Date: Mon, 18 May 92 17:01:34 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V1#029

Computer Privacy Digest Mon, 18 May 92              Volume 1 : Issue: 029

Today's Topics:
                        Moderator: Dennis G. Rears

    Re: Privacy and Law and Order (Long)
    Re: "IF you have nothing to hide..."
    Re: "IF you have nothing to hide..."
    Re: "IF you have nothing to hide..."
    Re: "IF you have nothing to hide..."
    Re: "IF you have nothing to hide..."
    Re: "IF you have nothing to hide..."
    Re: "IF you have nothing to hide..."
    IF you have nothing to hide
    Privacy in video rental records?
    Re: What's to hide?
    Re: "IF you have nothing to hide..."
    An answer to "IF you have nothing to hide..."
    Re: "IF you have nothing to hide..."
    Caller ID decision
    European Unification & Information Security
    Papers of interest to readers
    re: Is Email Private--NOT!
    Re: Is e-mail private?

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.200].

----------------------------------------------------------------------

From: Emmett
Subject: Re: Privacy and Law and Order (Long)
Date: 14 May 92 03:29:14 GMT

In article John Higdon writes:
>> From: Conrad Kimball writes:
>
>> If I was given the option of selecting my line's default to be either
>> blocked or unblocked, with a '*' code to temporarily reverse the
>> default, I'd be a happy camper.
>
>Is this what it would take to satisfy you on the whole matter of CNID?
>This comes under the heading of "feature implementation" and is so
>trivial as to be not worth mentioning, yet it would be, for you, the
>salvation of CNID. Incredible.
>

Key words there are 'for you'. As for the 'feature implementation' argument, when is the last time you tried to get something changed after you accepted delivery? It's always made sense to me to get it right the first time. The fact that there is a controversy over this issue at all should show you that not everyone believes it would be offered as a feature.

[ Argument that privacy shouldn't be given up now that we have it, deleted ]

>And that, dear sir, is exactly why you and millions like yourself can
>get credit cards, debit cards, instant store accounts, bank lines of
>credit, property sale closures in days instead of months, and all of
>the financial conveniences that are taken for granted these days. Do
>you think that all of these companies and financial institutions would
>just hand you the money if they knew nothing about you? In Smalltown,

Do you think I would get letters about 'Terrific new products we're just absolutely positive you'll love hearing about, even when we send you yet another copy of this letter with a TENTH variant of your name on it.' if they knew nothing about me??

>after you had lived there for about ten years, Mr. Smith might just
>open a store account for you with a small limit. After another ten of
>showing a good payment history (as observed and recorded by Mr. Smith)
>you might get your limit raised. Of course all of this credit is only
>good at one place: Mr. Smith's.
>
>Today, your credit is portable and easily obtained at new locations.
>How did YOU think that it was possible to walk into a store for the
>first time in your life and open an account? Magic?
>
>> Must we tolerate (nay, even aid and abet!) repeats of the shoddy history
>> of credit bureaus such as TRW, in which the worst problem is not so much
>> that they have a lot of data (which some would argue is a problem in
>> itself), but rather that so much of the data they have is incorrect,
>> and use of which can seriously damage people.
>
>Then it should be corrected. I have done this myself; it is not hard.
>Without this extensive database, we would be forced back into a
>cash and carry society. While some may approve of that, there are many
>more who would not.
>

Your argument is that you and others who share your opinion feel you would be inconvenienced if you were forced into a situation not of your choosing or of your liking. Guess what my argument is.

>> Some people have raised concerns
>> about lifestyle data being fed to insurance companies, which being *very*
>> highly motivated to reduce risk, raise rates or refuse coverage in
>> situations that do not in fact warrant it. And, when they raise your
>> rates or refuse you coverage, how are you to know the basis for their
>> unjust decision?
>
>Try asking. Someone, somewhere started the "truism" that "they" are
>unreachable, untouchable, and have unlimited power. I have received
>such things as notices of cancellation and simply called the company to
>get an explanation. In some cases, after discussing the matter, the
>cancellation was rescinded. I am surprised that you give people so little
>credit for being able to pick up a phone or write letters of inquiry.

Why is this my responsibility?? These people are paid quite handsomely for providing information that is presumed accurate by their customers. Extending your line of reasoning leads to the argument that if I choose to eat food that has been shipped to a grocery store in a truck, then I'm responsible for doing maintenance work on the truck.

>Of course, failing to mention those avenues of redress gives more
>weight to your argument. And speaking of weight:
>
>> - The greenhouse effect.
>
>> - Smoking.
>
>> - Logging
>
>What do these things have to do with privacy? Is the implication that
>the consequences are on a par with these things? Is this the only way you
>can make your argument seem non-trivial? The most serious privacy
>violations that could occur in modern society will not kill, maim, or
>even cause much more than a minor annoyance or inconvenience. We are
>not talking disastrous global climate changes here. We are not talking
>500,000 deaths a year. We are not even talking about endangered
>species.
>

No, we're talking about minor annoyances and inconveniences. Frankly, given a choice I'd just as soon avoid them. Besides, it's at least as important to me as the issue of death from smoking (I don't smoke) and will impact me personally a lot more than spotted owls (I doubt I'll encounter a significant number of spotted owls in my lifetime, but I'm pretty sure I haven't seen the last of the annoyances and inconveniences). Besides [ my turn to be dramatic ], falling two feet is pretty minor by itself, but if they happen to be the last two feet of a hundred foot drop, the results are noticeable.

[ Bluster about things I consider irrelevant deleted ]

>
>There is someone who asserted in print that we are all going
>to get cancer because of electrical transmission lines. I would guess
>that you must be in favor of shutting down our electrical grid until
>someone proves him wrong. Never mind that it would disrupt our whole
>way of life, destroy the economy, and literally make it impossible for
>people to live in our cities. But we cannot take any chances now, can
>we?
>

Until you hit the bit about shutting down the cities, you weren't doing too badly there. Shut 'em down says I. :-)

>So it is with privacy. A few very noisy people are running around
>announcing the death of all we hold near and dear because some nasty
>people can find out our little secrets. Shall we return to green visors
>and ledger paper until the theorists can come to a conclusion one way
>or another? Does it really matter?
>

For someone who was just complaining about making sweeping statements just for effect, don't you think this is a bit much?? Personally I see it as a bandage.
I'd rather do away with the nasty people that can 'find out our little secrets'. As far as I'm concerned it does matter.

If it were an ideal world, I can't think of anything I've personally done in the privacy of my own home that I would really care one way or another if the world knew about (a few things that might disturb my mother, but such is life). Unfortunately, there are a lot of people in the world (and even in Montana) who possess value systems that I choose not to subscribe to. Some of them have the clout to be more than minor annoyances. You used the metaphor of Smalltown, USA. In Smalltown, there was only one Mrs. Grundy, if you include Tinytown and Diminuitive-ville to the list we're talking about at least three Mrs. Grundys. How many do you suppose live in the New York or LA areas alone? Can you really blame me for not wanting to be forced to deal with them??

>
>--
>        John Higdon  |   P. O. Box 7648   |   +1 408 723 1395
>    john@zygot.ati.com      | San Jose, CA 95150 |       M o o !

--
Larry Emmett                        v    'Computers are a lot like the God of the
Internet:icsu8249@cs.montana.edu   /o\    Old Testament. A whole lot of rules
Bitnet: icsu8249@MtsUnix1.bitnet   ---    and no mercy.' -- Joseph Campbell

------------------------------

From: David Karr
Subject: Re: "IF you have nothing to hide..."
Date: 14 May 92 16:28:24 GMT
Source-Info: From (or Sender) name not authenticated.
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
             |||||||||||||||||||||||||||||||||||||||

In article ygoland@edison.seas.ucla.edu (The Jester) writes:
>Would anyone care to provide a concise explanation of WHY the
>previously mentioned rational is wrong?

Because everyone has something to hide from someone. Even you. (Or do you claim there is NOTHING you ever do that you would be ashamed for me to have a videotape of?)

>And please, though examples
>are useful for illustration of a point, they do not make one.

And, pray tell, why not?
Suppose I tell you that it's a bad idea to shove paper clips into live electrical outlets with your bare fingers. Suppose you don't believe me. Suppose I then suggest you try it and see, and you do, and you get a shock. Now the shock would just be an example illustrating my point, not exactly a mathematical argument, yet I think it would make the point pretty well, don't you?

-- David Karr

------------------------------

From: "Daniel E. Platt"
Subject: Re: "IF you have nothing to hide..."
Date: 14 May 92 20:09:34 GMT
Disclaimer: This posting represents the poster's views, not necessarily those of IBM
Source-Info: From (or Sender) name not authenticated.
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
             |||||||||||||||||||||||||||||||||||||||

In article , emba-news.uvm.edu!cavrak@kira.uvm.edu (Steve Cavrak) writes:
|> "If you have nothing to hide, you have nothing to fear"
|>
|> - sounds like an opening line by the KGB, CIA, FBI, Stasi, or you name
|>   your favorite terrorist group,
|>
|> - sounds like an incorrect inversion of, "if you are fearful, you must
|>   be hiding something" - i.e. you are the cause of your own fear.
|>
|> -
|> ------------------------------------------------------------------------
|>
|> HEY !@
|>
|>
|> - I have the right to an unlisted phone number
|>
|> - I have the right not to have a telephone at all
|>
|> - I have the right not to carry identification
|>
|> - I have the right to travel without telling anyone where I am going
|>
|> - I have the right to carry money
|>
|> - I have the right not to carry money
|>
|> - I have the right not to be searched WITHOUT DUE CAUSE.

Not if you ride a public bus.

|>
|> HEY!
|>
|> This is America. These are the rights that make it so.

This must not be America any more (we seem to have ceded our rights when we supported candidates who felt the police powers had suffered, and put in supreme court justices who agreed).

|>
|> We don't need to apologize for them, we need to celebrate them, to
|> assert them.

We need to get them back.

|>
|> Geez.
|>
|> Steve
|>
|> [Moderator's Note: Do you really have a right to an unlisted phone
|> number? What type is it? God Given, constitutional, moral, or another
|> type of right? What entity gave you this right. Constitutional rights
|> only apply to what the government does to its citizens not what private
|> entities do to citizens. What about the "right" of the Telephone
|> Company to give you service on its own terms. It is TPC that gives you
|> phone service and it is their number not yours. It is only for your
|> use while you pay for the service. _Dennis]

------------------------------

From: Carl Ellison
Subject: Re: "IF you have nothing to hide..."
Date: 14 May 92 20:18:56 GMT

The proposition behind the trick question is that the government has the right to spy on us without being equally open and transparent to all citizens in return.

The flaw is that this proposes a two-class system with the people in the second-class role. That is reversed from the basis of this country.

Knowledge is power and in our democracy, the power lies in the people not in the government. It is therefore vital that the government have a minimum of knowledge about the citizens and that the citizens have a maximum of knowledge about the government.

Result: prohibit encryption technology in the hands of the government; give it to the individual citizens only.

After all: aren't we happy that Ollie North's criminal activities were available for public examination?

------------------------------

From: "Richard A. Schumacher"
Subject: Re: "IF you have nothing to hide..."
Date: 15 May 92 01:30:02 GMT

>In article ygoland@edison.seas.ucla.edu (The Jester) writes:
>>One of the reasons that many people are against 'intrusive' laws is
>>because they disagree with the rational "If you have nothing to
>>hide, then you don't need to worry." However what I have failed to
>>see is a single cogent explanation of WHY the rational of "If you
>>have nothing to hide, then you have nothing to fear" is a bankrupt
>>one. Would anyone care to provide a concise explanation of WHY the
>>previously mentioned rational is wrong?

(BTW: The word is "rationale".)

Because people disagree, sometimes violently, about what is worth hiding. For example, one person might go to absurd lengths to prevent people from learning the details of how he masturbates even though most people would probably find it uninteresting. For another example, many people do not want their tax returns made public even though they might not reveal anything which is, strictly speaking, illegal.

Is the point now clear? (If you have no emotional need for privacy, or no appreciation for the need in others, then I suppose that no argument against the "nothing-to-hide" doctrine will have any force for you.)

------------------------------

From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: "IF you have nothing to hide..."
Date: 14 May 92 20:18:56 GMT
Organization: Stratus Computer, Software Engineering

The proposition behind the trick question is that the government has the right to spy on us without being equally open and transparent to all citizens in return.

The flaw is that this proposes a two-class system with the people in the second-class role. That is reversed from the basis of this country.

Knowledge is power and in our democracy, the power lies in the people not in the government. It is therefore vital that the government have a minimum of knowledge about the citizens and that the citizens have a maximum of knowledge about the government.

Result: prohibit encryption technology in the hands of the government; give it to the individual citizens only.

After all: aren't we happy that Ollie North's criminal activities were available for public examination?

------------------------------

From: platt@watson.ibm.com (Daniel E. Platt)
Subject: Re: "IF you have nothing to hide..."
Date: 14 May 92 20:09:34 GMT
Organization: IBM T.J. Watson Research Center
Disclaimer: This posting represents the poster's views, not necessarily those of IBM

In article , emba-news.uvm.edu!cavrak@kira.uvm.edu (Steve Cavrak) writes:
|> "If you have nothing to hide, you have nothing to fear"
|>
|> - sounds like an opening line by the KGB, CIA, FBI, Stasi, or you name
|>   your favorite terrorist group,
|>
|> - sounds like an incorrect inversion of, "if you are fearful, you must
|>   be hiding something" - i.e. you are the cause of your own fear.
|>
|> -
|> ------------------------------------------------------------------------
|>
|> HEY !@
|>
|>
|> - I have the right to an unlisted phone number
|>
|> - I have the right not to have a telephone at all
|>
|> - I have the right not to carry identification
|>
|> - I have the right to travel without telling anyone where I am going
|>
|> - I have the right to carry money
|>
|> - I have the right not to carry money
|>
|> - I have the right not to be searched WITHOUT DUE CAUSE.

Not if you ride a public bus.

|>
|> HEY!
|>
|> This is America. These are the rights that make it so.

This must not be America any more (we seem to have ceded our rights when we supported candidates who felt the police powers had suffered, and put in supreme court justices who agreed).

|>
|> We don't need to apologize for them, we need to celebrate them, to
|> assert them.

We need to get them back.

|>
|> Geez.
|>
|> Steve
|>
|> [Moderator's Note: Do you really have a right to an unlisted phone
|> number? What type is it? God Given, constitutional, moral, or another
|> type of right? What entity gave you this right. Constitutional rights
|> only apply to what the government does to its citizens not what private
|> entities do to citizens. What about the "right" of the Telephone
|> Company to give you service on its own terms. It is TPC that gives you
|> phone service and it is their number not yours. It is only for your
|> use while you pay for the service. _Dennis]

------------------------------

From: James Davies
Subject: Re: "IF you have nothing to hide..."
Date: Fri, 15 May 92 20:15:03 GMT

In article ygoland@edison.seas.ucla.edu (The Jester) writes:
>
>There have been several posts regarding my quest for a definitive
>statement regarding WHY the concept of "if you have nothing to hide
>then you have nothing to fear" is wrong. However these posts have
>consistently ignored the point I ended my post with, that examples
>do NOT make a point, they only illustrate one. The responses seen so
>far have been examples and lots of them, some good, some not, but
>examples none the less. So far no one has been able to write a
>concise explanation of WHY they feel that this idea is wrong. We are
>all in agreement that the statement IS wrong. Why is everyone
>(myself included) having so much trouble coming up with a short,
>direct, statement of why?

My private affairs are my business, not the government's. I see no reason to elaborate on this view.

------------------------------

From: Charlie Mingo
Date: Fri, 15 May 1992 21:00:01 -0500
Subject: IF you have nothing to hide

mc/G=Brad/S=Hicks/OU=0205925@mhs.attmail.com writes:

> If admitting that you want privacy equals an admission that you have
> "something to hide", then by definition the people who seek privacy
> are admitting that they have something to hide. Compelling them to do
> this as a matter of law would violate the 5th amendment to the U.S.
> Constitution, and is generally recognized as tacky elsewhere.

As a general matter, this is not true. The Fifth Amendment only protects against forced incrimination as part of a criminal or quasi-criminal (eg, legislative committee) proceeding. It is far too narrow a provision to support the concept of "privacy" you are trying to establish.

The Fifth Amendment does permit the government to force you to disclose things outside of the courtroom which may tend to incriminate you. For example, the US Treasury requires people transferring over $10,000 into or out of the country in cash or bearer form to report this, and the sole reason for the reporting is to detect money laundering. No court has ever recognized a Fifth Amendment defense for a person charged with failing to report money transfers.

There are countless instances where we are required to report on ourselves (taxation, customs declarations, etc.) where the information provided may expose us to criminal liability. The Fifth Amendment is designed as a protection against tortured confessions, not against non-criminal reporting requirements.

------------------------------

From: Charlie Mingo
Date: Fri, 15 May 1992 21:09:30 -0500
Subject: Privacy in video rental records?

"Mark P. Neely" writes:

> ___ State Attorney John Tanner (Volusia Co, FL) has subpoenaed the
> rental records of two video shopkeepers to identify the individuals
> who rented one of four named explicit films.
>
> Ostensibly, the customers are only wanted as potential witnesses.
> Tanner states that he does not intend to prosecute any citizen whose
> name might be on this list. Both store owners are resisting, citing
> customers' rights to privacy. Tanner maintains people who rent
> material have no expectation of privacy.

Did this take place in the US or Australia?

I believe there is a federal law prohibiting the release of video rental records enacted after the confirmation hearings for Judge Robert Bork for the US Supreme Court in 1987. During the hearings, a local free paper (DC's _City Paper_) managed to obtain a list of Bork's rentals (nothing very interesting -- lots of 1940's-era B classics), and tried to make something of it.

During the Thomas confirmation hearings in 1991, one of the major unanswered questions turned out to be whether the Judge was familiar with certain porno movie stars, a question which could easily be answered by checking the local video stores. Fortunately, the Judge's records were safe from prying eyes, and he now sits upon the Court.

------------------------------

From: Bryan Morse
Subject: Re: What's to hide?
Date: 15 May 92 21:34:10 GMT

In article michael.scott.baldwin@att.com writes:
>As has been mentioned, the Supreme Court (Bowers v. Hardwick) does not see
>any privacy right in the Constitution, and even invoked Judeo-Christian
>teachings to support laws that invade our privacy. And these laws are
>not trifling: in Georgia, sodomy is a FELONY with up to 20 YEARS in jail.

Wasn't this the case where the police officer had a warrant (based on other charges), was allowed entry by another member of the household, and then witnessed the "felonious" act through a partially open doorway?

What made this such a landmark case was that it was a rare opportunity to test such laws. They usually don't come up because enforcement is so difficult (due to laws regarding privacy). This made for a perfect test case because the officer did *not* violate the privacy of the individuals when witnessing the illegal act. The court upheld the position that the officer legitimately entered the house (for other reasons, remember) and therefore did not violate anyone's privacy. They also upheld the Georgia law.

The outcome of this is not a wholesale loss of privacy. What the court basically said was that laws regarding "private" conduct were permissible, but reemphasized that the enforcement of such could not invade privacy. In other words, it is not the law itself that invades privacy, but the enforcement of it. In cases like this where the enforcement does not invade privacy, the law can be applied.

(Okay, so this is getting away from the technical aspects of the group, but this is the second time I have seen this case misapplied here in the last week.)

--
Bryan Morse                University of North Carolina at Chapel Hill
morse@cs.unc.edu           Department of Computer Science

------------------------------

From: egdorf@zaphod.lanl.gov (Skip Egdorf)
Subject: Re: "IF you have nothing to hide..."
Organization: Los Alamos National Laboratory
Date: Fri, 15 May 1992 23:51:19 GMT

In article ygoland@edison.seas.ucla.edu (The Jester) writes:

> One of the reasons that many people are against 'intrusive' laws is
> because they disagree with the rational "If you have nothing to
> hide, then you don't need to worry." However what I have failed to
> see is a single cogent explanation of WHY the rational of "If you
> have nothing to hide, then you have nothing to fear" is a bankrupt
> one. Would anyone care to provide a concise explanation of WHY the
> previously mentioned rational is wrong? And please, though examples
> are useful for illustration of a point, they do not make one.

There are two main reasons that I can see:

1. Everyone has something to hide. Did you just buy something for a Lover on your credit card and don't want your spouse to know? Are you in an -intolerant area? From basic logic 101: "IF a -> b" When "a" is FALSE, then "b" is true. A false premise implies any conclusion. This is one of the more important and least intuitive statements of logic. Your basic premise is false.

2. Even if I had nothing to hide, the real-life data-collectors are very inaccurate. How many folks have been sending in to TRW lately to see just how much stuff they had to have removed from their credit records? Either by accident or malice, false information can be very damaging.

I believe that I have suggested that BOTH your premise and conclusion are false. Your false premise allows me to state that your is TRUE regardless of the conclusion.
Hence, there is absolutely NOTHING wrong with the statement "If you have nothing to hide, then you don't need to worry." It is perfectly TRUE.

How do we discuss this from this point?

Skip Egdorf
hwe@lanl.gov

------------------------------

From: Len Charest
Subject: An answer to "IF you have nothing to hide..."
Date: Sat, 16 May 1992 00:14:58 GMT

In article , ygoland@edison.seas.ucla.edu (The Jester) writes:
|>
|> There have been several posts regarding my quest for a definitive
|> statement regarding WHY the concept of "if you have nothing to hide
|> then you have nothing to fear" is wrong. However these posts have
|> consistently ignored the point I ended my post with, that examples
|> do NOT make a point, they only illustrate one. The responses seen so
|> far have been examples and lots of them, some good, some not, but
|> examples none the less. So far no one has been able to write a
|> concise explanation of WHY they feel that this idea is wrong. We are
|> all in agreement that the statement IS wrong. Why is everyone
|> (myself included) having so much trouble coming up with a short,
|> direct, statement of why?

Perhaps you missed this...

In article , michael.scott.baldwin@att.com writes:
|> Let me try, without using examples: the definition of what it is that you
|> have to "hide" rests with the government, not you. If the legal system
|> creates bankrupt laws that make your private life punishable, then you end
|> up hiding and fearing for simply living your life and pursuing your own
|> happiness.

BTW, I assume that since "we are all in agreement that the statement is wrong", you were just playing devil's advocate in your original post vis a vis your 'nom de net', Mr. Jester.

..................................................
Len Charest, Jr.
JPL Artificial Intelligence Group
charest@aig.jpl.nasa.gov

------------------------------

From: "Michael T. Palmer"
Subject: Re: "IF you have nothing to hide..."
Date: 16 May 92 04:04:40 GMT

ygoland@edison.seas.ucla.edu (The Jester) writes:

>There have been several posts regarding my quest for a definitive
>statement regarding WHY the concept of "if you have nothing to hide
>then you have nothing to fear" is wrong. However these posts have
>consistently ignored the point I ended my post with, that examples
>do NOT make a point, they only illustrate one. The responses seen so
>far have been examples and lots of them, some good, some not, but
>examples none the less. So far no one has been able to write a
>concise explanation of WHY they feel that this idea is wrong.

Bullshit. I have seen at least four posts which contain no examples, but state clearly how the concept of "If you have nothing to hide..." violates the basis of our legal system; i.e. that you are innocent until proven guilty (with all the attendant regulations concerning probable cause for searches and seizures).

True, many people have chosen to respond with examples, but I challenge you to find a single "example" or "case study" in even my own earlier response. I have seen several well-constructed *arguments* (not examples) better than my own in later postings as well.

Please, pretty please, take the time to actually read the responses you get to questions that you post. My apologies if you did read them all. But if you did, I cannot fathom how you could claim that nobody explained why this was wrong.

I'm not trying to start a flame war. Honest. But if you (re)read the previous responses I think you'll find that your question was indeed answered.

Note to the moderator: You may edit the first word of this if you feel you absolutely must (use asterisks for the vowels or something). And then please remove this note to you. Thanks.

--
Michael T. Palmer, M/S 152, NASA Langley Research Center, Hampton, VA 23665
Temporarily a Techie: Center for Human-Machine System Research, Georgia Tech
Voice: 404-894-4318, FAX: 404-894-2301, Email: palmer@chmsr.gatech.edu

------------------------------

Date: Sat, 16 May 1992 10:12:38 GMT
From: "Mark P. Neely"
Subject: Caller ID decision

Pulled this one from a mailing list...

Mark N.

Subj: PRIVACY WINS OVER CALLER ID in the State of Washington
Sender: Activists Mailing List

From the Seattle Post-Intelligencer, March 26, 1992 -

PRIVACY WINS OVER CALLER ID
Phone companies must offer free blocking service

P-I Staff and News Services

OLYMPIA - Telephone companies offering caller-identification service must also offer callers - free of charge - the ability to block display of their number or location, a state commission ruled yesterday.

The ruling by the Utilities and Transportation Commission came over vigorous protest from telephone companies seeking to provide caller-ID service, which uses special phones equipped with display monitors to identify the source of incoming calls.

The companies said an offer of free line-blocking, or automatic blocking of the caller's name or number, would doom caller-ID service.

"Washington has just adopted the most constrictive and conservative regulation on caller ID in the nation," said Lisa Bowersock, spokeswoman for US West in Seattle.

Companies such as US West wanted permission to charge a monthly or flat rate for a line block, while offering a "per-call" blocking ability for free.

They said they believe a fee for line-blocking - $2.50 a month was mentioned - would sift out those who do not care if they are identified.

At least one company, GTE Northwest, said it would not operate in Washington if the commission adopted the rule approved yesterday.

US West is currently installing the system in Denver and Phoenix, then will look at expansion into other areas, Bowersock said.

"With today's ruling, Washington will have a very low priority", she said.

"There's no incentive for the company to introduce the service," she added. "The regulations adopted today won't even allow companies to recover the costs of line-blocking for individual customer".

Caller ID is not available now in Washington, though the commission next month will consider a request from Pacific Telecom Inc. to offer the service in the Gig Harbor area.

Caller ID is seen by some law enforcement officials and others as a means of identifying the source of harassing or obscene telephone calls. Those resisting the technology say it raises concerns about callers' privacy rights.

In hearings around the state, people said they wanted their privacy considered before the needs of advancing telephone technology, commission Chairwoman Sharon Nelson told telephone officials at yesterday's proceedings.

The 1991 Legislature approved a change in the state's privacy statute permitting caller ID service after the commission pledged to protect the privacy of callers.

"We made a promise in good faith," said Commissioner A.J. Pardini before the three-member panel voted unanimously for the regulation.

But telephone officials said the commission was going too far when it refused to allow a fee for line-blocking service. If line-blocking is free, they said, people who buy caller-ID equipment will get too many calls in which identifications are blocked and will not sufficiently benefit from the service to make it viable.

That remains to be seen, the commission countered.

"There are too many unknowns," said Commissioner Richard Casad. He added that the best course was to come down on the side of callers.

Industry officials argued that free per-call blocking service - in which the caller dials three digits before making the call - has worked well in other states and provides enough protection for those who do not want their number disclosed.
The Washington Association of Sheriffs and Police Chiefs and the Washington State Patrol both said they favored charging for the line-block to ensure it was not overused. Law enforcement is a major supporter of caller-ID technology, believing that when it is widely used the incidence of harassing and obscene telephone calls will fall.

------------------------------

Date: Sat, 16 May 1992 10:15:55 GMT
From: "Mark P. Neely"
Subject: European Unification & Information Security

EUROPEAN UNIFICATION '92 IMPACTS ON INFORMATION SECURITY

Sanford Sherizen, Ph.D.

Published in __Computers & Security__, 10 (1991) 601-610

NOTE: This article is adapted with permission from the author's __Information Security in Financial Institutions: How to Reduce the Risk of Computer Crime__, Dublin, Ireland and London, England: Lafferty Publications Ltd, 1989.

Abstract

The unification of Europe at the end of 1992 will create information security challenges. The Single European Market will serve as a major landmark for the restructuring of Continent-wide institutions and services. There will be major changes in European finance, governance, and technology. Unification decisions will lessen existing controls and restrictions over financial processing as well as create new conditions where controls and restrictions have not been anticipated. In either of these cases, computer crimes may well increase as a consequence of the Single European Market.

This article will discuss the impact of Unification '92 on the protection of information. While much attention has been paid by security experts to the development of the Information Technology Security Evaluation Criteria (ITSEC), other important but less direct decisions are being made that are related to information security. The Unification '92 decisions that will be outlined could turn out to be of great importance in determining the nature of information protection in the Post-1992 Era.
Many EC directives and decisions, some of which are not specifically treated or labeled as information security, will substantially affect what protections will be possible as well as necessary. The major categories of these directives and decisions are: (1) Technical decisions on the use of computer and communications technologies (2) Legal decisions on how financial errors, crimes, and disagreements are defined and how they will be resolved (3) Political and public policy decisions on the general economy and the regulatory constraints applied to financial services operations, services, and products. Illustrations of these categories will be drawn from important EC decisions. These will include decisions on stimulating European information services, auditing standards and requirements, money laundering controls, open borders, and electronic data interchange (EDI). INTRODUCTION The Single European Market will serve as a major landmark for the restructuring of Continent-wide institutions and services. The end of 1992 will see the creation of major changes in European finance, governance, and technology. In a similar vein, the unification of Europe will create information security challenges. Unification decisions will lessen certain existing controls and restrictions over financial processing as well as create new conditions where controls and restrictions have not been anticipated. In either of these cases, computer crimes may well increase as a consequence of the Single European Market. This article will discuss the impact of Unification '92 on the protection of information. While much attention has been paid by security experts to the development of the Information Technology Security Evaluation Criteria (ITSEC) and the Proposal for a Decision of the European Commission on Information Security \1, other important but less direct decisions are being made that are related to information security. 
The Unification '92 decisions that will be outlined in detail in this article could turn out to be of great importance in determining the nature of information protection in the Post-1992 Era. In order to understand the more general ways in which the emergence of the Single European Market will affect information protection, consider how extensively EC proposals will affect information. A large number of the EC directives are in some manner information-related, affecting the production, processing, and/or servicing of information, including: Selected EC Proposals Related to Information \2 Standards, Testing, and Certification Telecommunications Regulations of Company Behaviors Mergers & Acquisitions Trademarks & Copyrights Accounting Operations Across Borders Protection of Computer Programs Changes in Government Procurement Regulations Extension of EC Law to Telecommunications Harmonization of Regulation of Services Banking & Mutual Funds Information Services Insurance Securities Electronic Payment Cards Liberalization of Capital Movements Long-Term Capital, Stocks Short-Term Capital EC decisions are forming the larger context for information protection, with information security being "interpreted" by factors quite different from those that traditionally influenced its functions and objectives. Those concerned with providing adequate safeguards over information will increasingly have to understand these other forces in order to prepare for a new, more complex information security. TECHNICAL, LEGAL, AND POLITICAL/PUBLIC POLICY IMPACTS ON INFORMATION SECURITY Since banking is a central institution in society and banks will be especially influenced by the Single Market, banking operations will be used as examples throughout this article. Clearly, however, the EC '92 impacts will apply well beyond banking alone. 
In our judgement, the advent of a single European banking market...may eventually be recorded in the annals of bank history as the single most important banking event of the twentieth century. \3 The Second Banking Directive and other EC bank-specific decisions are extremely important to European bankers. These define the banking industry and many of its central functions. Yet, equal in importance to the Directive are other directives and decisions that will substantially affect banking but may not be labeled as being bank-related. Often, these decisions are technical decisions, such as computer and communications technical standards that support information security and privacy protections. Other decisions have indirect implications for information security and privacy, such as banking requirements for structuring money transactions and financial standards. The major categories of these other important bank-related issues are:  (1) TECHNICAL issues. The nature and shape of communications and information systems are not solely determined by companies and the marketplace. Rather, compatibility and interconnectivity of these systems evolve from a variety of technical decisions on standards and certification. Technologies emerge into a slowly evolving set of regulatory policies set by governments and national as well as international standards created by technical bodies. Banks are heavy users of these technologies and are affected by these decisions on technical matters. Banks are involved in many of the standards committees and in political and advisory attempts to influence regulatory policies. IMPACT OF EC TECHNICAL DECISIONS: HOW BANKING PRACTICES CAN BE ACHIEVED THROUGH THE USE OF COMPUTER AND COMMUNICATIONS TECHNOLOGIES, HOW BANKING RISKS WILL BE MINIMIZED, AND FINANCIAL TRANSACTIONS WILL BE PROTECTED (2) LEGAL issues. 
There are a large number of legal decisions that establish rules of conduct and resolution of disagreements for individuals, companies, and nations. Multiple powers and jurisdictions establish such decisions, including the EC, Member States, and international legal bodies. In the context of the Single European Market, legal directives and decisions are being made on intellectual property protections, copyright agreements, trade secrets, criminal laws, extradition agreements, bank secrecy laws, and similar issues. Banks are directly and indirectly affected by these legal decisions.

IMPACT OF EC LEGAL DECISIONS: HOW BANKING ERRORS, CRIMES, AND DISAGREEMENTS ARE DEFINED AND HOW THEY WILL BE RESOLVED

(3) POLITICAL AND PUBLIC POLICY issues. These issues are macroeconomic and social structural decisions. They include laws concerning the use and ownership of information, supports for the distribution of economic and technical resources, definitions of acceptable corporate structures and business practices, and developments in international trade and international telecommunications regulation. For banks, these are essential considerations that affect the environment within which banking services operate.

IMPACT OF EC POLITICAL AND PUBLIC POLICY DECISIONS: HOW BANKING WILL FUNCTION WITHIN THE GENERAL ECONOMY AND THE REGULATORY CONSTRAINTS APPLIED TO BANK OPERATIONS, SERVICES, AND PRODUCTS, AND PUBLIC CONFIDENCE WILL BE FOSTERED

It should be noted that the impact of the Single European Market can be positive and/or negative. For example, the telecommunications changes will improve the clarity and efficiency of certain nations' phone systems and possibly improve security controls. On the other hand, opportunities for computer crime might be increased as the ability of criminals to electronically move across national borders increases the ability to find targets of opportunity.
Thus, the 1992 Unification is both an opportunity for banks as well as a potentially disastrous situation. The technical, legal, political/public policy considerations of EC '92 that have been outlined underlie more specific decisions that the EC has taken. EXAMPLES OF EC DECISIONS AFFECTING INFORMATION SECURITY EC actions to respond to computer crime have generally been technical in nature (as with telecommunications standards), specific to a technological development (as with EDI or credit card issues raised by the Inter-Service Group on New Means of Payment), and/or specific to a particular legal issue (copyright, privacy, etc.). Proposed European security standards, referred to as the international technology security evaluation criteria (ITSEC), could also become EC-wide standards, affecting the banking industry in particular. The major categories that have been outlined encompass a large number of other, more specific EC decisions and concerns affecting information security. In order to provide specific information concerning the impact of the Single Market Unification on information and to direct attention to major developments that are related to information security, several specific examples of Unification '92 developments that affect information security will be presented. THE EUROPEAN INFORMATION SERVICES The EC has moved to establish an information market and to improve conditions for the transmitting and accessing of information services. The EC has approved a plan of action for setting up an information services market. The major objectives for this market were to stimulate and reinforce the competitive capability of European suppliers of information services and to promote the use of advanced information services in the Community within the context of a world market. 
EC activities are to harmonize legal, administrative, and technical requirements for the establishment of an information market and to establish greater standardization and simplification. In essence, the establishment of the information market will involve an overhaul of communications as it currently exists in the Member States. The EC hopes to open telecommunications to more competition in its attempt to liberalize and harmonize the 12 national telecommunications markets. At present, the 12 national PTT systems are divided by mismatched technical standards and licensing requirements, entrenched government monopolies, and protectionist procurement policies. The EC Commission has generally advocated a market-oriented approach to replace state monopolies for value-added services such as facsimile and electronic mail and for some types of telecommunications equipment. Deregulation and privatization of the telecommunications sector in many EC countries will open previously closed markets to competition. In June 1989, the EC Commission announced that it would proceed with a telecommunications service Directive. That approach allows the EC Commission to implement the Directive without the prior approval of the member state governments. The plan adopted by the Commission will force Member States to end their monopolies on all telecommunications services except real-time, switched voice, and telex, as well as provision of the underlying network infrastructure. In principle, this decision will eventually permit competition in computer communications, electronic mail, facsimile transmission, and videotex services. The technical information services decisions that will structure the information market have great implications for banking. Technical information services decisions will determine how banking practices will be able to be achieved as well as how information security and privacy can minimize risks in data processing. 
Certainly, there is no guarantee that the technical legislation will provide sufficient data security or privacy protections. The experience in the United States suggests that the divestiture or deregulation of phone services can affect businesses' ability to protect against attacks on their telephone systems and on the creation of business interruption problems. Information services may become highly developed and readily available, both for purposes of banking as well as for the use of those who wish to make unauthorized withdrawals. AUDITING STANDARDS AND REQUIREMENTS With the adoption of the 4th Directive on annual accounts and the 7th Directive on consolidated accounts, the EC has laid down a basic framework for accounting and financial reporting throughout the Community. In addition, specific rules for financial reporting by banks and insurance undertakings have been or are being elaborated. Banking and other financial services will be particularly affected by these actions. The EC felt a lack of progress in other efforts at modernizing accounting rules needed to be addressed beyond the Member State or accounting organization levels. Pressure for this modernizing partially came from the fact that banks have received a growing amount of public attention concerning secrecy and money laundering and increased accounting scrutiny has been called for. Finally, consumer/customer protection, quite specifically around credit and other banking operations, is another objective that the EC considers as important to establish prior to the end of 1992. Accounting rules and standards harmonization are essential to the EC internal market effort. 
Company law harmonization is specifically provided for in the EEC Treaty (Article 54, sub 3, littera g) by ...(C)oordinating to the necessary extent the safeguards that, for the protection of the interests of members and others, are required by Member States of companies or firms with a view to making such safeguards equivalent throughout the Community. The scope of application of the Directives is not limited to companies whose shares are listed on a stock exchange or to companies that have turned to the capital markets to obtain resources. In principle, the accounting directives apply to all limited liability companies in the Community. As a result, most undertakings involved in intra-Community trade are covered by the harmonization. For all Member States, the harmonization has resulted in the incorporation of accounting standards into legal rules. These efforts are intended to develop comparability and equivalence of financial information provided by limited liability companies. In summary, there will be an EC-wide set of regulations that will structure accounting rules and company law harmonization. For banks, this will affect the business environment within which banking operations function as well as create new regulatory-type restraints to be placed on many banking decisions that will be open to audit reviews. Whether this will improve the importance of auditors or lead to an increase in EDP audit reviews of system controls is not evident. Requirements for audits and tightening of the rules that apply to the independence of the audit will determine the strength of the auditing rule changes. EUROPEAN MONEY LAUNDERING CONTROLS One major crime-related and bank-specific topic that the EC and other international organizations have addressed is money laundering.  Central aspects of the Single European Market, such as the single financial market and the free flow of people, could create conditions conducive to money laundering. 
Internationalization of economies and financial services are opportunities that are seized by money launderers to carry out their criminal activities, since the origin of funds can be better disguised in an international context. For banks, the impact of anti-money laundering will be direct. These legal issues will put banks at significant risk in the event that they do not sufficiently review money sources. Also of great significance is that the regulations will require bank officials to have direct working relationships with law enforcement officials in combatting laundering. There are a number of moves both within the EC and internationally to restrict money laundering activities by banks. Bilateral agreements have been suggested to change bank secrecy laws (such as in Switzerland) in order to reveal laundering actions. Banking associations (as in Italy) have established regulations to restrict money laundering efforts. In January 1990, Sir Leon Brittan, the EC Commissioner responsible for competition and financial services, announced that the EC would adopt measures urging its members to enact legislation to combat money laundering and to follow up with mandatory measures. At that time, only a few of the Member States had laws that treated money laundering as a crime. The Community, he said, has accepted ...(T)he responsibility to impede launderers from taking advantage of the single financial market, and of the freedoms of capital movements and supplying of financial services that this financial area involves to facilitate their criminal activities. Lack of Community action against money laundering could lead Member States, with the purpose to protect their financial system, to adopt measures that could be inconsistent with the completion of the Single Market. 
The EC participated in discussions, and the EEC was one of the signatories to the UN Convention Against Illicit Traffic in Narcotic Drugs and Psychotropic Substances adopted on December 19, 1988 in Vienna. This Convention provides, among other points, that the States adhering to it shall criminalize a series of conducts related to drugs as well as money laundering. International cooperation is expected in such areas as confiscation and seizure of criminal proceeds, international judicial assistance, and prohibition of invoking banking secrecy in order to avoid investigations under the scope of the Convention.

The Directive specifies the need to identify customers and beneficial owners, due diligence requirements for credit and financial institutions, cooperation between credit and financial (and supervisors) and judicial or law enforcement authorities competent for criminal matters, and the establishment of procedures of internal control and training programs by credit and financial institutions.

Quite likely, this attempt to find a balance between an open market for currency transactions and restrictions over money laundering will continue to be a prominent issue in the EC, even after 1992. Regardless of how the issue evolves, it has become a touchstone for determining how bank financial transactions can be acted upon.

OPEN BORDERS, CRIME CONTROLS, AND INTELLIGENCE SHARING

Related to the fight against money laundering but important in its own right is the issue of allowing the free flow of people and goods across borders. For banking, the importance of this political and public policy decision is that banking operations will have to be protected from gatherings of criminals intent on coordinated computer crime attacks. The opening of the borders will have to be joined with increased protections against electronic means that can allow borders (and banks) to be penetrated.
There may also be a need for cooperation between bank security and intelligence agencies that are collecting information on potential crimes and other planned acts of violence. The Schengen Accord on open borders is an attempt to balance the potentially contradictory goals of open borders and crime control restrictions, particularly in fighting drugs distribution. Prior to the Schengen and similar agreements, drug trafficking restrictions resided primarily at the State level, often concentrating on police operating at border controls. The Schengen Accord builds on previous EC actions against drugs, including the establishment of an information system or data network to share information about suspected criminals and other police intelligence. The Trevi Group, a multi-nation effort that focuses on the fight against terrorism, drug trafficking and organized crime, proposed a legal regime on European information technology for identifying and controlling criminals, particularly international terrorists and drug dealers. Belgium, which at the time of the signing did not have a law protecting access to electronic data kept on file about its citizens, promised to pass new legislation before the Agreement came into full effect. Other European nations will be brought into negotiations quite soon in order to expand the Agreement's provision to larger areas of the Continent. While aspects of open borders are not new in Europe, risks of crime and terrorism may be increased. This particular set of directives and agreements may come to haunt the EC if there is an increase in terrorism, bank crimes, illegal immigration, and other problems that are of major interest to the public. As with EC money laundering efforts, banks will have to become more proactive in their ability to anticipate and respond to coordinated international criminal acts against financial systems. ELECTRONIC DATA INTERCHANGE Unknown a decade ago, uncommon a year ago, EDI payment systems are coming of age. 
No single development holds more potential to change the nature of corporate banking.

Electronic Data Interchange is indeed a significant factor in banking as well as for other businesses. European banks will either become an established force in EDI or lose their EDI role to the value added networks, which will allow companies to bypass banks in making and receiving electronic payments. Regardless of the outcome, EDI will be a major financial force in EC '92. Banks will also have to face the legal and security complexities of EDI, as has the EC.

The EC, in recognition of the importance of EDI, established TEDIS (Trade Electronic Data Interchange Systems) as a Community action plan. The objectives of TEDIS are:

  To avoid a proliferation of closed trade EDI systems and the widespread incompatibility that this entails;

  To promote the creation and the establishment of trade EDI systems that meet the needs of the users, in particular small and medium-sized enterprises (SMEs);

  To increase the awareness of the European telematic equipment and services industry to meet users' requirements in this area;

  To support the common use of international and European standards, where these exist, and in particular the recommendations of the UN/ECE with regard to international trade procedures.

TEDIS encourages the implementation of EDI standards, the improvement of the European telecommunications infrastructure, the promotion of adequate security measures, and appropriate harmonization of national laws. In addition, the EC has explored the security and legal aspects necessary to ensure EDI functionality. Two expert workshops were held in Brussels in June, 1989, and a number of insights and recommendations have been transmitted to the EC. Further refinement and development is anticipated. \10

Banks will have to continue to evaluate their role in EDI and whether the market conditions require bank involvement.
EC and industry technical, security, and legal decisions that are now being decided upon will affect banking operations. If banks become directly involved in EDI, they will be affected in a direct manner by EC '92 decisions. In the event that banks do not participate in EDI, they will still be affected by these decisions but in an indirect fashion. Those indirect impacts will stem from EDI's importance, which will result in an expansion of decisions about EDI to other financial activities. It can be anticipated that the structuring of financial reporting requirements determining EDI operations and the development of security standards for EDI, including user authentication and digital signatures, will become necessary for banks to accept under other EC directives. CHANGES IN LEGAL RULES AND STRUCTURES Banks, as well as other institutions, will find a variety of new legal requirements that will have to be met under EC rules. These requirements may replace national laws that, under current circumstances, were more conducive to certain current banking and financial practices. Outside of the computer and communications arena, new common rules to decide questions of jurisdiction and enforcement of judgements in civil and commercial matters will apply throughout the EC. These new legal rules are already in application among Member States. At a special convention of the Community's justice ministers in San Sebastian on 26 May, 1989, all of the EC, with the exception of the United Kingdom, Germany, and Ireland, had decided to speed up the transmission of extradition demands. Nevertheless, criminal law and procedural law are increasingly being tested in response to computer-related problems, particularly when they become international. 
Even if one country satisfactorily solves complex legal problems of the computer networks and persons under its own jurisdiction, it may still be unable to take action when a computer harm occurs involving a network or a person "located" in another nation. Other important computer-related legal areas attended by the EC Commission cover the protection of intellectual property, including trademarks, patents, and copyrights. These property rights have traditionally come under the jurisdiction of the individual Member States. The EC has been attempting to harmonize the laws by expanding the scope of products covered and the enforcement of laws to the same level throughout the Community. Efforts are also accelerating to create a Community Trademark and a Community Patent as well as to achieve a common level of copyright protection for computer programs. Clearly, the legal changes that will develop due to the Single European Market will affect banking. As banking and computer/communications-related laws are applied Community-wide, regulations will increasingly determine how banking errors, crimes, and disagreements affecting essential aspects of banking will be resolved. The law, as well as the types of difficulties in fully extending its reach that have been discussed in this section, will have a direct impact on how banking services will function and banking will advance in the EC '92 period. DATA PROTECTION, PRIVACY, AND COMPUTER CRIME LAW REQUIREMENTS EC directives on data protection, privacy, and computer crime will also have a direct impact on unified banking as well as the formation of the important information services market. These directives will become important factors in defining information security standards and, particularly for banks, in determining how sensitive information can be collected, changed, transmitted, and stored. Computer crime laws and privacy protections also affect business operations. 
At least 20 industrialized nations have some form of computer crime, privacy, and/or software protection law. Recently, computer crime was listed as one of the priority legal issues identified in the plan of action for setting up an Information Services Market. A similar situation exists for privacy protections. At least 16 Western countries have passed or prepared special legislation against infringements of privacy and at least another 13 countries have bills pending to establish or to amend privacy protections. The Council of Europe has taken a leadership role by preparing various white papers and calling ministerial meetings on data protection, privacy, and computer crime laws. Yet, as of early 1990, approximately half of the Member States have as yet ratified the Council of Europe Convention on Data processing regarding data protection for individuals. At a conference in Luxembourg in late March, 1990, EC Director General Michel Carpentier said that there is pressure for a more "decisive" approach from the Commission in the form of more stringent harmonization of legislation in the Member States. This pressure is being generated, among other things, from the growth in electronic information services and the setting up of Community-wide networks. According to the Director General, these new technologies and services have social and economic ramifications. The Commission is concerned with protecting privacy and personal data while, at the same time, encouraging the growth of information services. The problem to be addressed is how to reach a proper balance between privacy and use of data. Filippo Pandolfi, Commissioner of Science and Research, says that he fears that modern telecommunications technology means there is a greater risk that sensitive information will be misused or stolen.  In the middle of 1990, the Commission proposed a package of legislative measures on the issue of data protection. 
These included:

  Companies must follow standard procedures designed to ensure that information about an individual is not improperly gathered or disclosed.

  Individuals are given the ability to suppress automatic number identification and require carriers to notify users when calls are forwarded to another number.

  The EC will join the Council of Europe in the development of pan-European personal data protection standards.

  A directive will be developed that will outline minimum security standards for information systems.

EC officials acknowledge that it could be a long time before these proposed new regulations are enacted, if they are adopted at all. These Directives could substantially restrict direct marketing companies that utilize personal data for marketing purposes as well as the collection of information for sale by banks and other organizations.

Banks will be among the major institutions to be regulated under EC data protection, privacy, and information security rules. There is no doubt that even if these EC directives are not accepted by the Member States by 1992, the first major publicized incident where computer crime occurs or privacy has been violated will become the impetus for quick and far reaching EC legislation. Banks should actively review these EC activities to determine how banking services and products will be affected.

PREPARING FOR THE COMPLEXITIES OF LAW, TECHNOLOGY, AND BANK INFORMATION SECURITY

In order to face these legal, technological, and information protection complexities, organizations will have to expand their perspectives on security. The material discussed in this article suggests that information security must become part of an organization's strategic planning. Information security is no longer simply a locking down and locking out process. Increasingly, it influences and is influenced by central social, political, and technical considerations.
The Single European Market may turn out to be one of the major case studies of this trend.

BIBLIOGRAPHY

1. Commission of the European Communities, Proposal for a Decision of the Council in the Field of Information Security [INFOSEC], Communication of the Commission to the Council and the European Parliament, COM(90) 314 final, Brussels, 03.07.90.

2. Adapted from the U.S. Department of Commerce, List of European Community 1992 Directives and Proposals, and various other publications from the Single Internal Market Information Service, International Trade Administration, U.S. Department of Commerce, various dates.

3. Thomas H. Hanley et al., European Banking Integration in 1992: The Competitive Challenges Facing U.S. Multinational Banks, New York: Salomon Bros., June 1989, 1. For a brief history of the liberalization of banking services and a general discussion of the overall changes in the Single European Market program, excellent sources of information are "European Commission Prepares the Way for Changes," European Banker, April 24, 1989, 11-12 and The European Financial Common Market, an official publication of the EC, Periodical 4/1989.

4. For a general perspective on these and related issues, see U.S. Congress, Office of Technology Assessment, Critical Connections: Communications for the Future, OTA-CIT-407 (Washington, DC: U.S. Government Printing Office, 1990). This report is an evaluation of the choices facing the United States in enhancing communication technologies.

5. Peter Greiff, "Companies Must Wait Until End of '92 to Cash in on EC Telecommunications," Wall Street Journal, February 2, 1990.

6. Karel van Hulle, "Accounting and Financial Reporting in the European Community: Quo Vadis?" Der Schweizer Treuhänder, November 1989, 519-522.

7. For more information on this topic, see "Panama is Resisting U.S. Pressure to Alter 'Inadequate' Bank Laws", New York Times, February 6, 1990, A1, D24; Sanford Sherizen, "Are You Ready For a New Game Plan?", Bank Systems and Technology, June, 1990, 44, 45.

8. This and other specific discussions about controlling money laundering are found in the Proposal for a Council Directive on Prevention of the Financial System for the Purpose of Money Laundering-COM(90) 106 final-SYN 254, Brussels, 23 March 1990.

9. Steve Ledford, "EDI and Banks: The Odd Couple?", Electronic Payments International, February 1990, p. 2.

10. Commission of the European Community, TEDIS Factsheet, DG XIII, Telecommunications, Information Industries and Innovation, Brussels, 1989.

11. Wall Street Journal, July 20, 1990, p. A9.

------------------------------

Date: Sat, 16 May 1992 10:32:01 GMT
From: "Mark P. Neely"
Subject: Papers of interest to readers

Here is a list of some files stored at sulaw.law.su.oz.au (pub/law directory) which might be of interest to readers of this mailing list.

Mark N.

Law.Privacy - _Computer Privacy v. First & Fourth Amendment_
    by Michael S. Borella
Email-Privacy-Law.txt - _The Electronic Communications Privacy Act of 1986_ (United States)
Email.Privacy - Misc. quotes from US cases involving privacy
Tempest.Law - _Eavesdropping on the Electromagnetic Emanations of Digital Equipment: The Laws of Canada, England and the United States_
    by Christopher Seline
ecpa.layman - _The Electronic Communications Privacy Act of 1986: A Layman's View_
    by Michael H. Riddle
ecpa.amendment.bill - A Bill to Amend the ECPA 1986 (transcript)
elec.rights - _Citizens Rights and Access to Electronic Information_
    Ascii version of a booklet distributed by the American Library Association conference.
    by Dennis J. Reynolds (editor)
foia_computer - Computer Friendly FOIA? Data-Access laws may be Updated.
    by George Lardner Jr, Washington Post Staff Writer
kapor - Free Speech and Privacy Online
    by Mitch Kapor & John Perry Barlow
Telephone_Privacy - Telephone Privacy in the 1990's
    by Mark Rotenberg, Computer Professionals for Social Responsibility
privacy_legis - Simons' Electric Privacy Bill (S.516) To prevent potential abuses of electronic monitoring in the workplace
alcor1 - Article: "Alcor files suit over electronic mail seizure"
    by David Bloom, The Press Enterprise
alcor2 - Court Filing: Complaint for Declaratory Relief and Damages (Under the ECPA)
alcor3 - Notice of Motion and Motion to Dismiss Complaint for Declaratory Relief and Damages
alcor4 - Reply to Motion to Dismiss
alcor5 - Reply to Reply and Judges' ruling
alcor6 - Article: "Email privacy case settled"
alcor7 - Defendant's Memorandum of Point and Authorities in support of their motion to dismiss
alcor8 - Full text of the ECPA suit
cubby-against-compuserve - The Compuserve Case: A Step Forward in First Amendment Protection for On-Line Services.*
    by Mike Godwin
    * Appearing in EFFector Online, Jan 7 1992, Vol.2 No.3
telecommunications.bill - Amendment to the _Communication Act_, entitled _The Telecommunication Act_.

------------------------------

Date: Sat, 16 May 92 13:40:49 -0400
From: "Mark W. Eichin"
Subject: re: Is Email Private--NOT!

> Now that you've got me worried. . . . I'm on a machine that is part of MIT's
> project athena, and the Kerberos authentification system. My mail may not

Well, actually, you're *using* software *developed by* MIT's Project Athena. (Project Athena was 8 years of funding which is over; it is no longer a Project, but a part of MIT Information Systems...) (I'm pretty sure that Athena and Kerberos are both trademarks of MIT.)

> be private, but do I have an assurance that I am the only one who can send
> mail with my name on it?

None at all. (I could have sent *this* message with your name on it, and wouldn't have even had the Source-Info tag that your message did...)

> Or can someone forge my name on a piece of mail and
> send it without the receiver getting a notice that the mail is not authentic,
> and therefore suspect of forgery? This may be read as "Is Athena more secure
> than other systems" if you'd like to give me a general answer. . . .

Kerberos provides the tools to perform authentication over an insecure network. The only use of Kerberos that involves email is the authentication of access to Post Office servers -- if you're using the Kerberized Post Office server, then once your mail has been delivered to your "po box" the only way to get it out is by presenting appropriate Kerberos tickets. (For an analogy -- a conventional US Mail Post Office box, with a good strong lock on it, but everyone sends post cards... only you can actually pick them up, but anyone "along the way" can read them.)

Without the use of some signature technology (such as "Privacy Enhanced Mail" or the NIST proposed "Digital Signature Service") forging your email is going to be trivial. Use of PEM or DSS requires either appropriate licensing (for PEM, as of today) or faith in a government-specified algorithm that hasn't had much independent analysis (NIST DSS, as of today.) Both situations are expected to improve. Until they become widely used, electronic mail over the Internet is about as private as postcards are; less, even, because it's hard to automatically search the contents of postcards going by.

_Mark_
MIT Student Information Processing Board
Cygnus Support

------------------------------

From: Tom Wilson
Subject: Re: Is e-mail private?
Date: Sat, 16 May 1992 14:06:18 GMT

Any idea what the privacy law is regarding email in Canada? Does it depend on whether the email originates in Canada, or elsewhere?

Tom

------------------------------

End of Computer Privacy Digest V1 #029
******************************
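
Added example, not part of the digest or of any poster's message: Mark W. Eichin's reply above says that mail without a signature technology such as PEM or DSS cannot be told apart from a forgery. The sketch below shows what a receiver gains from a signature check, using a Lamport one-time hash-based signature as a stand-in for PEM or DSS (an assumption made here so that it runs on the Python standard library alone); the addresses, message text and function names are constructed for illustration.

```python
import hashlib
import secrets
from email.message import EmailMessage

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair: 256 pairs of secrets; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk

def digest_bits(msg: EmailMessage):
    """256 bits of SHA-256 over the fields a reader trusts: From, Subject and body."""
    canon = "\n".join([msg["From"], msg["Subject"], msg.get_content()]).encode()
    d = h(canon)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(msg, sk):
    # Reveal one secret per digest bit. A Lamport key must sign only ONE message.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify(msg, sig, pk):
    bits = digest_bits(msg)
    return len(sig) == 256 and all(h(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits)))

def make_mail(sender, subject, body):
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content(body)
    return m

def demo():
    alice_sk, alice_pk = keygen()   # assumption: public key published out of band
    genuine = make_mail("alice@example.org", "Lunch", "Meet at noon.")
    sig = sign(genuine, alice_sk)
    # Constructed look-alike: the From header is plain text, so it matches exactly.
    forged = make_mail("alice@example.org", "Lunch", "Meet at midnight instead.")
    other_sk, _ = keygen()          # a key that is not Alice's
    return {
        "headers_identical": forged["From"] == genuine["From"],
        "genuine_verifies": verify(genuine, sig, alice_pk),
        "reused_signature_on_forgery": verify(forged, sig, alice_pk),
        "forgery_signed_with_other_key": verify(forged, sign(forged, other_sk), alice_pk),
    }

if __name__ == "__main__":
    print(demo())
```

The headers of the two messages are byte-for-byte identical, so only the signature check against the sender's published key separates them; the Kerberized Post Office server described in the reply controls who can collect mail, not who wrote it.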