The following document is from the PRIVACY Forum Archive at Vortex Technology, Woodland Hills, California, U.S.A.

For direct web access to the PRIVACY Forum and PRIVACY Forum Radio, including detailed information, archives, keyword searching, and related facilities, please visit the PRIVACY Forum via the web URL:

   http://www.vortex.com

-----------------------------------------------------------------------

PRIVACY Forum Digest    Wednesday, 19 August 1998    Volume 07 : Issue 14

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
http://www.vortex.com

===== PRIVACY FORUM =====

-------------------------------------------------------------------
The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, "internetMCI" (a service of the Data Services Division of MCI Telecommunications Corporation), Cisco Systems, Inc., and Telos Systems.
- - -
These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------

CONTENTS
   John Gilmore of DES-Breaking "Deep Crack" on PRIVACY Forum Radio
      (Lauren Weinstein; PRIVACY Forum Moderator)
   Privacy Concerns Regarding Netscape Communicator 4.5
      (Lauren Weinstein; PRIVACY Forum Moderator)
   GeoCities Agrees to Settlement with FTC over Privacy Problems
      (Lauren Weinstein; PRIVACY Forum Moderator)
   More Ads Based on Web Usage Tracking On the Way
      (Lauren Weinstein; PRIVACY Forum Moderator)
   The Texas Department of Health Wants to Track Your Kids; It's Time To Say "No!"
      (Dawn Richardson)
   CallerID in the Netherlands
      (Daniel van Os)
   Highway privacy round-up
      (Phil Agre)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
***            Submissions without them may be ignored!           ***

-----------------------------------------------------------------------------

The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com".

All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive.

All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access.

-----------------------------------------------------------------------------

VOLUME 07, ISSUE 14

Quote for the day:

   "In a free society, information is the name of the game. You can't win the game if you're a man short!"

      -- Deputy Minister Eugene Helpmann (Peter Vaughan)
         "Brazil" (Universal; 1985)

----------------------------------------------------------------------

Date: Tue, 28 Jul 98 10:11 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: John Gilmore of DES-Breaking "Deep Crack" on PRIVACY Forum Radio

Greetings. I'm very pleased to announce that a recent audio interview I conducted with John Gilmore is now available via PRIVACY Forum Radio. John is co-founder of the Electronic Frontier Foundation (EFF) and leader of the EFF team that built the "Deep Crack" computer, that has solved a DES-encrypted message in less than three days. John is a widely known and frank advocate of strong, non-escrowed encryption systems.

In this half hour interview we discuss the Deep Crack project and the various pros and cons regarding encryption accessibility, ranging from technical to more philosophical issues. This is a very important topic and an interview you definitely won't want to miss--I think you'll find it very interesting.

To hear the interview over the net via streaming audio, please visit PRIVACY Forum Radio via:

   http://www.vortex.com/pfr

Thanks much.

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date: Thu, 13 Aug 98 19:49 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Privacy Concerns Regarding Netscape Communicator 4.5

Greetings.
I recently received a message from a PRIVACY Forum reader who is very concerned about a privacy matter regarding the new preview version of the Netscape Communicator web browser. The browser in question is Communicator 4.5 (preview release 1), which is now available for download from Netscape's web site. Web users are being urged to download this version both by messages at Netscape's site and at many other major sites.

The author of the forwarded text below asked to have their name withheld since they perform work with Netscape. Following is the text from the message itself, followed by the results of my investigation into this issue and my discussions with Netscape.

---- Forwarded text from [Name Withheld] BEGINS ----

Communicator 4.5 (preview release 1) now redirects every mis-typed URL to Netscape's home server so that it can try to look for something similar. For example, if you enter "www.nettscape.com", which doesn't exist, instead of just telling you that the domain name could not be found (as all previous versions have done), Communicator 4.5 launches a new URL: . This URL then sends you back a friendly message.

Yes, Netscape Communications can be logging every DNS typo you make, noting the IP address and DNS name of who made the typo. Even if you are not scared of Netscape knowing this, how long do you think it will take until they get served with a warrant for a log of all the people who mistyped a domain name for a server that is being investigated by the feds or a local police department? If you're a law enforcement official and you want to find out who's accessing a server, shut off its DNS server for a day and then go ask Netscape for the log, since everyone trying that URL with Communicator 4.5 will be there.

Further, now every Communicator 4.5 user is susceptible to anyone snooping Netscape's Internet connection for the same kind of information.

I see no way to turn this off in Preview 1.
Let's hope it becomes an option before the final release, but I doubt it, since this gives Netscape one more opportunity to put advertising in front of you. Even if you can turn it off, you probably won't do it until you've mistyped at least one DNS name.

---- Forwarded text from [Name Withheld] ENDS ----

This forwarded message does a good job of explaining both the browser behavior and the resulting potential privacy problems. I took this issue immediately to Netscape through a series of phone calls. Netscape was extremely prompt in putting the appropriate knowledgeable persons in touch with me--at one point I had a four-way conference call with a Netscape media representative, the Netscape Netcenter program manager, and the program manager for Netscape Communicator.

The following analysis is based on those conversations.

There are actually two different aspects of Communicator 4.5 that involve new types of "automatic" contact between the local Communicator browser and Netscape's server facilities. One of these is "Smart Browsing," a system by which entries typed into the browser's URL line that do not appear to be actual URLs are sent to Netscape for lookup in their web search engine database, with the results returned to the user via a page which Netscape generates. Netscape informs me that the URL vs. keyword decision is based on fairly obvious aspects of the entry (e.g., if an entry doesn't include a ".domain" part, it is considered to be an entry for keyword searching). Smart Browsing is enabled by default, but *can* be disabled via the browser preferences. Netscape considers Smart Browsing to be a feature that will definitely be included in the regular release of Communicator 4.5.

The second automatic lookup is the one that the message text above was referring to, involving mistyped URLs. Netscape calls this function "DNS Help." Netscape says that the idea was to give the user more helpful information than just "No DNS entry" type error messages.
DNS Help indeed *cannot* be disabled in the Communicator 4.5 Preview 1 release. Netscape says they do not consider DNS Help to be a definite feature for the regular release--that it is instead an "experiment" in the Preview 1 version that will not *necessarily* exist in the same form when Communicator 4.5 starts its "regular" distribution--but it might. Netscape acknowledges that there are privacy concerns regarding this function (including the ones that I brought up with them), and says these are being taken under advisement.

In the course of my conversations with Netscape, not only did we discuss some details of these specific privacy concerns and possible methodologies to deal with them in a privacy-enhancing manner, but I also took the opportunity to briefly discuss some "cookie control" issues with them as well.

So, that's the situation. Since Netscape is actively evaluating the "DNS Help" function at this time, it might be useful to express constructive opinions regarding this functionality, or aspects of the "Smart Browsing" system, directly to Netscape. They ask that such messages be sent to:

   info@netscape.com

Further discussion of these issues here in the PRIVACY Forum will of course appear as events warrant.

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date: Fri, 14 Aug 98 14:00 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: GeoCities Agrees to Settlement with FTC over Privacy Problems

Greetings. GeoCities, a very heavily used provider of a range of Internet services, has agreed to a proposed settlement (consent agreement) with the U.S. Federal Trade Commission (FTC) concerning collection of GeoCities' customers' personal information. This is the first FTC case relating to Internet privacy.
According to the Director of the FTC's Bureau of Consumer Protection, "GeoCities misled its customers, both children and adults, by not telling the truth about how it was using their personal information." Issues involving release of customer information to third parties were apparently among the key issues.

The proposed settlement would require a number of changes in GeoCities' operating practices, and a web link, to be present for five years, from GeoCities to the FTC's web site.

Details on this story can be obtained at:

   http://www.ftc.gov/opa/9808/geocitie.htm

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date: Sun, 16 Aug 98 09:20 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: More Ads Based on Web Usage Tracking On the Way

Greetings. It is reported that a new round of sites using targeted ads based on collected web usage data is about to spring forth. According to currently available reports, this would include the Lycos search engine and Geocities, both very heavily visited sites (it is unclear whether Geocities' recent agreement with the Federal Trade Commission regarding privacy problems would relate to this in any way). Other smaller sites, such as Ticketmaster, have also reportedly signed up.

These efforts have apparently been organized by CMG Information Services in the form of a system called "Engage," which judging from descriptions I've obtained apparently is using cookies as its information targeting carrier, much like other similar ad services. A web site to allow users to remove this Engage identification information will apparently be made available.

Of course, another solution might be to disable cookies in your browser if this sort of ad system is something in which you do not wish to participate.
Many persons leave cookies disabled at all times except occasionally activating them for specific sites which use cookies in manners acceptable to the particular user. I have long advocated that web browsers should allow the choice of cookie handling to be specified on a site-by-site basis as part of bookmark properties, to make this sort of controlled usage much more convenient. Cookies *can* have valid and useful, non-privacy violating applications, but being able to control them appropriately is very important.

--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com

------------------------------

Date: Sun, 16 Aug 1998 01:20:28 -0500
From: "Dawn Richardson"
Subject: The Texas Department of Health Wants to Track Your Kids; It's Time To Say "No!"

The controversy surrounding national campaigns for unique health identifier numbers shows people don't want to be surveilled by government computers.

The Texas Department of Health's initial attempt to legislate a statewide immunization tracking system would have mandated the tracking of our children. Doctors and insurance companies would have been required to give TDH your child's confidential medical records for a nationally accessible database. These plans were thwarted when the legislature astutely amended the legislation to require parental consent and limit access and release.

Despite the law, TDH has repeatedly circumvented consent requirements. In February, TDH published rules allowing them to "assume" parental consent. They wrote provisions which promoted unrestricted data exchange. Objections from parents and legislators led TDH to withdraw the rules and re-write them.

In March, parents learned that TDH's tracking registry already held, without their consent, private identifying information including social security numbers and children's birth information. A legislative inquiry revealed that TDH had entered 3.3 million children's records since 1995.
Furthermore, over 700,000 records had been created from the confidential portion of birth certificate applications without the parents' knowledge. The legislature had authorized the creation of the registry unaware of TDH's premature efforts.

TDH's second attempt at rules is now open for public comment until September 8th. Although they appear to protect private information, closer examination reveals loopholes which compromise informed consent and the legislative protections governing the security, collection, and release of confidential medical information.

The Centers for Disease Control is systematically helping create these registries in every state to link together into a national immunization registry network. Parents everywhere need to be concerned about the use of immunization tracking as a way of establishing the infrastructure for more intrusive monitoring and compliance programs. Children don't have a voice; it's time parents used theirs.

Dawn Richardson
President
PROVE (Parents Requesting Open Vaccine Education)
prove@swbell.net
http://home.swbell.net/PROVE
P.O. Box 1071
Cedar Park, TX 78630-1071
(512) 918-8760

   [ While there clearly are significant public health problems which might be improved through increased knowledge of immunization patterns, it's also the case that systems which might attempt to collect such data are treading in an extremely personal area. Any system which is perceived as invasive of medical privacy is likely to be subjected to significant opposition. To the extent that similar medical data collection is aboveboard and completely voluntary, overall public health objectives are likely to be better served.

      -- PRIVACY Forum Moderator ]

------------------------------

Date: Tue, 18 Aug 1998 13:11:01 +0000
From: daj.v.os@gdvdieren.nl (Daniel van Os)
Subject: CallerID in the Netherlands

This August KPN Telecom, Holland's largest telecom company, introduced Caller-ID ("Nummerweergave") for all subscribers.
It only displays the number of the caller and can be blocked per-call. After reading the articles in this list, and not being able to remember anything about complete blocking, I got curious and I phoned KPN.

It turned out that complete blocking is available, but it has to be activated by KPN. Subscribers cannot do it themselves. When I asked for this to be done, all I had to tell the KPN employee was my telephone number. This surprised me a little, since it apparently means that anyone can enable or disable Caller-ID on any number. While Caller-ID is free of charge, there are other services which aren't free and can be activated in a similar manner.

Since KPN will send me a letter within 8 days to inform me about the changes made, unwanted changes will be detected eventually. But it seems that KPN's policy on abuse is detection by their customers instead of prevention on their own part.

Daniel van Os

------------------------------

Date: Thu, 25 Jun 1998 18:26:29 -0700 (PDT)
From: Phil Agre
Subject: Highway privacy round-up

Cleaning up my office at the end of the school year, I have finally pulled together a batch of newspaper clippings from April and May. Several of these clippings concern the privacy issues that are starting to arise on public roads. Although each of these issues may seem harmless enough in isolation, together they illustrate something important. In the fictional world of Big Brother, privacy issues arise through the centralized plotting of a malevolent bureaucracy. In the real world, however, privacy issues arise through the convergence of ten thousand separate forces, each with its own economics and politics but united in their use of conventional computer system design practices.

Here are the articles I clipped:

Virginia Ellis, Thriving trade in fake drivers' licenses poses tough problem for DMV, Los Angeles Times, 5 April 1998, pages A1, A26.
Employees are issuing fake drivers' licenses, sometimes for family and friends but mostly for money; the incentive to create fake licenses increases as drivers' licenses increasingly become the basic form of identification from which all other forms of identification can be derived. This is, of course, a very old story -- one of those stories that gets rediscovered every few years as if it were new. Nothing much is ever done about it, however, and we can expect to see the same story written again in a few years -- unless, of course, some vendor decides that it is time to sell the state on a more invasive form of identification such as a centralized database of biometric identifiers.

Roberto J. Manzano, Portable scanner will speed police fingerprint checks, Los Angeles Times, 17 April 1998, page B2.

This article describes a hand-held device that a police officer can use to capture a fingerprint scan and transfer it to a laptop in the officer's patrol car, from which it can be uploaded by radio to a database at headquarters, which then radios back any matches. Now, one might argue that such devices simply make life more convenient for those people whose identity the police wish to determine. But another, more likely possibility is that cheaper technology for capturing fingerprints means that more fingerprints will be captured. A free society, of course, needs to trade off crime-fighting against civil liberties. In the past, much of that trade-off was provided automatically by the limitations of the physical world: it was simply cumbersome and expensive to search, seize, surveil, and so forth. With the march of progress, however, it becomes necessary to make more and more conscious judgments about the proper balance point. Those judgments are hardest when they must second-guess the choices that police officers make in the field.
As it becomes easier and easier to identify people in public places, whether by fingerprint scans or automatic face identification, the very nature of public space starts to change.

Leslie Helm, Today the desktop, tomorrow all those other places, Los Angeles Times, 24 May 1998, pages D1, D8.

A group at Microsoft is developing standards for the "auto PC", a PC-like software platform for use in automobiles. It plugs in to the slot in the dashboard that would otherwise hold the stereo. A Microsoft employee is quoted as saying, "I don't know about you, but each time I see an automobile, I see 100 million potential customers". The point of the article is Microsoft's ability to leverage its existing proprietary de facto standards into control of other markets, whether they are contested or not. From a privacy perspective, the significance of the auto PC is that many of its most useful functions will surely require it to communicate wirelessly with other computers, either at the car owner's residence or workplace or at the premises of vendors. If the device incorporates GPS tracking then even more functionalities will be possible. The likely result is a wide variety of functionalities that involve the transfer of personal information, for example what you're listening to on your stereo, to databases kept by software companies, content vendors, and other firms and governments with whom you might transact business while on the road.

Roy S. Johnson, Envirotest aces the competition, Fortune, 25 May 1998, page 36.

Envirotest is "the nation's largest owner-operator of vehicle emissions testing centers and creator of a new remote sensing technology (RST) designed to make auto exhaust testing a no-brainer. The devices use infrared light and ultraviolet rays to analyze the tailpipe emissions of a moving vehicle and photograph its license plate in only half a second". This is only one of many technologies that identify passing cars for one purpose or another.
Some of these technologies require the car to have an onboard transponder, while others simply photograph the license plate. The problem, of course, is the slippery slope that this immediately sets up. A device that can check your emissions when you want it to can also identify your car for other purposes, such as tracking your travel patterns for the sake of direct marketing, or for evaluating insurance risks, or for identifying behavioral patterns that might raise a question mark at work. Of course these worrisome scenarios won't happen right away. But once the technologies are in place, imaginations will start working overtime and the only barriers against them will be political.

New device calls 911 in an auto crash, Los Angeles Times, 12 May 1998, page D12.

The federal government is testing the device in question, "an electronic box about 6 inches square and an inch deep under the back seat", in 500 vehicles in Erie County, NY. The device is capable of beaming its location, together with information on the nature and severity of the crash, through the car's cellular phone. It is hard to object to such an invention in isolation, of course. The surprising thing is that the device is only being designed for such a narrow range of functions.

Gary S. Becker, Good-bye, tollbooths and traffic jams?, Business Week, 18 May 1998, page 26.

This column recycles some old ideas about using market mechanisms to control traffic congestion. When it is cheap to collect tolls, Becker points out, many more roads can become toll roads. Furthermore, the tolls themselves can vary depending on the level of demand. That way everyone will have an incentive to schedule their lives to trade off road costs against other factors. Whether this "congestion pricing" mechanism really works depends on how sensitive traffic levels are to price, which depends in turn on the scheduling flexibility of the events people are driving to. Becker is much more optimistic about this than I am.
But from a privacy perspective, what's important about automatic toll collection is the database of records it leaves behind. One virtue of free public roads (and free public parks, and free public sidewalks, etc) is that they require little surveillance. As soon as the use of these facilities becomes conditional on paying money, it becomes necessary to instrument the whole environment to ensure that payments are made, and to handle the payments themselves. Road tolls *can* be collected anonymously, of course. In practice, however, the standards will be set by vendors who know that drivers will face little real choice. Sales of personal information based on toll records may provide a significant income stream for the operators of toll roads, particularly when toll payments are pervasive enough that it becomes possible to construct detailed profiles of drivers' travel patterns. Economists like Becker tend to ignore this dimension of the market, which they assume by default operates costlessly and without side-effects. In the real world, however, the costs and side-effects are considerable and should be taken fully into account.

Phil Agre

------------------------------

End of PRIVACY Forum Digest 07.14
************************