Date: Wed, 12 Oct 94 19:47:54 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V5#048

Computer Privacy Digest Wed, 12 Oct 94              Volume 5 : Issue: 048

Today's Topics:                         Moderator: Leonard P. Levine

    Re: AOL Sells its Subscriber List
    AOL Rents Lists: The Truth
    Re: AOL Sells its Subscriber List
    Give Me Input On The Future Of Computing
    Re: Background Check For Job
    Re: Background Check For Job
    Re: SSN on driver's license in MO
    Re: Shareware Campaign Tool
    Send Me FTP Document
    Skip Tracer Finds Old Friends
    UW Madison Policy on Electronic Data Privacy
    2nd Intl Conf on InfoWar (long)

    Info on CPD, Contributions, Subscriptions, FTP, etc.

----------------------------------------------------------------------

From: mea@intgp1.att.com (Mark E Anderson +1 708 979 4716)
Date: 10 Oct 94 23:26:00 GMT
Subject: Re: AOL Sells its Subscriber List

It's up to you if you want to print this. I downloaded this from my account on AOL which will be cancelled shortly after I make a big huff and puff over there. What's the difference between selling and renting a customer list?

A Letter from Steve Case, President and CEO of America Online, Inc.:

October 6, 1994

Dear Members,

Over the past few days, there has been a fair amount of publicity -- and confusion -- regarding our policy of renting mailing lists, so I decided to send this update to you. For those who missed it, a leading Congressman (Rep. Ed Markey) issued a press release on Tuesday expressing concern about AOL's recent decision to rent its customer list. In particular, he expressed concern about the possibility of AOL selling lists based on data that should remain private. Within hours after receiving the press release and an accompanying letter from Rep.
Markey to me, I issued the following statement to the press: "As an industry leader, we fully support the privacy provisions as outlined in Congressman Markey's letter today, and we believe we are fully compliant with them. Sensitivity toward our members' privacy has been at the core of our business since we founded the company. We have asked for a meeting with Congressman Markey at his earliest convenience to explore issues of concern to him. If there continues to be confusion, we will pull the list off the market until this issue can be satisfactorily resolved. We believe that as this new interactive medium develops, it will be critical to build and maintain a strong sense of community. We have adopted guidelines which address privacy rights of our members. We look forward to working with members of the Subcommittee, as well as with our industry associations, to ensure comprehensive privacy protections by all providers as we move this medium forward." On Wednesday, this story was picked up by the wire services and a number of newspapers and television stations. The coverage was quite negative, and, unfortunately, misleading. For example, a wire story was headlined "Lawmaker Blasts America Online On Privacy" and the first sentence said: "America Online Inc., the on-line computer service, came under fire from a senior congressman Tuesday for the sale of lists that offer detailed information about its million-odd subscribers." (To be clear, we are *not* selling lists that contain information about the specific services people are using.) Since there was so much misunderstanding of what we did, and why we did it, I thought it might be helpful to share our perspective directly with you. As I'm sure you know, it is a common practice for companies to rent their lists. Just about every magazine, for example, rents its list. And the largest online provider, CompuServe, has been renting their list for the past 5 years. 
Another online leader, Prodigy, has rented an "electronic list" (promotional mail is sent to Prodigy mailboxes) for a comparable period of time. Among the major players, AOL was the only holdout. Why? Because it made us a bit uncomfortable. We felt that some of our members might be concerned about such a policy, so we decided not to do it. However, after learning more about the list rental business, we decided to go forward with a list rental program. There were two reasons for this. First, there was considerable profit potential. That's of course good for us -- but also ultimately good for our members, as the additional profit can help fund new content, features, and other innovations. Second, we felt that safeguards could be built into a list rental program that could minimize problems. This "safeguard" program had four elements. First, we decided to limit the amount of information we made available to direct marketers. To be clear, we are NOT selling any information about the specific services people are using, we are NOT selling telephone numbers, we are NOT selling any billing information (credit card or checking account numbers). Second, we put restrictions on the use of the list. Although we were certainly interested in maximizing list rental profit, we decided to be cautious about offering the list. So before providing the list, we will review every package that companies would like to mail. The third decision was to make it easy for members to take their name off our mailing list, if they so choose. So we created an area online (the keyword is MARKETING PREFS) to make it easy for people to "opt out" of the list program. Finally, we decided to notify members of the list program. New members learn about the list program as part of the standard registration process. For existing members, we created a "Personal Choices" menu option on the new Windows and Mac software we are sending to all members this Fall, and the "opt out" option was included there as well. 
So we thought we were balancing the various interests and issues in a reasonable manner. We'd generate new revenues, but members who wanted their names taken off the list would be easily accommodated. In retrospect, I think we made some mistakes. The first, and in my opinion by far the most important one, was that we did not proactively and directly notify our existing members about this new program -- before initiating the program. We had thought the menu option in the new software would suffice -- but in retrospect it was too indirect (and, worse, we had expected to have the new software in your hands by now, and it was delayed). As a result, some of you first learned of our list rental program by reading an article in a newspaper -- and felt, quite understandably, somewhat betrayed. We have worked hard to build the AOL community and certainly won't do anything to harm it. Indeed, our goal is to build it, and set a shining example for the emerging online world. The core of a community is trust -- and I am deeply apologetic to all of you for not informing you in advance and directly about this new program. The second mistake we made was not being clearer about what we're doing. The initial promotional announcement was somewhat ambiguous about precisely what we were offering for rental, and this was the source of the considerable confusion in the press and within Rep. Markey's office. For example, the promotional listing indicated that "running charges" were available -- suggesting to some that we would be releasing information about the size of the monthly charges each AOL member was incurring. This is not the case. "Running charges" is a term used within the direct marketing industry that refers to the cost of running a computer tape containing the list. This confusion created something of a tempest in a teapot, as it suggested we were violating personal privacy -- which we most certainly are not.
The bottom line is that our decision to rent the list was, I think, a reasonable one. I do realize that some will not approve of this, but, on balance, I continue to believe that -- coupled with appropriate safeguards -- it was and is a reasonable thing to do. However, in retrospect, we could have, and should have, handled this better. Although I was, quite frankly, initially disappointed that Rep. Markey's press release singled AOL out (given that several of our competitors have been offering their lists for years), on reflection I think this has been a positive step for our industry, because the issue of privacy is very important. I share Rep. Markey's deep concerns about setting unusually high privacy standards in the electronic world, and by putting this issue on the public agenda, he has forced us -- and, I hope, others -- to make a renewed commitment to upholding these high standards. We do believe that online services in general -- and, we think, AOL in particular -- have a unique relationship with customers. You place great trust in us -- to build a service you can find value in, and an online community you can benefit from participating in. We know that you all expect us to live up to the trust you have placed in us, and we certainly will strive to do so. To summarize: We are now renting our list. We are doing this because it will be a source of additional profit for us, and that in turn will enable us to fund the creation of new services and features, while maintaining an affordable price. We hope you'll be supportive of this new initiative as we do believe you'll benefit from it. But if you want to have your name removed from our list, we'd be happy to do so. Just use MARKETING PREFS and we'll take care of it. 
------------------------------

From: matt@enterprise.America.com (Matthew Lyle)
Date: 11 Oct 1994 16:07:16 -0400 (EDT)
Subject: AOL Rents Lists: The Truth

For those of you that would like to hear both sides of the story, before having a lynching party, here is a letter from the President of AOL. It was posted on AOL, in the Spotlight area. (kind of like being in the Message Of The Day-MOTD on a Unix box)

Looks like, yet again, you're another victim of the media not bothering to check out details prior to printing an article. Numerous things in the article were false, but the damage has been done and the San Jose paper doesn't really care. (personal opinion, of course)

I know people that work for AOL... They were shocked when they read the article on the news wire and went to check and see if it was true. It wasn't. These friends include gays and members of EFF and CPSR, so I really doubt that they'd condone censorship. (again... a personal value judgement, based on my knowledge of them.)

Steve Case posted an article on the "Spotlight" area of AOL. (kind of like the Message Of The Day-MOTD on a Unix system) I've appended it to this message.

From what I read, what they are doing is no worse than what Citibank does in selling out customer lists.

Regards,
Matthew

[moderator: Matthew included a copy of the letter also posted by Mark Anderson above. I am not including it here in order to save bandwidth.]

------------------------------

From: mea@intgp1.att.com (Mark E Anderson +1 708 979 4716)
Date: 12 Oct 94 17:00:00 GMT
Subject: Re: AOL Sells its Subscriber List

Here's some of the things I found on AOL on the MARKETING PREFS window. The main mechanism for taking your name off the list was rather confusing and required you to put an X in one of the boxes. It appeared that marking this box only stopped them from "renting" your address to a specific list of products and services.
Attached to this message are some other things that I think are required to complete the purge. This means I have to write a letter, find a couple of envelopes and stamps, walk to the mailbox, and hope the letter doesn't get "lost in the mail." You can print this paragraph if you want.

Regards,
Mark Anderson

ABOUT MARKETING PREFERENCES

In this section, you can learn about services that the Direct Marketing Association provides to reduce the amount of advertising mail and phone calls that you receive. The Direct Marketing Association is the nation's oldest and largest national trade association serving the direct marketing field. Members of the DMA market goods and services directly to consumers using media such as direct mail, catalogs, telephone calls, magazine and newspaper ads, and broadcast advertising.

America Online occasionally makes our membership list available to select, reputable companies whose products or services may be of interest to you. Marketing Preferences allows you to tell us about the types of offers you would like to receive or if you do not want your name to be released to other organizations.

MAIL PREFERENCE SERVICE

For many people, advertising mail is informative and provides value, convenience and fun. However, direct marketing companies recognize that some people do not like to receive advertising mail. If you want to reduce the amount of national advertising mail you receive at home, send your name and address to the Direct Marketing Association's Mail Preference Service (MPS):

    Mail Preference Service
    Direct Marketing Association
    P.O. Box 9008
    Farmingdale, NY 11735-9008

After a few months, the MPS will reduce the amount of advertising mail you receive. You will continue to receive mail from companies with which you do business. Names remain part of the MPS for five years. After five years, you will need to register with the MPS again.
If you continue to receive unwanted mail after a few months, the Direct Marketing Association suggests that you write directly to the mailer to request that your name be removed from the mailer's list.

AMERICA ONLINE MAILING LIST POLICY

AOL carefully screens all offers to its mailing list to ensure that they are appropriate. AOL does not release members' telephone numbers, credit card numbers, or checking account numbers to other organizations. If you do not want your name released to other organizations, simply indicate this on the Member Mailing Preferences form. To access this form, double-click on the heading "Tell Us What Your Preferences Are" on the previous window.

TELEPHONE PREFERENCE SERVICE

If you want to reduce the amount of national advertising calls you receive at home, send your name, address, area code and telephone number to the Direct Marketing Association's Telephone Preference Service (TPS):

    Telephone Preference Service
    Direct Marketing Association
    P.O. Box 9014
    Farmingdale, NY 11735-9014

After a few months, the TPS will reduce the amount of advertising calls you receive from national marketers such as credit card and magazine subscription companies. Some local organizations and charities may not participate. Names remain part of the TPS for five years. After five years, you will need to register with the TPS again. If you continue to receive unwanted phone calls after a few months, the Direct Marketing Association suggests that you request your name be removed from a company's list when they call.

------------------------------

From: derby@admaix.sunydutchess.edu (Scott Derby)
Date: 11 Oct 1994 13:35:31 GMT
Subject: Give Me Input On The Future Of Computing
Organization: Dutchess Community College

I am scheduled to give a lecture on the future of computing in about a month. I would like some input from the Internet community regarding what they believe/know the future of computing and computers will be.
You don't have to be an expert, just share what you have read, seen or even imagined (just be realistic in your imaginings). I guess you could reply to the list if you feel it would be of interest, or you can simply reply to me directly.

Thanks...

Scott
DCC Computer Center

------------------------------

From: nowakp@hfsi.hfsi.com (Paul Nowak)
Date: 11 Oct 1994 18:30:39 GMT
Subject: Re: Background Check For Job
Organization: HFSI

kazmarek@ix.netcom.com (Edward Kazmarek) writes:
lindline@rice.edu (Ann Lindline) writes:

Is this legal? If you want to work for certain government agencies, I know you have to submit to, and subject your family and friends to, a lot of poking and prying into backgrounds. Is working for a defense contractor basically the same as working for the government? What rights to refuse would these roommates have? Any feedback is much appreciated.

I'm not sure, but I suspect it's legal. At least, it's pretty common.

Actually the investigator will give you the pertinent sections to read and ask you to sign a statement to that effect. Anyone can refuse to be interviewed (if it's you doing the refusing it will probably reflect negatively; but, if one of your references refuses, or your roommate refuses, no sweat). My SO was apprehensive about her first interview (I've been interviewed so many times for myself and others that I've gotten rather friendly with one of the DIS agents).

For security clearance background checks, it is quite common to assess someone's potential security risk by the character of the company they keep.

Actually they are more concerned with your character and lying about the kind of company you keep is very indicative ... as is telling the truth. They don't so much care that you smoked pot 30 years ago as they are that you're trying to hide that fact ... and could face extortion because of it.

Even more, it's quite common to pursue what are called "developed references." You ask a listed reference, "Who else knows this person?"
You ask the same question to two or three names on that list, and so on for two or three levels. You'd be surprised that you don't have to go very far in a chain of developed references before you're talking to people who are NOT friends of the candidate. And you get some REAL interesting information. That's life.

This implies that they are going to believe the lies your enemies will tell. Not so. They are aware that people will lie about others and take that into account. Unsubstantiated rumors of a drinking problem will be tossed out, out of hand in the presence of overwhelming evidence to the contrary; however, they will check out "adverse information". That is reasonable first hand knowledge of defects such as gross indebtedness, unusual spending, etc. (a whole list of stuff, none of which was looked at in the case of Mr. Ames.)

--
HFSI 7900 Westpark Dr. Mclean Va. 22102 (just HFSI) A gummint systems integrator
Despite what my return address may say, I'm "nowakp@hfsi.com" and though I'm an opinionated son-of-a-gun, HFSI refuses to endorse any of them (even at gun point)
Illigitimii Non Carborundamus! ;-?

------------------------------

From: nowakp@hfsi.hfsi.com (Paul Nowak)
Date: 11 Oct 1994 18:40:36 GMT
Subject: Re: Background Check For Job
Organization: HFSI

anonymous writes:
lindline@rice.edu (Ann Lindline) wrote:

Is this legal? If you want to work for certain government agencies, I know you have to submit to, and subject your family and friends to, a lot of poking and prying into backgrounds. Is working for a defense contractor basically the same as working for the government? What rights to refuse would these roommates have?

Yes, I believe it is. My sister works for a navy contractor, and although her job may not be characterized as "high risk" the level of security clearance that she has is relatively high. Because of that, her family and friends were checked out.
I suspect it was more like her friends and family were interviewed to develop information about *her*. There are very few instances (personal reliability wrt guarding the life of the pres. for eg) where the family is also investigated ... even for very high sublevels of Top Secret clearances such as SIOP and ATOMAL.

I personally did not have to undergo any interviewing, but that may be because I'm relatively "clean."

More likely because they don't do that.

In addition, her husband works for the CIA, so they may think that he'll keep an eye on her (even though that's beyond their charter, I think that's the NSA's).

It's the FBI's ... which is why it is most often FBI field agents who do the interviewing when there are no local DIS (Defense Investigative Service) or other appropriate investigators nearby.

Although we may not like it, when subjects of "national security" come up, it appears that the government can take whatever measures they feel are necessary...

Within the limits laid out by law. Just tell the truth and nothing will happen .... unless the truth is that you've been hiding something illegal for lo these many years. ;-)

--
HFSI 7900 Westpark Dr. Mclean Va. 22102 (just HFSI) A gummint systems integrator
Despite what my return address may say, I'm "nowakp@hfsi.com" and though I'm an opinionated son-of-a-gun, HFSI refuses to endorse any of them (even at gun point)
Illigitimii Non Carborundamus! ;-?

------------------------------

From: robert@unlv.edu (Robert Cray)
Date: 11 Oct 94 18:41:01 GMT
Subject: Re: SSN on driver's license in MO
Organization: Information Science Research Institute

Seth Golub (seth@cs.wustl.edu) wrote:

When I entered the DMV I saw a large sign in a prominent location with large, clear type (and with some parts highlighted) that said I could check a box on a form if I objected to using my SSN as my license number. I checked the box, and I got a different number. No hassle.
Of course, I'll have to deal with store clerks' odd looks when they see a license number that starts with a letter, but I guess that will be a good time to enlighten them about SSNs.

I don't know how things are done in MO, however in Nevada if you choose to not have your SSN on the license it doesn't really matter - take the 1st ten digits of the non-SSN number they give you, call it N, then (N-2600000001)/2 translates into your SSN. Just about everyone knows this so the SSN might as well be on the license.

-- robert

------------------------------

From: gordon@sneaky.lonestar.org (Gordon Burditt)
Date: 12 Oct 94 00:21 CDT
Subject: Re: Shareware Campaign Tool
Organization: /usr/lib/news/organi[sz]ation

The next release of Precinct Walker, free to all registered users, and available in early October, will have a new get out the vote (GOTV) module. This fax-in function will allow a volunteer to produce a list of the voters in their precinct and to go to the polls and determine who has voted.

I found this little tidbit interesting. Is it really possible to go to the polls and determine, in the middle of an ongoing election, who has voted and who hasn't? Why? How does one do this without disrupting the process of voting?

(In areas where I vote, this information is kept manually in several large computer-printed lists of eligible voters, divided alphabetically by last name. It may be computerized later, and the production of the list is certainly computerized, but it's manual DURING the election. This doesn't mean optical scanning of ballots isn't done, but there's not supposed to be a one-to-one correspondence between voter and ballot to keep individual votes private. Taking the lists away from the election workers during the election will definitely bog down the voting process.)

Gordon L. Burditt
sneaky.lonestar.org!gordon

------------------------------

From: Chuck Weckesser <71233.677@compuserve.com>
Date: 12 Oct 94 12:29:43 EDT
Subject: Send Me FTP Document

Dear Friend,

I do not know how to use FTP. I desperately wish to acquire a copy of the FBI's new wiretapping proposal. If some kind soul reading this would be gracious enough to send me a copy of the document, I will be eternally grateful.

Have a nice day!

Chuck Weckesser

[moderator: Mail to comp-privacy-request@uwm.edu will get a copy of the bill passed by the Senate mailed to you.]

------------------------------

From: Mike Crawford
Date: 12 Oct 1994 16:41:23 -0700
Subject: Skip Tracer Finds Old Friends

I heard an intriguing radio ad yesterday...

"Miss your old college friends? Want to find them? It's easy with The Right Connection." (hmm... I thought.. sounds like a skip-tracer is trying to find new markets for his service).

"We'll find them quickly using the most advanced technologies" (yep... sure like to know what those are!)

"Dial 1-800-xxx-xxxx"

The punch line: "We also offer a complete line of business services".... meaning, I presume, traditional skip-tracing.

I wonder whether one could call them up and register as someone who is not to be "found"? I would imagine not - or if so, they'd probably charge for the service of not handing out your address and phone number to any paying customer.

Mike Crawford           | Call Congress toll free at 1-800-768-2221. When the
crawford@scipp.ucsc.edu | operator answers, ask for your Senator or Rep.

------------------------------

From: "Prof. L. P. Levine"
Date: 10 Oct 1994 18:07:29 -0500
Subject: UW Madison Policy on Electronic Data Privacy

NOTICE: THIS IS *NOT* AN OFFICIAL COPY OF THIS DOCUMENT -- FOR AN OFFICIAL COPY OF THIS DOCUMENT, CONTACT THE OFFICE OF THE SECRETARY OF THE FACULTY: phone: (608) 262-3956, fax: (608) 263-2081.
===========================================================================

University of Wisconsin                          Faculty Document 890a
Madison                                          7 October 1991

REPORT OF THE UW-MADISON AD HOC ELECTRONIC DATA ADVISORY COMMITTEE
September 13, 1991
(as revised October 7, 1991 by the Faculty Senate)

INTRODUCTION

The Electronic Data Advisory Committee was created by the University Committee to clarify the privacy and confidentiality status of electronic data and to draft procedures for the University to follow in providing access to information in this form.

The faculty and staff of the University should be under no delusions as to the essential confidentiality of their electronic files. Even when one takes elaborate precautions (e.g., file encryption) the nature of modern communication networks is such that true confidentiality is impossible to guarantee. In addition, the Wisconsin open records law may require public disclosure of electronic data. All users of these services should be apprised of these facts.

The Federal Electronic Communications Privacy Act of 1986 (18 U.S.C. sec. 2511) and parallel language adopted by the Wisconsin Legislature (sec. 968.31(2), Wis. Stats.) allow the University to examine electronic information when necessary to protect the rights and property of the University. The proposed procedures provide a mechanism for doing so in a way that respects the rights of individuals involved.

The report that follows deals with the question of appropriate procedures for the University to follow in cases of requests for access to electronic files initiated internally. (Requests for access that originate external to the University will normally arise under circumstances described in Section 6 of these procedures. In such cases, the University will provide notice to the controller and the opportunity to respond, whenever possible.)

In general, all computer and electronic files should be free from access by any but the authorized users of those files.
Exceptions to this basic principle shall be kept to a minimum and made only where essential to

  1. meet the requirements of the state open records law and other statutory or regulatory requirements;
  2. protect the integrity of the University and the rights and property of the State;
  3. allow system administrators to perform routine maintenance and respond to emergency situations such as combating "viruses" and the like; and
  4. protect the rights of individuals working in collaborative situations where information and files are shared.

Accordingly the Ad Hoc Electronic Data Advisory Committee recommends the following actions:

  1. The University should make a special and periodic effort to notify users that:
     a. Faculty Policies and Procedures include rules governing the privacy of electronic data;
     b. State or federal regulations may supersede these policies and procedures; and
     c. electronic communications and data files are not secure from unauthorized access.
  2. Because the proposed policy does not address how departments and schools may access students' instructional accounts, departments and schools should codify their procedures for managing and gaining access to such accounts;
  3. The Faculty adopt the following policy and procedures to govern access to electronic files controlled by faculty and staff:

POLICY AND PROCEDURES GOVERNING ACCESS TO ELECTRONIC FILES AT THE UNIVERSITY OF WISCONSIN-MADISON

PRINCIPLES:

The procedures are based on three fundamental principles:

  1. Intrusion into electronic files requires carefully considered cause;
  2. Controllers of files should be notified before accessing their files; and
  3. The University has an obligation to protect the integrity of the University, its services, its confidential data, and the rights and property of the State.

DEFINITIONS

As used in these procedures:

  1. "Electronic File" encompasses information stored and/or transmitted in electronic form, including but not limited to text, data, sound, graphics, images, and video, irrespective of its recording and transmission media or its format. Examples of electronic files include e-mail messages, databases, and magnetic tape files and subsets thereof.
  2. "Controller of a file" is defined as follows:
     a. on a single user computer under the control of a single person (e.g., a computer in a faculty office) the files normally are controlled by that person;
     b. on computers accessed by more than one individual, but which do not have an operating system that identifies files with a specific user, the individual responsible to the University for control of the computer (e.g., the laboratory director or department chair) is considered to be the controller of electronic files resident on that computer;
     c. On multiuser systems, an individual is typically registered or given an account. The registered user or account holder is normally considered to be the controller of files held in that account;
     d. In "work for hire" situations where one party enters or edits material for the originator of a file, the one responsible for originating the material in the file is the controller of the file. The person charged with entering the material is usually considered to be an authorized user. For example, when a secretary or a research assistant working under explicit directions uses a computer to enter and edit a document for a faculty member, the faculty member is the controller of the file and the secretary or research assistant is an authorized user.
  3. "Authorized User" includes the controller of a file and someone who is given explicit access to the file by a controller.
  4. "System Administrator" is an individual who has been charged by a University unit with maintaining a computer system and its software at an acceptable level of performance for the service that it is expected to provide.

PROCEDURES

1. Except as provided for in Sections 5 and 6, no one but an authorized user of an electronic file may intentionally access that file without receiving either

   a. The permission of the controller of the file; or

   b. The express written permission of the Vice Chancellor for Academic Affairs, who may grant such permission only in accordance with the procedures established by Sections 2 and 3 below.

2. Except as provided for in Sections 5 and 6, the Vice Chancellor for Academic Affairs may grant permission to those persons listed in section 2(b) to access a computer or electronic file only upon determining that all of the following steps have been taken:

   a. The Vice Chancellor for Academic Affairs has received in writing a request for access that specifies the reasons for the requested access and lists the requested file(s) by name, contents, or a description that clearly limits access to the file(s) necessary to further the purposes designated in Section 2(f).

   b. The written request has been made by a dean, director, department chair, vice-chancellor, or other person who has responsibility for protecting the integrity of the University, its services, and the rights and property of the State.

   c. The Vice Chancellor for Academic Affairs has notified in writing the controller of the file(s) that a request for access to the specified file(s) has been made and is pending. When there is doubt as to who is the controller of a file, notice should be sent to all the known individuals likely to have such an interest. Notification must, at a minimum,

      i. specify the name of the party requesting the file(s);

      ii. list by name, description, or contents the file(s) requested;

      iii. indicate that unless waived in writing by the controller of the file(s) within four days of notification, an inquiry as specified in section 2(d) of these procedures will be held to examine whether justification exists for granting the requested access;

      iv. indicate that in the event a section 2(d) committee has been appointed, the controller of the file(s) has a right to make known to the committee his or her views on whether access is justified;

      v. indicate that the file(s) in question shall not be altered or deleted by anyone, including the controller and that alterations or deletions may be a basis for disciplinary action; and,

      vi. if relevant, indicate that the Vice Chancellor for Academic Affairs has exercised his or her power under section 3 to take the minimum steps necessary to preserve the contents of the subject file(s).

   d. The Vice Chancellor for Academic Affairs has appointed a committee of three members, all of whom are otherwise uninvolved in the request and at least two of whom are members of the faculty or academic staff (as is appropriate to the case), to inquire into whether a justification under section 2(f) exists to warrant granting the requested access. Unless granted additional time, the committee will conduct its inquiry and make a written report to the Vice Chancellor within ten calendar days of its appointment. At a minimum, the committee shall

      i. examine the written request for access provided to the Vice Chancellor under Section 2(a); and

      ii. offer all those notified under Section 2(c) an opportunity to make known to the ad hoc committee their views on whether access is justified.

   e. The Vice Chancellor for Academic Affairs has received the results of the inquiry specified in Section 2(d) of these procedures or has received the controller's waiver of the section 2(d) inquiry.

   f. The Vice Chancellor for Academic Affairs finds that the requested access is necessary to protect the integrity of the University, its services, and the rights and property of the State.

   g. The Vice Chancellor for Academic Affairs has put in writing, with as much specificity as possible, the reasons for granting access to the file(s).

3. Upon the written request of one of those persons listed in section 2(b) or on his or her own initiative, the Vice Chancellor for Academic Affairs may authorize the appropriate University unit to take all necessary steps to preserve and save the contents of any file(s) within the University's computer systems. An order to preserve the contents of the file is meant to assure that the data in the file(s) is not destroyed, altered, or lost. Any such order does not constitute permission to open, read, or otherwise use the contents of the file(s). Access to the contents of the file(s) shall be obtained only under procedures specified herein or under conditions stated in Sections 5 and 6.

4. All requests for access to electronic files made under the Wisconsin open records law shall be made through the office of the University's Custodian of Records. It is recommended that the office of the Custodian of Records promulgate procedures consistent with the Wisconsin open records law and the principles expressed in these procedures. Such procedures shall provide for notice to the controller before public disclosure, whenever possible.

5. Nothing in these procedures is meant

   a. to supersede the usual procedures followed by departments and schools in monitoring student accounts given for specific course work; or

   b. to preclude computer system administrators from authorizing the routine maintenance of campus computer or communication systems or the rectification of emergency situations that threaten the integrity of campus computer or communication systems;

   provided that use of accessed files is limited solely to maintaining or safeguarding the system (which may include safeguarding the system from illegal use) or solving specific problems.

6. Nothing in these procedures is meant to either limit or expand access to files pursuant to Wisconsin or United States statutes or regulations, such as those governing patient records, student information files, open records, criminal investigations conducted by federal, state or local law enforcement authorities or certain personnel actions.

The Ad Hoc Electronic Data Advisory Committee:

   Seymour Parter, Professor, Computer Sciences and Mathematics (Chair)
   David Brown, Senior Policy and Planning Analyst, Office of Information Technology
   Dennis Fryback, Professor, Industrial Engineering and Preventive Medicine
   Thomas Palay, Professor, Law
   Tad Pinkerton, Professor, Computer Sciences & Director, Information Technology
   Charlene Rieck, Information Processing Consultant, College of Agricultural & Life Sciences

------------------------------

From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Date: 12 Oct 94 07:44:14 EDT
Subject: 2nd Intl Conf on InfoWar (long)

FINAL CALL FOR PARTICIPATION

[Please post where appropriate.]

Second International Conference on Information Warfare:
Chaos on the Electronic Superhighway

Conference Date:   Wed-Thu 18-19 January 1995
Conference Locale: Dorval Airport Hilton Hotel
                   Montreal, Canada

1. INTRODUCTION

Cultures that depend on information systems are vulnerable to Information Warfare. Attacks on data confidentiality and possession, integrity and authenticity, and availability and utility will damage individuals, corporations and other private organizations, government departments and agencies, nation-states and supranational bodies. It is essential to erect legal, organizational, and cultural defences against information warfare.

Winn Schwartau, author of the new book, _Information Warfare: Chaos on the Electronic Superhighway_, published in 1994 by Thunder's Mouth Press (ISBN 1-56025-080-1), has defined three levels of information warfare:

Level one: interpersonal damage.
Damage to individuals in recent cases includes impersonation in cyberspace (e.g., false attribution of damaging communications), appropriation of credit records (for fraud and theft), harassment (e.g., interruption of phone services) and loss of privacy (e.g., theft of medical records).

Level two: intercorporate damage.
In a recently reported case, a ring of criminal hackers stole the telephone calling cards of 100,000 subscribers to MCI, AT&T, and Sprint. These thefts are estimated to have resulted in $50 million of fraudulent long distance calls. In this case, a switch engineer working for MCI is accused of having inserted Trojan horse software to record calling-card numbers passing through MCI's telephone switching equipment. Other recent attacks include data leakage of confidential information with high competitive value in the automotive and airline industries.

Level three: international and inter-trading block damage.
The World Trade Center bombing caused more economic loss through interference with business communications and information processing than it did by physical damage to the building. It is inconceivable that terrorist organizations and nations are unaware of the low cost and minimal risk of attacks on information infrastructure compared with physical attacks. On a global scale, an aggressive trading block could acquire significant competitive advantage over an entire society by corrupting widely-used software (e.g., inserting code in a spreadsheet or accounting package to introduce occasional random errors) or even inserting logic bombs into microcode for new processors. The collapse of the Soviet bloc has made thousands of skilled programmers available for such subversion.

The Second International Conference on Information Warfare will focus on the likelihood and nature of deliberate attacks in cyberspace.
Speakers and panelists will consider the military perspective on information warfare: how are defence establishments of technologically-advanced nations approaching warfare in cyberspace? How will the threat of information warfare affect military command and control structures? Can a national military posture be envisaged without including collaboration with civilian users and managers of information systems? What is the future of aggressive information warfare as a component of national policy?

The Conference will serve the interests of information security specialists and strategic planners from military and government circles, the corporate world, and academia. The Press will be permitted to cover the event, providing opportunities for increased public awareness of vulnerabilities of the information infrastructure. The Conference Proceedings will contribute to national and international debates about information warfare and the need for careful planning to avoid disruption by hostile forces as information highways develop worldwide.

Following recommendations from last year's participants in the First International Conference on Information Warfare, we have scheduled more free time for informal discussion among participants. Informal discussions will be aided by Special Interest Group signs allowing people with specific interests to congregate if they wish.

The organizers extend a special welcome to members of world defence establishments. In order to foster the greatest degree of serious and productive discussion, room has been reserved for approximately 100 participants.

2. PROGRAM

WEDNESDAY 18 JAN 95

07:00-08:05  Registration and Continental Breakfast
08:05-08:15  Welcome from NCSA and Organizing Committee
08:15-09:00  Keynote Address: Civil Defence in Cyberspace--
             Maj.Gen.(Rtd) Alan Pickering / Communications Security Establishment of Canada
09:00-09:15  Short break
09:15-10:30  Class I InfoWar: Attacks on Personal Information
10:30-11:00  Break for informal discussions optionally by topic: Privacy, Cryptography, Laws & Law Enforcement
11:00-12:30  Class II InfoWar: Corporate Espionage and Sabotage
12:30-13:45  Buffet lunch and informal discussions optionally by sector: Corporate, Government, Military, Academic
13:45-15:30  Class III InfoWar: Global Conflict and Terrorism
15:30-16:30  Breakout groups by Class of InfoWar
16:30-17:15  Group discussion of appropriate actions for establishing civil defence in cyberspace
17:15-18:00  Closing comments for first day--
             Winn Schwartau / Inter.Pact, Mich Kabay / NCSA

THURSDAY 19 JAN 95

08:15-08:30  Introductory comments, logistics
08:30-10:00  War and Peace in the Age of Information
             Robert David Steele / Open Source Solutions Inc.
10:00-10:30  Informal discussions
10:30-11:30  Questions/Discussion with Winn Schwartau and Robert Steele
11:30-12:00  Conference summary and closing comments: Mich Kabay, Robert Bales / NCSA

The official language of the Conference is English.

3. KEYNOTE SPEAKERS

The Organizing Committee is proud to announce that our first Keynote Speaker will be Maj-Gen (Rtd.) Alan Pickering. Mr Pickering joined the Communications Security Establishment of the Government of Canada as Director General, Information Technology Security in January 1985, after completing 36 years service in the Canadian Forces. Mr Pickering is a graduate of the Royal Military College and Queen's University, from which he holds a degree in mechanical engineering. He also attended the RCAF Staff College and the U.S. Navy War College and served as Director of Cadets and Military Training at the Royal Military College.
Some of the positions held during his military career include pilot and instructor in Air Transport Command; engineer in the U.S. Gemini space program; Commanding Officer of an Anti-submarine Patrol Squadron; Base Operations Officer and Base Commander of Canadian Forces Base Greenwood; Deputy Project Manager for the AURORA long-range patrol aircraft; and Commander of the Maritime Air Group. His last position before retiring in 1985 with the rank of Major-General was Chief, Intelligence and Security at National Defence Headquarters in Ottawa. He is a Commander in the Order of Military Merit; in October 1987, he was appointed to the honorary position of Colonel-Commandant of the Canadian Forces Security Branch.

The Keynote Speaker for the second day of the Conference will be Robert David Steele, President of the non-profit educational corporation, Open Source Solutions, Inc. Mr Steele holds graduate degrees in international relations and public administration and is a graduate of the Harvard University Executive Program in Intelligence Policy. He is a distinguished graduate of the U.S. Naval War College and recently completed an eighteen year career in the U.S. Marine Corps in national and defense intelligence. Mr Steele is a leading advocate for national information strategies encompassing connectivity, content, coordination of research and communications and computing security. He is the architect of the National Information Strategy Act of 1994 which has been circulated among members of Congress and which includes extensive discussion of the need for communications and computer security in the national interest. Mr Steele was invited to present the Superintendent's Guest Lecture in August 1993 at the U.S. Naval Postgraduate School; his topic was "War and Peace in the Age of Information."
In his presentation at the Second International Conference on Information Warfare, Mr Steele will discuss the national strategic implications of both information warfare and information peacekeeping. He will tie in how government, corporate, and personal initiatives must all come together to create a safe environment in cyberspace.

Winn Schwartau, Executive Director of Inter.Pact, is a key player in the evolving study of information warfare. He has frequently appeared before and advised committees of the Congress of the United States and has analyzed the vulnerabilities of the Western world to electronic terrorism. Schwartau, editor and publisher of the widely-respected Security Insider Report, has investigated and reported on many topics bearing on information warfare. His textbook, Information Warfare, is a signal contribution to the field; his novel, Terminal Compromise, published in 1991 and recently released for free distribution on the Internet, presents a gripping account of plausible cyberterrorism. Mr Schwartau is a dynamic and exciting speaker who seized the imagination of participants at the First International Conference on Information Warfare in September 1993; the Program Committee is especially pleased at his participation.

M. E. Kabay, Ph.D. is Director of Education of the National Computer Security Association. He is Chief Sysop of the NCSA's new Information Security Forum on CompuServe and is a regular contributor to the Risks Forum Digest on the Internet. He is security columnist for Network World and Computing Canada and has published over 150 articles on system management and security since 1986. Mich Kabay won the Best Paper award at the 16th National Computer Security Conference in 1993 and was asked to organize the panel on Interdisciplinary Perspectives on Information Security at the 17th NCSC in October 1994.
Dr Kabay was the leader of the International Delegation of Computer Security Experts to the People's Republic of China in April 1994. He has been invited to be the Keynote Speaker at the U.S. Department of Energy's Security Conference in spring 1995. He currently teaches Information Technology Security at the Institute for Government Informatics Professionals in Ottawa.

The remainder of the Call for Participation, including hotel details, costs and registration information, is available on request from 75300.3232@compuserve.com, by fax to 514-695-7393, or by phone to 514-695-4968.

------------------------------

From: "Prof. L. P. Levine"
Date: 26 Sep 1994 12:45:51 -0500 (CDT)
Subject: Info on CPD, Contributions, Subscriptions, FTP, etc.
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions generally are acknowledged within 24 hours of submission. An article is printed if it is relevant to the charter of the digest. If selected, it is printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the subject line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Mosaic users will find it at gopher://gopher.cs.uwm.edu. Older archives are also held at ftp.pica.army.mil [129.139.160.133].

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V5 #048
******************************