Date:       Wed, 12 Oct 94 19:47:54 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V5#048

Computer Privacy Digest Wed, 12 Oct 94              Volume 5 : Issue: 048

Today's Topics:			       Moderator: Leonard P. Levine

                   Re: AOL Sells its Subscriber List
                       AOL Rents Lists: The Truth
                   Re: AOL Sells its Subscriber List
                Give Me Input On The Future Of Computing
                      Re: Background Check For Job
                      Re: Background Check For Job
                   Re: SSN on driver's license in MO
                      Re: Shareware Campaign Tool
                          Send Me FTP Document
                     Skip Tracer Finds Old Friends
              UW Madison Policy on Electronic Data Privacy
                    2nd Intl Conf on InfoWar (long)
          Info on CPD, Contributions, Subscriptions, FTP, etc.

----------------------------------------------------------------------

From: mea@intgp1.att.com (Mark E Anderson +1 708 979 4716)
Date: 10 Oct 94 23:26:00 GMT
Subject: Re: AOL Sells its Subscriber List

It's up to you if you want to print this.   I downloaded this from my
account on AOL which will be cancelled shortly after I make a big huff
and puff over there.

What's the difference between selling and renting a customer list?

A Letter from Steve Case, President and CEO of America Online, Inc.:

October 6, 1994

Dear Members,

Over the past few days, there has been a fair amount of publicity --
and confusion -- regarding our policy of renting mailing lists, so I
decided to send this update to you.

For those who missed it, a leading Congressman (Rep. Ed Markey) issued
a press release on Tuesday expressing concern about AOL's recent
decision to rent its customer list.  In particular, he expressed
concern about the possibility of AOL selling lists based on data that
should remain private.

Within hours after receiving the press release and an accompanying
letter from Rep. Markey to me, I issued the following statement to the
press:

"As an industry leader, we fully support the privacy provisions as
outlined in Congressman Markey's letter today, and we believe we are
fully compliant with them.  Sensitivity toward our members' privacy has
been at the core of our business since we founded the company.  We have
asked for a meeting with Congressman Markey at his earliest convenience
to explore issues of concern to him. If there continues to be
confusion, we will pull the list off the market until this issue can be
satisfactorily resolved.  We believe that as this new interactive
medium develops, it will be critical to build and maintain a strong
sense of community.  We have adopted guidelines which address privacy
rights of our members.  We look forward to working with members of the
Subcommittee, as well as with our industry associations, to ensure
comprehensive privacy protections by all providers as we move this
medium forward."

On Wednesday, this story was picked up by the wire services and a
number of newspapers and television stations.  The coverage was quite
negative, and, unfortunately, misleading.  For example, a wire story
was headlined "Lawmaker Blasts America Online On Privacy" and the first
sentence said:  "America Online Inc., the on-line computer service,
came under fire from a senior congressman Tuesday for the sale of lists
that offer detailed information about its million-odd subscribers." (To
be clear, we are *not* selling lists that contain information about the
specific services people are using.)

Since there was so much misunderstanding of what we did, and why we did
it, I thought it might be helpful to share our perspective directly
with you.

As I'm sure you know, it is a common practice for companies to rent
their lists.  Just about every magazine, for example, rents its list.
And the largest online provider, CompuServe, has been renting their
list for the past 5 years.  Another online leader, Prodigy, has rented
an "electronic list" (promotional mail is sent to Prodigy mailboxes)
for a comparable period of time.

Among the major players, AOL was the only holdout. Why?  Because it
made us a bit uncomfortable.  We felt that some of our members might be
concerned about such a policy, so we decided not to do it. However,
after learning more about the list rental business, we decided to go
forward with a list rental program.  There were two reasons for this.
First, there was considerable profit potential. That's of course good
for us -- but also ultimately good for our members, as the additional
profit can help fund new content, features, and other innovations.
Second, we felt that safeguards could be built into a list rental
program that could minimize problems.

This "safeguard" program had four elements.  First, we decided to limit
the amount of information we made available to direct marketers.  To be
clear, we are NOT selling any information about the specific services
people are using, we are NOT selling telephone numbers, we are NOT
selling any billing information (credit card or checking account
numbers).

Second, we put restrictions on the use of the list.  Although we were
certainly interested in maximizing list rental profit, we decided to be
cautious about offering the list.  So before providing the list, we
will review every package that companies would like to mail.

The third decision was to make it easy for members to take their name
off our mailing list, if they so choose.  So we created an area online
(the keyword is MARKETING PREFS) to make it easy for people to "opt
out" of the list program.

Finally, we decided to notify members of the list program.  New members
learn about the list program as part of the standard registration
process. For existing members, we created a "Personal Choices" menu
option on the new Windows and Mac software we are sending to all
members this Fall, and the "opt out" option was included there as
well.

So we thought we were balancing the various interests and issues in a
reasonable manner.  We'd generate new revenues, but members who wanted
their names taken off the list would be easily accommodated.

In retrospect, I think we made some mistakes.

The first, and in my opinion by far the most important one, was that we
did not proactively and directly notify our existing members about this
new program -- before initiating the program.  We had thought the menu
option in the new software would suffice -- but in retrospect it was
too indirect (and, worse, we had expected to have the new software in
your hands by now, and it was delayed).  As a result, some of you first
learned of our list rental program by reading an article in a newspaper
-- and felt, quite understandably, somewhat betrayed.

We have worked hard to build the AOL community and certainly won't do
anything to harm it. Indeed, our goal is to build it, and set a shining
example for the emerging online world.  The core of a community is
trust -- and I am deeply apologetic to all of you for not informing you
in advance and directly about this new program.

The second mistake we made was not being clearer about what we're
doing. The initial promotional announcement was somewhat ambiguous
about precisely what we were offering for rental, and this was the
source of the considerable confusion in the press and within Rep.
Markey's office.  For example, the promotional listing indicated that
"running charges" were available -- suggesting to some that we would be
releasing information about the size of the monthly charges each AOL
member was incurring. This is not the case.  "Running charges" is a
term used within the direct marketing industry that refers to the cost
of running a computer tape containing the list.  This confusion created
something of a tempest in a teapot, as it suggested we were violating
personal privacy -- which we most certainly are not.

The bottom line is that our decision to rent the list was, I think, a
reasonable one. I do realize that some will not approve of this, but,
on balance, I continue to believe that -- coupled with appropriate
safeguards -- it was and is a reasonable thing to do.  However, in
retrospect, we could have, and should have, handled this better.

Although I was, quite frankly, initially disappointed that Rep.
Markey's press release singled AOL out (given that several of our
competitors have been offering their lists for years), on reflection I
think this has been a positive step for our industry, because the issue
of privacy is very important.  I share Rep. Markey's deep concerns
about setting unusually high privacy standards in the electronic world,
and by putting this issue on the public agenda, he has forced us --
and, I hope, others -- to make a renewed commitment to upholding these
high standards.

We do believe that online services in general -- and, we think, AOL in
particular -- have a unique relationship with customers.  You place
great trust in us -- to build a service you can find value in, and an
online community you can benefit from participating in.  We know that
you all expect us to live up to the trust you have placed in us, and we
certainly will strive to do so.

To summarize:  We are now renting our list.  We are doing this because
it will be a source of additional profit for us, and that in turn will
enable us to fund the creation of new services and features, while
maintaining an affordable price.  We hope you'll be supportive of this
new initiative as we do believe you'll benefit from it.  But if you
want to have your name removed from our list, we'd be happy to do so.
Just use MARKETING PREFS and we'll take care of it.


------------------------------

From: matt@enterprise.America.com (Matthew Lyle)
Date: 11 Oct 1994 16:07:16 -0400 (EDT)
Subject: AOL Rents Lists: The Truth

For those of you that would like to hear both sides of the story,
before having a lynching party, here is a letter from the President of
AOL.  It was posted on AOL, in the Spotlight area. (kind of like being
in the Message Of The Day-MOTD on a Unix box)

Looks like, yet again, you're another victim of the media not bothering
to check out details prior to printing an article.  Numerous things in
the article were false, but the damage has been done and the San Jose
paper doesn't really care. (personal opinion, of course)

I know people that work for AOL...  They were shocked when they read
the article on the news wire and went to check and see if it was true.
It wasn't.  These friends include gays and members of EFF and CPSR, so
I really doubt that they'd condone censorship.  (again... a personal
value judgement, based on my knowledge of them.)

Steve Case posted an article on the "Spotlight" area of AOL.  (kind of
like the Message Of The Day-MOTD on a Unix system)  I've appended it to
this message.

From what I read, what they are doing is no worse than what Citibank
does in selling out customer lists.

Regards,
Matthew

[moderator: Matthew included a copy of the letter also posted by
Mark Anderson above.  I am not including it here in order to save
bandwidth.]



------------------------------

From: mea@intgp1.att.com (Mark E Anderson +1 708 979 4716)
Date: 12 Oct 94 17:00:00 GMT
Subject: Re: AOL Sells its Subscriber List

Here's some of the things I found on AOL on the MARKETING PREFS
window.  The main mechanism for taking your name off the list was
rather confusing and required you to put an X in one of the boxes.  It
appeared that marking this box only stopped them from "renting" your
address to a specific list of products and services.  Attached to this
message are some other things that I think are required to complete the
purge.  This means I have to write a letter, find a couple of envelopes
and stamps, walk to the mailbox, and hope the letter doesn't get "lost
in the mail."  You can print this paragraph if you want.

Regards,
Mark Anderson

ABOUT MARKETING PREFERENCES

In this section, you can learn about services that the Direct Marketing
Association provides to reduce the amount of advertising mail and phone
calls that you receive.

The Direct Marketing Association is the nation's oldest and largest
national trade association serving the direct marketing field. Members
of the DMA market goods and services directly to consumers using media
such as direct mail, catalogs, telephone calls, magazine and newspaper
ads, and broadcast advertising.

America Online occasionally makes our membership list available to
select, reputable companies whose products or services may be of
interest to you.  Marketing Preferences allows you to tell us about the
types of offers you would like to receive or if you do not want your
name to be released to other organizations.

MAIL PREFERENCE SERVICE

For many people, advertising mail is informative and provides value,
convenience and fun.  However, direct marketing companies recognize
that some people do not like to receive advertising mail.

If you want to reduce the amount of national advertising mail you
receive at home, send your name and address to the Direct Marketing
Association's Mail Preference Service (MPS):

Mail Preference Service

Direct Marketing Association
P.O. Box 9008
Farmingdale, NY  11735-9008

After a few months, the MPS will reduce the amount of advertising mail
you receive.  You will continue to receive mail from companies with
which you do business.

Names remain part of the MPS for five years.  After five years, you
will need to register with the MPS again.

If you continue to receive unwanted mail after a few months, the Direct
Marketing Association suggests that you write directly to the mailer to
request that your name be removed from the mailer's list.

AMERICA ONLINE MAILING LIST POLICY

AOL carefully screens all offers to its mailing list to ensure that
they are appropriate.  AOL does not release members' telephone numbers,
credit card numbers, or checking account numbers to other
organizations.

If you do not want your name released to other organizations, simply
indicate this on the Member Mailing Preferences form.  To access this
form, double-click on the heading "Tell Us What Your Preferences Are"
on the previous window.

TELEPHONE PREFERENCE SERVICE

If you want to reduce the amount of national advertising calls you
receive at home, send your name, address, area code and telephone
number to the Direct Marketing Association's Telephone Preference
Service (TPS):

Telephone Preference Service

Direct Marketing Association
P.O. Box 9014
Farmingdale, NY  11735-9014

After a few months, the TPS will reduce the amount of advertising calls
you receive from national marketers such as credit card and magazine
subscription companies.  Some local organizations and charities may not
participate.

Names remain part of the TPS for five years.  After five years, you
will need to register with the TPS again.

If you continue to receive unwanted phone calls after a few months, the
Direct Marketing Association suggests that you request your name be
removed from a company's list when they call.


------------------------------

From: derby@admaix.sunydutchess.edu (Scott Derby)
Date: 11 Oct 1994 13:35:31 GMT
Subject: Give Me Input On The Future Of Computing
Organization: Dutchess Community College

I am scheduled to give a lecture on the future of computing in about a
month.  I would like some input from the Internet community regarding
what they believe/know the future of computing and computers will be.
You don't have to be an expert, just share what you have read, seen or
even imagined (just be realistic in your imaginings).  I guess you
could reply to the list if you feel it would be of interest, or you can
simply reply to me directly.

Thanks...

Scott
DCC Computer Center


------------------------------

From: nowakp@hfsi.hfsi.com (Paul Nowak)
Date: 11 Oct 1994 18:30:39 GMT
Subject: Re: Background Check For Job
Organization: HFSI

    kazmarek@ix.netcom.com (Edward Kazmarek) writes:

	lindline@rice.edu (Ann Lindline) writes: Is this legal?  If you
	want to work for certain government agencies, I know you have
	to submit to, and subject your family and friends to, a lot of
	poking and prying into backgrounds.  Is working for a defense
	contractor basically the same as working for the government?
	What rights to refuse would these roommates have? Any feedback
	is much appreciated.

    I'm not sure, but I suspect it's legal.  At least, it's pretty common.

Actually the investigator will give you the pertinent sections to read
and ask you to sign a statement to that effect. Anyone can refuse to be
interviewed (if it's you doing the refusing it will probably reflect
negatively; but, if one of your references refuses, or your roommate
refuses, no sweat). My SO was apprehensive about her first interview
(I've been interviewed so many times for myself and others that I've
gotten rather friendly with one of the DIS agents).

    For security clearance background checks, it is quite common to
    assess someone's potential security risk by the character of the
    company they keep.

Actually they are more concerned with your character and lying about
the kind of company you keep is very indicative ... as is telling the
truth.  They don't so much care that you smoked pot 30 years ago as
they are that you're trying to hide that fact ... and could face
extortion because of it.

    Even more, it's quite common to pursue what are called "developed
    references."  You ask a listed reference, "Who else knows this
    person?"  You ask the same question to two or three names on that
    list, and so on for two or three levels.  You'd be surprised that
    you don't have to go very far in a chain of developed references
    before you're talking to people who are NOT friends of the
    candidate.  And you get some REAL interesting information.  That's
    life.

This implies that they are going to believe the lies your enemies will
tell. Not so. They are aware that people will lie about others and take
that into account. Unsubstantiated rumors of a drinking problem will be
tossed out, out of hand in the presence of overwhelming evidence to the
contrary; however, they will check out "adverse information". That is
reasonable first hand knowledge of defects such as gross indebtedness,
unusual spending, etc. (a whole list of stuff, none of which was looked
at in the case of Mr. Ames.)

-- 
HFSI 7900 Westpark Dr. Mclean Va. 22102 (just HFSI) A gummint systems integrator
Despite what my return address may say, I'm "nowakp@hfsi.com"
and though I'm an opinionated son-of-a-gun, HFSI refuses to endorse any of them
(even at gun point)   Illigitimii Non Carborundamus!  ;-?


------------------------------

From: nowakp@hfsi.hfsi.com (Paul Nowak)
Date: 11 Oct 1994 18:40:36 GMT
Subject: Re: Background Check For Job
Organization: HFSI

    anonymous <levine@cs.uwm.edu> writes:

	lindline@rice.edu (Ann Lindline) wrote: Is this legal?  If you
	want to work for certain government agencies, I know you have
	to submit to, and subject your family and friends to, a lot of
	poking and prying into backgrounds.  Is working for a defense
	contractor basically the same as working for the government?
	What rights to refuse would these roommates have?

    Yes, I believe it is.  My sister works for a navy contractor, and
    although her job may not be characterized as "high risk" the level
    of security clearance that she has is relatively high.  Because of
    that, her family and friends were checked out.

I suspect it was more like her friends and family were interviewed to
develop information about *her*. There are very few instances (personal
reliability wrt guarding the life of the pres. for eg) where the family
is also investigated ... even for very high sublevels of Top Secret
clearances such as SIOP and ATOMAL.

    I personally did not have to undergo any interviewing, but that may
    be because I'm relatively "clean."

More likely because they don't do that.

    In addition, her husband works for the CIA, so they may think that
    he'll keep an eye on her (even though that's beyond their charter,
    I think that's the NSA's <smile>).

It's the FBI's ... which is why it is most often FBI field agents who
do the interviewing when there are no local DIS (Defense Investigative
Service) or other appropriate investigators nearby.

    Although we may not like it, when subjects of "national security"
    come up, it appears that the government can take whatever measures
    they feel are necessary...

Within the limits laid out by law. Just tell the truth and nothing will
happen .... unless the truth is that you've been hiding something
illegal for lo these many years. ;-)

-- 
HFSI 7900 Westpark Dr. Mclean Va. 22102 (just HFSI) A gummint systems integrator
Despite what my return address may say, I'm "nowakp@hfsi.com"
and though I'm an opinionated son-of-a-gun, HFSI refuses to endorse any of them
(even at gun point)   Illigitimii Non Carborundamus!  ;-?


------------------------------

From: robert@unlv.edu (Robert Cray)
Date: 11 Oct 94 18:41:01 GMT
Subject: Re: SSN on driver's license in MO
Organization: Information Science Research Institute

    Seth Golub (seth@cs.wustl.edu) wrote: When I entered the DMV I saw
    a large sign in a prominent location with large, clear type (and
    with some parts highlighted) that said I could check a box on a
    form if I objected to using my SSN as my license number.  I checked
    the box, and I got a different number.  No hassle.  Of course, I'll
    have to deal with store clerks' odd looks when they see a license
    number that starts with a letter, but I guess that will be a good
    time to enlighten them about SSNs.

I don't know how things are done in MO, however in Nevada if you choose
to not have your SSN on the license it doesn't really matter - take the
1st ten digits of the non-SSN number they give you, call it N, then
(N-2600000001)/2 translates into your SSN.  Just about everyone knows
this so the SSN might as well be on the license.

--
robert


------------------------------

From: gordon@sneaky.lonestar.org (Gordon Burditt)
Date: 12 Oct 94 00:21 CDT
Subject: Re: Shareware Campaign Tool
Organization: /usr/lib/news/organi[sz]ation

    The next release of Precinct Walker, free to all registered users,
    and available in early October, will have a new get out the vote
    (GOTV) module.  This fax-in function will allow a volunteer to
    produce a list of the voters in their precinct and to go to the
    polls and determine who has voted.

I found this little tidbit interesting.  Is it really possible to go to
the polls and determine, in the middle of an ongoing election, who has
voted and who hasn't?  Why?  How does one do this without disrupting
the process of voting?  (In areas where I vote, this information is
kept manually in several large computer-printed lists of eligible
voters, divided alphabetically by last name.  It may be computerized
later, and the production of the list is certainly computerized, but
it's manual DURING the election.  This doesn't mean optical scanning of
ballots isn't done, but there's not supposed to be a one-to-one
correspondence between voter and ballot to keep individual votes
private.  Taking the lists away from the election workers during the
election will definitely bog down the voting process.)

					Gordon L. Burditt
					sneaky.lonestar.org!gordon


------------------------------

From: Chuck Weckesser <71233.677@compuserve.com>
Date: 12 Oct 94 12:29:43 EDT
Subject: Send Me FTP Document

Dear Friend, 

I do not know how to use FTP. I desperately wish to acquire a copy of
the FBI's new wiretapping proposal.

If some kind soul reading this would be gracious enough to send me a
copy of the document, I will be eternally grateful. Have a nice day!

Chuck Weckesser

[moderator:  Mail to comp-privacy-request@uwm.edu will get a copy of
the bill passed by the Senate mailed to you.]


------------------------------

From: Mike Crawford <crawford@scipp.ucsc.edu>
Date: 12 Oct 1994 16:41:23 -0700
Subject: Skip Tracer Finds Old Friends

I heard an intriguing radio ad yesterday...

"Miss your old college friends?  Want to find them?  It's easy with The
Right Connection."

(hmm... I thought.. sounds like a skip-tracer is trying to find new
markets for his service).

"We'll find them quickly using the most advanced technologies"

(yep... sure like to know what those are!)

"Dial 1-800-xxx-xxxx"

The punch line:

"We also offer a complete line of business services".... meaning, I
presume, traditional skip-tracing.

I wonder whether one could call them up and register as someone who is
not to be "found"?  I would imagine not - or if so, they'd probably
charge for the service of not handing out your address and phone number
to any paying customer.

Mike Crawford           | Call Congress toll free at 1-800-768-2221.  When the
crawford@scipp.ucsc.edu | operator answers, ask for your Senator or Rep.


------------------------------

From: "Prof. L. P. Levine" <levine>
Date: 10 Oct 1994 18:07:29 -0500
Subject: UW Madison Policy on Electronic Data Privacy

NOTICE: THIS IS *NOT* AN OFFICIAL COPY OF THIS DOCUMENT -- FOR AN 
OFFICIAL COPY OF THIS DOCUMENT, CONTACT THE OFFICE OF THE SECRETARY OF
THE FACULTY: phone: (608) 262-3956, fax: (608) 263-2081.

===========================================================================
University of Wisconsin                      Faculty Document 890a
Madison                                      7 October 1991

REPORT OF THE UW-MADISON AD HOC ELECTRONIC DATA ADVISORY COMMITTEE
September 13, 1991 (as revised October 7, 1991 by the Faculty Senate)

INTRODUCTION

The Electronic Data Advisory Committee was created by the University
Committee to clarify the privacy and confidentiality status of
electronic data and to draft procedures for the University to follow in
providing access to information in this form.

The faculty and staff of the University should be under no delusions as
to the essential confidentiality of their electronic files. Even when
one takes elaborate precautions (e.g., file encryption) the nature of
modern communication networks is such that true confidentiality is
impossible to guarantee. In addition, the Wisconsin open records law
may require public disclosure of electronic data. All users of these
services should be apprised of these facts.

The Federal Electronic Communications Privacy Act of 1986 (18 U.S.C.
sec. 2511) and parallel language adopted by the Wisconsin Legislature
(sec. 968.31(2), Wis. Stats.) allows the University to examine
electronic information when necessary to protect the rights and
property of the University. The proposed procedures provide a mechanism
for doing so in a way that respects the rights of individuals
involved.

The report that follows deals with the question of appropriate
procedures for the University to follow in cases of requests for access
to electronic files initiated internally. (Requests for access that
originate external to the University will normally arise under
circumstances described in Section 6 of these procedures. In such
cases, the University will provide notice to the controller and the
opportunity to respond, whenever possible.)

In general, all computer and electronic files should be free from
access by any but the authorized users of those files. Exceptions to
this basic principle shall be kept to a minimum and made only where
essential to

1. meet the requirements of the state open records law and other
   statutory or regulatory requirements;

2. protect the integrity of the University and the rights and property
   of the State;

3. allow system administrators to perform routine maintenance and
   respond to emergency situations such as combating "viruses" and the
   like; and

4. protect the rights of individuals working in collaborative
   situations where information and files are shared.

Accordingly the Ad Hoc Electronic Data Advisory Committee recommends
the following actions:

1. The University should make a special and periodic effort to notify
   users that:

   a. Faculty Policies and Procedures include rules governing the
      privacy of electronic data;

   b. State or federal regulations may supersede these policies and
      procedures; and

   c. electronic communications and data files are not secure from
      unauthorized access.

2. Because the proposed policy does not address how departments and
   schools may access students' instructional accounts, departments and
   schools should codify their procedures for managing and gaining
   access to such accounts;

3. The Faculty adopt the following policy and procedures to govern
   access to electronic files controlled by faculty and staff:

POLICY AND PROCEDURES GOVERNING ACCESS TO ELECTRONIC FILES AT THE
UNIVERSITY OF WISCONSIN-MADISON

PRINCIPLES:

The procedures are based on three fundamental principles:

1. Intrusion into electronic files requires carefully considered cause;

2. Controllers of files should be notified before accessing their
   files; and

3. The University has an obligation to protect the integrity of the
   University, its services, its confidential data, and the rights and
   property of the State.

DEFINITIONS

As used in these procedures:

1. "Electronic File" encompasses information stored and/or transmitted
   in electronic form, including but not limited to text, data, sound,
   graphics, images, and video, irrespective of its recording and
   transmission media or its format.

      Examples of electronic files include e-mail messages, databases,
      and magnetic tape files and subsets thereof.

2. "Controller of a file" is defined as follows:

   a. on a single user computer under the control of a single person
      (e.g., a computer in a faculty office) the files normally are
      controlled by that person;

   b. on computers accessed by more than one individual, but which do
      not have an operating system that identifies files with a
      specific user, the individual responsible to the University for
      control of the computer (e.g., the laboratory director or
      department chair) is considered to be the controller of
      electronic files resident on that computer;

   c. On multiuser systems, an individual is typically registered or
      given an account. The registered user or account holder is
      normally considered to be the controller of files held in that
      account;

   d. In "work for hire" situations where one party enters or edits
      material for the originator of a file, the one responsible for
      originating the material in the file is the controller of the
      file. The person charged with entering the material is usually
      considered to be an authorized user. For example, when a
      secretary or a research assistant working under explicit
      directions uses a computer to enter and edit a document for a
      faculty member, the faculty member is the controller of the file
      and the secretary or research assistant is an authorized user.

3. "Authorized User" includes the controller of a file and someone who
   is given explicit access to the file by a controller.

4. "System Administrator" is an individual who has been charged by a
   University unit with maintaining a computer system and its software
   at an acceptable level of performance for the service that it is
   expected to provide.

PROCEDURES

1. Except as provided for in Sections 5 and 6, no one but an authorized
   user of an electronic file may intentionally access that file
   without receiving either

   a. The permission of the controller of the file; or

   b. The express written permission of the Vice Chancellor for
      Academic Affairs, who may grant such permission only in
      accordance with the procedures established by Sections 2 and 3
      below.

2. Except as provided for in Sections 5 and 6, the Vice Chancellor for
   Academic Affairs may grant permission to those persons listed in
   section 2(b) to access a computer or electronic file only upon
   determining that all of the following steps have been taken:

   a. The Vice Chancellor for Academic Affairs has received in writing
      a request for access that specifies the reasons for the requested
      access and lists the requested file(s) by name, contents, or a
      description that clearly limits access to the file(s) necessary
      to further the purposes designated in Section 2(f).

   b. The written request has been made by a dean, director, department
      chair, vice-chancellor, or other person who has responsibility
      for protecting the integrity of the University, its services, and
      the rights and property of the State.

   c. The Vice Chancellor for Academic Affairs has notified in writing
      the controller of the file(s) that a request for access to the
      specified file(s) has been made and is pending.  When there is
      doubt as to who is the controller of a file, notice should be
      sent to all the known individuals likely to have such an
      interest.

      Notification must, at a minimum,

      i.   specify the name of the party requesting the file(s);

      ii.  list by name, description, or contents the file(s)
	   requested;

      iii. indicate that unless waived in writing by the controller of
	   the file(s) within four days of notification, an inquiry as
	   specified in section 2(d) of these procedures will be held
	   to examine whether justification exists for granting the
	   requested access;

      iv.  indicate that in the event a section 2(d) committee has been
	   appointed, the controller of the file(s) has a right to make
	   known to the committee his or her views on whether access is
	   justified;

      v.   indicate that the file(s) in question shall not be altered
	   or deleted by anyone, including the controller, and that
	   alterations or deletions may be a basis for disciplinary
	   action; and,

      vi.  if relevant, indicate that the Vice Chancellor for Academic
	   Affairs has exercised his or her power under section 3 to
	   take the minimum steps necessary to preserve the contents of
	   the subject file(s).

   d. The Vice Chancellor for Academic Affairs has appointed a
      committee of three members, all of whom are otherwise uninvolved
      in the request and at least two of whom are members of the
      faculty or academic staff (as is appropriate to the case), to
      inquire into whether a justification under section 2(f) exists to
      warrant granting the requested access. Unless granted additional
      time, the committee will conduct its inquiry and make a written
      report to the Vice Chancellor within ten calendar days of its
      appointment.

      At a minimum, the committee shall

      i.   examine the written request for access provided to the Vice
	   Chancellor under Section 2(a); and

      ii.  offer all those notified under Section 2(c) an opportunity
	   to make known to the ad hoc committee their views on whether
	   access is justified.

   e. The Vice Chancellor for Academic Affairs has received the results
      of the inquiry specified in Section 2(d) of these procedures or
      has received the controller's waiver of the section 2(d)
      inquiry.

   f. The Vice Chancellor for Academic Affairs finds that the requested
      access is necessary to protect the integrity of the University,
      its services, and the rights and property of the State.

   g. The Vice Chancellor for Academic Affairs has put in writing, with
      as much specificity as possible, the reasons for granting access
      to the file(s).

3. Upon the written request of one of those persons listed in section
   2(b) or on his or her own initiative, the Vice Chancellor for
   Academic Affairs may authorize the appropriate University unit to
   take all necessary steps to preserve and save the contents of any
   file(s) within the University's computer systems. An order to
   preserve the contents of the file is meant to assure that the data
   in the file(s) is not destroyed, altered, or lost. Any such order
   does not constitute permission to open, read, or otherwise use the
   contents of the file(s).  Access to the contents of the file(s)
   shall be obtained only under procedures specified herein or under
   conditions stated in Sections 5 and 6.

4. All requests for access to electronic files made under the Wisconsin
   open records law shall be made through the office of the
   University's Custodian of Records. It is recommended that the office
   of the Custodian of Records promulgate procedures consistent with
   the Wisconsin open records law and the principles expressed in these
   procedures. Such procedures shall provide for notice to the
   controller before public disclosure, whenever possible.

5. Nothing in these procedures is meant

   a. to supersede the usual procedures followed by departments and
      schools in monitoring student accounts given for specific course
      work; or

   b. to preclude computer system administrators from authorizing the
      routine maintenance of campus computer or communication systems
      or the rectification of emergency situations that threaten the
      integrity of campus computer or communication systems, provided
      that use of accessed files is limited solely to maintaining or
      safeguarding the system (which may include safeguarding the
      system from illegal use) or solving specific problems.

6. Nothing in these procedures is meant to either limit or expand
   access to files pursuant to Wisconsin or United States statutes or
   regulations, such as those governing patient records, student
   information files, open records, criminal investigations conducted
   by federal, state or local law enforcement authorities or certain
   personnel actions.

The Ad Hoc Electronic Data Advisory Committee:

Seymour Parter, Professor, Computer Sciences and Mathematics (Chair)

David Brown, Senior Policy and Planning Analyst, Office of Information
Technology

Dennis Fryback, Professor, Industrial Engineering and Preventive
Medicine

Thomas Palay, Professor, Law

Tad Pinkerton, Professor, Computer Sciences & Director, Information
Technology

Charlene Rieck, Information Processing Consultant, College of
Agricultural & Life Sciences


------------------------------

From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Date: 12 Oct 94 07:44:14 EDT
Subject: 2nd Intl Conf on InfoWar (long)

            FINAL CALL FOR PARTICIPATION
          [Please post where appropriate.]

Second International Conference on Information Warfare:
        Chaos on the Electronic Superhighway
                          
   Conference Date:    Wed-Thu 18-19 January 1995
   Conference Locale:  Dorval Airport Hilton Hotel
                  Montreal, Canada

1.   INTRODUCTION

Cultures that depend on information systems are vulnerable to
Information Warfare.  Attacks on data confidentiality and
possession, integrity and authenticity, and availability and utility
will damage individuals, corporations and other private
organizations, government departments and agencies, nation-states
and supranational bodies.

It is essential to erect legal, organizational, and cultural defences
against information warfare.

Winn Schwartau, author of the new book, _Information Warfare:
Chaos on the Electronic Superhighway_, published in 1994 by
Thunder's Mouth Press (ISBN 1-56025-080-1), has defined three
levels of information warfare:

Level one: interpersonal damage.  Damage to individuals in
recent cases includes impersonation in cyberspace (e.g., false
attribution of damaging communications), appropriation of credit
records (for fraud and theft), harassment (e.g., interruption of 
phone services) and loss of privacy (e.g., theft of medical records).

Level two: intercorporate damage. In a recently reported case, a
ring of criminal hackers stole the telephone calling cards of
100,000 subscribers to MCI, AT&T, and Sprint.  These thefts are
estimated to have resulted in $50 million of fraudulent long
distance calls.  In this case, a switch engineer working for MCI is
accused of having inserted Trojan horse software to record
calling-card numbers passing through MCI's telephone switching
equipment.  Other recent attacks include data leakage of
confidential information with high competitive value in the
automotive and airline industries.

Level three: international and inter-trading block damage.  The
World Trade Center bombing caused more economic loss through
interference with business communications and information
processing than it did by physical damage to the building.  It is
inconceivable that terrorist organizations and nations are unaware
of the low cost and minimal risk of attacks on information 
infrastructure compared with physical attacks.  On a global scale, 
an aggressive trading block could acquire significant competitive 
advantage over an entire society by corrupting widely-used software
(e.g., inserting code in a spreadsheet or accounting package to 
introduce occasional random errors) or even inserting logic bombs
into microcode for new processors.  The collapse of the Soviet bloc 
has made thousands of skilled programmers available for such 
subversion.

The Second International Conference on Information Warfare
will focus on the likelihood and nature of deliberate attacks in
cyberspace.  Speakers and panelists will consider the military
perspective on information warfare:  how are defence establishments
of technologically-advanced nations approaching warfare in 
cyberspace?  How will the threat of information warfare affect 
military command and control structures?  Can a national military 
posture be envisaged without including collaboration with civilian 
users and managers of information systems?  What is the future of 
aggressive information warfare as a component of national policy?

The Conference will serve the interests of information security
specialists and strategic planners from military and government 
circles, the corporate world, and academia.  The Press will be 
permitted to cover the event, providing opportunities for increased 
public awareness of vulnerabilities of the information infrastructure.

The Conference Proceedings will contribute to national and
international debates about information warfare and the need for
careful planning to avoid disruption by hostile forces as information 
highways develop worldwide.

Following recommendations from last year's participants in the
First International Conference on Information Warfare, we
have scheduled more free time for informal discussion among
participants.  Informal discussions will be aided by Special Interest
Group signs allowing people with specific interests to congregate if
they wish.

The organizers extend a special welcome to members of world
defence establishments.  In order to foster the greatest degree of
serious and productive discussion, room has been reserved for
approximately 100 participants.

2.   PROGRAM

WEDNESDAY 18 JAN 95

 07:00-08:05 Registration and Continental Breakfast
 08:05-08:15 Welcome from NCSA and Organizing Committee
 08:15-09:00 Keynote Address:  Civil Defence in Cyberspace--
             Maj.Gen.(Rtd) Alan Pickering / Communications Security 
             Establishment of Canada
 09:00-09:15 Short break
 09:15-10:30 Class I InfoWar:  Attacks on Personal Information
 10:30-11:00 Break for informal discussions optionally by topic:
             Privacy, Cryptography, Laws & Law Enforcement
 11:00-12:30 Class II InfoWar:  Corporate Espionage and Sabotage
 12:30-13:45 Buffet lunch and informal discussions optionally by sector:
             Corporate, Government, Military, Academic
 13:45-15:30 Class III InfoWar:  Global Conflict and Terrorism
 15:30-16:30 Breakout groups by Class of InfoWar
 16:30-17:15 Group discussion of appropriate actions for
             establishing civil defence in cyberspace
 17:15-18:00 Closing comments for first day--
             Winn Schwartau / Inter.Pact, Mich Kabay / NCSA

THURSDAY 19 JAN 95

 08:15-08:30 Introductory comments, logistics
 08:30-10:00 War and Peace in the Age of Information
             Robert David Steele / Open Source Solutions Inc.
 10:00-10:30 Informal discussions
 10:30-11:30 Questions/Discussion with Winn Schwartau and Robert Steele
 11:30-12:00 Conference summary and closing comments: 
             Mich Kabay, Robert Bales / NCSA

The official language of the Conference is English.

3.   KEYNOTE SPEAKERS

The Organizing Committee is proud to announce that our first
Keynote Speaker will be Maj-Gen (Rtd.) Alan Pickering. 

Mr Pickering joined the Communications Security Establishment
of the Government of Canada as Director General, Information
Technology Security in January 1985, after completing 36 years
service in the Canadian Forces.  Mr Pickering is a graduate of the
Royal Military College and Queen's University, from which he
holds a degree in mechanical engineering.  He also attended the
RCAF Staff College and the U.S. Navy War College and served as
Director of Cadets and Military Training at the Royal Military
College.  Some of the positions held during his military career
include pilot and instructor in Air Transport Command; engineer in
the U.S. Gemini space program; Commanding Officer of an Anti-
submarine Patrol Squadron; Base Operations Officer and Base
Commander of Canadian Forces Base Greenwood; Deputy Project
Manager for the AURORA long-range patrol aircraft; and
Commander of the Maritime Air Group.  His last position before
retiring in 1985 with the rank of Major-General was Chief,
Intelligence and Security at National Defence Headquarters in
Ottawa.  He is a Commander in the Order of Military Merit; in
October 1987, he was appointed to the honorary position of
Colonel-Commandant of the Canadian Forces Security Branch.

The Keynote Speaker for the second day of the Conference will be
Robert David Steele, President of the non-profit educational
corporation, Open Source Solutions, Inc.  Mr Steele holds
graduate degrees in international relations and public
administration and is a graduate of the Harvard University
Executive Program in Intelligence Policy.  He is a distinguished
graduate of the U.S. Naval War College and recently completed an
eighteen-year career in the U.S. Marine Corps in national and
defense intelligence.

Mr Steele is a leading advocate for national information strategies
encompassing connectivity, content, coordination of research and
communications and computing security.  He is the architect of the
National Information Strategy Act of 1994 which has been
circulated among members of Congress and which includes
extensive discussion of the need for communications and computer
security in the national interest.

Mr Steele was invited to present the Superintendent's Guest
Lecture in August 1993 at the U.S. Naval Postgraduate School; his
topic was "War and Peace in the Age of Information."  In his
presentation at the Second International Conference on
Information Warfare, Mr Steele will discuss the national strategic
implications of both information warfare and information
peacekeeping.  He will tie in how government, corporate, and
personal initiatives must all come together to create a safe
environment in cyberspace.

Winn Schwartau, Executive Director of Inter.Pact, is a key player
in the evolving study of information warfare.  He has frequently
appeared before and advised committees of the Congress of the
United States and has analyzed the vulnerabilities of the Western
world to electronic terrorism.  Schwartau, editor and publisher of
the widely-respected Security Insider Report, has investigated and
reported on many topics bearing on information warfare.  His
textbook, Information Warfare, is a signal contribution to the field;
his novel, Terminal Compromise, published in 1991 and recently
released for free distribution on the Internet, presents a gripping
account of plausible cyberterrorism.  Mr Schwartau is a dynamic
and exciting speaker who seized the imagination of participants at
the First International Conference on Information Warfare in
September 1993; the Program Committee is especially pleased at
his participation.

M. E. Kabay, Ph.D. is Director of Education of the National
Computer Security Association.  He is Chief Sysop of the NCSA's
new Information Security Forum on CompuServe and is a regular
contributor to the Risks Forum Digest on the Internet.  He is
security columnist for Network World and Computing Canada and
has published over 150 articles on system management and security
since 1986.  Mich Kabay won the Best Paper award at the 16th
National Computer Security Conference in 1993 and was asked to
organize the panel on Interdisciplinary Perspectives on Information
Security at the 17th NCSC in October 1994.  Dr Kabay was the
leader of the International Delegation of Computer Security
Experts to the People's Republic of China in April 1994.  He has
been invited to be the Keynote Speaker at the U.S. Department of
Energy's Security Conference in spring 1995.  He currently teaches
Information Technology Security at the Institute for Government
Informatics Professionals in Ottawa.

The remainder of the Call for Participation, including hotel details,
costs and registration information, is available on request from
75300.3232@compuserve.com, by fax to 514-695-7393, or by phone to
514-695-4968.


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 26 Sep 1994 12:45:51 -0500 (CDT)
Subject: Info on CPD, Contributions, Subscriptions, FTP, etc.
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions generally are acknowledged within 24 hours of
submission.  An article is printed if it is relevant to the charter of
the digest.  If selected, it is printed within two or three days.  The
moderator reserves the right to delete extraneous quoted material.  He
may change the subject line of an article in order to make it easier
for the reader to follow a discussion.  He will not, however, alter or
edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Mosaic:        gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V5 #048
******************************