Date: Sat, 04 Dec 93 09:14:35 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V4#003 Computer Privacy Digest Sat, 04 Dec 93 Volume 4 : Issue: 003 Today's Topics: Moderator: Leonard P. Levine Re: Right To Search Floppy Disks? Re: Right To Search Floppy Disks? Re: Right To Search Floppy Disks? Re: California DVM's SSN requirements Re: Guns Control/Registration/Confiscation Re: Privacy of cellular phones The Club CallerID Approved in Wisconsin New GAO report on Communications Privacy The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- From: ranck@joesbar.cc.vt.edu (Wm. L. Ranck) Subject: Re: Right To Search Floppy Disks? Date: 2 Dec 1993 16:19:55 GMT Organization: Virginia Tech, Blacksburg, Virginia Brinton Cooper (abc@arl.army.mil) wrote: : This seems comparable to searching lockers. In at least some cases, the : rights of school authorities to search student lockers looking for : "drugs" or "stolen property" has been upheld; and these administrators : aren't even police! They have also exercised their right to require : students to empty the contents of their pockets for the principal; : again, no police are involved. So-called suspension hearings in Harford Actually I think folks seem to have a basic misconception here. It is precisely *because* they are not the police that they can do locker searches, etc. The police are held to a higher standard for probable cause to search. A school administrator might be able to do a search that would be illegal for the police. As far as the floppy disks that the original poster asked about, who knows. Do they belong to the school (as lockers do) or did the person own them? Depending on the situation a lawyer might be worth talking to. -- * Bill Ranck (703) 231-9503 Bill.Ranck@vt.edu * * Computing Center, Virginia Polytechnic Inst. & State Univ., Blacksburg, Va. * ------------------------------ From: "Dick Murtagh (8-465-4916)" Subject: Re: Right To Search Floppy Disks? Date: Fri, 3 Dec 93 14:21:40 PST > Justin Fidler writes : > > Does anyone know of the legal issues involved when a public high school > searches the floppy disks of a student? I have witnessed an incident > where a school administration has gone to the effort of undeleting files > and then using the information found in these undeleted files against a > student. It seems to me this would be comparable to the police searching > through a person's garbage. Any ideas? Disclaimer: I am not a lawyer. Do not take this as legal advice : It's a matter of who owns the disks. Are they borrowed from the school or were they purchased by the student ? If they belong to the school, then the school can search them at any time (like the lockers). If they belong to the student, then the search is an invasion of privacy and the student can sue for damages. Dick Murtagh ------------------------------ From: craffert@nostril.lehman.com (Colin Owen Rafferty) Subject: Re: Right To Search Floppy Disks? Organization: Lehman Brothers Inc. Date: Fri, 3 Dec 1993 22:28:51 GMT In article jfidler@cap.gwu.edu (Justin Fidler) writes: > Does anyone know of the legal issues involved when a public high school > searches the floppy disks of a student? I have witnessed an incident > where a school administration has gone to the effort of undeleting files > and then using the information found in these undeleted files against a > student. It seems to me this would be comparable to the police searching > through a person's garbage. Any ideas? It seems to me more closely comparable to looking in a student's locker, or through his/her book bag. In recent history (last fifteen years or so), it has become very accepted that going through students' lockers is perfectly acceptable. Schools will perform open lockers for cause, for random checks, and will even spot check entire schools. Now I don't think that students should be afforded any fewer rights than adults, but that is what is happening. A floppy disk is just another kind of school locker. This is why everything personal that you have should be encrypted. Everything. If you only encrypt some things, then they are hiding something. If you have everything encrypted (including the file holding the mapping of random file names to useful file names), then you are simply being cautious about losing your disk. Then, when the principal asks for you to decode your files, you can weigh the punishment between disobeying and whatever you are actually trying to hide. -- Colin Rafferty, Lehman Brothers pgp print = 91FED077 BD5588B6 30B372D2 F9172162 Don't know what pgp is? Ask me! ------------------------------ From: "Willis H. Ware" Subject: Re: California DVM's SSN requirements Date: Fri, 03 Dec 93 15:30:32 PST bruces@sco.com (Bruce Steinberg) writes at length about the situation in California which compels use of the SSN for DMV purposes. The response from his Senator Mello was marvelously non-responsive, and it amounted to a brush-off bread-and-butter letter. That's the politician's way of telling you that the matter is not high on his priority list and will not be until some legislator gets caught or is threatened by the system; e.g., Judge Bork and video rental records. As a passing comment, I'm told that Calif State Senator Lockyer was the person who made sure that the DMV did not put the SSN on the face or the mag stripe of the driver license. You might try your views on him. The California DMV tried to be responsive to the privacy points as manifested in the federal Privacy Act of 1974. There is a brochure in DMV offices that explains the SSN thing and advises why it is collected. Unfortunately the usage is given in terms of enforcement of several laws which are quoted by legislative code identifiers, but never named and never described. It was a nice try but the brochure falls far short of being really informative about the rationale behind the procedure. Did the DMV just goof it? Did the DMV not appreciate what a privacy act notice is intended to convey? Or did the DMV in effect stonewall the issue and honor the letter, not the spirit, of such notices? And this discussion leads to a collateral concern. The present status of the SSN's being a de facto personal identifier is a result of a sequence of decisions over 55 years, none of them seen as "a big thing" at the time but in fact, seen as rational and proper. The country has before it the question of what enumeration system should be used for patient ID in the healthcare reform movement. The obvious tendency will be "go for the SSN" for a whole variety of reasons; e.g., the government issues and maintains the system for us, we're used to it, making changes will be prohibitively costly, what's wrong with it anyway, too much software is built around the 9 [or 10] character SSN or Medicare number. It would be distressful for the country to adopt the SSN as the patient ID for such reasons. I would argue that an acceptable patient ID from the privacy point of view must be limited in use to only health care information. The most compelling argument against the SSN is that it cannot possibly be given legal protection at this juncture. The horse is long gone. A counter argument might be that we can legislate control of the databases in which health data reside; but if the SSN is in the record, sooner or later there will be a reason that somebody will sell as compelling and in the interests of society. In fact, the mere presence of the SSN will encourage people to think of new uses, because the file linkage will be so easy. The barrier will break and health data will leak and migrate to all sorts of other databases which contain personal information and the SSN. More to the point, if the SSN is used as the patient ID, unauthorized leakage of health data to other databases will occur anyway. Given the dossier-quality records already available in electronic form on at least half the people in the country, it's shuddering to contemplate that health data might be added to them. And all because the country failed to bite the bullet and make a change that is needed; we do it now or we never do it. We act to assure confidentiality and privacy, or we implcitily agree to live with collateral [to healthcare delivery] uses of health information. Willis H. Ware Santa Monica, CA ------------------------------ From: "Willis H. Ware" Subject: Re: Guns Control/Registration/Confiscation Date: Fri, 03 Dec 93 15:30:32 PST David Horvath writes: >>> ................... A simple NCIC check would show if you were a >>>convicted felon and the addition of a 'mental stability' flag to the >>>database would be a simple matter. You have made a grievous mistake. Why do you think that the NCIC records are correct, complete, and accurate? Generally speaking, criminal history records are notorious for being full of errors, and often the indictment side is in the record without the result of the judicial closure. The record hence is one-sided. For something as important as gun control, we better not lean on a weak and bending, if not ancient, database whose integrity has never been established. And given that, would you be happy to have yourself in such a database with a mental stability flag? Would you be happy to have such an entry available to ALL law enforcement agencies in the country -- federal, local, state -- for none of whom is there accountability ? There is no Privacy Act considerations in re NCIC; how would you cause an error to be corrected, even if you were able to discover that an error even existed? Please -- when you think using databases for all manner of societal safeguards, controls, and services, think about the fact that such systems typically have poor security, are commonly implemented on older equipment, usually have no oversight mechanism that enforces accountability to the citizenry; AND most importantly, think about the fact that systems usually do not work the way some legislature believes it will as a consequence of some law. Systems will always have anomalies and often unforeseen effects. Think about the privacy and societal consequences before the fact, not lament them after the fact. ------------------------------ From: tim@umcc.umcc.umich.edu (Tim Tyler) Subject: Re: Privacy of cellular phones Date: 4 Dec 1993 00:29:49 -0500 In article , Percival Wendel Wippenheimer wrote: >The answer to this is simple: Do not use Cellular Phones until >proper scrambling becomes widespread. That's not very practical. Just don't say anything sensitive in a manner which would be understandable by any unauthorized parties listening in. >Furthermore, any ham radio operator who knows even a >little bit >can modify a cellular phone so that monitoring can take place. > Most of the modifications are software-based, although some involve shorting out two particular pins on the programming port. I really doubt any ham operator is going to instantly have the knowledge of modifying the CMT to receive/scan all the channels. >PWW -- Tim Tyler Internet: tim@ais.org MCI Mail: 442-5735 GEnie: T.Tyler5 P.O. Box 443 C$erve: 72571,1005 DDN: Tyler@Dockmaster.ncsc.mil Ypsilanti MI AOL: Hooligan Packet Radio: KA8VIR @WB8ZPN.#SEMI.MI.USA.NA 48197 "Celebrate diversity -- get intolerant about something!" ------------------------------ From: walls@oms24.cfsat.honeywell.com (Gerald Walls) Subject: The Club Date: Thu, 2 Dec 93 07:35:02 MST Maybe I'm just being irrational but I heard an ad on the radio this morning that really bugs me. The makers of The Club have a set up a number (800) 633-CLUB that you are supposed to call to report the license plate number of a car registered in your state that has The Club in it. This enters you into a drawing where they will award 50 $100 prizes. You can only enter once. This to me seems like a violation of privacy. If I buy The Club and don't send in the registration form maybe I don't care for them to know I bought it. Maybe I didn't want to get a bunch of crappy junk mail. Now they're going to pay my neighbor to turn me in. I called the number to complain but it was an automated touch-tone response line and I didn't hang on to see if there was a drop-to- operator if you didn't have touch-tone. Maybe everyone with an idle computer and a modem should call the number over and over and run up their 800 charges. Nah. That wouldn't be nice and I'd never advocate it. -- My Opinions Only | Who is John Galt? | --------- Space Available ----------- Gerald Walls | NRA Life Member | Don't blame me. I voted Libertarian. walls@saifr00.ateng.az.honeywell.com / int_walls@ecc6.ateng.az.honeywell.com ------------------------------ From: "Prof. L. P. Levine" Subject: CallerID Approved in Wisconsin Date: Fri, 3 Dec 1993 07:00:12 -0600 (CST) The state of Wisconsin Public Service Commission has just approved the CallerID service that Ameritech and PTI Communications had requested. That service will permit per-call blocking for no charge, per-line blocking for no charge for agencies such as law enforcement and social service and for clients of such agencies. No others will be allowed per-line blocking. The monthly charge for receiving CallerID will be about $6.50. According to an Ameritech spokesman service probably will begin in March in the Milwaukee-Racine-Kenosha area unless further legal challenges occur. This is excerpted from a front page (below the fold) story in Thursday's (12/2/93) Milwaukee Journal. -- Leonard P. Levine e-mail levine@cs.uwm.edu Professor, Computer Science Office 1-414-229-5170 University of Wisconsin-Milwaukee Fax 1-414-229-6958 Box 784, Milwaukee, WI 53201 ------------------------------ From: KH3@cu.nih.gov Subject: New GAO report on Communications Privacy Date: Fri, 03 Dec 1993 16:10:13 EST GAO recently issued a report "Communications Privacy: Federal Policy and Actions", GAO/OSI-94-2, dated November 4, 1993, that may be of interest to members of your group. The report focused on the following issues: --The need for information privacy in computer and communications systems--through such means as encryption, or conversion of clear text to an unreadable form--to mitigate the threat of economic espionage to U.S. industry; --federal agency authority to develop cryptographic standards for the protection of sensitive, unclassified information and the actions and policies of the National Security Agency (NSA), Department of Defense, and of the National Institute of Standards and Technology (NI ST), Department of Commerce, regarding the selection of federal cryptographic standards; --roles, actions, and policies of NSA and the Department of State related to export controls for products with encryption capabilities and industry rationale for requesting liberalization of such controls; and --the Federal Bureau of Investigation's (FBI) legislative proposal regarding telephone systems that use digital communications technology. I have placed an electronic version of the report named OSI-94-2.TXT in the GAO-REPORTS anonymous FTP directory at NIH (ftp.cu.nih.gov). Joe Sokalski, GAO--Los Angeles kh3@cu.nih.gov ------------------------------ End of Computer Privacy Digest V4 #003 ****************************** .