The following document is from the PRIVACY Forum Archive at Vortex Technology,
Woodland Hills, California, U.S.A. For direct web access to the PRIVACY Forum
and PRIVACY Forum Radio, including detailed information, archives, keyword
searching, and related facilities, please visit the PRIVACY Forum via the web
URL: http://www.vortex.com

-----------------------------------------------------------------------

PRIVACY Forum Digest      Sunday, 21 March 1999      Volume 08 : Issue 05

            Moderated by Lauren Weinstein (lauren@vortex.com)
              Vortex Technology, Woodland Hills, CA, U.S.A.
                           http://www.vortex.com

                         ===== PRIVACY FORUM =====

-------------------------------------------------------------------
The PRIVACY Forum is supported in part by the ACM (Association for
Computing Machinery) Committee on Computers and Public Policy,
Cable & Wireless USA, Cisco Systems, Inc., and Telos Systems.
                                 - - -
These organizations do not operate or control the PRIVACY Forum in any
manner, and their support does not imply agreement on their part with
nor responsibility for any materials posted on or related to the
PRIVACY Forum.
-------------------------------------------------------------------

CONTENTS
        Digital signature capture (Phil Agre)
        Re: GAO Report on Govt/Comm Use of SSN (Quentin Fennessy)
        New, More-Secure U.S. Passport (Monty Solomon)
        CA bill [via PrivacyExchange] (Peter Marshall)
        DataGlyphs: Hiding a serial number when printing (Tom Robinson)
        Required registration of computer programs (E. Baker)
        Call for Papers: CQRE (Detlef)
        ACLU Launches New Web Site: Defend Your Data (Jessica Botta)
        1999 Privacy Intl Big Brother Awards USA Nominations
            (Privacy International)
        "Privacy in Cyberspace" Lecture Series (Jocelyn R. Dabeau)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
 *** Submissions without them may be ignored!
 ***
-----------------------------------------------------------------------------

The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored. Excessive "signatures" on submissions are
subject to editing. Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com". Mailing list problems should be reported to
"list-maint@vortex.com".

All messages included in this digest represent the views of their individual
authors and all messages submitted must be appropriate to be distributable
without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related
materials, is available via anonymous FTP from site "ftp.vortex.com", in the
"/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your
e-mail address as the password. The typical "README" and "INDEX" files are
available to guide you through the files available for FTP access.

PRIVACY Forum materials may also be obtained automatically via e-mail through
the list server system. Please follow the instructions above for getting the
list server "help" information, which includes details regarding the "index"
and "get" list server commands, which are used to access the PRIVACY Forum
archive.

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com".
Access to PRIVACY Forum materials is also available through the Internet
World Wide Web (WWW) via the Vortex Technology WWW server at the URL:
"http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is
available via WWW access.

-----------------------------------------------------------------------------

VOLUME 08, ISSUE 05

   Quote for the day:

        "I believe everything, and I believe nothing."

                Inspector Jacques Clouseau (Peter Sellers)
                "A Shot in the Dark" (United Artists; 1964)

----------------------------------------------------------------------

Date:    Mon, 22 Feb 1999 22:39:58 -0800 (PST)
From:    Phil Agre
Subject: digital signature capture

Last week I made a purchase at Macy's department store in Los Angeles. As I
handed over my Visa card, I noticed a device for digitally capturing
signatures. Although such devices have come and gone for years, this one was
not familiar. As the guy at the cash register put the charge slip on the
device, I said, as nonconfrontationally as I could, "I'm not signing on that
machine. I can sign a piece of paper if you like." He did not seem surprised
by this, or more than a little bit put out. He simply unplugged the device,
voided the sale, and rang it up again, whereupon the cash register generated
a standard charge slip, which I signed. (Another cashier said in a low voice,
as if reminding him of something he already knew, "you're supposed to call
security before you do that".) Everything suggested that mine was not the
first objection of the day.

When I got home, I found a yellow slip of paper in the bag with the
merchandise. Here is its complete text, indented, with my comments.

    Macy's continues to look for innovative ways to protect our customers
    from fraudulent use of their credit cards. You may be wondering:

    Q. What happens to my signature after I've signed?
    A. It is stored in a secure unreadable format on another computer.
       Store associates have no access to it once you have signed.
The first sentence of this reply is quite unclear. If the format is
unreadable, why store it? I know that passwords are often stored in encrypted
form, since future passwords can be verified by encrypting them as well and
comparing them to the stored password. But this would never work for
signatures, which are too variable. I would thus conjecture that they don't
really mean what they've said.

    Q. Do I have to sign on the pad?
    A. Yes, we require all credit card transactions to have customer
       signatures attached to them.

This answer is misleading. You do have to sign, but not on the pad, as my
experience demonstrated. This misleading answer is already enough to
undermine my trust in the test.

    Q. What happens if I have an inquiry about my credit card bill (wrong
       amount, etc)?
    A. As always, Macy's charge card customers should call our Customer
       Service Department, 1-800-659-6229. For other credit cards please
       contact the issuer for assistance.

    Thank you for helping us test this new technology!

The point of my message is not the technology as such. I haven't talked to
the Macy's people about the new device, so I don't know what's really new and
how digitizing my signature in an unreadable format is supposed to prevent
credit card fraud. The point, rather, is the misleading and confusing way
that Macy's is explaining the technology to its customers.

Phil Agre

        [ We've discussed these systems here in the PRIVACY Forum Digest in
          the past, but they continue to be a topic of frequent inquiries
          and concerns, for the sorts of reasons that Phil mentions. While
          the ostensible purpose for these signature capture systems is to
          reduce credit card fraud, it's clear that many customers are
          choosing to sign the paper slips but refusing (one way or another)
          to allow their signatures to be transferred into the capture
          devices, as evidenced by many cashiers' reported lack of surprise
          or concern at this attitude.
                -- PRIVACY Forum Moderator ]

------------------------------

Date:    Sat, 20 Feb 1999 15:45:27 -0600
From:    Quentin Fennessy
Subject: Re: GAO Report on Govt/Comm Use of SSN

The GAO article "Social Security: Government and Commercial Use of the Social
Security Number Is Widespread" is available on the web at:

    http://www.gao.gov/new.items/he99028.pdf

Thanks for providing an excellent publication.

Quentin Fennessy

------------------------------

Date:    Sun, 14 Mar 1999 12:19:37 -0500
From:    Monty Solomon
Subject: New, More-Secure U.S. Passport

U.S. Department of State
Office of the Spokesman
For Immediate Release                                    November 18, 1998

STATEMENT BY JAMES P. RUBIN, SPOKESMAN

The State Department Issues A New, More-Secure U.S. Passport Featuring
Digitized Imaging

On November 16, the State Department introduced a new U.S. passport featuring
a digitized photograph and data page. The first one was issued at the
National Passport Center in Portsmouth, NH. This represents the most
important improvement in passport technology in 17 years.

This innovation vastly enhances the security of the passport. Having a
computer-generated image of the bearer in the passport makes it much less
vulnerable to photo-substitution. (Photo-substitution is an illegal technique
used to replace the picture of the legitimate bearer with that of an
impostor.) Identity fraud is considered one of the fastest growing types of
crimes perpetrated on innocent victims each year.

    http://travel.state.gov/photo_dig.html

------------------------------

Date:    Thu, 11 Mar 1999 19:58:55 -0800
From:    Peter Marshall
Subject: CA bill [via PrivacyExchange]

CA Bill Would Restrict Use Of Personal Information

State Senator Steve Peace has introduced a bill in California, SB 129, that
would prohibit collection, use, and disclosure of any type of
personally-identifiable information without the consent of the record
subject.
The "Personal Information and Privacy Act of 1999" would require
organizations to "inform individuals about the type of information it
collects, how it collects the information, the purposes for which the
information is collected, the types of organizations to which the information
is disclosed, and the choices and means the organization offers individuals
to limit the use and disclosure of the information." A privacy ombudsman
would be appointed to accept complaints about organizations from private
citizens.

Industry experts believe SB 129 may be the most important state bill facing
businesses this year; if the bill passes in California, it would dramatically
change everyday business information practices and possibly lead other states
to enact similar legislation. Peace, a Democrat from the San Diego area, has
been able to enact tough privacy measures in the past -- including a statute
limiting access to criminal histories -- and last year organized a
legislative task force that developed fair information principles for
California.

February 15, 1999.

A copy of proposed Personal Information and Privacy Act of 1999 may be found
at:

    www.leginfo.ca.gov/pub/bill/sen/sb_0101-0150/sb_129_bill_19981222_introduced.html

------------------------------

Date:    Wed, 17 Mar 1999 16:43:58 +1300
From:    Tom Robinson
Subject: DataGlyphs: Hiding a serial number when printing

Xerox are marketing a technology which allows a hidden serial number to be
encoded on a printed page. This has obvious implications for "anonymous"
surveys and the like. There's a page from Xerox explaining their new
"DataGlyph" technology at

        [ The technology actually allows for essentially any information to
          be encoded in a very compact and innocuous manner.

                -- PRIVACY Forum Moderator ]

------------------------------

Date:    Fri, 19 Mar 1999 19:32:50 -0500
From:    "E. Baker"
Subject: Required registration of computer programs

Caere Corporation's Omniform 3.0 (which costs approx.
$150) provides only a limited number of uses (even though you paid for the
full program) unless you call them or register on their web site. Unless you
block your outgoing phone number they can track your phone number if you call
in. Registry via the internet requires that you provide a home address to
receive the unlocking code via mail or an e-mail address (in addition) to
receive the code faster. In addition, EACH time you install the program you
must reregister it because the original code will not work.

I appreciate the effort to limit unauthorized use of the program, but I, as a
lawful consumer, have rights too. This is an invasion of privacy.

        [ Given rampant software piracy (over the Internet and via other
          means), the desire for software publishers to try to find means to
          better control their product is at least understandable. The
          question is to what extent such registration techniques are, or
          are not, appropriate or effective means to this end. Of course,
          persons who would legitimately obtain and use such software can
          vote on such systems via their wallet and their purchase
          decisions--which ultimately are likely to have the most impact on
          software manufacturers' decisions in this regard.

                -- PRIVACY Forum Moderator ]

------------------------------

Date:    Mon, 08 Mar 1999 08:10:05 +0000
From:    "Detlef Hühnlein"
Subject: Call for Papers: CQRE

***************************************************************
                        Call for Papers

              CQRE [Secure] Congress & Exhibition

         Duesseldorf, Germany, Nov. 30 - Dec. 2 1999
---------------------------------------------------------------
provides a new international forum covering most aspects of information
security with a special focus to the role of information security in the
context of rapidly evolving economic processes.
---------------------------------------------------------------
Deadline for submission of extended abstracts: May 14, 1999

website:      http://www.secunet.de/forum/cqre.html
mailing-list: send mailto:cqre@secunet.de
              (where the subject is "subscribe" without parenthesis)
***************************************************************

The "CQRE - secure networking" provides a new international forum giving a
close-up view on information security in the context of rapidly evolving
economic processes. The unprecedented reliance on computer technology
transformed the previous technical side-issue "information security" to a
management problem requiring decisions of strategic importance. Hence, the
targeted audience represents decision makers from government, industry,
commercial, and academic communities.

If you are developing solutions to problems relating to the protection of
your country's information infrastructure or a commercial enterprise,
consider submitting a paper to the "CQRE - secure networking" conference.
We are looking for papers and panel discussions covering:

electronic commerce
  - new business processes
  - secure business transactions
  - online merchandising
  - electronic payment / banking
  - innovative applications

network security
  - virtual private networks
  - security aspects in internet utilization
  - security aspects in multimedia applications
  - intrusion detection systems

legal aspects
  - digital signatures acts
  - privacy and anonymity
  - crypto regulation
  - liability

corporate security
  - access control
  - secure teleworking
  - enterprise key management
  - IT-audit
  - risk / disaster management
  - security awareness and training
  - implementation, accreditation, and operation of secure systems in a
    government, business, or industry environment

security technology
  - cryptography
  - public key infrastructures
  - chip card technology
  - biometrics

trust management
  - evaluation of products and systems
  - international harmonization of security evaluation criteria

standardization

future perspectives

Any other contribution addressing the involvement of IT security in economic
processes will be welcome.

Authors are invited to submit an extended abstract of their contribution to
the program chair. The submissions should be original research results,
survey articles or "high quality" case studies and position papers. Product
advertisements are welcome for presentation, but will not be considered for
the proceedings. Manuscripts must be in English, and not more than 2.000
words. The extended abstracts should be in a form suitable for anonymous
review, with no author names, affiliations, acknowledgments or obvious
references. Contributions must not be submitted in parallel to any conference
or workshop that has proceedings. Separately, an abstract of the paper with
no more than 200 words and with title, name and addresses (incl. an E-mail
address) of the authors shall be submitted. In the case of multiple authors
the contacting author must be clearly identified.
We strongly encourage electronic submission in Postscript format. The
submissions must be in 11pt format, use standard fonts or include the
necessary fonts.

Proposals for panel discussions should also be sent to the program chair.
Panels of interest include those that present alternative/controversial
viewpoints or those that encourage lively discussions of relevant issues.
Panels that are collections of unrefereed papers will not be considered.
Panel proposals should be a minimum of one page describing the subject
matter, the appropriateness of the panel for this conference and should
identify participants and their respective viewpoints.

mailing list/ web-site:
-----------------------
If you want to receive emails with subsequent Call for Papers and
registration information, please send a brief mail to cqre@secunet.de.
You will find this call for papers and further information at
http://www.secunet.de/forum/cqre.html .

important dates:
----------------
deadline for submission of extended abstracts      May 14, 1999
deadline for submission of panel proposals         June 1, 1999
notification of acceptance                         June 25, 1999
deadline for submission of complete papers         July 30, 1999

program chair:
--------------
secunet - Security Networks GmbH
c/o Rainer Baumgart
Weidenauer Str. 223 - 225
57076 Siegen
Germany
Tel.: +49-271-48950-15
Fax:  +49-271-48950-50
R.Baumgart@secunet.de

program committee:
------------------
Johannes Buchmann (TU Darmstadt)
Dirk Fox (Secorvo)
Walter Fumy (Siemens)
Rüdiger Grimm (GMD)
Helena Handschuh (ENST/Gemplus)
Thomas Hoeren (Uni Muenster)
Pil Joong Lee (POSTECH)
Alfred Menezes (U.o.Waterloo/Certicom)
David Naccache (Gemplus)
Clifford Neumann (USC)
Mike Reiter (Bell Labs)
Matt Robshaw (RSA)
Richard Schlechter (EU-comm.)
Bruce Schneier (Counterpane)
Tsuyoshi Takagi (NTT)
Yiannis Tsiounis (GTE Labs)
Michael Waidner (IBM)
Moti Yung (CERTCO)
Robert Zuccherato (Entrust)

------------------------------

Date:    Wed, 10 Mar 1999 12:15:16 -0500
From:    Jessica Botta
Subject: ACLU Launches New Web Site: Defend Your Data

What They Do Know Can Hurt You!
ACLU Launches Special Web Collection On Privacy and Data Protection

Urging netizens everywhere to defend their data, the American Civil Liberties
Union today launched a special web site to focus public attention on the
threat to personal privacy through the collection and widespread distribution
of personal data.

The new web collection -- which can be found at -- features several
interactive elements, including:

  -- A complaint form where individuals can spell out their privacy horror
     stories.
  -- A tool that shows individuals just what can be learned about them on
     the web.
  -- A survey and postcard utility.
  -- Faxable letters to Congress.
  -- A discussion forum.

The web collection marks the ACLU's increasing efforts to protect individual
privacy in America.

"We clearly have our work cut out for us to derail what has been an endless
stream of proposals that attack our privacy rights," said ACLU Executive
Director Ira Glasser. "And although many believe widespread dissemination of
our data is harmless, the ACLU believes that what they do know, can hurt us."

Glasser pointed out that 200 years ago nearly every bit of personal
information about an individual was kept at home, on paper, and stored as a
personal effect. "To protect privacy of this information," he said, "early
Americans insisted on the Fourth Amendment, which established the home as a
person's 'castle,' inviolate against government searches except when
warranted by a court for very specific and particular criminal
investigations."

The Fourth Amendment still protects the privacy of our homes, but personal
information isn't exclusively stored there anymore, Glasser said.
Now, a wide array of personal information about each of us is kept
electronically by others -- by medical insurers, employers, credit card
companies, banks, phone companies and a wide range of government and private
agencies.

"Some of these entities exist solely to sell our personal information, no
matter how private," Glasser said. "And new technologies keep arising to
develop, collect, store and disseminate the most private information about
each of us, with few if any legal protections."

A leading privacy advocate, the ACLU is a nationwide, non-partisan
organization dedicated to defending and preserving the Bill of Rights for all
individuals through litigation, legislation and public education.
Headquartered in New York City, the ACLU has 53 staffed affiliates in major
cities, more than 300 chapters nationwide, and a legislative office in
Washington. The bulk of its $35 million annual budget is raised by
contributions from members -- 275,000 strong -- and gifts and grants from
other individuals and foundations. The ACLU does not accept government funds.

The new web collection can be found at:

------------------------------

Date:    Sun, 7 Mar 1999 16:56:37 -0500
From:    Privacy International
Subject: 1999 Privacy Intl Big Brother Awards USA Nominations

        ********* CALL FOR NOMINATIONS *********

     PRIVACY INTERNATIONAL 1999 US BIG BROTHER AWARDS

On April 6, 1999, the human rights group Privacy International will present
the first annual US "Big Brother" awards to the government and private sector
organizations which have done the most to invade personal privacy in the
United States.

The awards will be bestowed at an event during the 9th Computers, Freedom and
Privacy Conference in the Ballroom of the Omni Shoreham Hotel in Washington,
DC.

"Big Brother" awards will be presented to the government agencies, companies,
individuals and initiatives which have done most to invade personal privacy.
A "lifetime achievement" award will also be presented.
The judging panel, consisting of lawyers, academics, consultants, journalists
and civil liberties activists, is inviting nominations from members of the
public.

Awards will also be given to individuals and organizations that have made an
outstanding contribution to the protection of privacy.

The event will be the first of its kind in the United States. Privacy
International previously held a ceremony in the United Kingdom in October
1998. Awards were given in the UK to the NSA's spybase in northern England,
the Department of Trade and Industry's Key Escrow plan, the township of
Newham for its camera system with facial recognition, Harlequin Corp for its
WatCall software system to track phone calls, and to Procurement Services
International for exporting surveillance equipment to such military regimes
as Indonesia and Nigeria.

Privacy International (PI) was formed in 1990 as a non-government watchdog on
surveillance and privacy invasion. The organization has campaigned throughout
the world on dozens of issues ranging from identity cards and encryption
policy, to workplace surveillance and military intelligence. PI's membership
includes IT specialists, lawyers, judges and journalists from forty
countries.

More information on PI can be found at:
    http://www.privacyinternational.org/

The awards page can be found at:
    http://www.bigbrotherawards.org/

Nominations can be made directly from this site.

More information on CFP 99 can be located at:
    http://www.cfp99.org/

------------------------------

Date:    Tue, 16 Mar 1999 00:05:26 -0500
From:    "Jocelyn R. Dabeau"
Subject: "Privacy in Cyberspace" Lecture Series

For immediate release:

HARVARD'S BERKMAN CENTER OFFERS "PRIVACY IN CYBERSPACE" LECTURE DISCUSSION
SERIES

Cambridge, MA.-- The Berkman Center for Internet & Society at Harvard Law
School invites the public to register for "Privacy in Cyberspace," a free
Online Lecture and Discussion Series open to participants worldwide.
The series, led by Professor Arthur Miller, will consider how the Internet
and related technologies reframe traditional privacy concerns and the control
users have over their personal information online. Discussion will often
spring from events in the news, such as the controversy over Intel's Pentium
III serial numbers and the $104 million jury verdict against the website for
detailed personal information on doctors who performed abortions. Topics will
also include browser data trails and "cookies," medical privacy, cross-border
issues raised by the European Data Privacy Act, and Internet privacy in the
workplace.

The series follows the Berkman Center's entrepreneurial research method of
studying cyberspace by building within it. In addition to real-time chat and
threaded discussion modules, we will be using software developed by the
Center to facilitate the exchange of ideas among series participants.

Each week will begin with a hypothetical situation described by Professor
Miller in the Socratic method he uses in the Law School classroom.
Participants will be challenged to ask questions and offer their own analyses
in discussions moderated by the course's Teaching Fellows. They will also be
asked to respond to their classmates' analyses in software-directed
conversations. At the conclusion of each lesson, Professor Miller will engage
in a real-time chat with participants and invited guests.

The Series begins on the 15th of March and lasts for 8 weeks.

Apply to "Privacy in Cyberspace" at:
    http://eon.law.harvard.edu/privacy/

Additional information on all of the Harvard Law School Online Lecture and
Discussion Series can be found at the Center's Web Site:
    http://cyber.law.harvard.edu

Please note that this offering is not a Harvard Law School course. Therefore,
do not direct inquiries to the Harvard Law School Registrar's office; they
will be unable to assist you.

Please direct press inquiries to Donna Wentworth at 617.496.0747.

Regards,

Jocelyn R. Dabeau
Teaching Fellow
Berkman Center for Internet & Society
Harvard Law School

------------------------------

End of PRIVACY Forum Digest 08.05
************************