Date: Wed, 27 Jul 94 15:47:59 EST
Errors-To: Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From: Computer Privacy Digest Moderator <comp-privacy@uwm.edu>
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V5#013
Computer Privacy Digest Wed, 27 Jul 94 Volume 5 : Issue: 013
Today's Topics: Moderator: Leonard P. Levine
Questions about using "discussion list" membership lists
Re: Government E-Mail Directive
Re: Government E-Mail Directive
Credit card opt out?
Re: Companies Recording Phone Calls
Re: Companies Recording Phone Calls
Re: Companies Recording Phone Calls
Re: University of New Mexico use of SSN as ID
Re: Many Phone Taps are now Legal
Re: Many Phone Taps are now Legal
The Computer Privacy Digest is a forum for discussion on the effect
of technology on privacy. The digest is moderated and gatewayed into
the USENET newsgroup comp.society.privacy (Moderated). Submissions
should be sent to comp-privacy@uwm.edu and administrative requests
to comp-privacy-request@uwm.edu. Back issues are available via
anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp"
with password "yourid@yoursite". The archives are in the directory
"pub/comp-privacy". Archives are also held at ftp.pica.army.mil
[129.139.160.133].
----------------------------------------------------------------------
From: DAVID@SIMSC.SI.EDU (David Bridge, MSC VAX System Manager)
Date: 26 Jul 1994 10:34:41 -0400 (EDT)
Subject: Questions about using "discussion list" membership lists
Dear Friends of Ethics-L and Cyberia-L:
(cross posted to both discussion lists)
We are compiling a "Directory" of people and their e-mail addresses in
one subject area (museums, museum staff, cultural organization, and
museum-related organizations) currently using the various worldwide
electronic networks.
We are gathering information from two sources: personal contributions,
and organization representatives (i.e. e-mail administrators). Since
these people are providing the information for the Directory they are
"agreeing" to having it included and published.
A third sources of names and e-mail addresses, which we are considering
is the membership list for several discussion lists., i.e. MUSEUM-L,
etc. Some of these are "private lists", i.e. not publicly available.
Others are "public" in my opinion. Any person can become a member.
Any person can send a "review" command and get a copy of the members of
these discussion list. For example: Ethics-L has 228 non-concealed
people listed, and reports 5 concealed "people"; while Cyberia-L has
237 non-concealed subscribers, (concealed user are not specified by the
review command).
THE PROBLEM: It has been suggested that it would be very wrong for us
to gather names from these distribution list, (even though they are
public domain in my opinion) and include them in the directory without
the explicit approval of the individuals. We know that laws, customs,
ethics, and netiquette vary from country to country.
My good friend Cary Karp writes specifically from Sweden, "The
rules of netiquette with which I'm familiar regard it as highly
inappropriate to publish things such as the names and email
addresses of participants in a distribution list. Are we going to
ask for permission prior to making a compilation of this type? In
Sweden, at least, it would be illegal simply to publish a
compilation of the names and addresses of people who had posted to
a discussion list, or many of the other sources listed here. (Such
a list could be seen as a catalog of identifiable individual's
interests and, as such, may not be maintained without an explicit
permit.)"
Including names and addresses from these discussion lists will be a
VERY important and major contribution to the final directory, if they
can be included.
1. We could contact the list owners for permission to include the
names. This might cover me, but might still get the list-owner in
trouble with the list membership.
2. We could post a message to each list about our project, and that
their names and addresses will be included after some date, UNLESS they
issue the conceal command (with instructions on how to do that).
3. We could omit the names from the Directory; but make a list of the
different discussion list. And then include the number of members of
each list and how to use the "review" command to get their own copy of
the members of each discussion list.
QUESTIONS:
Does using the names of a public list, WITHOUT permission constitute an
invasion of privacy ?
If we include the names without permission, is it: completely legal,
"bad form", poor netiquette, or illegal ?
What is the "official view" on this subject from different countries,
not just the United States ?
Please -- lets not start any wars here!!
I'm looking forward to your thoughtful comments.
yours, David Bridge
Smithsonian Institution
David@simsc.si.edu
------------------------------
From: "Dennis G Rears (FSS" <drears@pica.army.mil>
Date: 26 Jul 1994 17:35:24 GMT
Subject: Re: Government E-Mail Directive
Organization: U.S Army ARDEC, Picatinny Arsenal, NJ
Stan Koper <skoper@netcom.com> wrote: binskeep@crl.com (Bob
Inskeep) wrote: Two friends had been corresponding with me via a
Military and Government net. Both recently stopped their e-mail
with me and stated that they had received a rather lengthy
instruction prohibiting personal e-mail on gov systems. I would
like to obtain a copy of the instruction, if it exists. Any help
would be appreciated. Thanks.
To my knowledge there is no Government Wide, DOD wide, or even Army
wide policy on use of electronic mail. There is the standard
prohibition about using "goverment resources for personal
business/use". Each installation actually puts up its own policy. At
some places it is an oral policy others it is written. In still other
installations not policy is put up until there is a reason to put a
policy.
This is my experience only, however, I have been doing sys admin for
the military for 10 years. In lots of cases, the local installation
will have a very lax policy because they want to encourage the use of
email. In my case, it was one of "don't abuse it". When I started the
CPD, it was allowed because it somewhat related (not that much related
really) to my job as an sys admin.
Why not e-mail them and ask them to send you a copy? They may not
be able to reply via e-mail, but as long as they're hooked into the
internet, they should be able to receive your messages. Of course,
you could always ask for a copy under the Freedom of Information
Act (not that you'd get it, necessarily).
The problem with a FOIA request is the people processing the request
would have a hard tiem finding it.
It's actually pretty much a common-sense thing, like not being able
to use a government computer to keep and/or print out your
Christmas card list, that sort of thing, and "private" e-mail would
just be an extension of that.
Common Sense and government work rules do not necessarily go together.
The more rigid "real army" sites would disapprove of this posting. R&D
Army sites don't care.
[moderator: This posting is from Dennis Rears, the former moderator of
Computer Privacy Digest who originated and then ran this show for three
years before handing me the blazing torch last December. Most of what
is organized here is credit to him. Welcome home Dennis. LPL]
------------------------------
From: huggins@quip.eecs.umich.edu (Jim Huggins)
Date: 26 Jul 1994 19:48:19 GMT
Subject: Re: Government E-Mail Directive
Organization: University of Michigan EECS Dept.
Dan Newcombe <newcombe@aa.csc.peachnet.edu> wrote:
huggins@quip.eecs.umich.edu (Jim Huggins) writes: [...] The
theory being, of course, that IBM wasn't paying for Internet
access so that I could talk for free with my girlfriend (now my
wife).
I thought that for Internet access, places paid one flat annual
fee. So what difference does it make. It would seem you'd be
getting your moneys worth if people used it more and more.
Except if the load of people using the access port for mail or whatever
for personal usage made it difficult for 'legitimate' business mail to
get through. The business might pay a flat fee no matter how high the
throughput, but the throughput is a fixed resource which (in the view
of many businesses) needs to be managed.
For a 'big' firm like IBM, this might seem silly, since they've got the
resources for an awful lot of throughput. But that presumes that the
main priority in network access is throughput. At Westinghouse, for
example, all incoming e-mail is sent to a single site on the East coast
and then re-distributed nationwide. It's not the greatest for quick
access, but it provides for greater security (since there is only one
site directly reachable from the Outside World).
--
Jim Huggins, Univ. of Michigan huggins@eecs.umich.edu
"You cannot pray to a personal computer no matter how user-friendly it is."
(PGP key available upon request) W. Bingham Hunter
------------------------------
From: es@crl.com (Eric Smith)
Date: 26 Jul 1994 05:25:41 -0700
Subject: Credit card opt out?
Robert Ellis Smith <0005101719@mcimail.com> wrote: California
Begins New 'Opt-Out' for Credit-Card Customers
Does this mean we can opt out of paying our monthly credit card bills,
and have the state pay them instead? Doesn't sound very likely. Or
does it mean we can opt out of having our transactions reported on our
credit files? That doesn't sound very likely either. Or if it means
we can opt out of getting junk mail from mailing lists maintained by
the credit card companies, I thought that option was already available
nationwide, not just in California.
------------------------------
From: tenney@netcom.com (Glenn S. Tenney)
Date: 26 Jul 1994 11:57:26 -0800
Subject: Re: Companies Recording Phone Calls
tnyurkiw@laplace.uwaterloo.ca (Tom Yurkiw) wrote: I think that
recording business phone calls can be a GOOD idea in many cases.
... A recording can only be helpful in situations where verbal
authorizations or contracts are made over the phone.
I agree that there are cases where recording calls can be a good way to
prevent finger pointing etc. I'm not so sure that calling AAA for road
service is in that category, but... Once they place the timed beeps
on the line, they can record the call and DO WHATEVER THEY WANT WITH
IT. You've agree to the recording and you've agreed that they can
release it, publish it, broadcast it, anything.
Now, if they instead used a recording that advised that all calls would
be recorded and stored for xxxx period of time and what use would be
made of them and that you agreed to those terms, then I'd have little
objection. In that situation, we would know what's going to be done
with our recording and the company would be bound to that use. But
that's not how it's being done.
Another reason I posted this was to note that this is becoming more and
more common. It is difficult to call for service on your hardware or
software and NOT have them want to record your calls "for training"
(whatever that might mean -- it could mean they play the funny ones in
the lunch room and have a good laugh...).
from this comment and the two or three private emails I've received, it
would appear that no one else sees this trend as a frightening glimpse
into the future invasions of our privacy...
The EMPLOYEES, however, might be concerned about constant
monitoring of their actions. ... The ONLY way to stop this is
through regulation, and if this is not done, I foresee job-stress
levels and turnover rates skyrocketing.
That's a whole different problem, and one that I've spoken on
publicly... and it IS a huge problem for employees who are being
monitored.!!!!!
--
Glenn Tenney
tenney@netcom.com Amateur radio: AA6ER
(415) 574-3420 Fax: (415) 574-0546
------------------------------
From: huggins@quip.eecs.umich.edu (Jim Huggins)
Date: 26 Jul 1994 19:56:40 GMT
Subject: Re: Companies Recording Phone Calls
Organization: University of Michigan EECS Dept.
Tom Yurkiw <tnyurkiw@laplace.uwaterloo.ca> wrote: I think that
recording business phone calls can be a GOOD idea in many cases.
[...] The EMPLOYEES, however, might be concerned about constant
monitoring of their actions. [...] One company even requires its
employees to wear little transponder-badges which give the exact
location within the building.
I actually heard a talk about such a system which was in active use
(and still may be for all I know). The speaker treated the
transponders as an advantage; for example, it was integrated with the
phone system so that if an incoming call came in for you, it was
automatically routed to the phone nearest you (in case you were in a
meeting in another cube or in the lab or something). I'm not sure what
privacy protections were in place, though -- the speaker spoke of
co-operative management which presumably meant that no-one abused the
information.
Most people would rebel if a camera was pointed directly at their
desk to monitor them all the time;
There was an interesting piece in the Communications of the ACM a year
or two back which talked about exactly that type of environment; it was
an attempt to link two remote offices through lots of cameras
everywhere (including offices). Every office had the option of turning
off its camera, though -- so it was clearly controlled by its end users
and not management. The report spoke well of the experiment.
The ONLY way to stop this is through regulation, and if this is not
done, I foresee job-stress levels and turnover rates skyrocketing.
Just keep in mind that there may be legitimate uses for the same
technology, and one must figure out how not to throw out the baby with
the bathwater.
--
Jim Huggins, Univ. of Michigan huggins@eecs.umich.edu
"You cannot pray to a personal computer no matter how user-friendly it is."
(PGP key available upon request) W. Bingham Hunter
------------------------------
From: gordon@sneaky.lonestar.org (Gordon Burditt)
Date: 27 Jul 94 01:37 WET DST
Subject: Re: Companies Recording Phone Calls
Organization: /usr/lib/news/organi[sz]ation
want to have any of my phone calls recorded (unless absolutely
necessary). I have no assurances that AAA *only* uses the
recordings for those purposes. Does anyone share my concern
that this ever increasing recording of calls is a potentially
significant violation of our privacy...?
Sorry, nope, I regard this as unproductive paranoia. My calls to
911 are recorded, my calls to my mutual fund company are recorded,
and my calls to AAA are recorded. No big deal. As long as they're
upfront about it, I see this as both necessary and useful
(protecting both sides in a telephone order to sell stock at a
certain price, for example).
I'll partly disagree with this. Worrying about phone calls being
recorded in a situation where the other party is going to record the
information anyway, and furthermore, you WANT them to act on the
conversation, probably is unproductive paranoia. You want 911 to
respond, and you especially want them to respond if you give an
incoherent description of where you are and then aren't able to
continue the conversation. You want stock and mutual fund buy and sell
orders recorded properly (and you want ones issued by someone else who
has no business fooling with your account identified as not you). You
want the merchandise you ordered to show up. You're going to give your
name and address anyway, or they already have it.
I DO NOT want my calls to the IRS help line recorded (and triggering
audits). I sometimes ask hypothetical questions or ask about
questionable investment schemes before investing in them or deciding
not to. I see no reason why casual discussion with my stockbroker
about investments - specific, in general, or as affected by current
news, should be recorded until I actually issue an order to DO
something to my account.
As to the AAA calls, I have mixed feelings. If I am calling AAA to
plan a trip, I don't want my trip plans recorded and available where
they might be sold to the local burglar's union. This is more of a
problem to me than having AAA employees be rude to me.
--
Gordon L. Burditt
sneaky.lonestar.org!gordon
------------------------------
From: hibbert@netcom.com (Chris Hibbert)
Date: 27 Jul 1994 18:13:10 GMT
Subject: Re: University of New Mexico use of SSN as ID
Organization: NETCOM On-line Communication Services (408 261-4700 guest)
<ead@netcom.com> asked: What do you make of this paragraph from the
application to the University of New Mexico's Office of Graduate
Studies:
The authority to use the social security number comes from the
Board of Regents and was adopted on March 24, 1967.
Is this permitted even if the University complies with the Family
Educational Rights and Privacy Act of 1974 (the "Buckley
Amendment"), which prohibits them from giving out personal
information (e.g. the SSN) on students without permission?
Government agencies which were already using the SSN as an ID before
the Privacy Act was passed were allowed to continue using it. The
above statement constitutes a legal justification for using the SSN.
As long as they also comply with the provisions of FERPA, (and their
disclosure statement tells all the ways they do use the number) it
looks like they're legal.
--
Chris Hibbert protecting privacy in the computer age is
hibbert@netcom.com like trying to change a tire on a moving car.
------------------------------
From: John Medeiros <71604.710@compuserve.com>
Date: 27 Jul 94 01:01:38 EDT
Subject: Re: Many Phone Taps are now Legal
rja14@cl.cam.ac.uk (Ross Anderson) stated: In the Law Report in
`The Times' of Friday 22nd July (p 34) there is a report of a case,
Regina v Effik and Regina v Mitchell (``Cordless phone tap
admissible'', p 34) in which Lord Templeman, Lord Roskill, Lord
Ackner, Lord Oliver and Lord Mustill found that the proceeds of an
unauthorised phone tap are admissible in the UK provided that the
tap was not applied to a link which was `comprised in' the public
telecommunications system.
The Electronic Communications Privace Act (ECPA) defines protected
communications, specifies the legal requirements for interception and
sets out the process for authorizing interception. The ECPA
specifically refers to the handset to base portions of "cordless
telephones" and permits interception of that portion without any legal
process (warrant). The law draws a distinction between the handset to
base portion of the call, which it equates with all other radio
communications governed by the FCC; and the rest of the call (from the
base to the telephone company equipment). The terminology is
different, but the legal concept is exactly as related by Anderson.
Basically, the radio portion of a "cordless telephone" call is fair
game. The law makes a third distinction by prohibiting the intentional
interception and recording of cellular calls (a warrant is required).
Cellular calls, like traditional telephone calls, involve a "common
carrier" from the outset. Logically then, wireless intercoms would
also be unprotected radio transmissions.
------------------------------
From: tnyurkiw@lambert.uwaterloo.ca (Tom Yurkiw)
Date: 27 Jul 1994 14:48:49 -0400
Subject: Re: Many Phone Taps are now Legal
Organization: University of Waterloo
rja14@cl.cam.ac.uk (Ross Anderson) writes: In the Law Report in
`The Times' of Friday 22nd July (p 34) there is a report of a case,
Regina v Effik and Regina v Mitchell (``Cordless phone tap
admissible'', p 34) in which Lord Templeman, Lord Roskill, Lord
Ackner, Lord Oliver and Lord Mustill found that the proceeds of an
unauthorised phone tap are admissible in the UK provided that the
tap was not applied to a link which was `comprised in' the public
telecommunications system.
Interestingly, in Canada, illegally obtained evidence is NEVER
automatically excluded. Rather, if someone's rights have been
violated, the evidence shall only be excluded "where it would bring the
administration of justice into disrepute". (source: Canadian Charter
of Rights and Freedoms) So each illegally obtained wiretap would be
considered individually.
--
Tom Yurkiw
------------------------------
End of Computer Privacy Digest V5 #013
******************************
.