Date: Wed, 15 Nov 95 07:01:16 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V7#041 Computer Privacy Digest Wed, 15 Nov 95 Volume 7 : Issue: 041 Today's Topics: Moderator: Leonard P. Levine Re: Unsolicited email Advertising Re: Unsolicited email Advertising Re: Unsolicited email Advertising Re: Unsolicited email Advertising Re: Copyright Notice Re: Phone Number Privacy Re: Phone Number Privacy Re: Health Privacy Legislation - Part II Re: First Interstate Bank's Inkless Fingerprint Program Re: First Interstate Bank's Inkless Fingerprint Program United Way uses SSN now Re: Can you Sue if Credit is Denied for Lack of SSN? Company Network email Reading by Network Ad/Sup? Info on CPD [unchanged since 08/18/95] ---------------------------------------------------------------------- From: bruno@cerberus.csd.uwm.edu (Bruno Wolff III) Date: 09 Nov 1995 21:31:44 GMT Subject: Re: Unsolicited email Advertising Organization: University of Wisconsin - Milwaukee haz1@kimbark.uchicago.edu (Bill) wrote: Unfortunately, there is no such thing as an "unlisted" email address; if you wish to receive legitimate responses to your posted comments, then it is also possible for someone to use that address to send you junk mail. Even using an anonymous-remailer does not shield you-- if you read replies to your posts, you will also find junk email. One way to handle unsolicited email is to use a mail filter that checks the digital signature of all incoming mail and discard all messages that don't come from a source permitted to send you mail. Right now this isn't practical because there isn't software that makes doing this convenient. In my opinion something like this will be necessary within the next few years because we will be receiving many more junk mail messages than useful ones. ------------------------------ From: Dave Mann Date: 09 Nov 1995 22:37:42 -0500 Subject: Re: Unsolicited email Advertising There have been many recent discussions about receipt of e-mail junk messages, spam, advertisements, all interrelated with an expectation of privacy on the internet. Privacy invasions always seem to be viewed as *someone* is using our name. (Jimi sang it well: *There's a Po-Liceman on the Corner and He Know My Name") I submit that we also should include what we do to ourselves (yep, let's stand right up and say "That incident was MY fault, not the provider, advertiser, other person". I can mention two stupid mistakes on my part, and I have been a computer user, engineer, manager, and programmer since 1963: big machines and little blivits. The day hasn't passed by since then that there weren't screwups that were my fault. Case One: subscribing to a group then neglecting to remember the name/server/domain combination under which I subscribed. How is the list adminstration going to unsubscribe me when I don't even know how I am subscribed? Not his fault; *my fault*. Case Two: sending my name off to a software purveyer asking for updates on their software. This generated an average of 100 messages per day until their mail machine went brain dead. I got what I wanted ... updates ... but also a whole forum full of other stuff. OK, my point here (if it isn't clear enuff yet) think before you send the message and if the spam starts rolling in, investigate how best to eliminate it just as you would deal with a particularly pesky bug review and repair. We can't always blame the other guy all the time ... it is easier to paranoically finger *the other guy*, but that undermines the system. Even the Clueless get off my hook too, they should have Mentors willing to help them answer questions like "What happened when I pushed that button?" rather than receive a nasty-gram telling them to RTFM, when they have RTFM but don't understand it because people like *us* write TFM. Privacy is certainly a right and not a privilege, but there are times when we do ourselves in. [May be attributed to Dave Mann, no copyright protection desired or sought, close cover before striking; you mileage may vary. Vlad the Impaler had his Good Points] ------------------------------ From: gmcgath@condes.MV.COM (Gary McGath) Date: 10 Nov 1995 12:45:43 GMT Subject: Re: Unsolicited email Advertising Organization: Conceptual Design haz1@kimbark.uchicago.edu (Bill) wrote: There's a big difference between one person doing something that annoys only yourself, and dozens (soon to be hundreds, at current rates of growth) of people doing something that annoys not only yourself, but also many other people. This may be the first junk email Philip Duclos has received, but I guarantee it won't be the last. I'm getting about one a week, and I know several people who get one almost every day. Junk email is a common problem, growing in proportion, that needs to be solved before it achieves the status of junk snail-mail. Deterring junk email by "calling the cops" is, in my view, a laudable public service. The number of people being annoyed does not convert annoyance into force or fraud; if it did, then one would have to accept the premise that a book or article which annoyed a sufficiently large number of readers could justifiably be censored. "Emotional harm" cannot be a justification for criminalization in a free society. A law which protects you from feeling annoyed would stomp on free communication. If sending unsolicited E-mail were a crime, then I could not use E-mail to contact an old friend whom I hadn't seen in years. Or if the law were that unsolicited E-mail is permitted with limitations on mailing list size and/or content, then it's guaranteed that as soon as someone sent out an alert against a deadly piece of legislation that some politician really wanted, that person would find his computer raided, his disks and laser printer seized, and himself threatened with prosecution. More broadly, what we have here is a variant on the old false alternative of "security vs. freedom"; here, the imagined alternative is "privacy vs. freedom." It's supposed that if only the government puts enough restrictions on E-mail, then nobody will dare to send us E-mail which we don't want, and we'll thus achieve privacy. But in implementing this, the government would be giving itself the right to police and examine E-mail; and once it had that power, we'd suffer a loss of privacy far more grievous than that resulting from unwanted advertisements. Give up freedom, and you give up privacy as well. If junk (snail) mail could have been fined under the law, back when it was just getting started, would you have been making similar remarks about someone who went to the trouble to punish the offenders? I certainly hope so. -- Gary McGath gmcgath@condes.mv.com http://www.mv.com/users/gmcgath ------------------------------ From: "John E. Bredehoft" <72604.2235@CompuServe.COM> Date: 11 Nov 1995 15:10:36 GMT Subject: Re: Unsolicited email Advertising Organization: CompuServe, Inc. (1-800-689-0736) haz1@kimbark.uchicago.edu (Bill) writes: Junk email is a common problem, growing in proportion, that needs to be solved before it achieves the status of junk snail-mail. Deterring junk email by "calling the cops" is, in my view, a laudable public service. I would *much* rather have to put up with the annoyance of junk mail of any medium. The idea of having some entity (governmental or otherwise) control my incoming mail is chilling. Market forces will take care of the more notorious junk e-mailers. As more businesspeople learn about Slaton's tactics and his effectiveness or lack thereof, his business will probably decrease. "Oh, *you're* the guy who sends e-mail to two-year old discontinued addresses. No, I'll pass..." -- John E. Bredehoft 72604.2235@compuserve.com ------------------------------ From: les@Steam.Stanford.EDU (Les Earnest) Date: 09 Nov 1995 23:42:13 GMT Subject: Re: Copyright Notice Organization: Stanford University, CA 94305, USA John C. Rivard writes: There is a fundamental distinction in copyright law that you cannot copyright an IDEA, but you can copyright the ESPRESSION of that idea. That is why it is a stated in US copyright law that the copyright is "automatically" created when an author first records the work in a "fixed, readable" form. The law specifically states that this form can be machine readable (a phonograph record or a computer disk, for example). Yes, but typing something into a computer doesn't necessarily record it locally in a "fixed, readable" form. Who owns the copyright if some other computer on the Internet is the first to record the work on its disk? And what if the person who typed it in is merely recording an oral statement made by someone else? Not clear in either case, it seems to me. -- Les Earnest (les@cs.stanford.edu) Phone: 415 941-3984 Computer Science Dept.; Stanford, CA 94305 Fax: 415 941-3934 ------------------------------ From: night@acm.rpi.edu (Trip Martin) Date: 09 Nov 95 23:50:57 GMT Subject: Re: Phone Number Privacy Organization: Rensselaer Polytechnic Institute, Troy NY, USA bcn@world.std.com (Barry C Nelson) writes: When you can see the redial button or memory on your telephone you KNOW that the information is stored there for the taking. When you have no knowledge of *69, you're information is being placed at risk by your phone company without you knowing about it. [...] I agree that it's somewhat paranoid for those of us with no secrets ;-) but it could be a shock to someone who finds out the hard way. I also agree with moderator's note that the biggest risk is to those who have an urge to keep their unlisted numbers private, yet make toll calls to people who have *69 features. One thing that is available in my area (518 area code) is call return blocking. It means that if I call someone, they can't call me back by using *69. I don't know if this is available in other areas, but it's worth asking about for those who are concerned about it. -- Trip Martin night@acm.rpi.edu ------------------------------ From: eichin@mit.edu Date: 10 Nov 95 20:52:32 EST Subject: Re: Phone Number Privacy Imagine you get a late-night phone call from a secret paramour and tell your spouse that it was a "wrong number." The suspicious spouse can just press *69 to call back your wrong number, and find out who it was, or wait for the phone bill and work from there. On a recent CD, folk singer Christine Lavin included a song actually titled "*69" about a similar, though different in the details, scenario... interesting from the "raising public awareness" perspective at least. ------------------------------ From: Robert Gellman Date: 09 Nov 1995 21:35:05 -0500 (EST) Subject: Re: Health Privacy Legislation - Part II This is the second in a series of postings with excerpts from studies of health privacy. These studies show uniformly that health records have inadequate legal protection today. From "Protecting Privacy in Computerized Medical Information" by the Office of Technology Assessment (1993): There is tremendous variation in the number and quality of State laws on medical confidentiality. While it may be difficult to generalize about the adequacy of State medical confidentiality laws, a report of the Committee on Government Operations of the House of Representatives concluded in 1980 that "most States do not have well defined, modern laws on the confidentiality of medical records." A survey of State statutes governing privacy in medical records published by Robert Ellis Smith emphasizes this point. These statutes, however, do not address the flow of medical information to secondary users outside the treatment process who are deemed to legitimately have access to the information. They do not address the responsibilities of third-party payers in handling this information, nor do they impose rules about the use of medical information by secondary users of that data: parties that use medical records for nonmedical purposes. This patchwork of law addressing the question of privacy in personal medical data is inadequate to guide the health care industry in carrying out its obligations in a computerized environment. * * * * * * * * * * * * * * * * Legal and ethical principles currently available to guide the health care industry with respect to obligations to protect the confidentiality of patient information are inadequate to address privacy issues in a computerized environment that allows for intra- and interstate exchange of information of research, insurance and patient care purposes. Lack of legislation in this area will leave the health care industry with little sense as to their responsibilities for maintaining confidentiality. It also allows for a proliferation of private sector computer databases and data exchanges without regulation, statutory guidance, or recourse for persons wronged by abuse of data. The scheme, as it exists, does not adequately take into account the tremendous outward flow of information generated in the health care relationship today . . . . This problem has always existed, but was not serious because medical records were only occasionally used outside the medical treatment process. The expanded use of medical records for nontreatment purposes exacerbates the shortcomings of existing legal schemes to protect privacy in patient information. The law must address the increase in the flow of data outward from the medical care relationship by both addressing the question of appropriate access to data and providing redress to those that have been wronged by privacy violations. Lack of such guidelines, and failure to make them enforceable could affect the quality and integrity of the medical record itself. Comment: The health privacy situation today is awful and it is getting worse. In the absence of new legislation, new and expanded uses of health records will continue to expand in a largely uncontrolled fashion. Private, computerized databases are unregulated and are growing. + + + + + + + + + + + + + + + + + + + + + + + + + + Robert Gellman rgellman@cais.com + + Privacy and Information Policy Consultant + + 431 Fifth Street S.E. + + Washington, DC 20003 + + 202-543-7923 (phone) 202-547-8287 (fax) + + + + + + + + + + + + + + + + + + + + + + + + + + ------------------------------ From: "Dave Banisar" Date: 10 Nov 1995 16:35:34 -0500 Subject: Re: First Interstate Bank's Inkless Fingerprint Program I understand that banks in AZ and TX are also demanding that anyone who does not have an account at a bank who wants to cash a check must be fingerprinted. They claim that the fingerprints are only used after a bad check appears. -------------------------------------- Date: 11/10/95 2:44 PM To: Dave Banisar From: Jim Warren Just received this prelim note from a net contact. At first blush, it sounds pretty scary for its privacy and surveillance *potential*, regardless of its initial purpose(s) -- regardless of whether it utilizes digital fingerprinting technology such as is (for instance) now used by the Calif DMV. Just wait until the start asking for a hair strand for genetic-marker proof of identity! (I'm joking. Aren't I?) === From: Rich.Woods@245.genesplicer.org (Rich Woods) Date: 03 Jan 00 23:22:31 -0800 Recently Wells Fargo Bank of CA took over First Interstate Bancorp. I bank at 1st Interstate in Nevada (Henderson, NV 13 miles outside of Las Vegas). I got the following information today from the bank (posted on their countertops) Introducing First Interstates Inkless Fingerprint Program ... === Rich is forwarding a copy of the bank's fingerprint-program brochure. Will write it up in GovAccess as soon as I get a chance. In the meantime, do other folks have information/thoughts? -- Jim Warren, GovAccess list-owner/editor (jwarren@well.com) Advocate & columnist, MicroTimes, Government Technology, BoardWatch, etc. === EXPLANATION OF WHAT GOVACCESS IS & WHERE TO FIND ITS ARCHIVES === GovAccess is a list distributing irregular info & advocacy regarding technology and civil liberties, citizen access to government - and government access to citizens, covert and overt. To add or drop GovAccess, email to Majordomo@well.com ('Subject' ignored) with message: [un]subscribe GovAccess YourEmailAddress (insert your eaddr) For brief description of GovAccess, send the message: info GovAccess ------------------------------ From: jdav@mcs.com (Jim Davis) Date: 13 Nov 95 13:27 CST Subject: Re: First Interstate Bank's Inkless Fingerprint Program The other big use of fingerprinting (outside of law enforcement) in CA is the use of electronic fingerprinting ofgeneral assistance welfare recipients in several CA counties (LA, Alameda, SF, Contra Costa, proposed for Santa Clara), and being tested for AFDC (mostly women & kids) in LA, with legislation (AB 275) propsing to alternatively extend it to 3 or 4 outher counties, or statewide. Since AFDC is a federally-mandated program, this would open the way for a national welfare database. I'm not sure of the status re: FBI standards for digital fingerprinting, but once those are in place, I should think we will see vendors supporting those standards, so we might/probably will see a convergence in storage techniques, and merging of databases. The welfare databases in CA, by the way, are not maintained by the various Dept of Social Services agencies, but are maintained by EDS out of their LA facility, and linked together by design. More and more goverment and other data is being handled by private firms like EDS as data processing activity is contracted out or privatized, as the NYT pointed out: "The rapid growth of EDS and its biggest competitors raises the intriguing question of how much of the nation's computing capacity will one day end up in the hands of a few computer services giants." (New York Times, October 30, 1991.) Finally, historically welfare programs have been important areas where new incursions on privacy vis-a-vis data gathering have been introduced and/or sold to the public. -- Jim Davis ------------------------------ From: wrf@ecse.rpi.edu (Wm. Randolph U Franklin) Date: 10 Nov 1995 03:39:41 GMT Subject: United Way uses SSN now Organization: ECSE Dept, Rensselaer Polytechnic Institute, Troy, NY, 12180 USA The United Way pledge form that my employer, Rensselaer Polytechnic Institute, a private university, sent me has my SSN printed on it along with my name. RPI probably printed the forms, so that United Way doesn't know my SSN, unless I contribute. Gee, that's a dilemma: should I give away money and thereby spread my SSN around, or keep my money and also keep my SSN a little more secret? I think that Death certificates often have the deceased's SSN on them. Dunno whether this is required by law, or whether the relevant government flunky just heavily suggests, w/o actually stating, that this is required. -- Wm. Randolph Franklin, wrf@ecse.rpi.edu, (518) 276-6077; Fax: -6261 ECSE Dept., 6026 JEC, Rensselaer Polytechnic Inst, Troy NY, 12180 USA ------------------------------ From: JF_Brown@pnl.gov (Jeff Brown) Date: 10 Nov 1995 22:21:34 +0000 (GMT) Subject: Re: Can you Sue if Credit is Denied for Lack of SSN? Organization: Battelle Pacific Northwest Labs jcr@mcs.com says... Not to be a fly in the ointment, but when they pulled your TRW with your name and address, your SSN appeared big and bold at the top of the screen. The question is, did they then add it to your bank records? The Credit Manager and I were in the same room when he looked up my credit record. Yes, my SSN was on the record. The Credit Manager promised that he would have my credit application processed without adding it to their records. BTW, I have other accounts at this institution, so they could have just transferred the number from there. They were up front about that also. -- Jeff Brown JF_Brown@pnl.gov ------------------------------ From: sanders@pipeline.com (John C. Sanders) Date: 12 Nov 1995 11:04:28 -0500 Subject: Company Network email Reading by Network Ad/Sup? Organization: The Pipeline We use Word Perfect Office for internal email where I work and we have a LAN over which the email runs. A friend and I were having a discussion about the issue of whether or not the LAN system administrator/supervisor has the capability to see, monitor, review, save the email of all employees. My friend says he has such a capability if he chooses to use it. It seems doubtful to me, though. This would make this LAN administrator/supervisor very powerful if he had access to everybodies email, especially the email of key people in the organization. Could a LAN administrator/supervisor have this capability and not know it? Can anyone cite any articles or other sources of information on this topic? ------------------------------ From: "Prof. L. P. Levine" Date: 18 Oct 1995 13:55:25 -0500 (CDT) Subject: Info on CPD [unchanged since 08/18/95] Organization: University of Wisconsin-Milwaukee The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply. If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing. Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors. [new: Ordinary copyrighted material should not be submitted. If a] [copyright owner wishes to make material available for electronic] [distribution then a message such as "Copyright 1988 John Doe.] [Permission to distribute free electronic copies is hereby granted but] [printed copy or copy distributed for financial gain is forbidden" would] [be appropriate.] Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons. A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Web browsers will find it at gopher://gopher.cs.uwm.edu. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of: Computer Privacy Digest Professor of Computer Science | and comp.society.privacy University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu | Gopher: gopher.cs.uwm.edu levine@cs.uwm.edu | Web: gopher://gopher.cs.uwm.edu ---------------------------------+----------------------------------------- ------------------------------ End of Computer Privacy Digest V7 #041 ****************************** .