Date: Sat, 04 May 96 15:22:47 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#036

Computer Privacy Digest Sat, 04 May 96              Volume 8 : Issue: 036

Today's Topics:                         Moderator: Leonard P. Levine

    Medical Privacy Legislation
    Children on the Internet
    Prepaid Calling Card Stores Called Numbers
    Re A Far-Reaching Privacy Bill
    Re: Security and E-Commerce Information
    May 10 Workshop on Medical Privacy
    Senator Burns writes open Letter to Internet Community
    Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: Robert Gellman
Date: 29 Apr 1996 23:07:40 -0400 (EDT)
Subject: Medical Privacy Legislation

The moderator asked about the status of federal medical privacy
legislation. The main bill on Capitol Hill is S.1360 (the Bennett
bill). There was a hearing last year and a committee markup is expected
soon. It had been scheduled last week and this week, and is now
scheduled for next week. Don't bet the mortgage on that, but a markup
seems likely eventually. Significant revisions are in the works.

The House bill (HR 435, the Condit bill) has seen no action anywhere in
the House. Other bills have been rumored, but it is hard to see that
anything much will happen soon. But life in Congress is highly
unpredictable these days.

The only relevant bill that has passed either House is the Insurance
Portability bill (I don't have the number within reach). Both House and
Senate have passed different versions. The House bill includes a one
liner directing the Secretary of HHS to write privacy rules for
electronic health care data. This bill will be in conference soon and
the privacy outcome is uncertain at best. Both bills also include some
language preventing some use of genetic information in determining
preexisting conditions.

This is my latest understanding as of the end of last week.
Of course, everything is subject to change and interpretation in the
usual fashion.

+ + + + + + + + + + + + + + + + + + + + + + + + + +
+   Robert Gellman          rgellman@cais.com     +
+   Privacy and Information Policy Consultant     +
+   431 Fifth Street S.E.                         +
+   Washington, DC 20003                          +
+   202-543-7923 (phone)   202-547-8287 (fax)     +
+ + + + + + + + + + + + + + + + + + + + + + + + + +

------------------------------

From: "David E. Sorkin" <7sorkin@jmls.edu>
Date: 01 May 1996 00:47:14 GMT
Subject: Children on the Internet
Organization: John Marshall Law School

The John Marshall Law School Center for Informatics Law, in association
with the Illinois Privacy Council, announces the following conference:

CHILDREN ON THE INTERNET: A FORUM FOR PARENTS AND EDUCATORS.
Saturday, May 18, 1996, 8:30 am-5:30 pm, at The John Marshall Law
School, 315 South Plymouth Court, Chicago, Illinois.

The purpose of The Forum is to explore the benefits of the Internet and
online services and to learn about risks as well, so that informed
parents and educators can cooperate with service providers so as to
enjoy the advantages of the Internet while avoiding the negatives.

Panelists will demonstrate Internet resources available for children;
will discuss the potential for commercial manipulation of children,
invasions of privacy, access to objectionable materials, and other
risks; and will suggest appropriate roles and responsibilities of
parents, educators, and institutions in minimizing these risks.

The registration fee of $40 includes continental breakfast, lunch, and
conference materials. Registration deadline: May 13, 1996. Space is
limited.

For more information, call the Center for Informatics Law at (312)
987-1419, or e-mail privacy@jmls.edu. Information about the Forum is
also available on the World Wide Web at
http://www.jmls.edu/conf/ipcforum/.

--
David E. Sorkin (7sorkin@jmls.edu)
Associate Director, Center for Informatics Law,
The John Marshall Law School

------------------------------

From: wrfuse@mab.ecse.rpi.edu (Wm. Randolph U Franklin)
Date: 02 May 1996 23:13:13 GMT
Subject: Prepaid Calling Card Stores Called Numbers
Organization: ECSE Dept, Rensselaer Polytechnic Institute, Troy, NY, 12180 USA

If you use a prepaid calling card, then all the numbers that you call
may be stored permanently. (As I say this, it sounds all so reasonable;
however in the past I've been called paranoid by some Usenet readers
for even observing the possibility.)

My source is

    http://www.nando.net/newsroom/ntn/nation/050296/nation13_13359.html

a news article saying that the Oklahoma City bombing suspects used a
pre-paid phone calling card purchased in November 1993 thru the
Spotlight to make 634 calls to bomb suppliers, the truck rental
company, etc.

--
Wm. Randolph Franklin.

------------------------------

From: Pirkko Kallaper
Date: 30 Apr 1996 13:43:39 +0200
Subject: Re A Far-Reaching Privacy Bill

A few weeks ago I read about Far-Reaching Privacy bills and I'd like to
tell my opinion about it.

In Finland some businesses have placed for many years a few sentences
in their contracts like this which Glenn Foote wrote:

    you agree that all information contained herein and/or
    resulting[...]

Here in Finland a person can strike out such a sentence. I do so and I
do not have any problems while doing it

--
pirkko kallaperä
kallapep@atki.helbp.fi

------------------------------

From: Mich Kabay <75300.3232@CompuServe.COM>
Date: 30 Apr 96 09:30:38 EDT
Subject: Re: Security and E-Commerce Information

Joan Andreu (DCQ006@ps.uib.es) asked for URLs dealing with e-commerce
and security.
Here are some basic information-technology security pointers from my
MOSAIC browser hotlist:

Hotlist Security {
  Item CERT-CC
    http://www.sei.cmu.edu/technology/cert.cc.html
  Item CIAC Security Web Site
    http://ciac.llnl.gov/ciac/CIACHome.html
  Item Cryptorebel/Cypherpunk Page
    ftp://furmint.nectar.cs.cmu.edu/security/README.html
  Item Cypherpunks Home Page
    ftp://ftp.csua.berkeley.edu/pub/cypherpunks/Home.html
  Item Electronic Frontier Foundation
    http://www.eff.org/
  Item Galactus' homepage
    http://toad.stack.urc.tue.nl/~galactus/index.html
  Item InfoSec Heaven URL
    http://all.net/
  Item InfoSec News
    http://www.infosecnews.com/isn
  Item NCSA Home Page
    http://www.ncsa.com
  Item NIST Computer Security Resource Clearinghouse
    http://csrc.ncsl.nist.gov/
  Item Privacy Rights Clearinghouse
    gopher://pwa.acusd.edu/11/USDinfo/privacy
  Item Sources
    http://www.dso.com/sources/
  Item SRI Computer Science Laboratory
    http://www.csl.sri.com/sri-csl.html
  Item SRI-CSL-Security-Research
    http://www.csl.sri.com/sri-csl-security.html
}

You might also want to scan the archives of the RISKS FORUM DIGEST
which are available as described in that e-publication:

    RISKS ARCHIVES: "ftp ftp.sri.com login anonymous [YourNetAddress]
    cd risks or cwd risks, depending on your particular FTP. [...]
    [Back issues are in the subdirectory corresponding to the volume
    number.] Individual issues can be accessed using a URL of the form
    http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
    ftp://ftp.sri.com/risks

I hope you will let us know the results of your research by posting a
summary in a later issue of COMPUTER PRIVACY DIGEST.

[moderator: as do I.]

Best wishes,

--
M. E. Kabay, Ph.D. (Kirkland, QC) / Director of Education /
National Computer Security Association (Carlisle, PA)

------------------------------

From: James Love
Date: 30 Apr 1996 16:56:47 -0400 (EDT)
Subject: May 10 Workshop on Medical Privacy

Workshop on Medical Records Privacy

CO-SPONSORED BY:

    American Civil Liberties Union
    Consumer Project on Technology
    Computer Professionals for Social Responsibility
    Coalition for Patient Rights
    Electronic Privacy Information Center (EPIC)
    JRI Health Law Center

Friday, May 10, 9 a.m. to 5:30 p.m.
The Carnegie Institution
1530 P Street, NW, Washington, DC

The U.S. Senate is considering legislation that would pre-empt most
state laws on health care privacy, and create a new federal system
regulating access to medical records. The proposed legislation, S. 1360
is controversial. Many privacy groups say that S. 1360 provides far too
much access to personally identified medical records by insurance
companies, employers, schools, medical researchers, public health and
law enforcement officials. These groups say that technology has
outpaced policy, that the legislation fails to address the radical
changes in the way records are stored and disseminated, and that the
proposed legislation does more to promote access to records than to
assure patients that their medical records will be private.

Supporters of S. 1360 claim that the legislation strikes a balance
between the needs of industry and government and the patient's rights
to privacy, and that extensive third party access to personal medical
records is both inevitable and socially desirable.

The May 10 workshop features experts from a number of fields, and
tackles some of the most thorny controversies.

9:00 am    Who really controls access to medical records? What is
           coercive consent? What proposals would enhance patient
           control over access to records?

Lawrence Gostin, Professor of Law at Georgetown University Law Center
and Professor of Public Health at Johns Hopkins University School of
Hygiene and Public Health. Editor of JAMA's section on Health Law and
Ethics, and former Chair of President Clinton's Health Care Task Force
group on Privacy and the Health Care Infrastructure.

Mark Rothstein, Hugh Roy and Lille Cranz Cullen Distinguished Professor
of Law and Director of the Health Law and Policy Institute at the
University of Houston. Author of The Genome and the Future of Health
Care, and consultant to several federal agencies.

Anthony Kraus. Mr. Kraus is a principal with the firm of Miles &
Stockbridge, a litigator of invasion of privacy suits, and is active in
efforts to preserve medical privacy.

10:30 am   Non-consensual Access to Medical Records by Civil Litigants,
           Law Enforcement and Other Government Oversight Officials

Moderator, David Banisar. Policy Analyst, Electronic Privacy
Information Center (EPIC), Deputy Director of Privacy International,
Editor of Privacy Bulletin.

Don Haines, Attorney, American Civil Liberties Union.

Andrew Grosso, formerly the head of the first joint federal and state
health care fraud task force. Vice Chair of the ABA Criminal Justice
Section's Committee on Science and Technology, member of Association
for Computing's Committee on U.S. Public Policy (USACM).

A.G. Breitensten, Director of the JRI Health Law Institute (HLI),
Attorney with the JRI Health Law Center in Boston, Massachusetts. HLI
represents over 20 AIDS service Organizations in the Boston area who
are suing the Inspector general of Health and Human Services regarding
the Inspector General's claimed right to access and disclose the
identities of people receiving AIDS services from federally funded
organizations.

Noon to 1:30 p.m.   Lunch.

1:30 p.m.  Management of Medical Records. What types of security are
           desirable and feasible in computerized health care
           information systems?

Professor Ross Anderson.
Faculty member at Cambridge University Computer Laboratory and Security
Adviser to the British Medical Association. Professor Anderson is a
well known specialist in cryptography and computer security who has
developed a security policy model for medical records.

Professor James Fackler. Professor of Anesthesia and Pediatrics at
Harvard Medical School, Associate Director of Children's Hospital
Informatics Program. Professor Fackler's research includes explorations
of the use of the world-wide-web technologies for medical record
integration, and systems and policies for protecting patient privacy.

3:00 p.m.  Privacy of Mental Health records. State Efforts to Collect
           Medical Data.

Denise Nagel, MD. Psychiatrist in private practice, President of the
Coalition for Patient Rights of New England, Chair of Medical Privacy
Confidentially Project, Coalition for Patient Rights, Chair of the
Medical Privacy Coalition.

Mimi Azrael, Attorney in Private Practice with the firm Azrael, Gann
and Franz. A specialist in state laws concerning medical records
privacy.

Version 1.0

REGISTRATION

Registration isn't required, but it is appreciated (it helps us plan).
To register, please send a note to:

    Manon Anne Ress
    Consumer Project on Technology
    P.O. Box 19367, Washington, DC 20036
    Voice: 202/387-8030; Fax 202/234-5176
    Internet: mress@essential.org

    Name:
    Organization:
    Telephone:
    Fax:
    Internet:

------------------------------

From: akrause@Sunnyside.COM (Audrie Krause)
Date: 03 May 1996 00:23:51 -0700
Subject: Senator Burns writes open Letter to Internet Community

CPSR Members and Supporters,

U.S. Senator Conrad Burns is asking the Internet community to support
legislation that would promote the development and use of encryption
technology. CPSR is a member of the Internet Privacy Coalition (IPC),
which supports this legislation.
For more information on IPC, visit the CPSR web page at:

    http://www.cpsr.org/home/html

To receive alerts about encryption legislation, send a message to:

    IPC-announce@privacy.org

The body of the message should say:

    subscribe IPC-announce

To unsubscribe to *this* cpsr-announce list, send a message to:

    listserv@cpsr.org

The body of the message should say:

    unsubscribe cpsr-announce

###############################################################################

Sender: Conrad_Burns@burns.senate.gov

OPEN LETTER TO THE INTERNET COMMUNITY

May 2, 1996

Dear friends:

As an Internet user, you are no doubt aware of some of the hurdles the
federal government has put up that limit the growth and full potential
of exciting, emerging technologies. One of the most egregious of these
has been the governmentally set limits on so-called "encryption"
technologies. Today I am introducing a bill to address this major
problem for businesses and users of the Internet.

If the telecommunications law enacted this year is a vehicle to achieve
real changes in the ways we interact with each other electronically, my
bill is the engine that will allow this vehicle to move forward. The
bill would promote the growth of electronic commerce, encourage the
widespread availability to strong privacy and security technologies for
the Internet, and repeal the out-dated regulations prohibiting the
export of encryption technologies.

This legislation is desperately needed because the Clinton
administration continues to insist on restricting encryption exports,
without regard to the harm this policy has on American businesses'
ability to compete in the global marketplace or the ability of American
citizens to protect their privacy online. Until we get the federal
government out of the way and encourage the development of strong
cryptography for the global market, electronic commerce and the
potential of the Internet will not be realized.

The last thing the Net needs are repressive and outdated regulations
prohibiting the exports of strong privacy and security tools and making
sure that the government has copies of the keys to our private
communications. Yet this is exactly the situation we have today.

My new bill, the Promotion of Commerce On-Line in the Digital Era
(Pro-CODE) Act of 1996, would:

- Allow for the unrestricted export of "mass-market" or "public-domain"
  encryption programs, including such products as Pretty Good Privacy
  and popular World Wide Web browsers.

- Require the Secretary of Commerce to allow the unrestricted export of
  other encryption technologies if products of similar strength are
  generally available outside the United States.

- Prohibit the federal government from imposing mandatory key-escrow
  encryption policies on the domestic market and limit the authority of
  the Secretary of Commerce to set standards for encryption products.

Removing export controls will dramatically increase the domestic
availability of strong, easy-to-use privacy and security products and
encourage the use of the Internet as a forum of secure electronic
commerce. It will also undermine the Clinton Administration's "Clipper"
proposals which have used export restrictions as leverage to impose
policies that guarantee government access to our encryption keys.

The Pro-CODE bill is similar to a bill I co-authored with Senator
Patrick Leahy of Vermont, except that it highlights the importance of
encryption to electronic commerce and the need to dramatically change
current policy to encourage its growth. My bill does not add any new
criminal provisions and does not establish legal requirements for
key-escrow agents.

Over the coming months, I plan to hold hearings on this bill and
encourage a public debate on the need to change the Clinton
Administration's restrictive export control policies.
I will need your support as we move forward towards building a global
Internet that is good for electronic commerce and privacy. I look
forward to working with the Internet community, online activists, and
the computer and communications industry as this proposal moves through
Congress.

I'd like to hear from you, so please join me on two upcoming online
events to talk about the new bill. The first is on America Online in
the News Room auditorium at 9 p.m. Eastern Daylight Time on May 6. The
second will be on Hotwired's Chat at 9 p.m. EDT on May 13.

In the meantime, I need your help in supporting the effort to repeal
cryptography export controls. You can find out more by visiting my web
page http://www.senate.gov/~burns/. There you will find a collection of
encryption education resources that my Webmaster has assembled. I trust
that the entire Internet community, from the old-timers to those just
starting to learn about encryption, will find this information useful.

This bill is vital to all Americans, from everyday computer users and
businesses to manufacturers of computer software and hardware. I very
much look forward to working with you on this issue.

Conrad Burns
United States Senator

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

(The following program announcement comes from a CDT Policy Post. Email
me if you want the whole newsletter, which discusses the current
attempts to legalize encryption export.--Andy)

* SENATORS TO GO ONLINE TO DISCUSS BILLS, TAKE COMMENTS FROM NETIZENS

In an effort to bring the Internet Community into the debate and
encourage members of Congress to work with the Net.community on vital
Internet policy issues, Senator Burns and Senator Leahy will
participate in live, online discussions of the new legislation. CDT and
VTW, who are helping to coordinate these events, will publish the
transcripts of the sessions and encourage Netizens to participate.

Please join Senator Burns live online to discuss the Pro-CODE bill on:

* MONDAY, MAY 6 AT 9:00 PM ET IN AMERICA ONLINE'S NEWS ROOM AUDITORIUM

  Note that you will have to join AOL to participate in this chat. (If
  you aren't currently an AOL member, you can obtain the software by
  either a) finding one of those pervasive free floppy disks, or b) by
  using ftp to get it from ftp.aol.com (ftp://www.aol.com/))

* MONDAY, MAY 13 AT 9:00 ET AT HotWired's CLUB WIRED

  Visit http://www.hotwired.com/ for more information.

Senator Leahy will also conduct sessions on America Online and HotWired
in the next several weeks, dates and times are TBA (visit
http://www.crypto.com for updates)

--
Audrie Krause
CPSR Executive Director
PO Box 717 * Palo Alto, CA * 94302
Phone: (415) 322-3778 * Fax: (415) 322-4748
E-mail: akrause@cpsr.org
Web Page: http://www.cpsr.org/home.html

------------------------------

From: "Prof. L. P. Levine"
Date: 17 Mar 1996 09:14:50 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail.
Those who understand the technology also understand the ease of forgery
in this very free medium. Statements, therefore, should be taken with a
grain of salt and it should be clear that the actual contributor might
not be the person whose email address is posted at the top. Any user
who openly wishes to post anonymously should inform the moderator at
the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.
As a moderated newsgroup, attempts to post to the group are normally
turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute. If you do
so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored. They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious. Diversity is welcome, but not personal attacks. Do not
include entire previous messages in responses to them. Include your
name & legitimate Internet FROM: address, especially from .UUCP and
.BITNET folks. Anonymized mail is not accepted. All contributions
considered as personal comments; usual disclaimers apply. All reuses of
CPD material should respect stated copyright notices, and should cite
the sources explicitly; as a courtesy; publications using CPD material
should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission.
If selected, they are printed within two or three days. The moderator
reserves the right to delete extraneous quoted material. He may change
the Subject: line of an article in order to make it easier for the
reader to follow a discussion. He will not, however, alter or edit the
text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     |               and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Web: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V8 #036
******************************