Date: Thu, 26 Oct 95 13:46:14 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V7#034

Computer Privacy Digest Thu, 26 Oct 95              Volume 7 : Issue: 034

Today's Topics:                         Moderator: Leonard P. Levine

    Privacy of Email over the Internet
    Re: Author Profiles at Deja News
    Re: Author Profiles at Deja News
    Re: Author Profiles at Deja News
    Re: Author Profiles at Deja News
    Re: Author Profiles at Deja News
    Re: Author Profiles at Deja News
    Re: The Information Rights Act of 1996
    Re: The Information Rights Act of 1996
    Re: The Information Rights Act of 1996
    UC Berkeley Ethics of the Internet Conference
    Re: Inappropriate Access to Absentee Ballot Lists?
    Re: Inappropriate Access to Absentee Ballot Lists?
    Re: Call Blocking
    Clickshare(sm) alpha up; "test drives" available
    CDT POLICY POST No.27 -- Landmark Health Privacy Bill Introduced
    Info on CPD [unchanged since 08/18/95]

----------------------------------------------------------------------

From: mciseis@aol.com (McisEis)
Date: 25 Oct 1995 12:14:24 -0400
Subject: Privacy of Email over the Internet
Organization: America Online, Inc. (1-800-827-6364)

I've discovered an interesting software helping privacy of material we all send over the internet. The site address is: http://www.netvision.net.il/~vts/

------------------------------

From: converse@cs.uchicago.edu (Tim Converse)
Date: 25 Oct 1995 22:28:08 GMT
Subject: Re: Author Profiles at Deja News
Organization: Univ. of Chicago Computer Science Dept.

Eric Hunt writes:

    Upon learning from this discussion group of the Author Profiles available to anyone with a web client at Deja News (http://www.dejanews.com), I investigated. Sure enough, they had their database engine compile a summary of all the newsgroups I had posted to. At that point, I used their mailto: form to politely but firmly request that they remove me from their database, as I felt it was an invasion of my privacy.

I checked it out too, and it was sort of disturbing to see my author's profile. Does anyone have any sense of the legal situation here? That is, what rights if any does the author of a netnews article retain over its future distribution? Is it conceivable that I could post articles but not grant rights to duplicate them in this kind of "compilation"?

-- Tim Converse   U. of Chicago CS Dept.   converse@cs.uchicago.edu   (312) 702-8584

------------------------------

From: leppik@seidel.ncsa.uiuc.edu (Peter Leppik)
Date: 25 Oct 1995 19:35:13 -0500
Subject: Re: Author Profiles at Deja News
Organization: University of Illinois at Urbana

Eric Hunt wrote:

    By virtue of its entirely unmanageable size, UseNet was essentially a "private" place. Just as you can move to New York City and do *lots* of things that absolutely no one will notice, you could post to weird and potentially sensitive areas on UseNet and no one would be the wiser.

    [snip]

    Again, my point is this: there was an expectation of privacy with UseNet before your service.

Is it just me, or is the idea of an expectation of "privacy" in a USENET posting laughable? You compose a message, then broadcast it to literally millions of computers all around the world, with potentially tens of millions of readers, and unknown storage time, and you expect this to be "private"?

I might buy the notion that it is unethical to attempt to gather names of people who post to mailing lists (which are inherently limited distribution), but USENET, almost by definition, is the widest possible distribution for a given post in a given field.

This is hardly the first example of USENET filtering (cf. Kibo), and it won't be the last--nor the most convenient. When you post to USENET, you simply have to expect that anyone, anywhere might read your message for any reason.

Amusing aside: I use the SIFT Netnews filter to filter any message containing the word "Leppik" and mail it to me (make sure nobody's talking behind my back--it helps to have a very unusual name). This week, I was mailed a post from my younger brother in the Babylon 5 newsgroup (this was the first post he's made anywhere in a year or longer--since before I started using SIFT)....So I sent my brother a note explaining how I had SIFT configured, and added, "Big Brother is Watching You."

-- Peter Leppik   leppik@seidel.ncsa.uiuc.edu   Lost in the Information Supercollider   http://seidel.ncsa.uiuc.edu/

------------------------------

From: "Bill McClatchie"
Date: 24 Oct 1995 09:19:13 +0000
Subject: Re: Author Profiles at Deja News
Organization: the Twilight Zone

    I'd welcome any comments public or private on my arguments. Is the reality of UseNet completely different from the banners and net.guide documents, or am I being completely silly for assuming there was any expectation of privacy when posting to obscure newsgroups?

I think the biggest problem with this profile is what it leaves out. I am a frequent poster in a couple of big groups - yet I'm apparently not in their database (not that I'm complaining). And the profile could show someone as posting to groups like the alt.pedophilia.* groups, and quite possibly they won't have the article you followed up to which had an "unusual" follow-up line. Something like that ought to look good on a quick check of what you do online.

------------------------------

From: kf7qz@bcstec.ca.boeing.com (Ricky Scott)
Date: 26 Oct 1995 13:18:51 GMT
Subject: Re: Author Profiles at Deja News
Organization: The Boeing Company

Eric Hunt (ehunt@bga.com) wrote:

    I went to their feedback page and firmly but politely requested they remove my two active UseNet posting accounts from their database. I also informed them I would not bring out the lawyers but I would become very active elsewhere in UseNet to bring pressure on them to remove this service.

Eric. I did this also and I was wondering if you received their polite form letter. It was about how we compromise our privacy everyday on the net, etc etc etc. It's my feeling that yes I do in some way or form by posting but it was the way that they do it that bothers me. And the fact that they have an Authors profile.

--
Ricky J. Scott              | The comments expressed here in do not
Ship Side Support           | reflect the views of my company or my
767 Electrical              | supervisor. In fact they wish I would not
kf7qz@bcstec.ca.boeing.com  | express my opinions.

------------------------------

From: "David H. Klein"
Date: 26 Oct 1995 10:26:51 -0400 (EDT)
Subject: Re: Author Profiles at Deja News

On the issue of privacy in the Newsgroups, IMHO, the service such as Dejanews was bound to happen. I agree with it. In the form of communication of the usenet newsgroups, when you post, you are willfully making a public statement for the potential readership of millions of people.

If you would like to conduct a communication of users wishing to discuss a difficult issue, I would highly suggest a _private_ mailing list. The list is the form of internet communication which allows multiple people to talk without having to worry about public accountability.

Newsgroup parallels to other forms (or inefficiencies) of communication cannot necessarily apply in cyberspace. Remember, there is not a lack of the ability to discuss issues privately, only amongst the newsgroups (privacy is definitely not their overall purpose). The press has shown clearly that events and issues in cyberspace are public by reprinting them in the other mediums.

For more information on establishing a private mailing list, please send e-mail to mail-list@mail.cint.com

------------------------------

From: Ted Lemon
Date: 25 Oct 1995 20:48:51 -0700
Subject: Re: Author Profiles at Deja News

Eric Hunt writes:

    Just as you can move to New York City and do *lots* of things that absolutely no one will notice, you could post to weird and potentially sensitive areas on UseNet and no one would be the wiser.

Would that it were so. The fact of the matter is that archiving all news has never been a terribly difficult thing to do - all it takes is a lot of disk space. There are plenty of government agencies who have the money to do this sort of thing, both in the U.S. and abroad. Sure, none of your *friends* might be the wiser, but the gummint will be.

Actually, you don't even need a lot of disk space - just watch articles as they go by and record the number of times each user posts to each newsgroup. This gives you your marketing survey without wasting disk space on actual content. If you're the Secret Police, search for keywords like sugar, gas and tank, or spike and tree, or whatever, in the same sentence, and record articles that match. You'll still get all the monkey wrenching articles, but you won't have to store as much junk. This is all really easy, obvious stuff, unfortunately.

The UseNet is and always has been the equivalent of the podium at the Rialto. If you incriminate yourself, expect the Doge's men to come after you. If you behave badly, expect it to be remembered. There is a price to be paid for being a public personality, and posting to the UseNet makes you just that. For better or worse, it's probably a good thing that DejaNews is here to remind us of our mortality.

-- MelloN

------------------------------

From: Robert Gellman
Date: 26 Oct 1995 00:13:27 -0400 (EDT)
Subject: Re: The Information Rights Act of 1996

Dick Mills posted a message asking for suggestions about what might belong in an Information Rights Act.
This is a response.

Actually, it is a relatively easy question to answer. The code of fair information practices, a complete and coherent set of data protection principles, forms the basis for just about every modern privacy law around the world. There has been a tremendously strong policy convergence around these principles. Any new attempt to develop an information privacy law should start with the code. Most formulations look something like this:

A Code of Fair Information Practices

1) The Principle of Openness, which provides that the existence of record-keeping systems and databanks containing data about individuals be publicly known, along with a description of main purpose and uses of the data.

2) The Principle of Individual Participation, which provides that each individual should have a right to see any data about himself or herself and to correct or remove any data that is not timely, accurate, relevant, or complete.

3) The Principle of Collection Limitation, which provides that there should be limits to the collection of personal data, that data should be collected by lawful and fair means, and that data should be collected, where appropriate, with the knowledge or consent of the subject.

4) The Principle of Data Quality, which provides that personal data should be relevant to the purposes for which they are to be used, and should be accurate, complete, and timely.

5) The Principle of Use Limitation, which provides that there must be limits to the internal uses of personal data and that the data should be used only for the purposes specified at the time of collection.

6) The Principle of Disclosure Limitation, which provides that personal data should not be communicated externally without the consent of the data subject or other legal authority.

7) The Principle of Security, which provides that personal data should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure.
Sufficient resources should be available to offer reasonable assurances that security goals will be accomplished.

8) The Principle of Accountability, which provides that record keepers should be accountable for complying with fair information practices.

This version is derived from several sources, including codes developed by the Department of Health, Education, and Welfare (1973); Organization for Economic Cooperation and Development (1981); and Council of Europe (1981).

Bob

Robert Gellman                               rgellman@cais.com
Privacy and Information Policy Consultant
431 Fifth Street S.E.
Washington, DC 20003
202-543-7923 (phone)   202-547-8287 (fax)

------------------------------

From: rj.mills@pti-us.com (Dick Mills)
Date: 26 Oct 1995 07:39:04 -0400
Subject: Re: The Information Rights Act of 1996

I'll respond to my own challenge. (Did you think I wouldn't :)

I think there are only three principles needed to provide fundamental definition of rights.

1) Information is either public or private.

The net especially has been contributing to lack of clarity and confusion by failing to make this distinction. This week's furor over the Deja News service is a good example. "I want to post on the thousands of people who read the UseNet group but that doesn't mean I want the whole world to know. Not my employer, not my parents." Get real.

Private information is private only in that the owner takes specific steps to keep it private. For example, UseNet posters can use an anonymous remailer. If they don't then they have no right to expect their post to be treated as private. In the case of disputes, courts will have to look for evidence of specific efforts to keep the information private. In other words, these vague and indefinable "expectations of privacy" have to go.

2) Information providers, including consumers, have the right to enter legally binding contracts restricting the use of the information provided. No business or government may demand information not directly relevant to the transaction as a condition for commerce or services, nor to use the relevant information for secondary purposes except as granted by contract.

This is the means needed for citizens to take actions to keep their information as private as they wish. Contracts must follow all the standard conditions, including consideration for each side. If the phone company wants to sell your demographics to a mailer, they have to contract with you in writing, and offer consideration such as money. In real life, I don't expect the phone company to negotiate 300 million individual contracts, but in the absence of a written contract, they couldn't use anybody's information for secondary purposes. Commerce and government can offer incentives for people to make their information public.

It will probably be necessary to provide exceptions to this rule for law enforcement purposes.

3) Information gathered by lawful direct observation is owned by the observer.

If I see you buy something in a store, or I see you murder someone on a surveillance camera, or I read your post in UseNet, I gain information about you. That information is my property. I can sell it. You have no right to restrict me in its use. Abuses, like peeping Toms, are addressed by laws such as trespass, which make some kinds of observation unlawful.

Sometimes (3) may appear to conflict with (2). The grocery store can observe what you buy and sell the information under (3). However they can't demand to know your name, nor use the name from your check without entering a contract with you under (2). Of course if the grocer knows you anyhow, he won't need a contract.
The solution should be for you to conclude a contract with your grocer granting him some rights to use your information in exchange for consideration.

-- Dick Mills   +1(518)395-5154   http://www.albany.net/~dmills

------------------------------

From: prvtctzn@aol.com (Prvt Ctzn)
Date: 26 Oct 1995 13:09:22 -0400
Subject: Re: The Information Rights Act of 1996
Organization: America Online, Inc. (1-800-827-6364)

As technology tightens world community links, access to the avalanche of available personal information must be EFFECTIVELY regulated for the sake of us all. As the direct marketing industry has failed to effectively regulate itself in the past, its future `effort' in that regard will be judged as insufficient.

Who should manage personal information? Not the custodian of that information, but rather its owner/subject; the person that the information describes.

The mechanism for that management should require the custodian to have (before it may release or allow access to that data) a S.P.A.D.E. authorization from the owner/subject (O/S):

1) S pecific- custodian to itemize (for the O/S) all personal data it collected
2) P rior- release of data is denied until authorized by O/S (opt-in policy)
3) A ffirmative- the authorization must be given in a pro-active fashion by the O/S
4) D ocumented- the authorization must be recorded & available for inspection
5) E xpress- it must come directly from an O/S, no 3rd party transmittals

Information custodians who have your SPADE authorization, may allow others to dig into your private affairs concerning information held by that custodian.

SPADE authorizations may be revoked at any time. A SPADE authorization, held and transmitted by a third party will not be sufficient to access the S/O's information, unless the S/O and the custodian have negotiated such an allowance in advance.

SPADE violations would preferably be enforced through a `private right of action' available in a civil court.

The news media gets away with invading a person's privacy on the basis that the person they report on is a celebrity, and abandoned their expectation of privacy when they became that celebrity. The circular conundrum regarding this rationale is that, when the media reports on a person, that person becomes a celebrity. That logic now seems to be sweeping us all into a `privacy-challenged' society.

Unless we take charge of our privacy, others will.

Bob Bulmash
Private Citizen, Inc.
1/800-CUT-JUNK

------------------------------

From: Lisa Schiff
Date: 25 Oct 1995 12:52:51 -0700
Subject: UC Berkeley Ethics of the Internet Conference

----------------------------Original message----------------------------

This is an announcement regarding a one day conference on the Ethics of the Internet to be held on the UC Berkeley Campus, Saturday Nov. 18th (agenda outlined below). The conference is cosponsored by the UC Berkeley Division of Undergraduate and Interdisciplinary Studies, the UC Berkeley School of Information Management and Systems, and UC Berkeley Extension. Funding is provided by the Steven V. White Endowment for the Teaching of Ethics. Please feel free to repost this announcement.

The conference is open to the public ($35) and is free to UC Berkeley Students and Staff who pre-register with a UC ID. There is limited attendance, so if you are interested in attending, pre-registration is recommended. Please call UC Berkeley Extension at (510) 642-4111 (reference number EDP 391938). For more information go to the Web page for the conference: http://www.sims.berkeley.edu/conferences or send email to RKR@unx.berkeley.edu.

Hope to see you there.

Lisa Schiff
doctoral student
School of Information Management and Systems
UC Berkeley
lschiff@info.berkeley.edu

****************************************************************************

Ethics of the Internet
Saturday November 18
145 Dwinelle
UC Berkeley Campus
9:30 am - 4:30 pm

Welcome
    Dr. Hal R. Varian
    Dean, UCB School of Information Management and Systems

Setting the Stage: Ethics of the Internet
    Dr. Yale Braunstein
    Associate Professor, UCB School of Information Management and Systems

Morning: Perspectives on Access and Democracy

Access as an Ethics Issue: How Access to the Internet Affects Children
    Cynthia Samuels
    founding executive producer of Channel One; former planning producer of Today

Universal Access: Social and Political Implications.
    Karen Coyle
    Technical Specialist, University of California Library Automation Unit; Internet instructor; chair of the Berkeley chapter of Computer Professionals for Social Responsibility

Free Expression, Copyright, and Democracy.
    Steve Arbuss
    attorney and unofficial legal advisor to the Internal Interactive Communications Society (IICS); expert on privacy and authors' rights in cyberspace.

Panel of all 3 morning speakers answers remarks from student responders and questions from audience

Afternoon: Freedoms, Rights, and Crimes

Authenticity, Ownership, and Commercialism of Digital Images.
    Howard Besser
    Visiting Associate Professor, School of Information and Library Studies, University of Michigan; expert on image databases and the impact of multimedia and new information technologies.

Surveillance and Censorship on the Internet.
    Jim Warren
    MicroTimes columnist; founder of the Computers, Freedom and Privacy Conferences and InfoWorld Magazine; pioneer in computer-assisted political action and civil liberties advocacy.

Controlling Criminal Contamination of the NET.
    Don Ingraham
    Assistant District Attorney, Alameda County; head of the High Tech Crime Team; international consultant on computer crime and its prosecution.

Panel of all 3 afternoon speakers answers remarks from student responders and questions from audience.

Wrap-up and conclusion - Panel of all 6 speakers.

------------------------------

From: John Medeiros <71604.710@compuserve.com>
Date: 26 Oct 95 00:40:31 EDT
Subject: Re: Inappropriate Access to Absentee Ballot Lists?

clearnts@coho.halcyon.com (Steve Habib Rose) was surprised to get a political mailing based on his having used an absentee ballot in the past. He inquired as to the legality of absentee ballot lists.

Voter registration records and derivatives thereof are public records. I have not yet seen a service which had automated that information, unlike other public records such as property tax, property ownership and court records.

Should absentee voter lists be available? Personally, I have no objection. I can foresee that protecting voter records could make it difficult for minority parties to prove voter fraud. Should they be automated (on disks)? I see no other practical way but to use a computer to cross check to uncover several types of voter fraud. So how do you limit their use to purely beneficent purposes?

Is the existence of voter records as "public records" common knowledge? I knew it, but I would guess that most people outside of this list don't.

------------------------------

From: "Dennis G. Rears"
Date: 26 Oct 95 10:31:12 EDT
Subject: Re: Inappropriate Access to Absentee Ballot Lists?

Steve Rose writes:

    I live in Seattle, Washington. I just got a mailing from a candidate named Richard B. Sanders encouraging me to: "Mark your absentee ballot today..." I found this, shall we say, interesting, considering I also happened to get an absentee ballot this same day. This mailing was clearly addressed: "Attention Absentee Voter" and my next door neighbor, who had not ordered an absentee ballot, didn't get the same mailing.

This brings up things I had never thought of before. Voting information is a public record. Anyone can go to the township clerk and look at my voting record in Morris County. They will find my current address as well as all my addresses for the last 10 years.
They will find out my party affiliation (if I had one) as well as all the elections I voted in and did not vote in. They will find out how many times I voted absentee. We all know of the privacy implications. Why is this information public? To protect the integrity of the voting process. What's more important, the voting process or privacy issues? I don't know. Interesting question.

    Among my many questions:

    1. Is it legal to distribute to political campaigns the list of people who have asked for absentee ballots?

I think the question here is really "Does a candidate (or anyone) have access to who is filing for absentee ballots"? I would certainly hope so. This is a front line way of stopping absentee voter fraud.

    2. Should it be?

Yes. Maybe guidelines should be in place on what to do with this information.

    3. In what format is this information supplied, and to whom? Is it provided on disk, for convenience? Or "just" on easily scanned printouts? Is there a cost for this "public service"?

I think this depends on the individual township or county.

    4. Is it common knowledge that absentee ballot lists are made available in this fashion?

I would doubt it. It is common knowledge to people involved in the voting record process, just like ANI is common knowledge to telecom savvy people. People would be surprised just what information on them is available because it is public record: births, marriage, divorce, home ownership, and other information. Most newspapers publish real estate transactions. Never make the FBI fugitive list, on the wanted posters they publish the SSN of the criminal. Is that an invasion of privacy?

I would bet that Mr. Sanders doesn't even see this as a government/privacy issue. Candidates have always gone to the voting records. Why else do only democrats get democratic primary mailings and republicans republican mailings? When a process has always been done a certain way very few if any look at process. It's not right but it is human nature.

BTW, what is worse, that people have access to these records or the junk mail they send? I have problems with the access but I wonder what is the worse evil, lack of accountability of voting records or lack of privacy of records. If it is the junk mail, even if the access was denied they would probably end up junk mailing everyone. Either way we lose.

-- dennis

------------------------------

From: "Peter M. Weiss"
Date: 26 Oct 1995 08:47:59 -0400 (EDT)
Subject: Re: Call Blocking
Organization: Penn State University

Bell Atlantic-PA had proposed changing the monthly fee for Private Telephone Number Service from $1.75 to $3+. Fortunately, they rescinded it. Instead they upped the D.A. rates from $.40 to $.59 per call (after 2 "free" per month for residential service).

/Pete Weiss -- Penn State

------------------------------

From: "Newshare Corp."
Date: 24 Oct 1995 12:40:03 -0700
Subject: Clickshare(sm) alpha up; "test drives" available

CLICKSHARE UNIVERSAL-ID, PROFILING AND MICRO-TRANSACTION SYSTEM ENTERS ALPHA; PERSONALIZED "TEST DRIVES" BEGIN

WILLIAMSTOWN, Mass., Oct. 23 -- Newshare Corp. begins shipping to selected publishers this week the alpha version of its breakthrough Clickshare(SM) system to track and settle Internet-wide micro-transactions.

"Clickshare removes one of the biggest barriers to the evolution of the Internet by giving users universal-ID access to a free market for digital information," said Bill Densmore, Newshare president and cofounder. "Yet the information -- and the user relationship -- remain physically controlled by the publisher."

Clickshare's personal Newshare(sm) topic-profiling and custom-linking facilities are open for public use at . Transaction-handling capabilities, and an initial base of Publishing Members, will be launched in early 1996.

"At that point, publishers will be able to sell each others' information for as little as a dime per click, exchanging royalties and commissions seamlessly," added Densmore. "Internet Service Providers will be able to act as on ramps into this content universe as well."

Clickshare requires no special software for consumers beyond their Web browser and costs a publisher as little as $795 to join. Publishers can sell information by subscription or per-query to their own users, and set all pricing. Newshare is now soliciting a broader group of "beta" publishers.

"Publishers thinking toward the next century want to maintain a close relationship with their users," says David M. Oliver, Newshare's managing director-technology and principal Clickshare author. "And this implies registering them, profiling their interests and preferences, authenticating and verifying their use of resources, and billing them for charged items. Clickshare does this for publishers and for users in background, not in-your-face."

WHAT IS CLICKSHARE(sm)?

Clickshare is a complete, distributed, user-management system which provides the only true third-party validation of web usage. It differentiates "eyeballs" rather than just counting them. It protects personal privacy and the publisher/subscriber relationship.

Clickshare(SM) permits consumers to access information on multiple, unrelated Internet Web servers with a single ID and password. It gives publishers revenues not only from their own information but from the information their users buy elsewhere. And it gives advertisers the best way to measure web traffic by specific user.

"Clickshare's versatile architecture is core technology for a worldwide free market for digital communications -- a true information exchange," said Densmore.

Newshare Corp., is based in Berkshire County, Massachusetts, a region which has spawned several multimedia startups because of its high quality-of-life, accessibility to New York and Boston and good talent pool. Formed in September, 1994, it is privately held.

HOW IT WORKS

Clickshare has two principal components, Oliver says.
Clickshare-enhanced Web server software runs on publishers' computers as a primary piece of controlling software or as an adjunct to other UNIX-based server software. It logs user registration, authentication, personalization and micro-transactions.

The second piece of essential software, the Clickshare token-validation service (TVS) server, is run by Newshare Corp. or licensees. It creates and validates authentication tokens, brokers non-personal user preferences among publishers, and maintains "page visit" records from multiple independent sites sortable by anonymous user number, page visited and site ID.

"At no time does Clickshare know a user's name or demographic profile," says Oliver. "Only the user's home-base publisher has this information."

Clickshare has been called an example of "wise thinking" (Steve Outing, Editor & Publisher Interactive, Sept. 18, 1995) and "the excelsior that will allow web businesses to sell information by the page" (WEBster, Oct. 3, 1995).

Each user has a single "home base" at a Publishing Member (likely to be a local or speciality publication with whom they have a continuing relation). Clickshare users register just once with their home base, providing credit-card information by phone, fax, mail or secure Internet connection. At no time do credit-card numbers or other personal information traverse the Clickshare system.

Thereafter, a user begins a Clickshare(sm) session as simply as logging in to the online world in the first place. The user must enter a personal ID and password just once during each session. In response, their home Publishing Member provides them a personalized, updated, jumpoff page of useful links, based on the personal topical-interest profile the user provided at initial registration.

As they browse effortlessly to Clickshare-enabled and other sites, users can be confident that the link between their identity and their tracks does not go beyond their home Publisher.
Clickshare provides mechanisms to establish charge limits and receive periodic reports of charges.

The Clickshare-enhanced Web Server -- which is browser independent -- is provided to Member Publishers by Newshare Corp. free under license. Newshare's back-end service network exchanges data with the Internet servers of Clickshare-enabled sites, validating users and tracking all discrete page accesses -- chargeable or free -- across every participating site.

Clickshare tracks content served to users regardless of the location of their "home" Publishing Member. Aggregate micro-charges, settled monthly or more frequently, allocating commissions, royalties and transaction fees, thus form the basis of a system resembling an ATM network.

Clickshare leaves to each Publishing Member the marketing contours of its relationship to its customers. Each Publishing Member is thus free to use its own model for user subscription or per-page rates.

A portion of all fees accumulated by a user for all visited Clickshare-enabled sites is retained by the user's home Publishing Member. This is termed a "referral commission." And Newshare retains a portion for its role in tracking and clearing transactions. At least 50 percent of each transaction goes to the content owner as a royalty.

MORE THAN IP NUMBERS

Beyond the model of payment for access to information, because it tracks known users (rather than Internet Protocol (IP) numbers), Clickshare may also serve as a third-party circulation/viewership auditing mechanism for the advertising and publishing industry, while leaving to users control of release of demographic and other data, and respecting their desires for privacy.

"This transparent and efficient mechanism makes it economically practical to bill information purchases of as little as a dime and possibly less," says Oliver. "Thus Clickshare provides the platform on which the consumer of the 21st century can freely and conveniently access independently owned information worldwide, paying through existing credit structures."

For more news and information, send email to info(at)newshare.com or see: http://www.newshare.com/clickshare/

"Clickshare" and "Newshare" are registered servicemarks of Newshare Corp.

For media information contact: Felix Kramer, Kramer Communications, (212) 866-4864 (felix@newshare.com); all other queries to: Bill Densmore or Lynn Duncan at Newshare Corp., (413) 458-8001 (mail@newshare.com).

------------------------------

From: editor@cdt.org (editor@cdt.org)
Date: 24 Oct 1995 15:54:51 -0500
Subject: CDT POLICY POST No.27 -- Landmark Health Privacy Bill Introduced

------------------------------------------------------------------------
CENTER FOR DEMOCRACY AND TECHNOLOGY
POLICY POST        October 24, 1995        Number 27
------------------------------------------------------------------------
  A briefing on public policy issues affecting civil liberties online
------------------------------------------------------------------------
CDT POLICY POST Number 27                        October 24, 1995

CONTENTS: (1) Landmark Privacy Legislation Introduced in Senate -- Would Ensure Confidentiality of Medical Records
          (2) CDT Led Coalition Letter In Support of Bennett Bill
          (4) How To Subscribe To The CDT Policy Post Distribution List
          (3) About CDT, Contacting Us

This document may be re-distributed freely provided it remains in its entirety.
------------------------------------------------------------------------- (1) LANDMARK PRIVACY LEGISLATION INTRODUCED IN SENATE Bill Would Ensure Confidentiality of Medical Records Landmark privacy legislation designed to protect the confidentiality of medical records was introduced today in the Senate by Senators Robert Bennett (R-UT), Robert Dole (R-KS), Nancy Kassebaum (R-KS), Edward Kennedy (D-MA), and Patrick Leahy (D-VT). If enacted, the "Medical Records Confidentiality Act" would create strong, comprehensive, privacy safeguards for the health data of all Americans. Similar legislation has been introduced in the House by Representative Gary Condit (D-CA). As CDT Deputy Director Janlori Goldman stated during a press conference announcing the Introduction of the bill, "the Medical Records Confidentiality Act is desperately needed to close a gaping hole in current law that leaves peoples' most personal, sensitive information extremely vulnerable to abuse and misuse. Strong protections are needed to safeguard peoples' health records as the information moves on the Global information highway. Congress must seize the opportunity to pass this bill this session." Towards this end, CDT has organized a broad range of privacy and consumer advocates, along with representatives from the health care and information industries to work towards its passage. 
(see attached letter below)

The 'Medical Records Confidentiality Act' would:

* Give people the right to see, copy, and correct their own medical records;

* Limit disclosure of personal health information by requiring an individual's permission prior to disclosure of his or her health information by doctors, insurance companies, and other health information 'trustees' (e.g.: researchers and public health departments);

* Require the development of security guidelines for the use and disclosure of personal health information; and

* Impose strict civil penalties and criminal sanctions for violations of the Act, and provide individuals with a private right of action against those who mishandle their personal medical information.

CDT believes that strong uniform privacy rules for the handling of personal health data are critical to ensuring public trust and confidence in the emerging health information infrastructure. Recent studies by the Institute of Medicine and the Office of Technology Assessment have shown that state laws are inadequate to protect peoples' health records, and that a federal law is needed to address this shortfall.

More information, including the text of the bill and a section-by-section summary, is available from CDT's Health Information Privacy web page (URL:http://www.cdt.org/health_priv.html).

BACKGROUND -- THE NEED FOR MEDICAL RECORDS PRIVACY PROTECTIONS

The public is continually told that increased data collection, linkage and sharing is necessary to improve the quality of health care and reduce costs. Yet without giving individuals confidence that their most sensitive personal information will be protected, we risk falling short of these health reform goals. If people don't trust the health care system to maintain the confidentiality of personal health information, they will be reluctant to fully participate.
A 1993 Lou Harris poll shows that a majority of Americans favors new, comprehensive legislation to protect the privacy of medical records. The poll found that nearly 50 million people believe their own medical records have been improperly disclosed. It is no wonder individuals are nervous about the privacy of their health information. One need only read the paper to learn about leaks of the sensitive health information of politicians, sports figures, and celebrities. The ordeals of Representative Nydia Velazquez (D-NY) and the late tennis star Arthur Ashe expose the dire consequences that can occur when health information is wrongly disclosed. Both Velazquez and Ashe suffered the disclosure of the most private intimate details of their lives -- a suicide attempt and HIV infection respectively -- to the world. Public figures are not the only victims of unauthorized, egregious disclosures. The average American also suffers from leaks of sensitive medical information. Recently, information on the HIV status, drug-abuse history, and sexual practices of volunteers at an Ohio Health Department's AIDS prevention unit was wrongly disclosed. Following another breach of confidential information, the office closed for retraining. Weak security also leads to unauthorized internal access and misuse of peoples' health records. In March of this year, a 13-year-old daughter of a hospital clerk printed out the names and phone numbers of patients who had been treated at the University of Florida's Medical Center. As a hoax, the 13-year old girl then contacted seven patients and erroneously told them they were infected with HIV. After receiving one of these prank calls, a young girl attempted suicide believing she had the HIV virus. CDT believes that the Medical Records privacy act is the most important privacy bill since the Electronic Communications Privacy Act of 1986 (ECPA). 
Furthermore, enacting health information privacy legislation is a critical first step in health care reform. The Medical Records Confidentiality Act is supported by nearly everyone with a stake in the debate. If passed, CDT believes the legislation will go a long way to restore the public's faith and confidence in the integrity and security of our nation's health care system.

NEXT STEPS: The bill has been referred to the Senate Labor and Human Resources Committee (Chaired by Sen. Kassebaum (R-KS), a co-sponsor). Committee hearings are scheduled for mid-November, and the bill is expected to be considered by the full Senate early in 1996. Similar legislation is pending in the House (HR 435, sponsored by Rep. Condit (D-CA)).

For More Information Contact:

Janlori Goldman, CDT Deputy Director
Deirdre Mulligan, CDT Staff Counsel
+1.202.637.9800

------------------------------------------------------------------------

(2) CDT LED COALITION LETTER IN SUPPORT OF BENNETT BILL

October 20, 1995

Senator Robert Bennett
431 Dirksen Senate Office Bldg
Washington, DC 20510

Dear Senator Bennett:

We write to express our appreciation and strong support for your efforts to enact a comprehensive privacy law to protect personal health information. We believe that safeguarding the privacy of peoples' health information is a necessary and critical component of health care reform. As the health system's infrastructure grows increasingly automated, it is essential that people have confidence that their participation in the health care system does not mean the loss of their privacy.

Although we are still in the process of resolving certain issues in the draft Medical Records Confidentiality Act developed by your office, a substantial consensus has emerged on the central policy of providing Americans uniform, strong confidentiality protection for their health information. We look forward to continuing to work with you on this important bill.
Sincerely,

Aimee Berenson, AIDS Action Council
Kathleen Frawley, American Health Information Management Association
Rick Pollack, American Hospital Association
American Association of Retired Persons
Leonard Rubenstein, Bazelon Center for Mental Health Law
Joel Gimpel, Blue Cross and Blue Shield Association
Janlori Goldman, Center for Democracy and Technology
Arthur Levin, Center for Medical Consumers
Christopher G. Caine, IBM Corporation
Susan Jacobs, Legal Action Center
John Rector, National Association of Retail Druggists
Blair Horner, New York Public Interest Group
Don E. Detmer, M.D., University of Virginia Health Sciences Center

---------------------------------------------------------------------------

(3) HOW TO SUBSCRIBE TO THE CDT POLICY POST LIST

CDT Policy Posts, which is what you have just finished reading, are the regular news publication of the Center For Democracy and Technology. CDT Policy Posts are designed to keep you informed on developments in public policy issues affecting civil liberties online.

SUBSCRIPTION INFORMATION

1. SUBSCRIBING TO THE LIST

To subscribe to the policy post distribution list, send mail to "Majordomo@cdt.org" with:

    subscribe policy-posts

in the body of the message (leave the subject line blank)

2. UNSUBSCRIBING FROM THE LIST

If you ever want to remove yourself from this mailing list, you can send mail to "Majordomo@cdt.org" with the following command in the body of your email message:

    unsubscribe policy-posts youremail@local.host (your name)

(leave the subject line blank)

You can also visit our subscription web page URL:http://www.cdt.org/join.html

-----------------------------------------------------------------------

(4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US

The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC.
The Center's mission is to develop and advocate public policies that advance constitutional civil liberties and democratic values in new computer and communications technologies.

Contacting us:

General information: info@cdt.org
World Wide Web: URL:http://www.cdt.org
FTP URL:ftp://ftp.cdt.org/pub/cdt/

Snail Mail: The Center for Democracy and Technology
1001 G Street NW * Suite 500 East * Washington, DC 20001
(v) +1.202.637.9800 * (f) +1.202.637.0968

-----------------------------------------------------------------------
End Policy Post No. 27

------------------------------

From: "Prof. L. P. Levine"
Date: 18 Oct 1995 13:55:25 -0500 (CDT)
Subject: Info on CPD [unchanged since 08/18/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.
Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors.

[new: Ordinary copyrighted material should not be submitted. If a]
[copyright owner wishes to make material available for electronic]
[distribution then a message such as "Copyright 1988 John Doe.]
[Permission to distribute free electronic copies is hereby granted but]
[printed copy or copy distributed for financial gain is forbidden" would]
[be appropriate.]

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Web browsers will find it at gopher://gopher.cs.uwm.edu.

----------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Web: gopher://gopher.cs.uwm.edu
----------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V7 #034
******************************