Date: Fri, 15 Dec 95 14:26:56 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V7#051

Computer Privacy Digest Fri, 15 Dec 95              Volume 7 : Issue: 051

Today's Topics:                         Moderator: Leonard P. Levine

    A Privacy Problem?
    Re: Employer Abuse of Private Voicemail
    Re: Employer Abuse of Private Voicemail
    Seeking Info on Lawsuits re Junk e-mail
    Privacy Issues and Java
    Re: Cashless Society
    Avrami Case
    BC Commissioner Upholds Severing of Voter Addresses
    Computers, Freedom, and Privacy Conference
    The Privacy Pages
    The Computer Law Report #14
    Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: "Prof. L. P. Levine"
Date: 14 Dec 1995 08:33:11 -0600 (CST)
Subject: A Privacy Problem?
Organization: University of Wisconsin-Milwaukee

[moderator: I found this in my family room near the fireplace. It was covered with soot and seems to have been dropped down the chimney. I suspect it was meant as a humorous comment about our privacy problems.]

It has recently come to my attention that an offshore data collection operation has been discovered that appears to intrude into the privacy of our most innocent citizens. The CEO of this operation works on these citizens claiming to be willing to deliver gifts to each of them in return for personal and private information about their life styles, goals and wishes.

He claims to have collected massive amounts of data already; he asserts that he sees them when they are sleeping, that he knows when they are awake; he knows when they have been bad or good and implores them to be good for goodness sake.

I have it on good authority that the CEO of this operation has stationed agents who, wearing disguises, move among us collecting money from passers-by. These agents implore people to dig into their funds for charitable purposes.
Working in cahoots with more cynical citizens, other of his disguised agents offer to deliver gifts revealed through questionable interrogation processes of our innocents.

Even his delivery methods (involving James Bond like devices such as flying deer, magical sleds, penetration of private homes through apertures far too small for a normal man) are so extreme as to cause one to wonder how even the most naive among us can believe these assertions.

Furthermore, he is an international scofflaw: during the winter, when weather conditions make interception impossible, he flies unregistered aircraft across international borders without a passport, flies over cities below FAA minimum altitudes and generally behaves as a public nuisance.

In spite of all of these privacy intrusions I hope that he makes a safe landing at your house and leaves a fair number of appropriate holiday tokens for you and yours.

------------------------------

From: WELKER@a1.vsdec.nl.nuwc.navy.mil
Date: 13 Dec 1995 10:01:54 -0400 (EDT)
Subject: Re: Employer Abuse of Private Voicemail

I am looking for clarification on the rules (laws) behind employee privacy with regards to company voicemail systems. I have some understanding of the general rights of the employer, as it relates to his ownership, and therefore ultimate control, of these systems.

I will assume for purposes of this discussion that all employees signed an agreement stating they had read a company policy that says the company can monitor all calls on its telephone lines, so that this issue in itself is probably not actionable (it _might_ be illegal, but not worth following up) HOWEVER:

He has admitted his transgression out of "guilt" (his words) and she is understandably furious.

As I understand it, this is a textbook case of sexual harassment. Sexual harassment is ILLEGAL under FEDERAL law, provided that said employer was clearly informed that his advances were unwelcome. Go talk to the EEOC.

What laws has he broken?
Would this help her case in a sexual-harassment suit?

See above. There appears to be basis for civil and criminal liability based on sexual harassment statutes. I suspect that there is probably not a basis for action under wiretap statutes for the reason that all employees probably agreed to having their calls monitored, in writing (but this is an assumption). The exact nature of the beast may depend upon whether the person doing the monitoring was the business owner or just an immediate supervisor. If the latter, and the company had not explicitly authorized him to monitor calls, I should think he would be vulnerable under wiretap law in addition to sexual harassment.

DISCLAIMER: I ain't no goddamn bloodsucking lawyer. My employer has nothing to do with this.

------------------------------

From: Robert Gellman
Date: 13 Dec 1995 20:48:32 -0500 (EST)
Subject: Re: Employer Abuse of Private Voicemail

A question was posted here about the privacy of voice mail. I don't know if there is any decided case law in this area. There is at least one case in the courts now, I believe. In any event, I can't answer the legal questions posed. I doubt that anyone can with a high degree of confidence.

But there is a recent report on voice mail privacy. The Information and Privacy Commissioner in Ontario Canada released a report titled "Privacy Protection Principles for Voice Mail Systems" in October 1995. The report is about 25 pages long. It is a useful, thoughtful document.

There is a homepage for the IPC office in Ontario. I don't have the address within reach, but it should be easy to surf to it. The report may be available there or there may be a way to order a copy.

It won't help with current legal questions in the US, but it may help to figure out a reasonable policy.

+ + + + + + + + + + + + + + + + + + + + + + + + +
+   Robert Gellman          rgellman@cais.com   +
+   Privacy and Information Policy Consultant   +
+   431 Fifth Street S.E.                       +
+   Washington, DC 20003                        +
+   202-543-7923 (phone)   202-547-8287 (fax)   +
+ + + + + + + + + + + + + + + + + + + + + + + + +

------------------------------

From: Mark Eckenwiler
Date: 14 Dec 1995 17:20:21 -0500 (EST)
Subject: Seeking Info on Lawsuits re Junk e-mail
Organization: Saltieri, Poore, Nash, deBrutus & Short, Attorneys at Law

I would appreciate information (or pointers to same) concerning any attempts to use the TCPA (the federal anti-junk-fax law, 47 USC 227) to attack the senders of junk e-mail.

I am aware of at least one such proceeding (Robert Arkow v. CompuServe), but lack contact info for the plaintiff.

------------------------------

From: gindling@cs.colorado.edu (Jim Gindling)
Date: 13 Dec 1995 10:53:31 -0800
Subject: Privacy Issues and Java
Organization: Eskimo North (206) For-Ever

I had a question concerning privacy issues in relation to Java.

With the release of Windows 95 and Microsoft Network (MSN), in my opinion, Microsoft set a dangerous precedent violating personal privacy. From what I understand, Windows 95 has agents built in that gather statistics on the user's installed hardware and software. If the user is connected to a LAN, Windows 95 will gather statistics on all computers attached to that network. Then, the first time the user logs onto MSN, all that information is downloaded to the crew in Redmond for their personal use.

My concern is, with Java, will anybody who desires now be able to write applets that do similar statistic gathering chores? If so, is there any way to protect ourselves? I do not consider myself a paranoid person, but I do care about my personal privacy. I feel Microsoft has definitely crossed the line, and hope Java will not enable others to do the same.

Thanks in advance.
--
Jim Gindling
Software Engineer

------------------------------

From: JF_Brown@pnl.gov (Jeff Brown)
Date: 13 Dec 1995 20:11:56 +0000 (GMT)
Subject: Re: Cashless Society
Organization: Battelle Pacific Northwest Labs

haz1@kimbark.uchicago.edu says...

Oops. You were doing fine until you suggested downloading directly from an (identifiable) bank account into this "virtual wallet". Digital cash is a complex problem which has so far been solved (as far as I know) in only two ways: 1) By having a reliable institution (e.g. a bank) digitally sign a "packet" of cash; at each transfer of the cash, the recipient must check with the institution to verify that the packet has not already been used by its current possessor (the double-spending problem). Or, 2) by creating a tamper-proof card ("wallet") with a unique "signature" which identifies it (to prevent tampering or phony cards from passing unnoticed). [...] If you have a solution to this problem, by all means do post it; quite a few people will be elated to see this problem solved... :-)

How about:

. Digital cash which is "signed" by the creator of it.
. When put into a "wallet" it is signed by the owner of the "wallet". E.G.,
. To take money out of a "wallet" have the owner "sign" for the release of that cash from the "wallet".

The identity of the cash owner is known only to the cash owner, or actually to the cash owner's "wallet".

This provides: anonymity and prevents someone else from spending the cash in a "wallet" without knowing the signature.

--
Jeff Brown
JF_Brown@pnl.gov

------------------------------

From: "Prof. L. P. Levine"
Date: 14 Dec 1995 11:26:11 -0600 (CST)
Subject: Avrami Case
Organization: University of Wisconsin-Milwaukee

"Epic Alert" posted the following:

Avrahami Case Delayed

On November 27 Ram Avrahami appeared in Arlington district court to pursue his claim against US News & World Report. Mr.
Avrahami is charging that the magazine violated his property rights when it sold his personal information to another publication without his permission.

About a month prior to the scheduled court date, US News & World Report hired the Washington law firm of Shaw, Pittman. Subsequently, the magazine filed two elaborate procedural motions, attempting to deny Mr. Avrahami the opportunity to pursue the case in district court.

In one motion, US News & World Report urged the circuit court, a court higher up than the district court where Mr. Avrahami filed suit, to accept a motion for declaratory judgment in effect ruling that Mr. Avrahami could not proceed with his case. In a second motion to the district court, USN&WR urged the judge to stay the November 27 proceeding until the circuit court had ruled on the motion for declaratory judgment.

When Avrahami's attorney Jonathan Dailey responded to both motions, USN&WR then hastily moved for a continuance, arguing that it could not be fully prepared to go to trial on the scheduled trial date. (Shaw, Pittman is one of the largest law firms in Washington.)

On November 27, the district court judge denied the magazine's motion for a stay but granted the motion for continuance. The trial has been rescheduled for early February.

Additional information about the Avrahami case is available at: http://www.epic.org/privacy/junk_mail/

--
Leonard P. Levine                  e-mail levine@cs.uwm.edu
Professor, Computer Science        Office 1-414-229-5170
University of Wisconsin-Milwaukee  Fax 1-414-229-6958
Box 784, Milwaukee, WI 53201
PGP Public Key: finger llevine@blatz.cs.uwm.edu

------------------------------

From: bo774@freenet.carleton.ca (Kelly Bert Manning)
Date: 15 Dec 1995 17:48:08 GMT
Subject: BC Commissioner Upholds Severing of Voter Addresses
Organization: The National Capital FreeNet, Ottawa, Ontario, Canada

Commissioners Order No 69, which should soon be available at HTTP://espresso.cafe.net:80/gvc/FOI/orders (the 95-69 link currently points to a non-existent file)

The order confirms a decision by the District of Squamish to refuse access to the addresses of electors contained in a List of Registered Electors.

[moderator: the most interesting thing of the document for me is the conclusion, I have inserted it below:]

[...]

8. Order

I find that the provisions of the Municipal Act apply to authorize the District of Squamish to refuse access to the records in dispute. I also find, under section 22(1) of the Act, that it would be an unreasonable invasion of personal privacy of third parties for the District to disclose the records in dispute to the applicant, and that the District was required to refuse access.

Under section 58(2)(b) of the Act, I confirm the decision of the District of Squamish to refuse access under section 63 of the Municipal Act. Under section 58(2)(c) of the Act, I require the District of Squamish to refuse access to the records in dispute to the applicant under section 22.

------------------------------

From: hal@murren.ai.mit.edu (Hal Abelson)
Date: 13 Dec 1995 21:27:19 GMT
Subject: Computers, Freedom, and Privacy Conference
Organization: MIT Project MAC

Please redistribute widely

****************************************

The Sixth Conference on Computers, Freedom, and Privacy will take place at the Massachusetts Institute of Technology on March 27-30, 1996.
CFP96 is hosted by MIT and by the World Wide Web Consortium.

You can register for CFP96 by US Mail, by fax, or via the World Wide Web.

Conference attendance will be limited. Due to the enormous public interest in CFP issues over the past year, we encourage you to register early.

SPECIAL NOTE TO STUDENTS: There are a limited number of places available at a special student rate. These will be allotted on a first-come first-served basis, so register as soon as possible.

For more information, see the CFP96 Web page at

    http://web.mit.edu/cfp96

or send a blank email message to

    cfp96-info@mit.edu

Since its inception in 1991, the series of CFP conferences has brought together experts and advocates from the fields of computer science, law, business, public policy, law enforcement, government, and many other areas to explore how computer and telecommunications technologies are affecting freedom and privacy.

Events planned for this year's conference include:

- Federal prosecutors square off against civil-liberties lawyers in a mock Supreme Court test of the "Cryptography Control Act of 1996", which criminalizes non-escrowed encryption.

- Authors Pat Cadigan, Tom Maddox, Bruce Sterling, and Vernor Vinge divine the future of privacy.

- College administrators, students, lawyers, and journalists role-play scenarios that plumb the limits of on-line expression on campus networks.

- Panels on international issues in privacy and encryption; on the struggle to control controversial content on the Internet; on tensions between copyright of digital information and freedom of expression; on threats posed by electronic money to law enforcement, privacy, and freedom; on mass communication versus mass media.
--
Hal Abelson
Phone: (617) 253-5856   Fax: (617) 258-8682
Email: hal@mit.edu
URL: http://www-swiss.ai.mit.edu/~hal/hal.html

MIT Artificial Intelligence Laboratory
Room NE43-429
545 Technology Square
Cambridge, MA 02139

------------------------------

From: maildrop@aksi.net (Orlando Mail Drop)
Date: 15 Dec 1995 18:45:32 GMT
Subject: The Privacy Pages
Organization: Acquired Knowledge Systems, Inc.

*** THE PRIVACY PAGES ***

The Privacy Pages is a World Wide Web site devoted to the research and dissemination of important privacy issues. This site is sponsored by the Orlando Mail Drop.

In this age of electronic marvels, our basic human rights are being violated with more efficiency than ever before. Learn what you can do to protect yourself.

http://www.2020tech.com/maildrop/privacy.html

--
ORLANDO MAIL DROP
P.O. Box 608039 - Orlando, FL 32860-8039
Phone: (904) 357-3933 - Fax: (407) 862-6690 - Email: maildrop@2020tech.com
World Wide Web: http://www.2020tech.com/maildrop

------------------------------

From: Galkin@aol.com
Date: 14 Dec 1995 01:46:05 -0500
Subject: The Computer Law Report #14

*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
THE COMPUTER LAW REPORT
*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
December 14, 1995 [#14]

SORRY FOR THE DELAY SINCE THE LAST ISSUE. THIS ISSUE BEGINS A SERIES DISCUSSING PRIVACY RIGHTS IN THE DIGITAL AGE.

=====================================
GENERAL INFO: The Computer Law Report is distributed (usually) weekly for free and is prepared by William S. Galkin, Esq. The Report is designed specifically for the non-lawyer. To subscribe, send e-mail to galkin@aol.com. All information contained in The Computer Law Report is for the benefit of the recipients, and should not be relied on or considered as legal advice. Copyright 1995 by William S. Galkin.
=====================================
ABOUT THE AUTHOR: Mr.
Galkin is an attorney in private practice in Owings Mills, Maryland (which is a suburb of Baltimore), and has been an adjunct professor of Computer Law at the University of Maryland School of Law. Mr. Galkin has concentrated his private practice in the Computer Law area since 1986. He represents small startup, midsized and large companies, across the U.S. and internationally, dealing with a wide range of legal issues associated with computers and technology, such as developing, marketing and protecting software, purchasing and selling complex computer systems, and launching and operating a variety of online business ventures. He also enjoys writing about computer law issues!

===> Mr. Galkin is available for consultation with individuals and companies, wherever located, and can be reached as follows: E-MAIL: galkin@aol.com/TELEPHONE: 410-356-8853/FAX: 410-356-8804/MAIL: 10451 Mill Run Circle, Suite 400, Owings Mills, Maryland 21117

^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^
Articles in The Report are available to be published as columns in both print and electronic publications. Please contact Mr. Galkin for the terms of such usage.
^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^

*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
PRIVACY: WHAT IS IT?
*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+

[This is the first of a series of articles discussing privacy rights in the digital age.]

As the Information Age reaches maturity, its tentacles seem to stretch into every aspect of our lives. These fiber optic tentacles gather information from us often without our knowledge. Vast amounts of personal information are collected, sorted, organized by both government and private entities, and then used for a wide variety of purposes. Do we have any right to control the uses made of "our" information? Is there a right to privacy that provides us with some protection?

I remember once calling an 800 number.
The person who answered the phone knew my name and address immediately without my giving this information. Through use of a caller identification system linked to a data base sorted by phone numbers, they had personal information available instantaneously when people called. I was disturbed by the knowledge that making a telephone call could no longer be done with anonymity. I wondered how much information they had about me, where it was gleaned from, and whether I could have any control over how this information would be used.

It is important to identify what is meant by a right to privacy in the context of personal information. In 1928, the Supreme Court in Olmstead v. United States, explained the right to privacy as the right to be "left alone." While many will agree with this description, it will need to be much further refined to be useful for applying it in the many different situations where this right will arise.

Rather than trying to define the right to privacy at this point, it is better to look at some circumstances where such a right might arise:

(1) Where the government unlawfully seizes evidence of a crime and the evidence is then inadmissible in court. One example of this is where the unlawful seizure occurs in a location where the possessor of the information had a "reasonable expectation of privacy." Where a car is lawfully stopped by the police for a simple traffic violation, illegal objects that are in plain view from outside the car may be seized because there cannot be a reasonable expectation of privacy, but, without probable cause for suspicion, objects seized from the glove compartment would not be admissible because there is a reasonable expectation of privacy applicable to the glove compartment.

(2) Where government agencies or private entities are lawfully collecting personal data, but more data is collected than is needed to accomplish the purpose of the data collection.
The collection of this excess data might amount to an invasion of privacy, even though the data is never misused.

(3) Where information that has been lawfully collected is then disclosed (e.g., disclosure to the public under the Freedom of Information Act (FOIA) or disclosure to other entities). The courts have determined that since the purpose of the FOIA is to allow the public to monitor the activities of government, disclosure of personal data about individuals does not further this purpose, and therefore is not subject to disclosure under the FOIA. This conclusion results from balancing the public's right to access to government records and the privacy interests of individuals. Disclosure to third parties might be data transfer or data matching between government agencies or a business selling customer lists.

(4) Where information lawfully collected is not disclosed, but rather used for a purpose different than the purpose for which it was originally collected. For example, information collected pursuant to an application for a mortgage might be used for trying to sell other products or services offered by the same company.

(5) Where data lawfully collected is inaccurate. The classic case of this is the credit report. In this context, the right to privacy might be the right to examine and correct these records.

The "Right to Privacy" is a battle cry we often hear these days as we see our cherished realm of privacy being invaded by the onslaught of technology. However, legal scholars and the courts have had difficulty identifying the specific source of this right and defining its scope and application.

Many believe that this right emanates from the Constitution. While it may, the U.S. Supreme Court has never expressly recognized a constitutionally-based right to privacy relating to collection and use of personal data, except as regards disclosure in criminal law proceedings. In 1965, in the case of Griswold v.
Connecticut, the Supreme Court recognized a right to privacy relating to birth control counseling. This and subsequent cases identified the right to privacy relating to controlling an individual's life as relates to personal decisions. However, this does not provide a foundation for a right to privacy of personal information.

Others prefer to view the right to privacy as a property right, similar to the accepted corresponding property right found in the commercial context: trade secrets. As a property right, the owner of this information would have the right not to disclose the information and to restrict others who received this information through a permitted disclosure from further disclosure in a manner that is not inconsistent with the "owner's" expressed instructions.

The comparison of trade secrets law with a right to privacy of personal information is difficult to take too far because the primary requirements for establishing a trade secret are not usually present in personal data. These requirements are (1) the secret information has value because it provides an economic advantage over competitors and (2) the information is actually secret, and the owner made reasonable efforts to maintain the secrecy of the information.

First, in the personal information context, the information itself has no value to the "owner," rather it is the disclosure of the information that has a negative value, though usually in a noneconomic sense. Second, much of the information that people would like to keep secret is already lawfully in the possession of some company or government entity, and what we want is to stop further disclosure without our authorization.

When viewing the current legal landscape relating to the right to privacy of personal information, it is useful to consider that there may be no such single "right".
Rather privacy rights will take different forms depending upon the type of personal information involved, how it was gathered, and what it is being used for. These different forms may often have little to do with each other, and therefore need to be distinguished from one another. Some of these rights may actually emanate from the U.S. Constitution, others from state constitutions, and yet others from federal and state statutes and common law. In each context, the right is not absolute, but must be balanced against other competing interests of the public, law enforcement, government agencies and private commercial interests.

In future issues, we will examine various places that these rights are found. The following federal statutes are an example of the diversity: the Freedom of Information Act, the Electronic Communication Privacy Act of 1986, the Privacy Act of 1974, the Paperwork Reduction Act of 1980, the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act.

The purpose of this series is not to come up with a definition of the right to privacy or to identify its ultimate source. Rather, we will explore various legal sources of these rights along with examining vulnerable areas where no clear rights have yet become manifest. It will be left up to the readers to determine what definition might be appropriate in different circumstances, taking into account relevant competing interests.

-- END --

------------------------------

From: "Prof. L. P. Levine"
Date: 22 Nov 1995 14:25:54 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.
This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion.
He will not, however, alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Web: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V7 #051
******************************