Date: Mon, 11 May 92 16:23:22 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@PICA.ARMY.MIL Subject: Computer Privacy Digest V1#019 Computer Privacy Digest Mon, 11 May 92 Volume 1 : Issue: 019 Today's Topics: Moderator: Dennis G. Rears Census Bureau Database "IF you have nothing to hide..." Re: TRW Reports Re: Is e-mail private? Re: Is e-mail private? Re: E-mail privacy should be independent of carrier. Re: E-mail privacy should be independent of carrier. The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.200]. ---------------------------------------------------------------------- Subject: Census Bureau Database Date: Sat, 9 May 92 9:22:26 CDT From: "Eric J. Johnson" Here's another database that we may be overlooking wrt privacy concerns. In the past, I have worked with the U.S. Census Bureau's household database, which contains all sorts of information about the households in a particular census block and tract. It contains stuff like number of cars owned, number of toilets, income figures, and all of the answers to those innocuous little questions Americans are required to answer about themselves on their Census forms. All available on tape from your friendly government. The tapes I have received are massaged to contain no personal information, but it is quite straightforward to combine the household database with the United States Postal Service Zip+4 database (free on tape from the USPS) and your local telephone directory ($$ on tape from most RBOCS with non-pubs excluded) and voil`a we have your name, address, phone number and a rather good profile of your household to assist in targeted mailings and calls. The possibilities are endless! For example, if I already happen to own a few mailing lists, I can filter them through this database and produce a more exact match of the type of household I am trying to target. As far as reducing junk mail is concerned, this may not be all bad. But say I am a bank out looking for new customers, or better yet, the bank/credit card processor which already has a financial records on you... Think of the tool this is for law enforcement. All the government has to do is develop a demographic profile of a particular type of criminal, produce a list of the most likely suspects in a particular area (zip+4 resolves down to a single side of a single city block) and target them for closer scrutiny. And you provided them the information that made this possible on your Census form! A story I was told by one of the marketers out hawking an on-line database of this type I helped develop (about five years ago) tailored for the banking community might help illustrate the appeal of this sort of tool. The demo was pretty simply, a portable PC with an overhead projector adapter connected remotely to a database machine. The marketer would ask a member of the audience for their zip code. They would the enter a simple SQL command to retrieve (in a couple seconds) the household demographic info for the particular person's household. The marketer would then read off the demographic profile to a stunned audience. There was at least one person who stood up during the demo yelling that there was no way such private information could be available! I'll bet that person's company was one of the first in line to purchase the service, though. What got me started writing this article was a conversation I had a few days ago with a genealogy fan in my office. I had tacked up on the wall of my office one the many articles flying about regarding all the information available to someone with your SSN. He read the article and told me that he could get much more information through an area genealogical society, which has been tracing families through dial-up access to the Census Bureau's computer. It seems they have access to individual's personal records. I wonder who else does... -- Eric J. Johnson UUCP: eric@null.uucp The opinions expressed in this article are those of the author and in no way reflect the will of Landru. (or U S WEST Communications) ------------------------------ From: The Jester Subject: "IF you have nothing to hide..." Date: 9 May 92 19:49:17 GMT One of the reasons that many people are against 'intrusive' laws is because they disagree with the rational "If you have nothing to hide, then you don't need to worry." However what I have failed to see is a single cogent explination of WHY the rational of "If you have nothing to hide, then you have nothing to fear" is a bankrupt one. Would anyone care to provide a concise explination of WHY the previously mentioned rational is wrong? And please, though examples are useful for illustration of a point, they do not make one. The Jester -- The Jester "You can lead a herring to water, but you have to walk really fast, or he'll die."-Stolen from my Evil Mistress (TM) NWILSON@MIAVX1.ACS.MUOHIO.EDU ------------------------------ From: James Davies Subject: Re: TRW Reports Date: Sun, 10 May 92 04:42:06 GMT Apparently-To: In article zimmer@gw.wmich.edu writes: > >Montgomery Wards, when successfully soliciting business over the phone >with you, does ask for private information you've previously supplied >them to verify you are who they think you are. It's been my experience that most organizations use the same piece of "private information" for verification -- your mother's maiden name. This is about as secure as using your social security number in some sense, in that someone who cared could easily find it out with a little research. AT&T asked for this when I called their Universal Card 800 number with a change request last week. I've been tempted to make up a different "mother's maiden name" for each organization that asks (including, in the past, various utility companies and banks), but I worry that I'll forget it and they won't have any way of resetting my "password" (after all, your mother's maiden name isn't supposed to change, right?). ------------------------------ From: sbyers@crash.cts.com (Steve Byers) Subject: Re: Is e-mail private? Date: Sun, 10 May 1992 23:45:05 GMT >Continuing the discussion on whether e-mail is "private," our esteemed >Moderator wrote: > ... On a different note I seem to recall federal >legislation some years back that made interception of email a federal >offense. Does anyone know anything about that? _Dennis ] I'm surprised you guys don't have this already. I picked it up a few months ago on alt.privacy. I have included the whole article below (including the header) in case you want to look up the thread yourself. [Note to moderator: I realize this is a bit long, so feel free to edit it in any way you see fit.] -------- begin included article -------- #From: riddle@hoss.unl.edu (Michael H. Riddle) #Subject: Re: E-mail Privacy #Date: 29 Mar 91 17:15:17 GMT In <1991Mar29.082317.14316@vpnet.chi.il.us> louisg@vpnet.chi.il.us (Louis Giliberto) writes: >To what extent should E-Mail be private? I believe that the general consensus >is that it should be viewed as private, and not intentionally looked at. It >is common in performing maintainence funvtions that some mail may accidently >be seen, but in general E-Mail should not be wilfully read. Correct so far. >This brings up a problem though (digression time!). If, as recent events >have shown, a system operator can lose his computer if illegal messages >are passed through E-mail without his knowledge, then does he have a right >and/or responsibility to monitor E-mail? At a minimum, the person or entity providing the service has a right to report evidence of illegal acts occurring on the system. >Without protecting the sysop/administrator from responsibility for what passes >through his machine, he may have to take unorthodox steps to cover his hide. >This confuses the issue greatly, and brings responsibility and privacy into >conflict with one another. >For if the law states that he IS responsible for the mail in his system, and >there is another law which guarantees the privacy of E-mail, the two become >at odds with each other. Can this be resolved? I think this is >an important point to consider. The Electronic Communications Privacy Act of 1986, codified at 18 U.S.C. 2701 et seq., attempts to strike this balance. Since this is the law, it is the required starting point for any intelligent discussion of the subject. If the current law has flaws, then means exist to get it changed. The following are the principal parts that apply to this area: CHAPTER 121. STORED WIRE AND ELECTRONIC COMMUNICATIONS AND TRANSACTIONAL RECORDS ACCESS s 2701. Unlawful access to stored communications (a) Offense. Except as provided in subsection (c) of this section whoever (1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section. (b) Punishment. The punishment for an offense under subsection (a) of this section is- (1) if the offense is committed for purposes of commercial advantage, malicious destruction or damage, or private commercial gain (A) a fine of not more than $ 250,000 or imprisonment for not more than one year, or both, in the case of a first offense under this subparagraph; and (B) a fine under this title or imprisonment for not more than two years, or both, for any subsequent offense under this subparagraph; and (2) a fine of not more than $ 5,000 or imprisonment for not more than six months, or both, in any other case. (c) Exceptions. Subsection (a) of this section does not apply with respect to conduct authorized- (1) by the person or entity providing a wire or electronic communications service; (2) by a user of that service with respect to a communication of or intended for that user; or (3) in section 2703, 2704 or 2518 of this title. CHAPTER 121. STORED WIRE AND ELECTRONIC COMMUNICATIONS AND TRANSACTIONAL RECORDS ACCESS s 2702. Disclosure of contents (a) Prohibitions. Except as provided in subsection (b)- (1) a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service; and (2) a person or entity providing remote computing service to the public shall not knowingly divulge to any person or entity the contents of any communication which is carried or maintained on that service- (A) on behalf of, and received by means of electronic transmission from (or created by means of computer processing of communications received by means of electronic transmission from), a subscriber or customer of such service; and (B) solely for the purpose of providing storage or computer processing services to such subscriber or customer, if the provider is not authorized to access the contents of any such communications for purposes of providing any services other than storage or computer processing. (b) Exceptions. A person or entity may divulge the contents of a communication- (1) to an addressee or intended recipient of such communication or an agent of such addressee or intended recipient; (2) as otherwise authorized in section 2517, 2511(2)(a), or 2703 of this title; (3) with the lawful consent of the originator or an addressee or intended recipient of such communication, or the subscriber in the case of remote computing service; (4) to a person employed or authorized or whose facilities are used to forward such communication to its destination; (5) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service; or (6) to a law enforcement agency, if such contents- (A) were inadvertently obtained by the service provider; and (B) appear to pertain to the commission of a crime. -- <<<< insert standard disclaimer here >>>> riddle@hoss.unl.edu | University of Nebraska postmaster%inns@iugate.unomaha.edu | College of Law mike.riddle@f27.n285.z1.fidonet.org | Lincoln, Nebraska, USA ------------------------------ Date: Mon, 11 May 1992 11:28:03 EDT From: Stacy Veeder Subject: Re: Is e-mail private? Jyrki Kuoppala writes: >It is illegal, just as it is illegal to tap into people's phones. >However, there's a small hole in the law - it's illegal only when the >email is "in transit" and nobody really knows what that means. That's >going to be changed to cover all email. >//Jyrki I'm afraid this is inaccurate. The Electronic Communications Privacy Act of 1986 covers electronic mail both in transit _and_ in storage. Moreover, the ambiguities in the law, as it is now written, are not in how "in transit" is defined (see 18 USC 2510 et seq.), but rather in the level of privacy protection (if any) covering e-mail that passes through gateways connecting public and private networks. Stacy B. Veeder Bitnet: SBVEEDER@SUVM.BITNET Internet: sbveeder@suvm.acs.syr.edu DISCLAIMER: I am not a lawyer, just a layman following legal and other developments in the area of e-mail privacy. If you need legal advice, contact an attorney. ------------------------------ Date: Sun, 10 May 92 21:10:45 EDT From: Brinton Cooper cc: Bob Weiner Subject: Re: E-mail privacy should be independent of carrier. Bob Weiner writes, in response to my posting on whether one has an expectation of privacy in e-mail: > The ignorance that yields this kind of widespread corporate view on > information privacy comes from a biased analysis that asks only "What > can we do with this technology?" not "What should we do, given what we > know we can do?" The poster's question was whether there IS an expectation of privacy, not whether there SHOULD BE. I addressed this question and did not state my position on it's correctness. I believe that, taken to the presently-constituted Supreme Court, the "corporate view" would prevail. (Incidentally, I do not hold corporate views. I have no connection with any corporations.) > No such right has been widely recognized in our electronic mediums > such as e-mail within a private network, even though it should be easy > to recognize the direct parallels to both paper mail and telephony. A > call that goes from one extension of a PBX to another of its > extensions never passes through any "common carrier" network, yet I am > fairly certain, it is protected in the same way, because we recognize > that there is more to the issue at stake than just the status of the > carrier that transfers the signals. We may recognize it, but the machines' owners may not. In any case, the machines' owners can, in fact, get access to any file on the machine. Do you expect an employee to obtain a federal court injunction denying a machine's owners access? > So answers to issues of privacy that we can socially tolerate are not > to be found in asking questions such as "who's equipment was involved" > but only in "who were the conversants," "what was the conversation > on," "in what capacity was the conversation held," etc. I rather like the concept embodied in the last three "questions," but I believe that, in the present climate, they represent only wishful thinking. _Brint ------------------------------ From: Steve Barber Subject: Re: E-mail privacy should be independent of carrier. Date: Mon, 11 May 1992 01:35:10 GMT In rsw@cs.brown.edu (Bob Weiner) writes: >No such right has been widely recognized in our electronic mediums >such as e-mail within a private network, even though it should be easy >to recognize the direct parallels to both paper mail and telephony. A >call that goes from one extension of a PBX to another of its >extensions never passes through any "common carrier" network, yet I am >fairly certain, it is protected in the same way, because we recognize >that there is more to the issue at stake than just the status of the >carrier that transfers the signals. While I agree that "personal" communications made from the place of business ought to be private, when made by telephone they just aren't. Courts have ruled that companies may listen into employee phone calls, since, after all the company owns the PBX. Sigh. Privacy activists (and workplace rights activists like 9to5) are busting their guts just to get companies to even *notify* employees about surveillance policies. Getting them to stop monitoring is a long way off. Solution? Get a cellular phone and take it to work. Get one with a modem and jack into the internet via a public access host that ensures your privacy by contract or statute (i.e. the ECPA of 1986), from your own laptop. Ridiculous? Sure. -- Steve Barber sbarber@panix.com "The direct deed is the most meaningful reflection." - Bill Evans The above is not a legal advice. It is, at best, a discussion of generalities. Consult your attorney before acting in a specific situation. ------------------------------ End of Computer Privacy Digest V1 #019 ******************************