The following document is from the PRIVACY Forum Archive at Vortex Technology, Woodland Hills, California, U.S.A. For direct web access to the PRIVACY Forum and PRIVACY Forum Radio, including detailed information, archives, keyword searching, and related facilities, please visit the PRIVACY Forum via the web URL: http://www.vortex.com ----------------------------------------------------------------------- PRIVACY Forum Digest Saturday, 16 January 1999 Volume 08 : Issue 02 Moderated by Lauren Weinstein (lauren@vortex.com) Vortex Technology, Woodland Hills, CA, U.S.A. http://www.vortex.com ===== PRIVACY FORUM ===== ------------------------------------------------------------------- The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, Cable & Wireless USA, Cisco Systems, Inc., and Telos Systems. - - - These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum. ------------------------------------------------------------------- CONTENTS Signatures in E-Mail (Lauren Weinstein; PRIVACY Forum Moderator) Law Enforcement Access to Supermarket "Club" Data (Lauren Weinstein; PRIVACY Forum Moderator) Pacific Bell's Caller ID Push (Conrad Heiney) Privacy Discussions Classified as a "Criminal Skill" (Marcus de Geus) A New Concept in Privacy Invasion (Carlos A. Alvarez) Re: Arrest puts jury-selection form on trial (Billy Harvey) Harmful changes to Wassenaar Arrangement (Monty Solomon) Report on the implementation of the "Adequacy" provisions of the EU Data Protection Directive (Colin Bennett) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are via an automatic list server system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the list server system. Please follow the instructions above for getting the list server "help" information, which includes details regarding the "index" and "get" list server commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access. ----------------------------------------------------------------------------- VOLUME 08, ISSUE 02 Quote for the day: "I make death into a game for people like you to get thrilled about." Professor Groeteschele (Walter Matthau) "Fail-Safe" (Columbia; 1964) ---------------------------------------------------------------------- Date: Sat, 16 Jan 99 09:54 PST From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Signatures in E-Mail Greetings. An enterprising firm, currently receiving considerable publicity, believes it has solved the "problem" of people not being able to include their familiar written signatures in e-mail. Presumably oriented towards persons not possessing a scanner (or functioning neurons in their brains) they'll set it all up for you, all at no charge for a limited time. Step one: fax them your signature... And they said Vaudeville was dead. --Lauren-- Lauren Weinstein Moderator, PRIVACY Forum http://www.vortex.com ------------------------------ Date: Sat, 16 Jan 99 11:09 PST From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Law Enforcement Access to Supermarket "Club" Data Greetings. It appears that the practice of supermarket purchase data being made available for investigatory purposes may be going mainstream. In one recent case, a major national chain admitted that it had provided "club card" purchase information, under subpoena, to investigators (in a drug enforcement case) who wanted to know if a particular person had bought large numbers of plastic garbage bags. Apparently such purchases may be an indication of involvement with illicit drugs (or, perhaps, lots of deciduous trees in the backyard? Are garbage bags classified as a "dual use" technology?) I believe it would certainly be inappropriate to fault the supermarket for complying with the subpoena. But a more fundamental question revolves around what happens if such investigatory practices continue to spread. Will supermarket and credit card records be subpoenaed in civil cases, such as divorce settlement suits? Did the spouse by a lot of booze? Racy books? Whip cream? Brightly colored prophylactics? In the absence of laws setting down standards for how incidental transactional purchase data are protected in different situations, abuses are sure to occur. The problem will only get worse as more persons are lured into providing additional data about their purchases and web browsing habits in exchange for free e-mail accounts, discount airline tickets, twenty cents off on a jar of mayo, or any number of other goodies. Vacuum does not make for good law. --Lauren-- Lauren Weinstein Moderator, PRIVACY Forum http://www.vortex.com ------------------------------ Date: Wed, 30 Dec 1998 08:49:52 -0800 (PST) From: Conrad Heiney Subject: Pacific Bell's Caller ID Push I received a call from a hapless telemarketer yesterday. His pitch was that he was making a courtesy customer service call to "let you know about an upgrade in your area". The "upgrade", of course, was to change our line from complete blocking to selective blocking of Caller ID. Some things about this call were interesting. He never used the phrase "Caller ID". He just kept talking about "selective blocking" and how it was better than "complete blocking". In fact, when I told him that we didn't want Caller ID he said "This isn't caller ID, it's just selective blocking." Second, it wasn't at all clear that there was an option to refuse the "upgrade". When I explicitly said that I didn't want the change made, he agreed, but I have no idea what would have happened if I hadn't very strenuously objected. Finally, the pitch was that I would find it more convenient because, in his words "so many people are now blocking calls if this isn't done". I'm not sure what the fine line legal details of this call would be; perhaps if I just said "ok" or "yes" sometime during the conversation my service would have been switched? The whole way this call was handled certainly violates the spirit of the law; who knows about the letter. Thanks again for your Privacy Forum; it's an invaluable resource and I look forward to each mailing. Best, Conrad Conrad Heiney conrad@fringehead.org http://fringehead.org [ I contacted John Britton, Pacific Bell's media relations representative, with whom I've had prior discussions regarding these sorts of issues. We had another couple of long chats. The call you received was apparently made by a third party telemarketing firm under contract to Pacific Bell/SBC Communications. He obtained copies of the telemarketing scripts involved, which he says do not contain language of that misleading sort (though they are clearly very much oriented towards trying to convince people to dump their complete blocking choice). I've asked him to look into the issue of what sorts of financial incentives individual telemarketers, or that outside firm itself, might have that could potentially cause them to "stray" from the script in order to apply additional pressure to customers to encourage their switching. I hope to have information about this soon. Given this use of telemarketers by PacBell to promote caller-ID services, I couldn't help mentioning to John my "amusement" at the latest round of PacBell caller-ID television ads. These portray a number of telemarketers, and suggest caller-ID as a way to block them (which, as we know, is highly problematical). The irony is impossible to ignore. -- PRIVACY Forum Moderator ] ------------------------------ Date: Mon, 21 Dec 1998 08:33:00 GMT From: Marcus de Geus Subject: Privacy Discussions Classified as a "Criminal Skill". On reading Lauren Weinstein's contribution on the (lack of) accuracy of web software filtering systems, the first question that occurred to me, particularly in view of the fact that the classification itself remains the work of people, not an automated system, was to what extent such a system might be (is?) susceptible to criminal tampering. Consider the following scenario. Party X wishes to hinder access to a web site belonging to a competitor, Party Y. One method would be to approach the people making the decisions on which sites to include in the blocking lists of the web filtering software and convince them that it would be to their advantage to include the web site of Party Y. This would render it impossible for any users (sufferers?) of the affected web filtering software to gain access to said web site, and in the process would cast serious doubt on the trustworthiness of Party Y, which would be represented as a purveyor of "criminal skills" (or any other category of Party X's choosing, provided it is/can be included in the blocking software). Which brings up another question: does the current system (i.e. selection by people) include any form of peer review by the selectors themselves? If not, the scenario outlined above would be extremely simple to set up. And another question springs to mind: since the occurrence of the above scenario (i.e. the use of "criminal skills") would be extremely difficult to disprove, should not the purveyors of the blocking lists themselves be included in the blocking lists? Regards, Marcus de Geus marcus@degeus.com http://www.degeus.com ------------------------------ Date: Sun, 10 Jan 1999 12:11:07 From: "Carlos A. Alvarez" Subject: A New Concept in Privacy Invasion I was shocked today to discover a whole new concept in online privacy invasion. The Costco Wholesale web site (formerly Price Club) will not allow ANY viewing unless you accept their cookies. I was sent to a page telling me how to enable them, and how great they are. I sent them an e-mail letting them know how much this practice disgusted me, and that I would not be visiting their site. My visit was made so I could see their hours and whether they carried a certain type of product. That's a sale that will go to a merchant who wants my business (and private web traffic). [ Cookies are of course not a new concept, but it does appear that Costco may have broken some new ground. I checked out this site and found that, indeed, you cannot even access their home page with cookies disabled. Instead you receive (as of the date I write this) a text-only page (with a Costco URL) that doesn't even contain the text "Costco" within the page text. Since I first checked, the page has changed--now it's displaying apparently the same text (at least on my browser) but in tiny little print. A link on the page leads to the usual benign descriptions of cookies (only mention the positive!) and a discussion of Costco's data collection practices. While there are obviously many sites that use cookies for various display and control purposes (and the wisdom of this can be considered separately for any given case) I've never run across a site before that wouldn't even let you see their home page unless you were cookie-friendly. For an enterprise like Costco to do this certainly doesn't seem likely to engender much good will among customers, or potential customers. Whether it's arrogance or cluelessness, the effect is really the same. -- PRIVACY Forum Moderator ] ------------------------------ Date: Mon, 21 Dec 1998 18:37:23 -0500 (EST) From: Billy Harvey Subject: Re: Arrest puts jury-selection form on trial Bill Fason writes: > On November 10, 1998, a potential juror in a capital murder case in was > held in contempt, jailed for 30 days, and fined $500.00 for refusing to > answer a jury questionnaire. ... > As the fully informed jury movement picks up steam, I am willing to bet > that in the coming years we will see more and more jury questionnaires > designed to help prosecutors ferret out citizens who understand the true > power of juries to judge both the facts and the law. A book I recently read put forth the idea of having professional jurors. I had personally never heard of the idea before, but the concept began to make a lot of sense when I thought about it. The use of a professional juror would alleviate problems such as I read about after the O.J. trial when one juror said they (as a group) did not understand what DNA testing meant so the data presented to them was not properly considered. Professions normally entail some type of national standardized testing, written by members held in some esteem by their peers (I am thinking along the lines of a Professional Engineer). This would imply a sufficient intelligence to at least follow the presentation of evidence, and good problem solving skills. Removing the supposed right (where did that idea ever come from anyway?) of attornies and jury-pickers to cull juries for appropriate selections would remove any violations of privacy. Jurors would normally work some distance away from their residences, and their identities could be kept secret from all involved except the judge who could verify credentials, etc. Attempting to ferret out information about jurors could be considered along the lines of contempt of court, or worse if mandated. Better, faster, cheaper? Billy ------------------------------ Date: Fri, 18 Dec 1998 19:53:11 -0500 From: Monty Solomon Subject: Harmful changes to Wassenaar Arrangement FYI, from the IETF Secretariat. Subject: Harmful changes to Wassenaar Arrangement Date: Fri, 18 Dec 1998 18:15:36 -0500 From: Steve Coya The IAB and the IESG deplore the recent changes to the Wassenaar Arrangement (http://www.wassenaar.org) that further limit the availability of encryption software by including it in the Wassenaar agreement's list of export controlled software (section 5.A.2.a.1 of the list of dual-use goods, WA LIST 98 (1)). As discussed in RFC 1984, strong cryptography is essential to the security of the Internet; restrictions on its use or availability will leave us with a weak, vulnerable network, endanger the privacy of users and businesses, and slow the growth of electronic commerce. The new restrictions will have a particularly deleterious effect on smaller countries, where there may not be enough of a local market or local expertise to support the development of indigenous cryptographic products. But everyone is adversely affected by this; the Internet is used world-wide, and even sites with access to strong cryptographic products must be able to talk to those who do not. This in turn endangers their own security. We are happy that the key size limit has been raised in some cases from 40 bits to 64; however, this is still too small to provide real security. We estimate that after a modest capital investment, a company or criminal organization could crack a 64-bit cipher in less than a day for about $2500 per solution. This cost will only drop in coming years. A report released about three years ago suggested that 90-bit keys are the minimum for long-term security. Brian Carpenter (IAB Chair) Fred Baker (IESG and IETF Chair) ------------------------------ Date: Wed, 13 Jan 1999 09:38:59 -0800 From: "Colin Bennett" Subject: Report on the implementation of the "Adequacy" provisions of the EU Data Protection Directive For the last year, four privacy experts (Charles Raab, Colin Bennett, Nigel Waters and Bob Gellman) have been working on a report for the European Commission on the implementation of Articles 25 and 26 of the EU Data Protection Directive. The report contains 30 empirical case studies of the international transfer of personal data from Europe to 6 jurisdictions (Canada, US, Japan, Australia, New Zealand, Hong Kong). These cases represent five different transfer categories: sensitive information in airline reservations systems; human resources data; electronic commerce; medical data; and subcontracted outsourcing. For each transfer, we gained the collaboration of certain partner organizations to give us a realistic sense of the nature of the personal data transferred and the means of communication. We then made certain evaluations about the "adequacy" of protection according to a common evaluative methodology. The final report entitled "Application of a methodology designed to assess the adequacy of the level of protection of individuals with regard to processing personal data" has just been published and can be found under the "Reports" section at: http://europa.eu.int/comm/dg15/en/public/index.htm#5 Colin J. Bennett, cjb@uvic.ca Department of Political Science University of Victoria PO Box 3050 Victoria, BC Canada, V8W 3P5 Phone: (250) 721-7495 Fax: (250) 721-7485 http://www.cous.uvic.ca/poli/bennett/ ------------------------------ End of PRIVACY Forum Digest 08.02 ************************