Date:       Fri, 17 Nov 95 14:07:22 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V7#042

Computer Privacy Digest Fri, 17 Nov 95              Volume 7 : Issue: 042

Today's Topics:			       Moderator: Leonard P. Levine

                   Re: Unsolicited email Advertising
                   Re: Unsolicited email Advertising
                   Re: Unsolicited email Advertising
                   Re: Unsolicited email Advertising
                   Re: Unsolicited email Advertising
                     Re: S. 1360 - Medical Privacy
                         Corporate Privacy Shop
                        Re: Phone Number Privacy
                  Survey About Privacy on the Internet
                           Stopping Junk Mail
                      Re: United Way uses SSN now
                      Re: United Way uses SSN now
                      Re: United Way uses SSN now
                      Re: United Way uses SSN now
                      Re: United Way uses SSN now
                             Telemarketing
                   Re: Company Network email Reading
                   Re: Company Network email Reading
                          Re: Copyright Notice
                          Re: Copyright Notice
                          Re: Copyright Notice
                 Health Privacy Legislation - Part III
            Review of IITF Privacy Working Group White Paper
                 Info on CPD [unchanged since 08/18/95]

----------------------------------------------------------------------

From: jeff@cher.heurikon.com (Jeffrey Mattox)
Date: 15 Nov 1995 17:06:27 GMT
Subject: Re: Unsolicited email Advertising
Organization: Heurikon Corporation

Would this work?  Since most junk mailer routines probably grab the
addresses from the header, what if you used a bogus Reply-To address
and then included your real and correct email address in your
signature?

-- 
Jeffrey Mattox -- jeff@heurikon.com
Cartoon of the day: http://www.heurikon.com


------------------------------

From: Seth Tager <sdt@cs.brown.edu>
Date: 16 Nov 1995 11:59:20 -0500
Subject: Re: Unsolicited email Advertising
Organization: Brown University

    Gary McGath wrote: A law which protects you from feeling annoyed
    would stomp on free communication. If sending unsolicited E-mail
    were a crime, then I could not use E-mail to contact an old friend
    whom I hadn't seen in years. Or if the law were that unsolicited
    E-mail is permitted with limitations on mailing list size and/or
    content, then it's guaranteed that as soon as someone sent out an
    alert against a deadly piece of legislation that some politician
    really wanted, that person would find his computer raided, his
    disks and laser printer seized, and himself threatened with
    prosecution.

What's wrong with prohibiting people from sending mass mailings that
are for direct commercial advantage? This wouldn't stop all spamming
but it would cut down on the most annoying and egregious.

I'm afraid that once people start to think of the web as a free
advertising platform it will become a useless tool.

--
Seth


------------------------------

From: peter@nmti.com (Peter da Silva)
Date: 16 Nov 1995 18:35:38 GMT
Subject: Re: Unsolicited email Advertising
Organization: Network/development platform support, NMTI

    Gary McGath <gmcgath@condes.MV.COM> wrote: The number of people
    being annoyed does not convert annoyance into force or fraud; if it
    did, then one would have to accept the premise that a book or
    article which annoyed a sufficiently large number of readers could
    justifiably be censored. "Emotional harm" cannot be a justification
    for criminalization in a free society.

How about theft?

The annoyance factor of junk email is minimal.

Yes, minimal. It's not even as annoying as telemarketers. It's not a
privacy issue. It's not an "emotional harm" issue. It's a matter of
simple theft of services.

The problem with junk email is that it's not paid for by the sender.
It's paid for by the recipient. It's like junk fax (consumes paper) or
telemarketing calls to cellphones and 800 numbers, all of which are now
illegal most places.

It's legal to cold-call me at 7AM just as I get into the shower. It's
not legal if I'm driving to work. Not because it's more or less
annoying, but because it costs me money.

But in any case it's got nothing to do with privacy, so it's off topic for
this forum.

-- 
Peter da Silva    (NIC: PJD2)      `-_-'             1601 Industrial Boulevard
Bailey Network Management           'U`             Sugar Land, TX  77487-5013
+1 713 274 5180         "Har du kramat din varg idag?"                     USA
Bailey pays for my technical expertise.        My opinions probably scare them


------------------------------

From: jcr@mcs.com (John C. Rivard)
Date: 16 Nov 1995 15:11:48 -0600
Subject: Re: Unsolicited email Advertising
Organization: very little

    gmcgath@condes.MV.COM (Gary McGath) wrote: If you regard first-time
    unsolicited E-mail as so heinous an assault on your person that you
    want to prosecute the person who did it, then you should at least
    take some reasonable precautions against letting your E-mail
    address be known to strangers. For example, just by posting to a
    newsgroup, you're letting many people know your address.

Letting people know your email address is not the same as inviting them
to send you unsolicited junk advertising. As an analogy, having your
phone or fax number published in the paper phone book does not render
this law unenforceable.

    The mania of today is that if somebody does something which we
    don't like, we look for a law to keep him from doing it. This has
    resulted in a society in which we are all criminals in more ways
    than we can know.

I agree with a lot of what you say here, but I don't think it really
applies in this case. This is not a "new" law, and I don't personally
think that its application in this way is so novel--the law's purpose
was to prevent people from unsolicited advertising using the RECEIVER'S
resources at the RECEIVER'S expense.

    Have we reached the point where people can't deal with annoyance
    except by calling the cops?

You can deal with many annoyances by only THREATENING to call the cops.
I think that is the point and the strength of this and many other
laws.

-- 
John C. Rivard  <jcr@mcs.com>
Opinions expressed yadda yadda--you know the drill


------------------------------

From: haz1@kimbark.uchicago.edu (Bill)
Date: 17 Nov 1995 16:03:26 GMT
Subject: Re: Unsolicited email Advertising
Organization: The University of Hell at Chicago

    Bruno Wolff III <bruno@cerberus.csd.uwm.edu> wrote: One way to
    handle unsolicited email is to use a mail filter that checks the
    digital signature of all incoming mail and discard all messages
    that don't come from a source permitted to send you mail.

Skipping the point that digital signatures aren't widely used yet, and
instead reading this idea as using the sender's email address to sort
and discard, this is still not an acceptable solution if you post at
all to USENET.  It's considered very bad form to post followups that
are irrelevant to most readers, and email is used instead for such
replies.  Anyone who read your post could be sending you a legitimate
reply, and the mail filter you propose would blithely toss those in the
trash along with the real junk mail.  There has to be a better
solution.  Filtering out known email-SPAMers and sites that don't
bother to verify who they're giving accounts to helps, but will not be
enough in the long run.  Constructive suggestions?

--
Bill (haz1@midway.uchicago.edu)
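
[Added example, not part of the original digest or of any poster's message:
the two sender-address filtering policies discussed in the post above, run
over constructed messages to show which mail each one misclassifies. All
addresses, list contents and function names are assumptions made for
illustration.]

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real traffic); every address is a placeholder.
RAW_MESSAGES = {
    "friend": "From: Alice <alice@friends.example>\nSubject: lunch?\n\nFriday?\n",
    "usenet_reply": ("From: reader@university.example\n"
                     "Subject: Re: your post in comp.society.privacy\n\n"
                     "Replying by mail to keep the group on topic.\n"),
    "known_spammer": "From: deals@bulkmail.example\nSubject: MAKE MONEY FAST\n\n...\n",
    "new_spammer": "From: offers@fresh-domain.example\nSubject: Limited offer\n\n...\n",
}

# What the recipient actually wants to happen to each message.
WANTED = {
    "friend": "deliver",
    "usenet_reply": "deliver",
    "known_spammer": "discard",
    "new_spammer": "discard",
}

ALLOWED_SENDERS = {"alice@friends.example"}   # assumed allowlist
BLOCKED_SENDERS = {"deals@bulkmail.example"}  # assumed list of known bulk mailers
BLOCKED_DOMAINS = {"bulkmail.example"}        # assumed list of careless sites


def sender_of(raw):
    """Return the lower-cased address from the From: header.

    The header is taken at face value: nothing here authenticates it,
    which is the gap a digital signature check would close.
    """
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.lower()


def allowlist_verdict(raw):
    """Deliver only mail from senders already permitted; discard the rest."""
    return "deliver" if sender_of(raw) in ALLOWED_SENDERS else "discard"


def blocklist_verdict(raw):
    """Discard mail from known bulk mailers and sites; deliver the rest."""
    addr = sender_of(raw)
    domain = addr.rpartition("@")[2]
    if addr in BLOCKED_SENDERS or domain in BLOCKED_DOMAINS:
        return "discard"
    return "deliver"


def evaluate(policy):
    """Apply a policy function to every sample message."""
    return {name: policy(raw) for name, raw in RAW_MESSAGES.items()}


def misclassified(verdicts):
    """Names of messages whose verdict differs from what the recipient wants."""
    return sorted(name for name, v in verdicts.items() if v != WANTED[name])


if __name__ == "__main__":
    for label, policy in (("allowlist", allowlist_verdict),
                          ("blocklist", blocklist_verdict)):
        verdicts = evaluate(policy)
        print(label, verdicts, "wrong:", misclassified(verdicts))
```

The allowlist loses the legitimate reply from a stranger; the blocklist
passes the spammer it has not seen before.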


------------------------------

From: jwarren@well.com (Jim Warren)
Date: 15 Nov 1995 08:24:26 -0800
Subject: Re: S. 1360 - Medical Privacy

Jamie Love from Ralph Nader's group just posted a lengthy
comment/analysis of the privacy problems re Senate Bill 1360.  This
excerpts his lead, plus ending pointers to where full information can
be obtained.

--
Jim Warren, GovAccess list-owner/editor (jwarren@well.com)
Advocate & columnist, MicroTimes, Government Technology, BoardWatch, etc.

===

These were our comments at today's hearing on S. 1360.  We did not
testify.  (only one opponent of the bill was permitted to testify today).
jamie


          Comments of Consumer Project on Technology
                               on
   S. 1360 - the Medical Records Confidentiality Act of 1995
 submitted to the Senate Committee on Labor and Human Resources*

                          James P. Love
                       November 14, 1995

Introduction

     The following comments of the Consumer Project on Technology
(CPT) outline our suggestions for improvements in S. 1360, the
Medical Records Confidentiality Act.  While we join others in
applauding the sponsors of S. 1360 for focusing attention on the
important issue of privacy of medical records, we cannot support
the bill as introduced.  ...

 ...

     The Consumer Project on Technology has created an Internet
discussion list for this issue, called med-privacy, which is
available for subscriptions from listproc@essential.org. Send a
note to listproc@tap.org, with the message:

     subscribe med-privacy yourfirstname yourlastname

 Our World Wide Web page has additional information, and is
located at:

     http://www.essential.org/cpt/privacy/privacy.htm.

     The Consumer Project on Technology (CPT) is a project of the
Center for Study of Responsive Law.  The CPT was created by Ralph
Nader this year to study a number of issues related to new
technologies, including telecommunications regulation, pricing of
pharmaceutical drugs, intellectual property rights, and the
impact of computers on privacy.  The URL for CPT is
http://www.essential.org/cpt/cpt.html.

 ----------------------------------------------------------------------
James Love, love@tap.org
P.O. Box 19367, Washington, DC 20036; v. 202/387-8030; f. 202/234-5176
Consumer Project on Technology; http://www.essential.org/cpt/cpt.html
Taxpayer Assets Project; http://www.essential.org/tap/tap.html


------------------------------

From: placidego@aol.com (Placidego)
Date: 15 Nov 1995 11:47:20 -0500
Subject: Corporate Privacy Shop
Organization: America Online, Inc. (1-800-827-6364)

Leading manufacturer of high tech spy devices announces unique internet
web site.

    Name of Site:  Spyzone.com
    URL:   http://www.spyzone.com
    E-mail:   spyzone@webscope.com

General Description: Spyzone

This is NOT a game! This is the real world of spy versus spy, corporate
espionage, counter intelligence, surveillance, and ultra-high tech
detection systems. The products, services and information contained in
this site are designed to protect you, your business and anything that
you consider valuable from theft, corruption or misuse. The majority of
this site is open to the general public; however, parts of the site are
restricted to law enforcement personnel.

The Counter Spy Shop of London has always been referred to as the place
where "James Bond" shops.

For nearly half a century,  governments, corporations, key executives,
law enforcement officials and people who have a great deal to lose
have come to CCS for solutions to their critical security problems.

CCS products have been featured in such films as "Silence of the
Lambs", "Sneakers", "Miami Vice" as well as being covered in news
features on all major networks and many premiere publications such as
Fortune, Time Magazine and the New York Times.

This site is not only a source of product and service solutions but also
provides a dynamic link to many other highly interesting security related
sites. 

Goods and Services Offered:

Covert Audio Interception
Wiretap and Bug Detection
Electronic Surveillance and Counter Surveillance
Electro Optical Surveillance and Night Vision
Micro Video Photo Optical Systems
Audio Surveillance
Radio and Satellite Communications
Explosive and Contraband Detection
Body and Vehicle Armor
Voice Stress Analysis
Tracking, Locating and Kidnap Protection
Personal Protection
Riot Control
Information Protection
Disaster Recovery
Computer Security
Voice, Fax and Data Encryption
Business Opportunities within the high-tech security field
Publishing of security related materials and information guides
Consulting services with regard to security


------------------------------

From: Chris Kocur <ckocur@jcpenney.com>
Date: 15 Nov 1995 20:59:16 GMT
Subject: Re: Phone Number Privacy
Organization: JCPenney

    eichin@mit.edu wrote: On a recent CD, folk singer Christine Lavin
    included a song actually titled "*69" about a similar, though
    different in the details, scenario... interesting from the "raising
    public awareness" perspective at least.

I have the *69 feature and have used it to stop prank callers. I
subscribed to the service before caller id came to my area. The service
changed as soon as the phone company started offering caller id. It
used to be it would just dial the number back, and if it was not a toll
call you had no way of telling what the number was. Now that caller id
is in place (which I did not subscribe to), when I dial *69, it first
tells me the number and asks if I want to go ahead and place the call.
So I get the number without even having to call the person back. Just
wanted to let you know that with some *69 systems the suspicious spouse
doesn't have to wait for the bill or alert the other person by calling
them in order to find out who they are.

-- 
Regards, Chris

#include <std/disclaimer.h>
I can do it quick; I can do it well; I can do it cheap -- pick any 
two.  -- Red Adair
ckocur@jcpenney.com (work), ckocur@plano.net (home)


------------------------------

From: gita@Glue.umd.edu (Rajesh N. Raghavan)
Date: 15 Nov 1995 22:03:17 -0500
Subject: Survey About Privacy on the Internet
Organization: Project Glue, University of Maryland, College Park

I am conducting a survey as part of a graduate level MIS class that I
am taking. This survey will be used as part of the data for my research
paper on the Internet and our rights to privacy. I would appreciate it
if you could respond to this survey. Thank you very much in advance for
your response.

The survey follows:

1) Do you feel that your privacy is being violated when you use the Internet?
2) Should the government regulate the Internet?
3) Would you feel comfortable sending email about a confidential issue,
   say an impending corporate merger, over the Internet?
4) Would you feel comfortable sending your credit card information
   while doing business over the Internet?
5) Do you demand or expect privacy over the Internet?
6) Do you think we need infrastructure that supports privacy, e.g., proper
   encryption technology and the enforcement of constitutional protection
   that already exists for privacy and free speech?

 You may send your responses to gita@eng.umd.edu


------------------------------

From: conduit@alpha.c2.org
Date: 15 Nov 1995 19:25:09 -0800 (PST)
Subject: Stopping Junk Mail

I live in Ohio in the United States.  A few local bulk-rate junk
mailers don't seem interested in removing me from their computerized
mailing lists.  They send mail every month or two.  I feel that if I
don't want the mail to enter my home, then I shouldn't have to receive
it.

So I have some questions:

-   Do I have a right to forbid certain people or groups to send me
    mail?  Since I can bar solicitors, et al from my property, it seems
    that I should be able to forbid mailers from entering the same
    space, and that my home should be free from unwanted intrusion.

-   If I have such a right, how do I assert it when mailers don't care?

-   If I don't have such a right, then, in the spirit of those
    "Distribution by Microsoft Network permitted only for a fee of
    $1000" USENET signature lines, is there anything to prevent me from
    turning junk mail into a profit center by delivering a notice like
    this one via certified mail to the obnoxious junk mailers?

        NOTICE:

        Company X, located at 987 Corporate Behemoth Drive, Anytown, OH
        49999 (hereinafter called "Company X") is hereby notified that
        beginning on the date of receipt of this letter by Company X,
        Company X may not mail or cause to be mailed any unsolicited
        advertising material to 1234 Wavy Willow St., Anytown, OH
        49999-9999 (hereinafter called "My Home Address") except under
        the following terms:  Each piece of unsolicited advertising mail
        mailed or caused to be mailed to My Home Address by Company X
        constitutes an agreement by Company X to pay a $100.00 handling
        and disposal fee, plus collection expenses, including any legal
        expenses deriving therefrom, payable to the owner of My Home
        Address.

        Unsolicited advertising mail mailed or caused to be mailed by
        Company X to My Home Address after receipt of this letter by
        Company X constitutes agreement by Company X to the terms of
        this notice.

    Since it's unlikely that checks from Company X would just start
    appearing in the mail, the idea would be to recover in small claims
    court if the junk mailings persist.

Thanks for any information,

--
<conduit@alpha.c2.org>


------------------------------

From: gmcgath@condes.MV.COM (Gary McGath)
Date: 16 Nov 1995 12:27:00 GMT
Subject: Re: United Way uses SSN now
Organization: Conceptual Design

    wrf@ecse.rpi.edu (Wm.  Randolph U Franklin) wrote: The United Way
    pledge form that my employer, Rensselaer Polytechnic Institute, a
    private university, sent me has my SSN printed on it along with my
    name.  RPI probably printed the forms, so that United Way doesn't
    know my SSN, unless I contribute.  Gee, that's a dilemma: should I
    give away money and thereby spread my SSN around, or keep my money
    and also keep my SSN a little more secret?

One simple solution: Tell RPI that you will contribute money to United
Way directly, but will not use their form because of inappropriate use
of a federal ID number for private purposes.

-- 
Gary McGath
gmcgath@condes.mv.com
http://www.mv.com/users/gmcgath


------------------------------

From: Richard_Meeder@atlmug.org (Richard Meeder)
Date: 16 Nov 95 01:03:14 -0400
Subject: Re: United Way uses SSN now
Organization: Atlanta Macintosh Users Group

    wrf@ecse.rpi.edu (Wm. Randolph U Franklin) wrote: The United Way
    pledge form that my employer, Rensselaer Polytechnic Institute, a
    private university, sent me has my SSN printed on it along with my
    name.  RPI probably printed the forms, so that United Way doesn't
    know my SSN, unless I contribute.  Gee, that's a dilemma: should I
    give away money and thereby spread my SSN around, or keep my money
    and also keep my SSN a little more secret?

I would keep the money and to hell with their form; your employer
violated your privacy by giving them your SSN number. It would
certainly concern me!


------------------------------

From: glr@ripco.com (Glen L. Roberts)
Date: 16 Nov 1995 16:22:06 GMT
Subject: Re: United Way uses SSN now
Organization: Full Disclosure

    wrf@ecse.rpi.edu (Wm. Randolph U Franklin) wrote: The United Way
    pledge form that my employer, Rensselaer Polytechnic Institute, a
    private university, sent me has my SSN printed on it along with my
    name.  RPI probably printed the forms, so that United Way doesn't
    know my SSN, unless I contribute.  Gee, that's a dilemma: should I
    give away money and thereby spread my SSN around, or keep my money
    and also keep my SSN a little more secret?

The issue of employers providing insurance companies or others
employee SSNs came up on Full Disclosure Live recently. I am curious if
there aren't any state employment record confidentiality laws that might
prohibit businesses from disclosing information (including SSN) without
consent.

Anyone have any ideas?

--
Glen L. Roberts, Host Full Disclosure Live
Privacy, Surveillance, Technology and Government!
Tech Talk Network, WWCR Shortwave: 5065 khz. 8pm est/Sundays.
Real Audio: 7 days/week, 24 hrs a day:
http://pages.ripco.com:8080/~glr/glr.html
--


------------------------------

From: jmcging@access.digex.net (John McGing)
Date: 16 Nov 1995 16:33:13 -0500
Subject: Re: United Way uses SSN now
Organization: Digital Express, Maryland

    wrf@ecse.rpi.edu (Wm. Randolph U Franklin) writes: I think that
    Death certificates often have the deceased's SSN on them.  Dunno
    whether this is required by law, or whether the relevant government
    flunky just heavily suggests, w/o actually stating, that this is
    required.

Once you are dead, you lose your right to privacy.  The SSN on a death
certificate is used to feed into an automated death reporting system
that is used by various government agencies, fed and state, to ensure
that benefits by various agencies are terminated.

As to being required, I suspect that it is but probably via a
requirement imposed by the feds on the states to have such a rule/law
in order to get access to various fed databases.

-- 
 ------------------------------------------------------------------
jmcging@access.digex.net   Nobody knows the troubles I've seen
JOHN.PF on GEnie  Team OS/2         .... and nobody cares!
          http://www.access.digex.net/~jmcging


------------------------------

From: lffield@pipeline.com (Lynelle Ffield)
Date: 16 Nov 1995 17:24:57 -0500
Subject: Re: United Way uses SSN now
Organization: The Pipeline

    'wrf@ecse.rpi.edu (Wm. Randolph U Franklin)' wrote: I think that
    Death certificates often have the deceased's SSN on them. Dunno
    whether this is required by law, or whether the relevant government
    flunky just heavily suggests, w/o actually stating, that this is
    required.

In Snohomish County, Washington,  the funeral director fills out part
of the death certificate re: the end disposition of the body.  He told
me that they regularly send a copy of the death cert to the soc. sec.
administration, so that they will know to stop sending the social
security checks.  They use the soc.sec. # that way.

--
Lynelle 


------------------------------

From: anonymous <levine@cs.uwm.edu>
Date: 15 Nov 1995 15:46:29 -0800
Subject: Telemarketing
Organization: California Senate

please post this anonymously, thank you [moderator: done.]

I've been looking for creative solutions to the nuisance problem of
telemarketing.  One solution to unwanted telemarketing is the creation
of a "don't call me" list wherein people can designate that they don't
wish to be telemarketed.  Then, rather than rely on local or state law
enforcement to prosecute offenders, allow the individual the ability to
prosecute the offender through small claims court.  Any reactions to
this idea?  Thanks.


------------------------------

From: WELKER@a1.vsdec.nl.nuwc.navy.mil
Date: 16 Nov 1995 11:06:04 -0400 (EDT)
Subject: Re: Company Network email Reading

    sanders@pipeline.com (John C. Sanders) said: We use Word Perfect
    Office for internal email where I work and we have a LAN over which
    the email runs. A friend and I were having a discussion about the
    issue of whether or not the LAN system administrator/supervisor has
    the capability to see, monitor, review, save the email of all
    employees. My friend says he has such a capability if he chooses to
    use it.  It seems doubtful to me...

The administrator(s) have filesystem level access to the server.  Your
mail is stored as a set of WordPerfect documents, therefore any LAN
administrator with a copy of WordPerfect can read your mail.  This is
over and above the capability of using a packet sniffer to trap your
raw text, which can be done by anyone who has physical access to the
network.  If you are using WordPerfect's password facility, there is
commercial software available which can break it in a _very_ short
period of time (see the PGP manual for details).  The LAN administrator
is therefore one of the most trusted ("key") employees in the company,
or at least he'd better be.  The LAN administrator is usually also
responsible for redirecting misrouted email, therefore he has to be
able to read messages in order to figure out who they're really for.  Of
course, it is possible to separate "email" and "LAN" administration
functions, but then there are two people who can read your mail...

I read an article recently in one of the trade pubs (_Communications
Week_, I think) where a CEO at a major systems house (Sun, HP or some
such) stated that he NEVER used email for anything remotely sensitive,
because at least half of his employees knew how to hack it (must be a
Unix shop - grin).

Perversely enough, this could be a legitimate argument for outsourcing
the LAN manager's job -- his employer could be made to assume liability
for any compromises of your company's information, or you could make
him a bonded employee, or some such thing.  I don't know the legal
issues involved.

The only way to prevent the administrator(s) from being able to routinely
read the mail is "defense in depth" using public key encryption, both
of the network packets (kerberos?), and individual mail messages
(PGP?).  The technologies exist today, but most companies aren't
interested in spending the money -- the benefits of sharing
_everything_ currently outweigh the costs of securing _some things_.


------------------------------

From: Richard Beels <71333.2551@compuserve.com>
Date: 16 Nov 95 12:16:42 EST
Subject: Re: Company Network email Reading

    sanders@pipeline.com (John C. Sanders) said: We use Word Perfect
    Office for internal email where I work and we have a LAN over which
    the email runs. A friend and I were having a discussion about the
    issue of whether or not the LAN system administrator/supervisor has
    the capability to see, monitor, review, save the email of all
    employees. My friend says he has such a capability if he chooses to
    use it.  It seems doubtful to me, though.  This would make this LAN
    administrator/supervisor very powerful if he had access to
    everybody's email, especially the email of key people in the
    organization.  Could a LAN administrator/supervisor have this
    capability and not know it?  Can anyone cite any articles or other
    sources of information on this topic?

I haven't used WPO in a few years but what you describe is very easy to
do for a user with rights to the admin directory.  If the security is
set to low, you can just assign the account a password and get in, if
it's set to high, you need to swap the user's preference file out with
yours and you're in.   Note that the supervisor could always reset your
usercode's password, login, get your mail and then just say that,
"There was a system problem, and I had to reset some people's passwords"
or just wait for you to complain that you can't login and then reset
your password then.  In the new WPO, now called GroupWise, it's a bit
more difficult to spoof into another's email account if security is set
to High but it can be done but it is very difficult and you need to
understand some internals of how GW works.

--
Richard Beels - CompuServe NetWire Sysop
71333.2551@compuserve.com


------------------------------

From: Christopher Stacy <cstacy@spacy.Boston.MA.US>
Date: 15 Nov 1995 14:07:11 -0500
Subject: Re: Copyright Notice

    les@Steam.Stanford.EDU (Les Earnest) said: Yes, but typing
    something into a computer doesn't necessarily record it locally in
    a "fixed, readable" form.

As I tried to explain previously, in the copyright law (U.S. code 17)
the word "fixed" is not an adjective; it's a verb indicating the
general concept "to write down".  When you post a newsgroup article,
the words are "fixed" onto a computer disk somewhere.  That medium of
expression is covered by the law both explicitly ("magnetic") and
implicitly ("now known or later developed, from which they can be
perceived, reproduced, or otherwise communicated, either directly or
with the aid of a machine or device").

The word "local" does not appear in the law; that requirement is purely
some invention of yours.

    Who owns the copyright if some other computer on the Internet is
    the first to record the work on its disk?

It has been explained numerous times here that the author need not be
the owner of the typewriter (or disk drive or whatever).  It does not
matter who owns the computer; the author owns the copyright.

    And what if the person who typed it in is merely recording an oral
    statement made by someone else?

This is a different issue, which has also been addressed before.


------------------------------

From: michaelm@nairobi.eecs.umich.edu (Michael McClennen)
Date: 15 Nov 1995 22:01:40 GMT
Subject: Re: Copyright Notice
Organization: University of Michigan EECS Dept., Ann Arbor, MI

The arguments advanced here are silly, since they completely ignore
what I see as the intent of the law.  I would guess (although I'm not a
lawyer or a legislator) that the intent is that copyright is
automatically granted to a work as soon as it appears in a form such
that everyone can agree upon the exact content.  Thus, a verbal
utterance is not automatically copyrighted, since two people who heard
it may remember it differently.  However, as soon as that utterance is
recorded on a magnetic tape, written down, or typed into a computer,
there is an unambiguous record of the content and thus an automatic
copyright to the author.  Now who the "author" is may in some cases be
disputable, but that's a different matter.  The exact ownership of the
computer (or the tape recorder, the pen, etc.) does not enter into the
question.

--
Michael McClennen
michaelm@eecs.umich.edu


------------------------------

From: peter@nmti.com (Peter da Silva)
Date: 16 Nov 1995 18:38:16 GMT
Subject: Re: Copyright Notice
Organization: Network/development platform support, NMTI

    Les Earnest <les@Steam.Stanford.EDU> wrote: Yes, but typing
    something into a computer doesn't necessarily record it locally in
    a "fixed, readable" form.

What does "locally" have to do with it? Computers don't own copyrights,
people do. If I call my ISP and write my great american novel there I
might be stupid (don't assume privacy on any computer you can't
control) but it's still *me* fixing the data into a tangible medium,
not my ISP.

-- 
Peter da Silva    (NIC: PJD2)      `-_-'             1601 Industrial Boulevard
Bailey Network Management           'U`             Sugar Land, TX  77487-5013
+1 713 274 5180         "Har du kramat din varg idag?"                     USA
Bailey pays for my technical expertise.        My opinions probably scare them


------------------------------

From: Robert Gellman <rgellman@cais.cais.com>
Date: 15 Nov 1995 17:31:41 -0500 (EST)
Subject: Health Privacy Legislation - Part III

This is the third in a series of postings with excerpts from studies of
health privacy.  These studies show uniformly that health records have
inadequate legal protection today.

     From "Health Data in the Information Age:  Use, Disclosure,
and Privacy" by the Institute of Medicine (1994).

Legal and ethical confidentiality obligations are the same whether
health records are kept on paper or on computer-based media.  Current
laws, however, have significant weaknesses.  First, and very important,
the degree to which confidentiality is required under current law
varies according to the holder of the information and the type of
information held.

Second, legal obligations of confidentiality often vary widely within a
single state and from state to state, making it difficult to ascertain
the legal obligations that a given health database organization will
have, particularly if it operates in a multistate area.  These
state-by-state and intrastate variations and inconsistencies in privacy
and confidentiality laws are well established among those
knowledgeable about health care records law. . . .

Third, current laws offer individuals little real protection against
redisclosure of their confidential health information to unauthorized
recipients for a number of reasons.  Once patients have consented to an
initial disclosure of information (for example, to obtain insurance
reimbursement), they have lost control of further disclosure.
Information disclosed for one purpose may be used for unrelated
purposes without the subject's knowledge or consent (sometimes termed
secondary use).  For instance, information about a diagnosis taken from
an individual's medical record may be forwarded to the Medical
Information Bureau in Boston, Massachusetts . . . and later used by
another insurance company in an underwriting decision concerning life
insurance.  Redisclosure practices represent a yawning gap in
confidentiality protection.

Comment:  Current health privacy controls are completely inadequate.
We need uniform federal legislation to keep things from getting worse.

+ + + + + + + + + + + + + + + + + + + + + + + + +
+   Robert Gellman          rgellman@cais.com   +
+   Privacy and Information Policy Consultant   +
+   431 Fifth Street S.E.                       +    
+   Washington, DC 20003                        + 
+   202-543-7923 (phone)   202-547-8287 (fax)   +
+ + + + + + + + + + + + + + + + + + + + + + + + +


------------------------------

From: David@InterAccess.com (David J. Loundy)
Date: 15 Nov 1995 15:54:15 -0600
Subject: Review of IITF Privacy Working Group White Paper

Published in the Chicago Daily Law Bulletin, November 9, 1995 at p. 6.
Past articles archived at http://www.leepfrog.com/E-Law/

          Task Force Develops Privacy Principles

              Copyright 1995 by David Loundy
                Reprinted with permission

Growth in the "Information Infrastructure" is producing a growth in
concern over personal privacy. With the increasing use of computer
technology comes an increasing ability to gather, store, match and
retrieve personal information.

Some of this is information people would like to keep private. Some of
the information is not sensitive in and of itself, but can lead to
detailed, potentially intrusive, and uncontrollable profiles when many
individual pieces of information are collected into a coherent
picture.

Privacy on the National Information Infrastructure (NII) (which
encompasses the Internet, cable, television, and telephones) is enough
of a concern that the U.S. Department of Commerce formed the
Information Infrastructure Task Force Privacy Working Group (the
"Privacy Working Group") to look at how certain information about NII
users should be protected. At the end of October, the Privacy Working
Group released a "White Paper" entitled "PRIVACY AND THE NII:
Safeguarding Telecommunications-Related Personal Information"
(available over the Internet at
gopher://www.ntia.doc.gov:70/00/policy/privwhitepaper.txt).

This report is concerned largely with only a subset of information,
specifically Telecommunications-Related Personal Information (TRPI).
TRPI refers to information such as: to whom you have made phone calls,
when, and for how long, but does not include the contents of the call.
It would include what movies you request by pay-per-view cable. It
would also include the "header" information from an e-mail message, but
not the message itself. In some cases, as the Privacy Working Group
points out, the distinction between transactional and actual content
information may be meaningless-- if you know the title of the movie
watched on cable, you may already have a fairly good idea about its
content.

The Privacy Working Group report points out that, without a certain
level of protection, people will not want to use the NII, and thus the
communications networks will not advance, bringing all of the wonders
we have been promised that they will bring. The report also points out
that, while protections exist for some types of transactional data,
often the level of protection is either inadequate, nonexistent, or
does not apply uniformly to all types of service providers-- even when
the services provided are essentially the same.

For example, federal law protects access to lists of what movies you
have rented (18 U.S.C. § 2710), but arguably this protection does not
extend to movies ordered by wireless cable, direct broadcast satellite,
or perhaps by any Internet delivery mechanisms which may be developed
in the future.  Unequal privacy obligations may also put one type of
service provider at a competitive disadvantage compared to another
competitor providing a similar service, but employing a different
medium.

Another limitation is that the Privacy Working Group report addresses
only private sector collections of information. This is a significant
limitation, especially in light of the perception that more people fear
privacy invasions by the government much more than they fear privacy
invasions by the private sector.

The Privacy Working Group report states that there are two principles
which should be employed when examining privacy protection on the
National Information Infrastructure. Using these principles, discussed
below, voluntary industry compliance should be solicited, and only if
that fails should legislation be passed which establishes at least a
minimum level of privacy protection.

The first principle is "provider notice." This principle states that
each service provider should inform its customers about what TRPI is
being collected and for what purposes that information will be used.
Once this disclosure is made, the provider could use this customer
information in any way already disclosed, and the customer can either
accept the degree of disclosure, or do business with a provider who
will ensure a greater level of privacy.

For the notice to be adequate, the Privacy Working Group found that the
notice should (i) be conspicuous, (ii) be in language the particular
consumer can understand, and (iii) provide sufficient information to
allow the consumer to decide whether or not to accept service under the
given terms. Any notice by a provider should also clearly instruct the
customer that a choice about his or her privacy is required, and it
should allow the customer time to respond before the customer's
information is used for a purpose other than any use which may be
required to provide service.

The second principle is "customer consent." This principle states, in
order for a provider to use sensitive information, explicit customer
consent should first be required from the customer. Any consent
requirement, and any provisions as to how this consent is to be given,
should depend on the type of TRPI at issue.

For sensitive information, such as health care and financial
information, authorization to use the information should be obtained
before the information is used-- an "opt in" approach. For less
sensitive information, the customer should be given notice that the
information will be used unless the consumer takes active steps to
prevent its use-- an "opt out" approach.

By using these two methods, the Privacy Working Group believes that
industry will allow consumers greater protection for their most
sensitive information, yet it will also keep transaction costs lower
for NII providers. The Privacy Working Group said that by encouraging
industry to employ the notice and consent principles, market forces
will see that consumers' privacy needs are met. Further, this will
happen with a minimum of government intervention while providing a
maximum of flexibility for service providers, which, in turn, will
promote the growth of the NII.  The Privacy Working Group refers to
this as its "contractual approach" to privacy protection.

While the Privacy Working Group's principles would provide a good
minimum level of protection, even the Privacy Working Group itself
acknowledges that this approach may not ultimately work. This voluntary
approach assumes that the marketplace will be sufficiently competitive
to allow customers to choose an alternative provider, an option that may
not be readily available in the current market for services such as
video and local telephone service.

The contractual approach would also break down when privacy is
available to NII users only at a premium, thus excluding poor and low
income consumers.  For these reasons, the Privacy Working Group
suggests that, if industry will not comply with its two privacy
principles voluntarily, then the principles should be imposed on the
service providers through legislation.  Unfortunately, by making the
notice and consent minimums voluntary, consumers will know only that
their privacy rights have been violated once it is too late.

The Privacy Working Group report even cites examples of companies not
following their own privacy protection guidelines. Merely asking for
compliance in developing privacy policies-- when most customers will
not even be able to tell who has violated such policies-- does not
provide enough protection. It is also important that other privacy
concerns be addressed which were not discussed in the Privacy Working
Group white paper.

The Privacy Working Group's principles are good ones, but they may not
carry enough bite, and they must be applied to more than just private
companies if users are to feel their privacy is protected when
transacting business and communicating over the NII.

________________________________________________________________________
David J. Loundy          |  E-Mail: David@InterAccess.com
                         |  WWW: http://www.leepfrog.com/E-Law/
Paradise is exactly like |
where you are right now  |  Researching car-jackings, drive by shootings
only much, much, better  |  and other over-used metaphors on the
    --Laurie Anderson    |  Information SuperHighway.
________________________________________________________________________


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 18 Oct 1995 13:55:25 -0500 (CDT)
Subject: Info on CPD [unchanged since 08/18/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.  

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
 .UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions considered as personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using CPD material should obtain permission from the
contributors.  

[new: Ordinary copyrighted material should not be submitted.  If a]
[copyright owner wishes to make material available for electronic]
[distribution then a message such as "Copyright 1988 John Doe.]
[Permission to distribute free electronic copies is hereby granted but]
[printed copy or copy distributed for financial gain is forbidden" would]
[be appropriate.]

Contributions generally are acknowledged within 24 hours of
submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it
easier for the reader to follow a discussion.  He will not, however,
alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Web:           gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V7 #042
******************************