Date: Wed, 27 Jul 94 15:47:59 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V5#013

Computer Privacy Digest Wed, 27 Jul 94              Volume 5 : Issue: 013

Today's Topics:                         Moderator: Leonard P. Levine

    Questions about using "discussion list" membership lists
    Re: Government E-Mail Directive
    Re: Government E-Mail Directive
    Credit card opt out?
    Re: Companies Recording Phone Calls
    Re: Companies Recording Phone Calls
    Re: Companies Recording Phone Calls
    Re: University of New Mexico use of SSN as ID
    Re: Many Phone Taps are now Legal
    Re: Many Phone Taps are now Legal

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

From: DAVID@SIMSC.SI.EDU (David Bridge, MSC VAX System Manager)
Date: 26 Jul 1994 10:34:41 -0400 (EDT)
Subject: Questions about using "discussion list" membership lists

Dear Friends of Ethics-L and Cyberia-L:
(cross posted to both discussion lists)

We are compiling a "Directory" of people and their e-mail addresses in one subject area (museums, museum staff, cultural organization, and museum-related organizations) currently using the various worldwide electronic networks. We are gathering information from two sources: personal contributions, and organization representatives (i.e. e-mail administrators). Since these people are providing the information for the Directory they are "agreeing" to having it included and published.
A third source of names and e-mail addresses, which we are considering, is the membership list for several discussion lists, i.e. MUSEUM-L, etc. Some of these are "private lists", i.e. not publicly available. Others are "public" in my opinion. Any person can become a member. Any person can send a "review" command and get a copy of the members of these discussion lists. For example: Ethics-L has 228 non-concealed people listed, and reports 5 concealed "people"; while Cyberia-L has 237 non-concealed subscribers, (concealed users are not specified by the review command).

THE PROBLEM:

It has been suggested that it would be very wrong for us to gather names from these distribution lists, (even though they are public domain in my opinion) and include them in the directory without the explicit approval of the individuals. We know that laws, customs, ethics, and netiquette vary from country to country.

My good friend Cary Karp writes specifically from Sweden, "The rules of netiquette with which I'm familiar regard it as highly inappropriate to publish things such as the names and email addresses of participants in a distribution list. Are we going to ask for permission prior to making a compilation of this type? In Sweden, at least, it would be illegal simply to publish a compilation of the names and addresses of people who had posted to a discussion list, or many of the other sources listed here. (Such a list could be seen as a catalog of identifiable individual's interests and, as such, may not be maintained without an explicit permit.)"

Including names and addresses from these discussion lists will be a VERY important and major contribution to the final directory, if they can be included.

1. We could contact the list owners for permission to include the names. This might cover me, but might still get the list-owner in trouble with the list membership.

2. We could post a message to each list about our project, and that their names and addresses will be included after some date, UNLESS they issue the conceal command (with instructions on how to do that).

3. We could omit the names from the Directory; but make a list of the different discussion lists. And then include the number of members of each list and how to use the "review" command to get their own copy of the members of each discussion list.

QUESTIONS:

Does using the names of a public list, WITHOUT permission constitute an invasion of privacy?

If we include the names without permission, is it: completely legal, "bad form", poor netiquette, or illegal?

What is the "official view" on this subject from different countries, not just the United States?

Please -- let's not start any wars here!! I'm looking forward to your thoughtful comments.

yours,
David Bridge
Smithsonian Institution
David@simsc.si.edu

------------------------------

From: "Dennis G Rears (FSS"
Date: 26 Jul 1994 17:35:24 GMT
Subject: Re: Government E-Mail Directive
Organization: U.S Army ARDEC, Picatinny Arsenal, NJ

Stan Koper wrote:
binskeep@crl.com (Bob Inskeep) wrote:

Two friends had been corresponding with me via a Military and Government net. Both recently stopped their e-mail with me and stated that they had received a rather lengthy instruction prohibiting personal e-mail on gov systems. I would like to obtain a copy of the instruction, if it exists. Any help would be appreciated. Thanks.

To my knowledge there is no Government Wide, DOD wide, or even Army wide policy on use of electronic mail. There is the standard prohibition about using "government resources for personal business/use". Each installation actually puts up its own policy. At some places it is an oral policy; at others it is written. In still other installations no policy is put up until there is a reason to put a policy. This is my experience only, however, I have been doing sys admin for the military for 10 years.
In lots of cases, the local installation will have a very lax policy because they want to encourage the use of email. In my case, it was one of "don't abuse it". When I started the CPD, it was allowed because it somewhat related (not that much related really) to my job as a sys admin.

Why not e-mail them and ask them to send you a copy? They may not be able to reply via e-mail, but as long as they're hooked into the internet, they should be able to receive your messages. Of course, you could always ask for a copy under the Freedom of Information Act (not that you'd get it, necessarily).

The problem with a FOIA request is the people processing the request would have a hard time finding it.

It's actually pretty much a common-sense thing, like not being able to use a government computer to keep and/or print out your Christmas card list, that sort of thing, and "private" e-mail would just be an extension of that.

Common Sense and government work rules do not necessarily go together. The more rigid "real army" sites would disapprove of this posting. R&D Army sites don't care.

[moderator: This posting is from Dennis Rears, the former moderator of Computer Privacy Digest who originated and then ran this show for three years before handing me the blazing torch last December. Most of what is organized here is credit to him. Welcome home Dennis. LPL]

------------------------------

From: huggins@quip.eecs.umich.edu (Jim Huggins)
Date: 26 Jul 1994 19:48:19 GMT
Subject: Re: Government E-Mail Directive
Organization: University of Michigan EECS Dept.

Dan Newcombe wrote:
huggins@quip.eecs.umich.edu (Jim Huggins) writes:

[...] The theory being, of course, that IBM wasn't paying for Internet access so that I could talk for free with my girlfriend (now my wife).

I thought that for Internet access, places paid one flat annual fee. So what difference does it make. It would seem you'd be getting your money's worth if people used it more and more.
Except if the load of people using the access port for mail or whatever for personal usage made it difficult for 'legitimate' business mail to get through. The business might pay a flat fee no matter how high the throughput, but the throughput is a fixed resource which (in the view of many businesses) needs to be managed.

For a 'big' firm like IBM, this might seem silly, since they've got the resources for an awful lot of throughput. But that presumes that the main priority in network access is throughput. At Westinghouse, for example, all incoming e-mail is sent to a single site on the East coast and then re-distributed nationwide. It's not the greatest for quick access, but it provides for greater security (since there is only one site directly reachable from the Outside World).

--
Jim Huggins, Univ. of Michigan                    huggins@eecs.umich.edu
"You cannot pray to a personal computer no matter how user-friendly it is."
(PGP key available upon request)                       W. Bingham Hunter

------------------------------

From: es@crl.com (Eric Smith)
Date: 26 Jul 1994 05:25:41 -0700
Subject: Credit card opt out?

Robert Ellis Smith <0005101719@mcimail.com> wrote:

California Begins New 'Opt-Out' for Credit-Card Customers

Does this mean we can opt out of paying our monthly credit card bills, and have the state pay them instead? Doesn't sound very likely. Or does it mean we can opt out of having our transactions reported on our credit files? That doesn't sound very likely either. Or if it means we can opt out of getting junk mail from mailing lists maintained by the credit card companies, I thought that option was already available nationwide, not just in California.

------------------------------

From: tenney@netcom.com (Glenn S. Tenney)
Date: 26 Jul 1994 11:57:26 -0800
Subject: Re: Companies Recording Phone Calls

tnyurkiw@laplace.uwaterloo.ca (Tom Yurkiw) wrote:

I think that recording business phone calls can be a GOOD idea in many cases. ...
A recording can only be helpful in situations where verbal authorizations or contracts are made over the phone.

I agree that there are cases where recording calls can be a good way to prevent finger pointing etc. I'm not so sure that calling AAA for road service is in that category, but...

Once they place the timed beeps on the line, they can record the call and DO WHATEVER THEY WANT WITH IT. You've agreed to the recording and you've agreed that they can release it, publish it, broadcast it, anything.

Now, if they instead used a recording that advised that all calls would be recorded and stored for xxxx period of time and what use would be made of them and that you agreed to those terms, then I'd have little objection. In that situation, we would know what's going to be done with our recording and the company would be bound to that use. But that's not how it's being done.

Another reason I posted this was to note that this is becoming more and more common. It is difficult to call for service on your hardware or software and NOT have them want to record your calls "for training" (whatever that might mean -- it could mean they play the funny ones in the lunch room and have a good laugh...).

From this comment and the two or three private emails I've received, it would appear that no one else sees this trend as a frightening glimpse into the future invasions of our privacy...

The EMPLOYEES, however, might be concerned about constant monitoring of their actions. ... The ONLY way to stop this is through regulation, and if this is not done, I foresee job-stress levels and turnover rates skyrocketing.

That's a whole different problem, and one that I've spoken on publicly... and it IS a huge problem for employees who are being monitored.!!!!!
--
Glenn Tenney
tenney@netcom.com      Amateur radio: AA6ER
(415) 574-3420         Fax: (415) 574-0546

------------------------------

From: huggins@quip.eecs.umich.edu (Jim Huggins)
Date: 26 Jul 1994 19:56:40 GMT
Subject: Re: Companies Recording Phone Calls
Organization: University of Michigan EECS Dept.

Tom Yurkiw wrote:

I think that recording business phone calls can be a GOOD idea in many cases. [...] The EMPLOYEES, however, might be concerned about constant monitoring of their actions. [...] One company even requires its employees to wear little transponder-badges which give the exact location within the building.

I actually heard a talk about such a system which was in active use (and still may be for all I know). The speaker treated the transponders as an advantage; for example, it was integrated with the phone system so that if an incoming call came in for you, it was automatically routed to the phone nearest you (in case you were in a meeting in another cube or in the lab or something). I'm not sure what privacy protections were in place, though -- the speaker spoke of co-operative management which presumably meant that no-one abused the information.

Most people would rebel if a camera was pointed directly at their desk to monitor them all the time;

There was an interesting piece in the Communications of the ACM a year or two back which talked about exactly that type of environment; it was an attempt to link two remote offices through lots of cameras everywhere (including offices). Every office had the option of turning off its camera, though -- so it was clearly controlled by its end users and not management. The report spoke well of the experiment.

The ONLY way to stop this is through regulation, and if this is not done, I foresee job-stress levels and turnover rates skyrocketing.

Just keep in mind that there may be legitimate uses for the same technology, and one must figure out how not to throw out the baby with the bathwater.

--
Jim Huggins, Univ. of Michigan                    huggins@eecs.umich.edu
"You cannot pray to a personal computer no matter how user-friendly it is."
(PGP key available upon request)                       W. Bingham Hunter

------------------------------

From: gordon@sneaky.lonestar.org (Gordon Burditt)
Date: 27 Jul 94 01:37 WET DST
Subject: Re: Companies Recording Phone Calls
Organization: /usr/lib/news/organi[sz]ation

want to have any of my phone calls recorded (unless absolutely necessary). I have no assurances that AAA *only* uses the recordings for those purposes. Does anyone share my concern that this ever increasing recording of calls is a potentially significant violation of our privacy...?

Sorry, nope, I regard this as unproductive paranoia. My calls to 911 are recorded, my calls to my mutual fund company are recorded, and my calls to AAA are recorded. No big deal. As long as they're upfront about it, I see this as both necessary and useful (protecting both sides in a telephone order to sell stock at a certain price, for example).

I'll partly disagree with this. Worrying about phone calls being recorded in a situation where the other party is going to record the information anyway, and furthermore, you WANT them to act on the conversation, probably is unproductive paranoia. You want 911 to respond, and you especially want them to respond if you give an incoherent description of where you are and then aren't able to continue the conversation. You want stock and mutual fund buy and sell orders recorded properly (and you want ones issued by someone else who has no business fooling with your account identified as not you). You want the merchandise you ordered to show up. You're going to give your name and address anyway, or they already have it.

I DO NOT want my calls to the IRS help line recorded (and triggering audits). I sometimes ask hypothetical questions or ask about questionable investment schemes before investing in them or deciding not to.
I see no reason why casual discussion with my stockbroker about investments - specific, in general, or as affected by current news, should be recorded until I actually issue an order to DO something to my account.

As to the AAA calls, I have mixed feelings. If I am calling AAA to plan a trip, I don't want my trip plans recorded and available where they might be sold to the local burglar's union. This is more of a problem to me than having AAA employees be rude to me.

--
Gordon L. Burditt
sneaky.lonestar.org!gordon

------------------------------

From: hibbert@netcom.com (Chris Hibbert)
Date: 27 Jul 1994 18:13:10 GMT
Subject: Re: University of New Mexico use of SSN as ID
Organization: NETCOM On-line Communication Services (408 261-4700 guest)

asked:

What do you make of this paragraph from the application to the University of New Mexico's Office of Graduate Studies:

The authority to use the social security number comes from the Board of Regents and was adopted on March 24, 1967.

Is this permitted even if the University complies with the Family Educational Rights and Privacy Act of 1974 (the "Buckley Amendment"), which prohibits them from giving out personal information (e.g. the SSN) on students without permission?

Government agencies which were already using the SSN as an ID before the Privacy Act was passed were allowed to continue using it. The above statement constitutes a legal justification for using the SSN. As long as they also comply with the provisions of FERPA, (and their disclosure statement tells all the ways they do use the number) it looks like they're legal.

--
Chris Hibbert          protecting privacy in the computer age is
hibbert@netcom.com     like trying to change a tire on a moving car.
------------------------------

From: John Medeiros <71604.710@compuserve.com>
Date: 27 Jul 94 01:01:38 EDT
Subject: Re: Many Phone Taps are now Legal

rja14@cl.cam.ac.uk (Ross Anderson) stated:

In the Law Report in `The Times' of Friday 22nd July (p 34) there is a report of a case, Regina v Effik and Regina v Mitchell (``Cordless phone tap admissible'', p 34) in which Lord Templeman, Lord Roskill, Lord Ackner, Lord Oliver and Lord Mustill found that the proceeds of an unauthorised phone tap are admissible in the UK provided that the tap was not applied to a link which was `comprised in' the public telecommunications system.

The Electronic Communications Privacy Act (ECPA) defines protected communications, specifies the legal requirements for interception and sets out the process for authorizing interception. The ECPA specifically refers to the handset to base portions of "cordless telephones" and permits interception of that portion without any legal process (warrant).

The law draws a distinction between the handset to base portion of the call, which it equates with all other radio communications governed by the FCC; and the rest of the call (from the base to the telephone company equipment). The terminology is different, but the legal concept is exactly as related by Anderson. Basically, the radio portion of a "cordless telephone" call is fair game.

The law makes a third distinction by prohibiting the intentional interception and recording of cellular calls (a warrant is required). Cellular calls, like traditional telephone calls, involve a "common carrier" from the outset.

Logically then, wireless intercoms would also be unprotected radio transmissions.
------------------------------

From: tnyurkiw@lambert.uwaterloo.ca (Tom Yurkiw)
Date: 27 Jul 1994 14:48:49 -0400
Subject: Re: Many Phone Taps are now Legal
Organization: University of Waterloo

rja14@cl.cam.ac.uk (Ross Anderson) writes:

In the Law Report in `The Times' of Friday 22nd July (p 34) there is a report of a case, Regina v Effik and Regina v Mitchell (``Cordless phone tap admissible'', p 34) in which Lord Templeman, Lord Roskill, Lord Ackner, Lord Oliver and Lord Mustill found that the proceeds of an unauthorised phone tap are admissible in the UK provided that the tap was not applied to a link which was `comprised in' the public telecommunications system.

Interestingly, in Canada, illegally obtained evidence is NEVER automatically excluded. Rather, if someone's rights have been violated, the evidence shall only be excluded "where it would bring the administration of justice into disrepute". (source: Canadian Charter of Rights and Freedoms)

So each illegally obtained wiretap would be considered individually.

--
Tom Yurkiw

------------------------------

End of Computer Privacy Digest V5 #013
******************************