (Skip Egdorf)
Subject: Re: "IF you have nothing to hide..."
Organization: Los Alamos National Laboratory
Date: Fri, 15 May 1992 23:51:19 GMT

In article <comp-privacy1.19.2@pica.army.mil> ygoland@edison.seas.ucla.edu (The Jester) writes:

>   One of the reasons that many people are against 'intrusive' laws is
>   because they disagree with the rational "If you have nothing to
>   hide, then you don't need to worry." However what I have failed to
>   see is a single cogent explanation of WHY the rational of "If you
>   have nothing to hide, then you have nothing to fear" is a bankrupt
>   one. Would anyone care to provide a concise explanation of WHY the
>   previously mentioned rational is wrong? And please, though examples
>   are useful for illustration of a point, they do not make one.

There are two main reasons that I can see:

1. Everyone has something to hide. Did you just buy something for a
   Lover on your credit card and don't want your spouse to know? Are
   you <ethnic> in an <ethnic>-intolerant area?

   From basic logic 101: "IF a -> b" When "a" is FALSE, then "b" is true.
   A false premise implies any conclusion. This is one of the more important
   and least intuitive statements of logic. Your basic premise is false.

2. Even if I had nothing to hide, the real-life data-collectors are very
   inaccurate. How many folks have been sending in to TRW lately to see
   just how much stuff they had to have removed from their credit records?
   Either by accident or malice, false information can be very damaging.

I believe that I have suggested that BOTH your premise and conclusion are
false. Your false premise allows me to state that your <statement> is TRUE
regardless of the conclusion. Hence, there is absolutely NOTHING wrong with
the statement "If you have nothing to hide, then you don't need to worry."
It is perfectly TRUE.

How do we discuss this from this point?

						Skip Egdorf
						hwe@lanl.gov

------------------------------

From: Len Charest <charest@ai-cyclops.jpl.nasa.gov>
Subject: An answer to "IF you have nothing to hide..."
Date: Sat, 16 May 1992 00:14:58 GMT

In article <comp-privacy1.26.5@pica.army.mil>, ygoland@edison.seas.ucla.edu (The Jester) writes:
|> 
|> There have been several posts regarding my quest for a definitive
|> statement regarding WHY the concept of "if you have nothing to hide
|> then you have nothing to fear" is wrong. However these posts have
|> consistently ignored the point I ended my post with, that examples
|> do NOT make a point, they only illustrate one. The responses seen so
|> far have been examples and lots of them, some good, some not, but
|> examples none the less. So far no one has been able to write a
|> concise explanation of WHY they feel that this idea is wrong. We are
|> all in agreement that the statement IS wrong. Why is everyone
|> (myself included) having so much trouble coming up with a short,
|> direct, statement of why?

Perhaps you missed this...

In article <comp-privacy1.23.2@pica.army.mil>, michael.scott.baldwin@att.com writes:

|> Let me try, without using examples: the definition of what it is that you
|> have to "hide" rests with the government, not you.  If the legal system
|> creates bankrupt laws that make your private life punishable, then you end
|> up hiding and fearing for simply living your life and pursuing your own
|> happiness.

BTW, I assume that since "we are all in agreement that the statement is wrong", you were just playing devil's advocate in your original post vis a vis your 'nom de net', Mr. Jester.
 ..................................................
                                  Len Charest, Jr.
                 JPL Artificial Intelligence Group
                          charest@aig.jpl.nasa.gov

------------------------------

From: "Michael T. Palmer" <palmer@isye.gatech.edu>
Subject: Re: "IF you have nothing to hide..."
Date: 16 May 92 04:04:40 GMT


ygoland@edison.seas.ucla.edu (The Jester) writes:

>There have been several posts regarding my quest for a definitive
>statement regarding WHY the concept of "if you have nothing to hide
>then you have nothing to fear" is wrong. However these posts have
>consistently ignored the point I ended my post with, that examples
>do NOT make a point, they only illustrate one. The responses seen so
>far have been examples and lots of them, some good, some not, but
>examples none the less. So far no one has been able to write a
>concise explanation of WHY they feel that this idea is wrong.

Bullshit.  I have seen at least four posts which contain no examples,
but state clearly how the concept of "If you have nothing to hide..."
violates the basis of our legal system; i.e. that you are innocent
until proven guilty (with all the attendant regulations concerning
probable cause for searches and seizures).

True, many people have chosen to respond with examples, but I challenge
you to find a single "example" or "case study" in even my own earlier
response.  I have seen several well-constructed *arguments* (not
examples) better than my own in later postings as well.  Please, pretty
please, take the time to actually read the responses you get to questions
that you post.  My apologies if you did read them all.  But if you did,
I cannot fathom how you could claim that nobody explained why this was
wrong.  I'm not trying to start a flame war.  Honest.  But if you
(re)read the previous responses I think you'll find that your question
was indeed answered.

Note to the moderator:  You may edit the first word of this if you feel
you absolutely must (use asterisks for the vowels or something).  And
then please remove this note to you.  Thanks.
--
Michael T. Palmer, M/S 152, NASA Langley Research Center, Hampton, VA  23665
Temporarily a Techie: Center for Human-Machine System Research, Georgia Tech
Voice: 404-894-4318,    FAX: 404-894-2301,    Email: palmer@chmsr.gatech.edu

------------------------------

Date:    Sat, 16 May 1992 10:12:38 GMT
From: "Mark P. Neely" <NEELY_MP@darwin.ntu.edu.au>
Subject: Caller ID decision

Pulled this one from a mailing list...

Mark N.


Subj:	PRIVACY WINS OVER CALLER ID in the State of Washington
Sender:       Activists Mailing List <ACTIV-L@UMCVMB.missouri.edu>

From the Seattle Post-Intelligencer, March 26, 1992 -

			PRIVACY WINS OVER CALLER ID
	      Phone companies must offer free blocking service
			P-I Staff and News Services

OLYMPIA - Telephone companies offering caller-identification service must
also offer callers - free of charge - the ability to block display of their
number or location, a state commission ruled yesterday.

    The ruling by the Utilities and Transportation Commission came over
vigorous protest from telephone companies seeking to provide caller-ID
service, which uses special phones equipped with display monitors to
identify the source of incoming calls.

    The companies said an offer of free line-blocking, or automatic blocking
of the caller's name or number, would doom caller-ID service.
    "Washington has just adopted the most constrictive and conservative
regulation on caller ID in the nation," said Lisa Bowersock, spokeswoman
for US West in Seattle.

    Companies such as US West wanted permission to charge a monthly or flat
rate for a line block, while offering a "per-call" blocking ability for
free.

    They said they believe a fee for line-blocking - $2.50 a month was
mentioned - would sift out those who do not care if they are identified.

    At least one company, GTE Northwest, said it would not operate  in
Washington if the commission adopted the rule approved yesterday.

    US West is currently installing the system in Denver and Phoenix, then
will look at expansion into other areas, Bowersock said.  "With today's
ruling, Washington will have a very low priority," she said.

    "There's no incentive for the company to introduce the service," she
added.  "The regulations adopted today won't even allow companies to recover
the costs of line-blocking for individual customers."

    Caller ID is not available now in Washington, though the commission next
month will consider a request from Pacific Telecom Inc. to offer the service
in the Gig Harbor area.

    Caller ID is seen by some law enforcement officials and others as a means
of identifying the source of harassing or obscene telephone calls.  Those
resisting the technology say it raises concerns about callers' privacy
rights.

    In hearings around the state, people said they wanted their privacy
considered before the needs of advancing telephone technology, commission
Chairwoman Sharon Nelson told telephone officials at yesterday's
proceedings.

    The 1991 Legislature approved a change in the state's privacy statute
permitting caller ID service after the commission pledged to protect the
privacy of callers.

    "We made a promise in good faith," said Commissioner A.J. Pardini before
the three-member panel voted unanimously for the regulation.
    But telephone officials said the commission was going too far when it
refused to allow a fee for line-blocking service.

    If line-blocking is free, they said, people who buy caller-ID equipment
will get too many calls in which identifications are blocked and will not
sufficiently benefit from the service to make it viable.

    That remains to be seen, the commission countered.  "There are too many
unknowns," said Commissioner Richard Casad.  He added that the best course
was to come down on the side of callers.

    Industry officials argued that free per-call blocking service - in which
the caller dials three digits before making the call - has worked well in
other states and provides enough protection for those who do not want their
number disclosed.

    The Washington Association of Sheriffs and Police Chiefs and the
Washington State Patrol both said they favored charging for the line-block
to ensure it was not overused.  Law enforcement is a major supporter of
caller-ID technology, believing that when it is widely used the incidence of
harassing and obscene telephone calls will fall.

------------------------------

Date:    Sat, 16 May 1992 10:15:55 GMT
From: "Mark P. Neely" <NEELY_MP@darwin.ntu.edu.au>
Subject: European Unification & Information Security

        EUROPEAN UNIFICATION '92 IMPACTS ON INFORMATION SECURITY 

                        Sanford Sherizen, Ph.D.

Published in __Computers & Security__, 10 (1991) 601-610

NOTE: This article is adapted with permission from the author's __Information
Security in Financial Institutions: How to Reduce the Risk of Computer Crime__,
Dublin, Ireland and London, England: Lafferty Publications Ltd, 1989. 


Abstract

        The unification of Europe at the end of 1992 will create information
security challenges.  The Single European Market will serve as a major landmark
for the restructuring of Continent-wide institutions and services.  There will
be major changes in European finance, governance, and technology.  

        Unification decisions will lessen existing controls and restrictions
over financial processing as well as create new conditions where controls and
restrictions have not been anticipated.  In either of these cases, computer
crimes may well increase as a consequence of the Single European Market. 

        This article will discuss the impact of Unification '92 on the
protection of information.  While much attention has been paid by security
experts to the development of the Information Technology Security Evaluation
Criteria (ITSEC), other important but less direct decisions are being made that
are related to information security.  The  Unification '92 decisions that will
be outlined could turn out to be of great importance in determining the nature
of information protection in the Post-1992 Era.  

        Many EC directives and decisions, some of which are not specifically
treated or labeled as information security, will substantially affect what
protections will be possible as well as necessary.  The major categories of
these directives and decisions are:

        (1)  Technical decisions on the use of computer and communications      
             technologies 
                
        (2)  Legal decisions on how financial errors, crimes, and disagreements 
             are defined and how they will be resolved

        (3)  Political and public policy decisions on the general economy and   
             the regulatory constraints applied to financial services           
             operations, services, and products.

        Illustrations of these categories will be drawn from important EC
decisions.  These will include decisions on stimulating European information
services, auditing standards and requirements, money laundering controls, open
borders, and electronic data interchange (EDI). 

INTRODUCTION  

        The Single European Market will serve as a major landmark for the
restructuring of Continent-wide institutions and services.  The end of 1992 will
see the creation of major changes in European finance, governance, and
technology.  
        In a similar vein, the unification of Europe will create information
security challenges.  Unification decisions will lessen certain existing
controls and restrictions over financial processing as well as create new
conditions where controls and restrictions have not been anticipated.  In either
of these cases, computer crimes may well increase as a consequence of the Single
European Market. 
        This article will discuss the impact of Unification '92 on the
protection of information.  While much attention has been paid by security
experts to the development of the  Information Technology Security Evaluation
Criteria (ITSEC) and the Proposal for a Decision of the European Commission on
Information Security \1, other important but less direct decisions are being
made that are related to information security.  The Unification '92 decisions
that will be outlined in detail in this article could turn out to be of great
importance in determining the nature of information protection in the Post-1992
Era.  

        In order to understand the more general ways in which the emergence of
the Single European Market will affect information protection, consider how
extensively EC proposals will affect information.  A large number of the EC
directives are in some manner information-related, affecting the production,
processing, and/or servicing of information, including: 

        Selected EC Proposals Related to Information \2

Standards, Testing, and Certification 

        Telecommunications

Regulations of Company Behaviors

        Mergers & Acquisitions
        Trademarks & Copyrights
        Accounting Operations Across Borders
        Protection of Computer Programs

Changes in Government Procurement Regulations

        Extension of EC Law to Telecommunications

Harmonization of Regulation of Services

        Banking & Mutual Funds
        Information Services
        Insurance
        Securities
        Electronic Payment Cards

Liberalization of Capital Movements

        Long-Term Capital, Stocks
        Short-Term Capital

        EC decisions are forming the larger context for information protection,
with information security being "interpreted" by factors quite different from
those that traditionally influenced its functions and objectives.  Those
concerned with providing adequate safeguards over information will increasingly
have to understand these other forces in order to prepare for a new, more
complex information security.
   
TECHNICAL, LEGAL, AND POLITICAL/PUBLIC POLICY IMPACTS ON INFORMATION SECURITY

        Since banking is a central institution in society and banks will be
especially influenced by the Single Market, banking operations will be used as
examples throughout this article.  Clearly, however, the EC '92 impacts will
apply well beyond banking alone. 

        In our judgement, the advent of a single European banking market...may  
        eventually be recorded in the annals of bank history as the single most 
        important banking event of the twentieth century. \3

        The Second Banking Directive and other EC bank-specific decisions are
extremely important to European bankers.  These define the banking industry and
many of its central functions.  Yet, equal in importance to the Directive are
other directives and decisions that will substantially affect banking but may
not be labeled as being bank-related.  
        Often, these decisions are technical decisions, such as computer and
communications technical standards that support information security and privacy
protections.  Other decisions have indirect implications for information
security and privacy, such as banking requirements for structuring money
transactions and financial standards. 
        The major categories of these other important bank-related issues are: 

        (1)  TECHNICAL issues.  The nature and shape of communications and
information systems are not solely determined by companies and the marketplace. 
Rather, compatibility and interconnectivity of these systems evolve from a
variety of technical decisions on standards and certification.  Technologies
emerge into a slowly evolving set of regulatory policies set by governments and
national as well as international standards created by technical bodies.  
        Banks are heavy users of these technologies and are affected by these
decisions on technical matters.  Banks are involved in many of the standards
committees and in political and advisory attempts to influence regulatory
policies. 
                                                
IMPACT OF EC TECHNICAL DECISIONS: HOW BANKING PRACTICES CAN BE ACHIEVED THROUGH
THE USE OF COMPUTER AND COMMUNICATIONS TECHNOLOGIES, HOW BANKING RISKS WILL BE
MINIMIZED, AND FINANCIAL TRANSACTIONS WILL BE PROTECTED
                
        (2)  LEGAL issues.  There are a large number of legal decisions that
establish rules of conduct and resolution of disagreements for individuals,
companies, and nations.   Multiple powers and jurisdictions establish such
decisions, including the EC, Member States, and international legal bodies.  In
the context of the Single European Market, legal directives and decisions are
being made on intellectual property protections, copyright agreements, trade
secrets, criminal laws, extradition agreements, bank secrecy laws, and similar
issues.  Banks are directly and indirectly affected by these legal decisions.
                                             
IMPACT OF EC LEGAL DECISIONS: HOW BANKING ERRORS, CRIMES, AND DISAGREEMENTS ARE
DEFINED AND HOW THEY WILL BE RESOLVED

        (3)  POLITICAL AND PUBLIC POLICY issues.  These issues are macroeconomic
and social structural decisions.  They include laws concerning the use and
ownership of information, supports for the distribution of economic and  
technical resources, definitions of acceptable corporate structures and business
practices, and developments in international trade and international
telecommunications regulation.
        For banks, these are essential considerations that affect the
environment within which banking services operate.
             
IMPACT OF EC POLITICAL AND PUBLIC POLICY DECISIONS: HOW BANKING WILL FUNCTION
WITHIN THE GENERAL ECONOMY AND THE REGULATORY CONSTRAINTS APPLIED TO BANK
OPERATIONS, SERVICES, AND PRODUCTS, AND PUBLIC CONFIDENCE WILL BE FOSTERED

     It should be noted that the impact of the Single European Market can be
positive and/or negative.  For example, the telecommunications changes will
improve the clarity and efficiency of certain nations' phone systems and
possibly improve security controls.  On the other hand, opportunities for
computer crime might be increased as the ability of criminals to electronically
move across national borders increases the ability to find targets of
opportunity.
        Thus, the 1992 Unification is both an opportunity for banks and a
potentially disastrous situation.  The technical, legal, and political/public policy
considerations of EC '92 that have been outlined underlie more specific
decisions that the EC has taken.

EXAMPLES OF EC DECISIONS AFFECTING INFORMATION SECURITY

        EC actions to respond to computer crime have generally been technical in
nature (as with telecommunications standards), specific to a technological
development (as with EDI or credit card issues raised by the Inter-Service Group
on New Means of Payment), and/or specific to a particular legal issue
(copyright, privacy, etc.).  Proposed European security standards, referred to
as the Information Technology Security Evaluation Criteria (ITSEC), could also
become EC-wide standards, affecting the banking industry in particular.  
        The major categories that have been outlined encompass a large number of
other, more specific EC decisions and concerns affecting information security. 
In order to provide specific information concerning the impact of the Single
Market Unification on information and to direct attention to major developments
that are related to information security, several specific examples of
Unification '92 developments that affect information security will be presented.

THE EUROPEAN INFORMATION SERVICES       
        
        The EC has moved to establish an information market and to improve
conditions for the transmitting and accessing of information services.  The EC
has approved a plan of action for setting up an information services market. 
The major objectives for this market were to stimulate and reinforce the
competitive capability of European suppliers of information services and to
promote the use of advanced information services in the Community within the
context of a world market.    
        EC activities are to harmonize legal, administrative, and technical
requirements for the establishment of an information market and to establish
greater standardization and simplification.  In essence, the establishment of
the information market will involve an overhaul of communications as it
currently exists in the Member States.  
        The EC hopes to open telecommunications to more competition in its
attempt to liberalize and harmonize the 12 national telecommunications markets. 
At present, the 12 national PTT systems are divided by mismatched technical
standards and licensing requirements, entrenched government monopolies, and
protectionist procurement policies.  The EC Commission has generally advocated a
market-oriented approach to replace state monopolies for value-added services
such as facsimile and electronic mail and for some types of telecommunications
equipment.  Deregulation and privatization of the telecommunications sector in
many EC countries will open previously closed markets to competition.
        In June 1989, the EC Commission announced that it would proceed with a
telecommunications service Directive.  That approach allows the EC Commission to
implement the Directive without the prior approval of the member state
governments.  The plan adopted by the Commission will force Member States to end
their monopolies on all telecommunications services except real-time, switched
voice, and telex, as well as provision of the underlying network infrastructure.
In principle, this decision will eventually permit competition in computer
communications, electronic mail, facsimile transmission, and videotex services. 
        The technical information services decisions that will structure the
information market have great implications for banking.  Technical information
services decisions will determine how banking practices will be able to be
achieved as well as how information security and privacy can minimize risks in
data processing.  
        Certainly, there is no guarantee that the technical legislation will
provide sufficient data security or privacy protections.  The experience in the
United States suggests that the divestiture or deregulation of phone services
can affect businesses' ability to protect against attacks on their telephone
systems and on the creation of business interruption problems.  Information
services may become highly developed and readily available, both for purposes of
banking as well as for the use of those who wish to make unauthorized
withdrawals. 

AUDITING STANDARDS AND REQUIREMENTS  

        With the adoption of the 4th Directive on annual accounts and the 7th
Directive on consolidated accounts, the EC has laid down a basic framework for
accounting and financial reporting throughout the Community.  In addition,
specific rules for financial reporting by banks and insurance undertakings have
been or are being elaborated. 
        Banking and other financial services will be particularly affected by
these actions.  The EC felt that a lack of progress in other efforts at modernizing
accounting rules needed to be addressed beyond the Member State or accounting
organization levels.  Pressure for this modernizing partially came from the fact
that banks have received a growing amount of public attention concerning secrecy
and money laundering and increased accounting scrutiny has been called for. 
Finally, consumer/customer protection, quite specifically around credit and
other banking operations, is another objective that the EC considers as
important to establish prior to the end of 1992.   
        Accounting rules and standards harmonization are essential to the EC
internal market effort.  Company law harmonization is specifically provided for
in the EEC Treaty (Article 54, sub 3, littera g) by

        ...(C)oordinating to the necessary extent the safeguards that, for the  
        protection of the interests of members and others, are required by      
        Member States of companies or firms with a view to making such          
        safeguards equivalent throughout the Community.

        The scope of application of the Directives is not limited to companies
whose shares are listed on a stock exchange or to companies that have turned to
the capital markets to obtain resources.  In principle, the accounting
directives apply to all limited liability companies in the Community.  As a
result, most undertakings involved in intra-Community trade are covered by the
harmonization.  For all Member States, the harmonization has resulted in the
incorporation of accounting standards into legal rules.  These efforts are
intended to develop comparability and equivalence of financial information
provided by limited liability companies.  
        In summary, there will be an EC-wide set of regulations that will
structure accounting rules and company law harmonization.  For banks, this will
affect the business environment within which banking operations function as well
as create new regulatory-type restraints to be placed on many banking decisions
that will be open to audit reviews.  Whether this will improve the importance of
auditors or lead to an increase in EDP audit reviews of system controls is not
evident.  Requirements for audits and tightening of the rules that apply to the
independence of the audit will determine the strength of the auditing rule
changes.                

EUROPEAN MONEY LAUNDERING CONTROLS 

        One major crime-related and bank-specific topic that the EC and other
international organizations have addressed is money laundering.    Central
aspects of the Single European Market, such as the single financial market and
the free flow of people, could create conditions conducive to money laundering. 
Internationalization of economies and financial services are opportunities that
are seized by money launderers to carry out their criminal activities, since the
origin of funds can be better disguised in an international context.  
        For banks, the impact of anti-money laundering will be direct.  These
legal issues will put banks at significant risk in the event that they do not
sufficiently review money sources.  Also of great significance is that the
regulations will require bank officials to have direct working relationships
with law enforcement officials in combatting laundering.        
        There are a number of moves both within the EC and internationally to
restrict money laundering activities by banks.  Bilateral agreements have been
suggested to change bank secrecy laws (such as in Switzerland) in order to
reveal laundering actions.  Banking associations (as in Italy) have established
regulations to restrict money laundering efforts.  
        In January 1990, Sir Leon Brittan, the EC Commissioner responsible for
competition and financial services, announced that the EC would adopt measures
urging its members to enact legislation to combat money laundering and to follow
up with mandatory measures.  At that time, only a few of the Member States had
laws that treated money laundering as a crime.
        The Community, he said, has accepted

        ...(T)he responsibility to impede launderers from taking advantage of   
        the single financial market, and of the freedoms of capital movements   
        and supplying of financial services that this financial area involves to
        facilitate their criminal activities.  Lack of Community action against 
        money laundering could lead Member States, with the purpose to protect  
        their financial system, to adopt measures that could be inconsistent    
        with the completion of the Single Market. 

        The EC participated in discussions, and the EEC was one of the
signatories to the UN Convention Against Illicit Traffic in Narcotic Drugs and
Psychotropic Substances adopted on December 19, 1988 in Vienna.  This
Convention provides, among other points, that the States adhering to it shall
criminalize a series of conducts related to drugs as well as money laundering. 
International cooperation is expected in such areas as confiscation and seizure
of criminal proceeds, international judicial assistance, and prohibition of
invoking banking secrecy in order to avoid investigations under the scope of the
Convention.
        The Directive specifies the need to identify customers and beneficial
owners, due diligence requirements for credit and financial institutions,
cooperation between credit and financial institutions (and supervisors) and judicial or law
enforcement authorities competent for criminal matters, and the establishment of
procedures of internal control and training programs by credit and financial
institutions.  
        Quite likely, this attempt to find a balance between an open market for
currency transactions and restrictions over money laundering will continue to be
a prominent issue in the EC, even after 1992.  Regardless of how the issue
evolves, it has become a touchstone for determining how bank financial
transactions can be acted upon.  

OPEN BORDERS, CRIME CONTROLS, AND INTELLIGENCE SHARING 

        Related to the fight against money laundering but important in its own
right is the issue of allowing the free flow of people and goods across borders.
For banking, the importance of this political and public policy decision is
that banking operations will have to be protected from gatherings of criminals
intent on coordinated computer crime attacks.  The opening of the borders will
have to be joined with increased protections against electronic means that can
allow borders (and banks) to be penetrated.  There may also be a need for
cooperation between bank security and intelligence agencies that are collecting
information on potential crimes and other planned acts of violence.
        The Schengen Accord on open borders is an attempt to balance the
potentially contradictory goals of open borders and crime control restrictions,
particularly in fighting drugs distribution.  Prior to the Schengen and similar
agreements, drug trafficking restrictions resided primarily at the State level,
often concentrating on police operating at border controls.  The Schengen Accord
builds on previous EC actions against drugs, including the establishment of an
information system or data network to share information about suspected
criminals and other police intelligence.  The Trevi Group, a multi-nation effort
that focuses on the fight against terrorism, drug trafficking and organized
crime, proposed a legal regime on European information technology for
identifying and controlling criminals, particularly international terrorists and
drug dealers.  
        Belgium, which at the time of the signing did not have a law protecting
access to electronic data kept on file about its citizens, promised to pass new
legislation before the Agreement came into full effect.  Other European nations
will be brought into negotiations quite soon in order to expand the Agreement's
provision to larger areas of the Continent.
        While aspects of open borders are not new in Europe, risks of crime and
terrorism may be increased.  This particular set of directives and agreements
may come to haunt the EC if there is an increase in terrorism, bank crimes,
illegal immigration, and other problems that are of major interest to the
public.  As with EC money laundering efforts, banks will have to become more
proactive in their ability to anticipate and respond to coordinated
international criminal acts against financial systems.  

ELECTRONIC DATA INTERCHANGE

        Unknown a decade ago, uncommon a year ago, EDI payment systems are
coming of age.  No single development holds more potential to change the nature
of corporate banking. 
        Electronic Data Interchange is indeed a significant factor in banking as
well as for other businesses.  European banks will either become an established
force in EDI or lose their EDI role to the value added networks, which will
allow companies to bypass banks in making and receiving electronic payments. 
Regardless of the outcome, EDI will be a major financial force in EC '92.
        Banks will also have to face the legal and security complexities of EDI,
as has the EC.  The EC, in recognition of the importance of EDI, established
TEDIS (Trade Electronic Data Interchange Systems) as a Community action plan.
The objectives of TEDIS are:

        To avoid a proliferation of closed trade EDI systems and the widespread 
        incompatibility that this entails;

        To promote the creation and the establishment of trade EDI systems that 
        meet the needs of the users, in particular small and medium-sized       
        enterprises (SME's);

        To increase the awareness of the European telematic equipment and       
        services industry to meet users' requirements in this area;

        To support the common use of international and European standards, where
        these exist, and in particular the recommendations of the UN/ECE with   
        regard to international trade procedures.

        TEDIS encourages the implementation of EDI standards, the improvement of
the European telecommunications infrastructure, the promotion of adequate
security measures, and appropriate harmonization of national laws. 
        In addition, the EC has explored the security and legal aspects
necessary to ensure EDI functionality.  Two expert workshops were held in
Brussels in June, 1989, and a number of insights and recommendations have been
transmitted to the EC.  Further refinement and development are anticipated. \10
        Banks will have to continue to evaluate their role in EDI and whether
the market conditions require bank involvement.  EC and industry technical,
security, and legal decisions that are now being decided upon will affect
banking operations.  If banks become directly involved in EDI, they will be
affected in a direct manner by EC '92 decisions.  In the event that banks do not
participate in EDI, they will still be affected by these decisions but in an
indirect fashion.  Those indirect impacts will stem from EDI's importance, which
will result in an expansion of  decisions about EDI to other financial
activities.  It can be anticipated that the structuring of financial reporting
requirements determining EDI operations and the development of security
standards for EDI, including user authentication and digital signatures, will
become necessary for banks to accept under other EC directives. 

CHANGES IN LEGAL RULES AND STRUCTURES

        Banks, as well as other institutions, will find a variety of new legal
requirements that will have to be met under EC rules.  These requirements may
replace national laws that, under current circumstances, were more conducive to
certain current banking and financial practices.
        Outside of the computer and communications arena, new common rules to
decide questions of jurisdiction and enforcement of judgements in civil and
commercial matters will apply throughout the EC.  These new legal rules are
already in application among Member States.  At a special convention of the
Community's justice ministers in San Sebastian on 26 May, 1989, all of the EC,
with the exception of the United Kingdom, Germany, and Ireland, had decided to
speed up the transmission of extradition demands.  
        Nevertheless, criminal law and procedural law are increasingly being
tested in response to computer-related problems, particularly when they become
international.  Even if one country satisfactorily solves complex legal problems
of the computer networks and persons under its own jurisdiction, it may still be
unable to take action when a computer harm occurs involving a network or a
person "located" in another nation. 
        Other important computer-related legal areas attended by the EC
Commission cover the protection of intellectual property, including trademarks,
patents, and copyrights.  These property rights have traditionally come under
the jurisdiction of the individual Member States.  The EC has been attempting to
harmonize the laws by expanding the scope of products covered and the
enforcement of laws to the same level throughout the Community.  Efforts are
also accelerating to create a Community Trademark and a Community Patent as well
as to achieve a common level of copyright protection for computer programs. 
        Clearly, the legal changes that will develop due to the Single European
Market will affect banking.  As banking and computer/communications-related laws
are applied Community-wide, regulations will increasingly determine how banking
errors, crimes, and disagreements affecting essential aspects of banking will be
resolved.  The law, as well as the types of difficulties in fully extending its
reach that have been discussed in this section, will have a direct impact on how
banking services will function and banking will advance in the EC '92 period.

DATA PROTECTION, PRIVACY, AND COMPUTER CRIME LAW REQUIREMENTS   
        
        EC directives on data protection, privacy, and computer crime will also
have a direct impact on unified banking as well as the formation of the
important information services market.  These directives will become important
factors in defining information security standards and, particularly for banks,
in determining how sensitive information can be collected, changed, transmitted,
and stored. 
        Computer crime laws and privacy protections also affect business
operations.  At least 20 industrialized nations have some form of computer
crime, privacy, and/or software protection law.  Recently, computer crime was
listed as one of the priority legal issues identified in the plan of action for
setting up an Information Services Market.
        A similar situation exists for privacy protections.  At least 16 Western
countries have passed or prepared special legislation against infringements of
privacy and at least another 13 countries have bills pending to establish or to
amend privacy protections.  
        The Council of Europe has taken a leadership role by preparing various
white papers and calling ministerial meetings on data protection, privacy, and
computer crime laws.  Yet, as of early 1990, approximately half of the Member
States have as yet ratified the Council of Europe Convention on Data processing
regarding data protection for individuals.  
        At a conference in Luxembourg in late March, 1990, EC Director General
Michel Carpentier said that there is pressure for a more "decisive" approach
from the Commission in the form of more stringent harmonization of legislation
in the Member States.  This pressure is being generated, among other things,
from the growth in electronic information services and the setting up of
Community-wide networks.  According to the Director General, these new
technologies and services have social and economic ramifications.  The
Commission is concerned with protecting privacy and personal data while, at the
same time, encouraging the growth of information services.  The problem to be
addressed is how to reach a proper balance between privacy and use of data.
Filippo Pandolfi, Commissioner of Science and Research, says that he fears that
modern telecommunications technology means there is a greater risk that
sensitive information will be misused or stolen.  
        In the middle of 1990, the Commission proposed a package of legislative
measures on the issue of data protection.  These included:

        Companies must follow standard procedures designed to ensure that       
        information about an individual is not improperly gathered or disclosed.

        Individuals are given the ability to suppress automatic number          
        identification and require carriers to notify users when calls are      
        forwarded to another number.

        The EC will join the Council of Europe in the development of            
        pan-European personal data protection standards.

        A directive will be developed that will outline minimum security        
        standards for information systems.

        EC officials acknowledge that it could be a long time before these
proposed new regulations are enacted, if they are adopted at all.  These
Directives could substantially restrict direct marketing companies that utilize
personal data for marketing purposes as well as the collection of information
for sale by banks and other organizations.     
        Banks will be among the major institutions to be regulated under EC data
protection, privacy, and information security rules.  There is no doubt that
even if these EC directives are not accepted by the Member States by 1992, the
first major publicized incident where computer crime occurs or privacy has been
violated will become the impetus for quick and far reaching EC legislation. 
Banks should actively review these EC activities to determine how banking
services and products will be affected.
  
PREPARING FOR THE COMPLEXITIES OF LAW, TECHNOLOGY, AND BANK INFORMATION SECURITY
        
        In order to face these legal, technological, and information protection
complexities, organizations will have to expand their perspectives on security. 
The material discussed in this article suggests that information security must
become part of an organization's strategic planning.  Information security is no
longer simply a locking down and locking out process.  Increasingly, it
influences and is influenced by central social, political, and technical
considerations.  The Single European Market may turn out to be one of the major
case studies of this trend.


BIBLIOGRAPHY

1 Commission of the European Communities, Proposal for a Decision of the Council
in the Field of Information Security [INFOSEC], Communication of the Commission
to the Council and the European Parliament, COM(90) 314 final, Brussels,
03.07.90.

2 Adapted from the U.S. Department of Commerce, List of European Community 1992
Directives and Proposals, and various other publications from the Single
Internal Market Information Service, International Trade Administration, U.S.
Department of Commerce, various dates. 

3 Thomas H. Hanley et al., European Banking Integration in 1992: The competitive
Challenges Facing U.S. Multinational Banks, New York: Salomon Bros., June 1989,
1.  For a brief history of the liberalization of banking services and a general
discussion of the overall changes in the Single European Market program,
excellent sources of information are "European Commission Prepares the Way for
Changes," European Banker, April 24, 1989, 11-12 and The European Financial
Common Market, an official publication of the EC, Periodical 4/1989.

4 For a general perspective on these and related issues, see U.S. Congress,
Office of Technology Assessment, Critical Connections: Communications for the
Future, OTA-CIT-407 (Washington, DC: U.S. Government Printing Office, 1990). 
This report is an evaluation of the choices facing the United States in
enhancing communication technologies.  

5 Peter Greiff, "Companies Must Wait Until End of '92 to Cash in on EC
Telecommunications," Wall Street Journal, February 2, 1990.

6 Karel van Hulle, "Accounting and Financial Reporting in the European
Community: Quo Vadis?" Der Schweizer Treuhänder, November 1989, 519-522.

7 For more information on this topic, see "Panama is Resisting U.S. Pressure to
Alter 'Inadequate' Bank Laws",  New York Times, February 6, 1990, A1,D24,
Sanford Sherizen, "Are You Ready For a New Game Plan?", Bank Systems and
Technology, June, 1990, 44,45.

8 This and other specific discussions about controlling money laundering are
found in the Proposal for a Council Directive on Prevention of the Financial
System for the Purpose of Money Laundering-COM(90) 106 final-SYN 254, Brussels,
23 March 1990.  

9 Steve Ledford, "EDI and Banks: The Odd Couple?", Electronic Payments
International, February 1990, p. 2.

10 Commission of the European Community, TEDIS Factsheet, DG XIII,
Telecommunications, Information Industries and Innovation, Brussels, 1989.

11 Wall Street Journal, July 20, 1990, p. A9.


------------------------------

Date:    Sat, 16 May 1992 10:32:01 GMT
From: "Mark P. Neely" <NEELY_MP@darwin.ntu.edu.au>
Subject: Papers of interest to readers

Here is a list of some files stored at sulaw.law.su.oz.au (pub/law directory)
which might be of interest to readers of this mailing list.

Mark N.


Law.Privacy	- _Computer Privacy v. First & Fourth Amendment_
    			by Michael S. Borella

Email-Privacy-Law.txt
    		
    		- _The Electronic Communications Privacy Act of 1986_
    				(United States)

Email.Privacy	- Misc. quotes from US cases involving privacy


Tempest.Law	- _Eavesdropping on the Electromagnetic Emanations of
    		   Digital Equipment: The Laws of Canada, England and
    		   the United States_
    			by Christopher Seline

ecpa.layman		- _The Electronic Communications Privacy Act of 1986:
    			   A Layman's View_
    				by Michael H. Riddle

ecpa.amendment.bill	- A Bill to Amend the ECPA 1986 (transcript)


elec.rights	- _Citizens Rights and Access to Electronic Information_
    		  Ascii version of a booklet distributed by the American
    		  Library Association conference.
    			by Dennis J. Reynolds (editor)


foia_computer	- Computer Friendly FOIA? Data-Access laws may be Updated.
    			by George Lardner Jr, Washington Post Staff Writer

kapor		- Free Speech and Privacy Online
    			by Mitch Kapor & John Perry Barlow


Telephone_Privacy
    		- Telephone Privacy in the 1990's
    		  	by Mark Rotenberg, Computer Professionals for Social
    					   Responsibility

privacy_legis	- Simons' Electric Privacy Bill (S.516)
    		  To prevent potential abuses of electronic monitoring in the
    		  workplace

alcor1	- Article: "Alcor files suit over electronic mail seizure"
    		by David Bloom, The Press Enterprise

alcor2	- Court Filing: Complaint for Declaratory Relief and Damages
    			(Under the ECPA)

alcor3	- Notice of Motion and Motion to Dismiss Complaint for Declaratory
    	  Relief and Damages

alcor4	- Reply to Motion to Dismiss

alcor5	- Reply to Reply and Judges' ruling

alcor6	- Article: "Email privacy case settled"

alcor7	- Defendant's Memorandum of Point and Authorities in support of
    	  their motion to dismiss

alcor8	- Full text of the ECPA suit


cubby-against-compuserve

    		- The Compuserve Case: A Step Forward in First Amendment 
    		  Protection for On-Line Services.*
    			by Mike Godwin
    		
    		* Appearing in EFFector Online, Jan 7 1992, Vol.2 No.3


telecommunications.bill
    	- Amendment to the _Communication Act_, entitled _The Telecommunication
    	  Act_.


------------------------------

Date: Sat, 16 May 92 13:40:49 -0400
From: "Mark W. Eichin" <eichin@athena.mit.edu>
Subject: re: Is Email Private--NOT!

> Now that you've got me worried. . . . I'm on a machine that is part of MIT's
> project athena, and the Kerberos authentification system.  My mail may not
	Well, actually, you're *using* software *developed by* MIT's
Project Athena. (Project Athena was 8 years of funding which is over;
it is no longer a Project, but a part of MIT Information Systems...)
(I'm pretty sure that Athena and Kerberos are both trademarks of MIT.)

> be private, but do I have an assurance that I am the only one who can send 
> mail with my name on it?
	None at all. (I could have sent *this* message with your name
on it, and wouldn't have even had the Source-Info tag that your
message did...)

>			  Or can someone forge my name on a piece of mail and
> send it without the receiver getting a notice that the mail is not authentic,
> and therefore suspect of forgery?  This may be read as "Is Athena more secure
> than other systems" if you'd like to give me a general answer. . . .
	Kerberos provides the tools to perform authentication over an
insecure network. The only use of Kerberos that involves email is the
authentication of access to Post Office servers -- if you're using the
Kerberized Post Office server, then once your mail has been delivered
to your "po box" the only way to get it out is by presenting
appropriate Kerberos tickets. (For an analogy -- a conventional US
Mail Post Office box, with a good strong lock on it, but everyone
sends post cards... only you can actually pick them up, but anyone
"along the way" can read them.)
	Without the use of some signature technology (such as "Privacy
Enhanced Mail" or the NIST proposed "Digital Signature Service")
forging your email is going to be trivial. Use of PEM or DSS requires
either appropriate licensing (for PEM, as of today) or faith in a
government-specified algorithm that hasn't had much independent
analysis (NIST DSS, as of today.) Both situations are expected to
improve. Until they become widely used, electronic mail over the
Internet is about as private as postcards are; less, even, because
it's hard to automatically search the contents of postcards going
by.

				_Mark_ <eichin@athena.mit.edu>
				MIT Student Information Processing Board
				Cygnus Support <eichin@cygnus.com>
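
The distinction drawn in the message above, between authenticating access to a mailbox and authenticating who wrote a message, as an added example that is not part of the original post: the receiver checks a signature against the public key on file for the address claimed in From. A hash-based Lamport one-time signature stands in here for PEM or DSS, which the Python standard library does not provide; the addresses, key directory and messages are constructed.

```python
import hashlib
import secrets
from email.message import EmailMessage

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair: 256 pairs of secrets; public key = their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def make_mail(sender, recipient, subject, body):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg

def digest_bits(msg):
    # Cover the headers the reader relies on together with the body.
    covered = "\n".join([str(msg["From"]), str(msg["To"]), str(msg["Subject"]), msg.get_content()])
    d = H(covered.encode())
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit; each key may sign one message only.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify(directory, msg, sig):
    """Check sig against the public key on file for the *claimed* sender."""
    pk = directory.get(str(msg["From"]))
    if pk is None or sig is None or len(sig) != 256:
        return False
    return all(H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, digest_bits(msg))))

def demo():
    alice_sk, alice_pk = keygen()
    mallory_sk, _ = keygen()
    directory = {"alice@example.org": alice_pk}  # constructed key directory
    real = make_mail("alice@example.org", "bob@example.org", "lunch", "Noon at the usual place.")
    fake = make_mail("alice@example.org", "bob@example.org", "lunch", "Wire me $500 first.")
    sig = sign(alice_sk, real)
    return {
        "genuine": verify(directory, real, sig),
        "forged_unsigned": verify(directory, fake, None),
        "forged_replayed_sig": verify(directory, fake, sig),
        "forged_own_key": verify(directory, fake, sign(mallory_sk, fake)),
    }

if __name__ == "__main__":
    print(demo())
```

Only the genuine message verifies; the From header alone is identical in all four cases, which is why it proves nothing without the signature check.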


------------------------------

From: Tom Wilson <twilson@alfred.ccs.carleton.ca>
Subject: Re: Is e-mail private?
Date: Sat, 16 May 1992 14:06:18 GMT

Any idea what the privacy law is regarding email in Canada? Does it
depend on whether the email originates in Canada, or elsewhere? 

Tom


------------------------------


End of Computer Privacy Digest V1 #029
******************************