Date: Fri, 03 Feb 95 13:43:59 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V6#014 Computer Privacy Digest Fri, 03 Feb 95 Volume 6 : Issue: 014 Today's Topics: Moderator: Leonard P. Levine Re: Wastebaskets Re: Wastebaskets Re: Wastebaskets Re: Requests for Home Phone Numbers Re: Requests for Home Phone Numbers Re: Careless News Media Re: Careless News Media Re: Careless News Media Lifestyle info on blood donor cards Re: Check Security Re: Credit Card Signatures Tracking of News and WWW Routes Re: Radio Shack and Privacy Re: Radio Shack and Privacy "Protect Your Privacy" by Stallings Ethics and Privacy Survey Forest Service and E-mail Censorship Info on CPD [unchanged since 12/29/94] ---------------------------------------------------------------------- From: leppik@uxa.cso.uiuc.edu (leppik peter) Date: 01 Feb 1995 18:27:42 GMT Subject: Re: Wastebaskets Organization: University of Illinois at Urbana G Martin writes: I think shredders are next to worthless because it's so easy to reassemble the document. And just putting it in the trash just invites someone with bad intentions to pull it out and possibly misuse the information. I told her the only safe way I could think of was to take it home and burn it. How about all of you? Here's what I do....I take the stuff home, shred it, and then take all the shredded stuff and use it as mulch around my garden. Of course, it takes a lot more mulch than what a few confidential documents can produce to handle my garden, so I also shred junk mail, magazine "blow-in" cards, and so forth. This has the added advantage that, if someone really wanted to dig through my vegetable garden and reassemble the original documents, 99% of the effort would go into reassembling "You May Have Already Won!" letters. Actual confidential documents are few and far between.... (FYI, I generally have two kinds of confidential documents: personal financial information, which I don't want people to see; and class rosters, which often contain grade information protected by federal law) -- Peter Leppik-- p-leppi@uiuc.edu Lost in the Information Supercollider http://jean-luc.ncsa.uiuc.edu/People/PeterL/HOME.html ------------------------------ From: jonsg@diss.hyphen.com (Jon Green) Date: 02 Feb 1995 09:57:18 +0000 (GMT) Subject: Re: Wastebaskets In a possible past, G Martin said: I think shredders are next to worthless because it's so easy to reassemble the document. And just putting it in the trash just invites someone with bad intentions to pull it out and possibly misuse the information. I told her the only safe way I could think of was to take it home and burn it. How about all of you? I tend to tear it into small pieces manually, making sure that sensitive stuff gets fragmented, then distribute the portions through several random wastebaskets, public bins and the dustbin at home. Oh, and I retain and _eat_ my signature, if it's a cheque I'm destroying. (No kidding. I have a high-fibre diet...) 'Course, it's only worth it for single pages on an occasional basis, but it works for me, and no-one except a most diligent and observant private investigator would be able to get enough pieces together to make something useful. Burning's no use, BTW - you can _read_ the contents of ash, unless you make sure to powder it afterwards. A number of crimes were solved by analysing burnt sheets in the grate. ------------------------------ From: Tye McQueen Date: 03 Feb 1995 12:51:48 -0600 Subject: Re: Wastebaskets Gary Martin (gmartin@FREENET.COLUMBUS.OH.US) writes: How careful are you about what you put in your wastebasket at work, or your trash at home? I was recently making photocopies at a Mailbox, Etc. and noticed what looked like a tax form in the waste basket next to the copy machine. After seeing our post office trash can overflowing with junk mail every day I visited the Post Master and requested that the waste be recycled. I was told that they can't do this because of risks to privacy of the people who threw their mail away. I don't recall exactly how the US Postal Service does dispose of this waste so as to protect privacy. The trash certainly isn't well protected before the bins are emptied. -- Tye McQueen tye@metronet.com || tye@doober.usu.edu Nothing is obvious unless you are overlooking something ------------------------------ From: "Dennis G. Rears" Date: 01 Feb 1995 22:16:35 GMT Subject: Re: Requests for Home Phone Numbers Organization: U.S Army ARDEC, Picatinny Arsenal, NJ Kelly Bert Manning wrote: In his role as the previous moderatory Mr. Rears and I have expressed differing opionions in the past about this issue. I'm hoping that we get around to some new angles and opinions this time around. My opinions on providing SSN to merchants have appeared to be disjointed in the past. This is mainly because I haven't had an original post in CPD in about 18 months, only followups. Here's my thoughts: 1. Don't give false information. Either leave it blank or fill it in. Giving false information poorly reflects on one integrity. 2. Stores should only request information they need. 3. In some cases a credit check is necessary and you do this via SSN. If you don't like they don't have to extend you credit or cash your check. On a issue not that has nothing to do with privacy, I am a firm believer in property rights. Part of owning property is have the ability to decide who you want to sell, lease, give, or otherwise convey services or property to. I believe a merchant should have the right to refuse to do business with anybody. -- dennis ------------------------------ From: djones@insight.dcss.McMaster.CA (David Jones) Date: 01 Feb 1995 17:53:59 -0500 Subject: Re: Requests for Home Phone Numbers Organization: McMaster University, Computational Vision Laboratory Kelly Bert Manning wrote: This kind of demand for information, backed up by a threat of denial of service is probably why the Quebec government made it the legal right of consumers not to have to provide unneccessary personal information. Businesses cannot refuse a request to provide goods or services just because a consumer refuses to provide irrelevant personal information. In practice, this statement is false. Despite any law to the contrary, some Quebec companies regularly refuse to provide service if personal information is not provided. Case in point: Videotron. The local cable monopoly occasionally has a trial "service" of their enhanced cable features. It involves a set-top box that you would normally rent, but during the special trial service, they loan you the box for free, but you must provide personal information like your Health Insurance Number or your Social Insurance Number (they presumably want to run a credit check to make sure you won't steal the box). Even if you offer to provide a credit card number as a kind of insurance against their concern of theft, they will refuse to give you service. After calling the appropriate gov't offices in Quebec and Ottawa I was told "that's just the way it is, and there's nothing we can do about it". So much for this well-intentioned law. ------------------------------ From: "Dennis G. Rears" Date: 01 Feb 1995 22:03:49 GMT Subject: Re: Careless News Media Organization: U.S Army ARDEC, Picatinny Arsenal, NJ G Martin wrote: I videotaped the news that day as I usually do, and replayed the tape in slow motion. Sure enough, I was able to EASILY read his name, SSN, DOB, and various physical descriptions like hair color. Columbus is a city of 500,000 people, and they had to have given that information to at least tens of thousands of people, some of who are likely criminals. I couldn't believe the stupidity of it. The stupidity was on the individual who allowed the badge to be recorded. You never allow security badges to be photographed. It makes them easier to copy that way. I also contacted an ATF agent. He said that the guy is at great risk of his SSN, etc. being used for all kinds of illegal purposes from buying guns, to credit cards, etc. His advice was that the guy contact his office, the Secret Serivce (for credit card fraud), his local credit bureau, etc., etc., etc. and try to head off any potential damage before it happens. If you speak to any professional (which by definition an ATF agent isn't) they can tell you potential horror as it relates to their profession. Yes, it is possible. Likely? no. Anyone who is of the mind to abuse information like that doesn't need to record the news and slow motion it. I think you are making a mountain out of a molehill. What can the ATF or any government employee do? Put out an All Points Bullentin for a possible misused SSN. If there is such a thing let me know and I will publicize and hopefully load it so much it crashes. My next call was to the media director at the water company. The media director had been standing right next to him when the cameras took the pictures. She treated me like I was bothering her, and was very rude. She said she'd warn the employee who's ID was aired, but I didn't believe her. I called back again and asked to speak to her boss. He was very understanding, and said they'd do what they could to help the employee out. He also said he was going to make up a phoney ID card in case they ever need to show one again in the media. Don't you have any better things to do with your time? It didn't affect you and you actually called the utility company? How could the media have been so careless?!? they may have ruined this guys life with their stupidity. Other than the possible risks I've mentioned, what other risks might he face? Has anyone else seen the media to anything like this? This is nothing. If you are going to complain about the media complain about the hatchet jobs they do. Keep in mind the employee allowed the badge to be photographed. Evidently the employee didn't care. -- dennis ------------------------------ From: sean@sdg.dra.com (Sean Donelan) Date: 02 Feb 95 02:29:10 CST Subject: Re: Careless News Media Organization: Data Research Associates, St. Louis MO G Martin writes: How could the media have been so careless?!? they may have ruined this guys life with their stupidity. Other than the possible risks I've mentioned, what other risks might he face? Has anyone else seen the media to anything like this? The problem isn't with the media. It is with the water company. Why does the water company put information such as the employee's SSN on the ID card the water meter reader is required (likely also by company policy) to show to any customer that demands it. -- Sean Donelan, Data Research Associates, Inc, St. Louis, MO Affiliation given for identification not representation ------------------------------ From: geoff@ficus.CS.UCLA.EDU (Geoff Kuenning) Date: 02 Feb 1995 22:23:20 GMT Subject: Re: Careless News Media Organization: Ficus Research Project, UCLA Computer Science Department writes: Sure enough, I was able to EASILY read his name, SSN, ... How could the media have been so careless?!? The reporter and cameraman probably forgot to consider slow-motion videotape, thinking that the card would go by too quickly to matter. But a much more important question is, why does the water company put the SSN on the ID card? That sounds totally inappropriate to me. Every house this guy visits could do all the same bad things to him that a TV viewer could. Why is the WATER COMPANY so careless?!? -- Geoff Kuenning g.kuenning@ieee.org geoff@ITcorp.com ------------------------------ From: "Virginia Matzek" Date: 01 Feb 1995 11:49:34 PACIFIC Subject: Lifestyle info on blood donor cards Organization: California Alumni Assoc. Additionally, are the results of these screens the property of the blood collection agency for further use as they see fit, or does the "screenee" have the right to control the use of the information (or somewhere in-between)? The development of profiles of types of individuals is becoming less important as HIV spreads throughout the general population. Further, it may the basis of discrimination suits. If the information is not collected with any specific identifiers, (SOC # or name) then who cares? If there are personal identifiers, then it seems to me to be an attempt to develop it for another purpose. The last time I donated blood, I was given a card to fill out with personal info on one side (name, address, DOB, SSN#, etc.) and then some VERY personal info on the other (Have you had sex with anybody for money or drugs since 1977?, etc.) I left the SSN space blank, but after I had donated, I got a call from the blood bank saying they needed to confirm my SSN or they couldn't use my blood. Apparently this is their method of insuring that the person who comes in and gives blood is the same person as last time. I gave in and provided the number. Then I started thinking about the card and all that information on it and wondered exactly what sorts of identifiers went with it. I phoned the blood bank and asked them to change my personal identifier from my SSN to my Calif. driver's license # (which they did--ironically for their "security measures"--without seeing my driver's license or verifying my identity in any way at all). I also asked two different people what happened to that information. I was given consistent reports--that only the cards that I filled out were put in my file (i.e., no additional info, like a medical file would have), and that the only people to see the information were the nurses at the blood station (who check your responses for risk factors) and the business office folks who keep the files. I was told that the information would never be given out to anybody and was kept completely confidential (although one wonders, when their security of identity is so lax, what they mean by "confidential"). As to whether I had access to my file or not, I was not given a clear answer because the business office people had never fielded that question before. However, they seemed surprised that anyone would ask, and told me that the only info in the file is what I filled out myself, so why should I care? Just FYI. +----------------------------------------------------------------+ | Virginia Matzek "I love being a writer. | | Associate Editor What I can't stand is the | | California Monthly paperwork." -- Peter De Vries | | | | vmatzek@alumni.berkeley.edu | | phone: 510/642-5781 fax: 510/642-6252 | +----------------------------------------------------------------+ ------------------------------ From: "Michael O'Donnell" Date: 01 Feb 1995 16:42:45 -0500 Subject: Re: Check Security jepstein@cordant.com writes: So I sent another check in, attaching the original with a note to show this is what happened, and writing in large letters VOID across the old check. BOTH checks were deposited. Luckily I had enough in my account to cover both, so I didn't make a fuss (and I didn't have to make a payment the next month). It would have been interesting to ask the bank to explain their security if an apparantly year-old check clearly marked VOID could clear the system! The situation you described certainly ought not to have happened, but given my casual knowledge about how checks are processed it at least makes (some) sense. It's probably true that one of the last humans to touch (not necessarily look at, just touch) your check was the person who opened your envelope at your insurance company. They were most likely not paying attention and simply stamped the back of your check "for deposit to the account of..." and then jammed it into a deposit pouch with a zillion other such checks. From then on, the only other person who had cause to look at your check was probably an extremely overworked data-entry person whose only goal was to read the amount scrawled on your check and cause that amount to be imprinted at the bottom so that the MICR (Magnetic Ink Code Recognition) equipment could take it from there. I'm pretty sure that once your check gets into the pipeline between the banks and the clearinghouse(s) the process is entirely automated - as long as the MICR info is intact there is no reason for a human to ever again be interested in looking at your check. from the above, one should conclude that the way to REALLY make a check "void" is to trash the MICR characters at the bottom, especially the account number. Regards, --------------------------------------------------------------- Michael O'Donnell (617)621-7308 mod@osf.org/mod@std.com --------------------------------------------------------------- ------------------------------ From: berczuk@glendower.mit.edu (Steve Berczuk) Date: 02 Feb 1995 20:32:42 GMT Subject: Re: Credit Card Signatures Organization: MIT Center for Space Research Since June 1st, 1994 (for MasterCard) and January 1st, 1995 (for VISA), merchants have been instructed to refuse all unsigned cards. A specific procedure has been established to deal with unsigned cards: This poses an interesting problem. One of the things I like about my one of my credit cards is that it has a picture. We can argue about what is harder to fake, a picture or a signature, but given the way signature change over time, and the amount of effort clerks often give to checking signatures, I like the idea of having a picture on the card. As far as I know only 2 banks have photo cards, so for any other cards I've taken to writing "ASK FOR PHOTO ID" in the signature spot. according to the above policies, then, I imagine that I'll have to stop using the other cards, except perhaps for mail order stuff. This doesn't seem to make a whole lot of sense. -steve berczuk -- Steve Berczuk -berczuk@mit.edu | MIT Center for Space Research Phone: (617) 253-3840 | NE80-6015 Fax: (617) 253-8084 | Cambridge MA 02139 ------------------------------ From: Kajae@aol.com Date: 03 Feb 1995 03:16:24 -0500 Subject: Tracking of News and WWW Routes kirby6@psu.edu wrote: Is it possible for my school admins. to keep track of the sites I visit or the news servers I connect to, or even the groups I read? Is every connection through the campus gateway logged somehow or would I have to be a specific target? When I connect to a site does that site also record my connection? Do admins even have time to be concerned with this? What I'm wondering is just how any of this information might be used to "profile" me later. Be it through sales to marketers, restriction of account, or whatever? Do privacy laws apply to any of this? Yes, yes, and yes (some of them will tell you so, and that if it bothers you, that you should log off now). Scary, huh? I doubt your admins have the time to be bothered with all users individually (or you personally) unless you do something illegal or otherwise violates the policy of either of the systems you happen to be using at the time - in which case you'd be facing whatever disciplinary action deemed fit by them. It might be interesting to note (as was brought up in this forum a while ago) that some schools do monitor their own systems for security purposes, so not just what you do on the web is logged, but what you do on your schools system may be being logged as well. And since it's thier systems, it's all completel y legal. (See Computer Privacy Digest Vols. 5 #78 thru 6 #2 "School Monitoring" for the thread on that topic). For any agency that can and will do the leg work required, a more or less complete history of everything you've done on the net (especially recently) could be compiled... As far as your "profile" is concerned, while admittedly this data could be used to profile you, doing anything with that profile might be risky on the part of the users. Restricting accounts or credit, or denying you a job might be hard (and certainly discriminatory) based solely on what you like to read or don't like to read. And doing that based on what you say or don't say in any medium, electronic or otherwise, is unconstitutional. Or at least I *think* still it is, I haven't caught the TV news for the latest Supreme Court ruling... Marketing is another matter entirely. It never ceases to boggle the mind how people get hold of information about me so they can stuff my mailbox with junkmail. (Thank God spamming is outlawed here!) There are several computer marketing and distribution companies that, while they've somehow or another found out that I own a new computer, many of them are confused as to what kind it is (for anyone who cares its really a 486/DX2/66). But I get mail for macs, amigas, companies telling me I should use their chips to upgrade my 386 to a 486, and so on. In this case, do as I (and others) do: travis@netrix.com (Travis Low) writes: IMHO, it is better to open them and look for a postage-paid return envelope. If there is one, just stuff it full and pop it in the mail. That way, the mailers subsidize the post office, saving taxpayer dollars. And the mailers will have to spend money processing the bogus envelopes, hopefully to their fatal detriment. Try it. It's great fun. When it comes to life in Cyberspace, you have to live the Way of the Warrior: "If you love, love without reservation - if you fight, fight without fear. Live every moment as though it were your last." If you're going to post, post what you think. If you ftp, ftp for what you really want. Ride every wave on the net like you're about to max all your credit cards on it. No regrets. Knowledge is power, and there will always be those who will abuse that power, and fight tooth and nail to keep it. There are also those of us who are fighting them with our teeth and nails, but we're another story... ------------------------------ From: gmcgath@condes.MV.COM (Gary McGath) Date: 03 Feb 1995 12:53:13 GMT Subject: Re: Radio Shack and Privacy Organization: Conceptual Design privacy@interramp.com wrote: Sure, Radio Shack isn't the only game in town. But your solution doesn't solve the problem; it ignores it. Convince me that other electronic merchants will treat you any better. Even if you do find more privacy-sensitive merchants, isn't our job -- as privacy sensitive advocates -- to help others from being manipulated? Well, in my experience, Radio Shack is the only retail outfit of any kind that routinely asks for the phone numbers of people who pay cash. It's their right to do that, and my right not to deal with such bozos. I don't see why it's anyone's "job" to "help" people who are perfectly satisfied with such an arrangement. Unlike E. J. Barr, I don't boycott Radio Shack absolutely. But where the alternatives are nearly equal, I buy elsewhere. When I do buy there, I always decline to give any personal information. I use a humorous rather than confrontational approach, feigning temporary total amnesia. -- Gary McGath gmcgath@condes.mv.com PGP Signature: 3E B3 62 C8 F8 9E E9 3A 67 E7 71 99 71 BD FA 29 ------------------------------ From: privacy@interramp.com Date: 03 Feb 95 08:43:06 PDT Subject: Re: Radio Shack and Privacy Organization: PSI Public Usenet Link privacy@interramp.com wrote: ...While returning a product purchased by credit card but without providing my address, I was told that I could not receive credit unless I provided my name, address, and phone... Not only is providing false information a "bad idea," since it is illegal, as Mr. Resch writes. It is also a last ditch resort that consumers should not have to face. It's easy to lie and give out fake names, addresses, telephone numbers, etc. But this is not the "way it should be." Sure, in my newsletter, I encourage readers to use pseudonyms in certain situations. But in none of these situations are people breaking the law or hurting others. Instead, the best solution (as far as I am concerned) is to create laws and grassroot efforts to stop such requests for personal information as a condition of sale. Let's empower the consumers so that they don't have to be placed in the unenviable position of having to lie in order to protect their privacy. Until we have such laws or widespread support, we should educate consumers on how to deal with situations where personal information is requested. The more educated and the street smart consumers are not the ones we need to worry about. Often, they will read the "Riot Act" or find some way of preserving their privacy. It is the shy, naive, or less educated that we need to empower by making them aware of their "Privacy Bill of Rights." Do you have suggestions for a "Privacy Bill of Rights?" Please forward them to me, as I am compiling one for future applications. -- John Featherman Editor Privacy Newsletter PO Box 8206 Philadelphia PA 19101-8206 Phone: 215-533-7373 E-mail: privacy@interramp.com ------------------------------ From: "Rob Slade, Social Convener to the Net" Date: 02 Feb 1995 12:47:47 EST Subject: "Protect Your Privacy" by Stallings [It didn't start out this way, but this seems to be the start of a "mini" series of reviews on the topic of PGP. Garfinkel's review is due to be sent in another two weeks, Schneier's a week after that; Peachpit has one due out in February while Zimmerman's own, I found out yesterday, is due out in April. - rms] BKPRTPRV.RVW 941214 "Protect Your Privacy", Stallings, 1995, 0-13-185596-4, U$19.95 %A William Stallings ws@shore.net %C 113 Sylvan Avenue, Englewood Cliffs, NJ 07632 %D 1995 %G 0-13-185596-4 %I Prentice Hall PTR %O U$19.95 (515) 284-6751 FAX (515) 284-2607 camares@mcimail.com %P 302 %T "Protect Your Privacy" This is the first-released of at least three books on PGP (Pretty Good Privacy), the encryption and authentication package by Phil Zimmerman. It covers the concepts of encryption, public key encryption, authentication and key management, as well as the installation and operation of PGP on MS-DOS and Macintosh platforms. There is also some overview of front end shells for DOS and Windows, plus helpful supplementary information on password/phrase choice key servers, and where to get PGP. (The promise of coverage for Windows, UNIX, OS/2 and Amiga in the promotional literature is overkill, but these interfaces will be almost identical to those covered.) Stallings' material is generally very clear and well written. Many times, however, concepts are introduced early in the book but not explained until much later. This is particularly true of key management. In most cases, I can assure the reader not to worry--all will be made clear, eventually. (In some few cases, the explanation may remain confusing until you actually run the program.) The book echoes the assertion by many that PGP has become the de facto standard in Internet privacy and authentication. Certainly no commercial product has anything like the same range of use. Full acceptance of PGP, though, has been hampered by the version incompatibilities and the legal difficulties caused by the US weapons (!) expert control laws. Given the touchy nature of this subject, it is not terribly surprising that both Stallings, and Michael Johnson in the access document, comment only briefly on the subject. These passages are somewhat calming, but hardly calculated to inspire confidence. Solid background on the technology, if sometimes disjointed. Terse, but serviceable documentation on the program. Readable and informative. copyright Robert M. Slade, 1994 BKPRTPRV.RVW 941214 ============== Vancouver ROBERTS@decus.ca | "virtual information" Institute for Robert_Slade@sfu.ca | - technical description of Research into rslade@cue.bc.ca | marketing info disguised User p1@CyberStore.ca | as technical description Security Canada V7K 2G6 | - Greg Rose ------------------------------ From: Urs Gattiker Date: 03 Feb 1995 10:16:18 -0700 Subject: Ethics and Privacy Survey About 8 months ago a survey on ETHICS AND PRIVACY ON THE INTERNET was mailed through this NetWork to you and many others. The data we have gathered has been analyzed and one of the reports materialising from it is mentioned below. If you are interested in a complete copy, please feel free to drop me a line and again, thanks for your cooperation and help. The program on ETHICS AND PRIVACY ON THE INTERNET is continuing and a new survey assessing additional issues as well as regulation, cryptography and cyberspace is in the final stages of the development. Cordially Urs E. Gattiker MORALITY AND TECHNOLOGY, OR IS IT WRONG TO USE A SELF-MADE ENCRYPTION DEVICE, AND CREATE OR LET LOOSE A COMPUTER VIRUS? Urs E. Gattiker Helen Kelley Centre for Technology Studies, The University of Lethbridge, CANADA Abstract Stories about computer-related actions (e.g., placing a document about how a computer virus works on an electronic network/bulletin board) were presented to users. Data indicate that women end-users compared to men have a less libertarian sense of what is right and wrong; as well, younger respondents are more libertarian than their older compatriots. Data also indicate that participants are less likely to endorse civil liberties and more concerned about the harm and violations of social norms when the scenario describes a context- specific situation. How users act, feel and respond toward computer- mediated behaviours and actions raise questions for researchers and policy makers. For example, how do researchers and policy makers maintain and protect the privacy of individuals, and at the same time ensure moral conduct by end-users who enjoy using the electronic highway. Suggestions are made for developing theoretical models of moral judgment in the cyberspace domain as well as policy (e.g., U.S. Clipper chip debate). Published reports of some of our findings can be found in: Gattiker, U. E., & Kelley, H. (1994). Techno-crime and terror against tomorrow's organisation: What about cyberpunks. E. Raubold and K. Brunnstein (Eds)., Proceedings of the 13 World Computer Congress -- IFIP Congress '94, Hamburg (pp. 233-240). Amsterdam: Elsevier Science Publishers. Gattiker, U. E., & Kelley, H. (1995). Morality and Technology, or is it wrong to create and let loose a computer virus. In J. F. Nunamaker, Jr. & R. H. Sprague (Eds.), Proceedings of the 28th Annual Hawaii International Conference on System Sciences 1995, Hamburg (pp. 563-572). Las Alamitos, CA: IEEE Computer Society Press. Additional papers are currently being written. ************************************************************ ------------------------------ From: James Love Date: 02 Feb 1995 00:29:57 -0500 Subject: Forest Service and E-mail Censorship the following is a forwarded message from tap-resources, another one of our lists. Ned Daly reports on a proposal at the forest service to censor forest service employee email critical of the agency. jamie Distributed to TAP-RESOURCES, a free Internet Distribution List (subscription requests to listproc@tap.org) TAXPAYER ASSETS PROJECT - NATURAL RESOURCES POLICY ADVISORY (please distribute freely) TAP-RESOURCES February 1, 1995 The Following is an excerpt from "Chainsaw Justice: The U.S. Forest Service out of Control" which will be published soon by Voices of the Environment (VOTE). If you would like the report or more information, contact VOTE in Hamilton, Montana at (406)363- 4225. The Forest Service presently has a proposal under review that would prohibit Forest Service employees from criticizing agency leadership and policies on the agency's electronic mail system. The excerpt reprinted below looks at the Forest Service's attempts to limit freedom of speech. The Forest Service's proposed policy sheds light on the agency's attempt to quell any internal criticism as well as the administration's (lack of) commitment to privacy. The author of the "Chainsaw Justice", Steve Taylor, also wrote "Sleeping with the Industry" a report published by the Center for Public Integrity and excerpts from that report were published on TAP-RESOURCES earlier. Ned Daly ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SECTION #7-ROADBLOCKS ON THE INFO HIGHWAY: CHILLING E-MAIL SPEECH by Steve Taylor When Jack Ward Thomas became Chief of the Forest Service on Dec. 1, 1993, many believed he would usher in a new era of openness among agency employees and members of the press, that he would be the arbiter of "glasnost." In some respects, Thomas has met those expectations. He did grant an interview for this report and has generally been accessible to the media. However, through the office of Thomas's underling, recently retired Deputy of Administration, Lamar Beasley, the agency has drafted a policy for the USFS [Forest Service]electronic mail system, Data General (DG), that if implemented would chill free speech among the Forest Service ranks, according to several agency employees. Most insidious and possibly illegal, they say, are two provisions of the draft that prohibit criticism of agency leadership and policy. Agency brass assert that a clear policy for e-mail is needed to ensure that "government electronic communications facilities" and "official time" are not "misused," and to protect against the "unauthorized disclosure" of government information, according to a document signed by Lamar Beasley and obtained by VOTE. Chief Thomas echoed these concerns about government employees wasting the public's time and resources. He added that a major reason for the policy was to prevent too many messages from jamming the DG. (For a more thorough explanation of the Chief's opinion on this policy, see the interview excerpts below.) Considering that in the 1990's much of the inter-agency dialogue occurs on the DG, the proposed policy would greatly hamper constructive dialogue, said sources inside and outside the agency. USFS personnel use the DG to discuss ecosystem management, environmental laws, timber sales, fire control, and other issues relevant to the management of the national forests. And yes, sometimes these discussions criticize agency positions and its leaders. But from such dialogue, innovative ideas often emerge. "The DG is almost the exclusive form of internal communication," Andy Stahl, executive director of the Association of Forest Service Employees for Environmental Ethics (AFSEEE), told VOTE. "The message this [policy proposal] sends is: 'We don't want to hear the bad news. We certainly don't want to hear your opinions of where we might be going wrong.'" The policy draft was released during the summer of 1994 with little fanfare. "It's been amazingly low-profile," said a Washington Office employee, who asked to remain anonymous for fear of reprisal. "This is a blast from the past," the source said. "If this policy is adopted it would be very telling." Others within the agency are more caustic. "It is a very repressive policy," a USFS source in a western state said. "in a way, it is reprisal in a systematic sense." A Dictator's Policy? A USFS employee in the Southeast United States had this to say: "This attempt to muzzle free speech reminds me of a dictatorship in trouble. It seems like a desperate move and a tacit admission that they, that is, Beasley and Thomas, have lost control. What's next? Are they going to confiscate are pencils and notepads so we can't write bad things about them. This is really sick." In a written response to the proposed policy that was submitted to the agency, USFS computer operator Debbie Tachibana and wildlife biologist Donald Yasuda tread more lightly in their criticism. They first expressed concern that the Washington Office staff worked on writing the policy without consulting those in the field or the agency's union. "Such top-down solutions usually ensure a lack of commitment to the product by the bulk of FS employees," they wrote. "In reading this report, we can only assume that field level personnel are part of the problem you are trying to solve." Tachibana and Yasuda also note that the e-mail system levels the playing field for employees of all ranks. "It reaches employees at all levels of the organization and provides all of them the opportunity to give input to the dialogue regardless of background, culture, or position in the organization." And, they condemn the reach of government as a thought-control mechanism. The policy seeks "not only to restrict information sharing but also to restrict employees' abilities to exercise independent critical thinking." Others in the agency worry that the policy will further rip an already tattered agency morale. Dave Iverson, an outspoken USFS economist, wrote in his comments on the policy, "[It] upholds a long-standing government tradition of establishing policy that attempts to ensure 'employees don't do the wrong thing' rather than encouraging 'employees to do the right thing.' This implicit lack of confidence in the ethical foundation of government employees breeds dissention and reciprocal mistrust between employees and the agencies where they work." Another employee commented on the DG, "... the knee jerk reaction of an organization long accustomed to controlling information flow via organization hierarchy is to attempt to do the same thing in the automated information environment (i.e. computer networks)." Responding to one employee's criticism of the policy, Lamar Beasley stated that the policy is intended as a preventive measure, to keep employees from breaking the law, presumably privacy laws. "I only ask you," he wrote to a respondent over the DG, "to keep in mind that we cannot violate the law. We've had people to do that [sic] and we've also had people that were almost fired. We have an obligation to set policy in place that prevents our people from getting in trouble." What Beasley may have overlooked is that the policy itself may be illegal, particularly if it prohibits protected speech about government behavior concerning environmental laws. Both the National Forest Management Act (NFMA) and the National Environmental Policy Act (NEPA) require free discussion and dissemination of new science as it evolves, and that the government amend policies when appropriate. "NEPA demands that policy be reexamined when there is new scientific evidence," AFSEEE's Stahl said. "NFMA demands that forest plans be revised when there's new information that might trigger that. You'd be violating the law if you didn't bring those concerns forward." Stahl added that because the DG is virtually the exclusive form of communications it would impede constructive information exchange and that "would short change the public." When VOTE asked Beasley about the policy and USFS employees' concerns that it restricts free speech, he was evasive saying only that the policy had not yet been finalized. "We're along ways from issuing a [final] policy," he said. Is the Chief out of the loop? In a personal interview with Chief Thomas on Sept. 16, 1994, more than three months after the policy draft was released, he said he had not seen it. However, he did dismiss any notion that it was written to restrict any criticism. Because the interview exchange on this topic illuminates both the policy itself and his leadership, Thomas's comments are included verbatim: Thomas: "First there has been no decision made. It doesn't have anything to do with criticizing leadership. It has to do with jamming our electronic mail system. And then you begin to wonder, should taxpayers pay people to sit there and use the government's electronic mail system to do all this, or should they be doing it on the job. It doesn't matter that they can't criticize." VOTE: "I have seen the draft policy and it does say that Forest Service employees should not use the e-mail to criticize leadership and policy. Some would say that discussion of leadership and policy is what the taxpayers need and even deserve, and that, in the electronic age, this is the one way to do it." Thomas: "First, I haven't seen the policy. I know that there is one being prepared for my consideration... They can write anything they want. They have their own home computer. That is the question and I'm not sure I know what the answer is. I don't know if I'll approve the policy or not. I do know that the general complaints of the administration is that their employees are using a considerable amount of government equipment and government time on e-mail games. I'm not concerned about criticism one way or the other. I'm concerned about jamming and people using time to gossip." Interestingly, when management issued the second policy draft, the suspect provision on prohibiting criticism of leadership and policy was no where to be found -- until the very last page. Management had moved it from up front to the bottom. But it was still there. -------------------------------------------------------------- TAP-RESOURCES is an Internet Distribution List provided by the Taxpayer Assets Project (TAP). TAP was founded by Ralph Nader to monitor the management of government property, including information systems and data, government funded R&D, spectrum, allocation, public lands and mineral resources, and other government assets. TAP-RESOURCES reports on TAP activities relating to natural resources policy. To obtain further information about TAP send a note to tap@tap.org. Subscription requests to: listproc@tap.org with the message: subscribe tap-resources yourfirstname yourlastname --------------------------------------------------------------- Taxpayer Assets Project; P.O. Box 19367, Washington, DC 20036 v. 202/387-8030; f. 202/234-5176; internet: tap@tap.org ------------------------------ From: "Prof. L. P. Levine" Date: 29 Dec 1994 10:50:22 -0600 (CST) Subject: Info on CPD [unchanged since 12/29/94] Organization: University of Wisconsin-Milwaukee The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply. If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing. Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors. Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the SUBJECT: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons. A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Mosaic users will find it at gopher://gopher.cs.uwm.edu. Older archives are also held at ftp.pica.army.mil [129.139.160.133]. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of: Computer Privacy Digest Professor of Computer Science | and comp.society.privacy University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu | Gopher: gopher.cs.uwm.edu levine@cs.uwm.edu | Mosaic: gopher://gopher.cs.uwm.edu ---------------------------------+----------------------------------------- ------------------------------ End of Computer Privacy Digest V6 #014 ****************************** .