PRIVACYnotes

Department of Homeland Security
 


----------------------------------------------------------------------

Privacynotes Digest
Security Protecting Privacy is Good for Business

----------------------------------------------------------------------
Published by: Mike Banks Valentine Privacynotes
privacy@privacynotes.com www.privacynotes.com
----------------------------------------------------------------------
December 19, 2002 Issue #038
----------------------------------------------------------------------

.....IN THIS DIGEST.....

// -- MODERATOR COMMENT -- // ~ Mike Banks Valentine

// -- NEW DISCUSSION -- //

"Department of Homeland Security" ~ Bruce Schneier

// -- CONTINUING DISCUSSION -- //

"TIA" ~ R.K. Stephenson ~ Roy Troxel ~ John Bearins

// -- PRIVACY NEWS -- //

"The Latest in Privacy Issues"

----------------------------------------------------------------------

// -- MODERATOR COMMENT -- //

First, some housekeeping notes. There will be no Privacynotes until January 9 following this issue to allow some vacation time for our dear editor who plans to spend that time in the sunshine. Any posts in response to this issue will not see sunshine until then.

In a continuing effort to keep informed on privacy issues, I discovered a new source this week in a recommendation from subscriber Lynn Bernstein and would like to share that source with everyone. It is Declan McCullagh's Politech at http://www.politechbot.com/ where much discussion on TIA can be found. Much of that discussion was forwarded to me, but I recommend that you visit Politech yourself and read all the privacy commentary there. Very thoughtful stuff from some bright tech minds there. Declan McCullagh's contributions to CNET are a good read as well . . . see "Tech's Answer to Big Brother" at http://news.com.com/2010-1069-977908.html

A new concern this week comes to us from Internet powerhouse Verisign, Inc., which is pitching a system called "Online Consumer Identity Verification Service" to businesses in support of web services. Verisign will verify consumer identity for paying business clients, as per the press release at http://www.verisign.com/corporate/news/2002/pr_20021210c.html where the "Consumer Authentication Service (CAS)" system is described as follows:

"The authentication data entered by the consumer is automatically routed using XML and encryption through VeriSign's services and checked against a wide variety of best of breed data sources to cross-verify and risk-rank consumer identity in real time."

I wrote to the press contact on that corporate release at Verisign, Dave Berkowitz, asking him what those "data sources" were and whether the consumer was aware that it was occurring. His response was,

"My understanding is that we collect information from a number of public sources. Before entering information, consumers are asked in a prompt to confirm that they understand that by clicking on the I AGREE button immediately following an initial notice, they are providing "written instructions" under the Fair Credit Reporting Act authorizing the merchant and/or its partners to obtain information about them. Our customers using the data are not allowed to make decisions about the nominal applicant based on the data (e.g., John Doe has bad credit or lives in a bad area, so I won't take his order). If the consumer still wishes to "opt out" of sharing personal information, they simply DO NOT click on the I AGREE button."

They will surely be denied their purchase or site access at the point they decline to click that button. I'll agree that this is enough notice for most, but they will still have no idea what is going on and that those "public sources" are actually commercial sources that sell your information for a fee. I predict those sources will eventually be a target of consumer wrath if it leads to being unable to make online purchases of trivial or inexpensive items or allowing access to needed information online because you don't want to be "verified". I'd fully expect that my credit information not be shared unless I'm making a purchase with credit for a substantial amount of money, paid over time -- not visiting a web site simply to access information. The web services I am attempting to access should never be declined based on "Consumer Authentication Service (CAS)". I can understand rooting out fraud, but I can't understand why I'd agree to being "verified" at a web site.

An even bigger concern is what information Verisign then shares back with those "sources" over the course of multiple contacts with those consumers who are "verified" multiple times. Do the web services that they access become a part of a profile of their data? What web services are they using, how often do they use them and how is that information stored and shared over time and with whom? Verisign would then seem a great resource for TIA at that point. How does this differ from Microsoft Passport and other web services identity schemes? It is simply a matter of too much information under the control of one source.

 

// -- NEW DISCUSSION -- //

==> TOPIC: DEPARTMENT OF HOMELAND SECURITY

From: Bruce Schneier

[Moderator comment]: The following is an excerpt from the newsletter titled Crypto-Gram at Counterpane Internet Security, and you can view the full commentary at the following address:

http://www.counterpane.com/crypto-gram-0212.html#3

"Our nation would be less secure if the new Department of Homeland Security took over all security responsibility from the other departments. The last thing we want is for the Department of Energy, the Department of Commerce, and the Department of State to say: "Security; that's the responsibility of the Department of Homeland Security." Security is the responsibility of everyone in government. We won't defeat terrorism by finding a single thing that works all the time. We'll defeat terrorism when every little thing works in its own way, and together provides an immune system for our society. The new Department of Homeland Security needs to coordinate but not subsume."

Bruce Schneier Founder and CTO Counterpane Internet Security, Inc.

 

// -- CONTINUING DISCUSSION -- //

==> TOPIC: TIA

From: R.K. Stephenson

Re: Dirk Collins piece

I didn't have to read any further than the first sentence to know that there was little point in reading the whole article.

>> If what I understand is correct concerning the new Homeland Security Act, then the justice department won't have to make false statements in eavesdropping applications anymore... <<

When you start your treatise with an uninformed, unsubstantiated, paranoid-sounding assertion, you leave yourself with little credibility.

R.K. Stephenson

 

==> TIA

From: Roy Troxel

Your comparison with Nazi Germany is absurd, and here's why:

1. Following the Versailles Treaty, Germany was stripped of all its armed forces and weapons.

2. By 1930, the rate of unemployment in Germany was 25%, and its currency had been so devalued it was worthless. Almost a third of the population was living below the poverty line.

3. The German population was ethnically homogenous, so Hitler could appeal to the Germans' racial pride by always emphasizing their pain and deprivations following World War I.

There are no such parallel situations in present-day America.

I agree that the Homeland Security Department should be watched and monitored, and I don't care for Ashcroft or Kissinger, but "Nazi"?? Get real. Being paranoid is not going to solve the world's problems.

Best wishes,

Roy Troxel www.webservertimes.com

 

==> TIA

From: John Bearins

I assume that all my communication is "public". So I don't say much that I think. (This possibility used to be referred to as a "chill on public discourse".) Now we are all supposed to march in the same goose step, led by John Ashcroft and his Storm Troopers.

That being said, if you read about the rise of the Third Reich, I believe there are shocking parallels. I don't intend to wait until 1934 or later to respond. Next month I will be touring some other countries that still seem to value liberty and plan to move my family within the year.

It has been a good run in the U.S., but unfortunately all good things seem to come to an end at some point. That point is now.

Goodbye, the Bear

// -- PRIVACY NEWS -- //

Moderator note: There are two ways to access previously listed privacy news stories. One is to visit Privacynotes archives, the other (simpler) way is to visit

http://privacynotes.com/privacy_news.html where I also keep a privacy news archive.

Total Information Awareness Commentary

http://www.nytimes.com/2002/12/15/magazine/15TOTA.html

In their continuing struggle against telemarketers, consumers are powerless no more. Telemarketers who call hear this recorded message: "The number you are calling has Call Intercept, a service that requires callers whose telephone number does not appear on the Caller ID display to identify themselves before the call can continue." Few telemarketers take the trouble. Today, the Federal Trade Commission is expected to announce plans for a nationwide do-not-call list. Consumers have already signed up by the millions for the growing number of statewide do-not-call lists in more than half the states. And they are also turning to gadgets with names like Telezapper, and to services like Call Intercept (in effect, paying the phone company to help them cope with a nuisance brought to them, yes, through the phone company).

http://www.nytimes.com/2002/12/18/technology/18TELE.html

Canada's new system for collecting detailed information about airline passengers is gathering increased criticism from privacy advocates, who say the system violates Canadian law. The system, first announced two years ago and made operational in October, uses information collected from the airlines to screen all passengers on incoming flights as potential security threats.

http://www.nytimes.com/2002/12/12/international/americas/12CANA.html

Concerned about how federal access to their records would undermine readers' privacy, thousands of librarians gathered today around the country to hear televised advice about how to respond to government requests under last year's antiterrorism law. Although some of the librarians calling in from among the 250 sites in a national teleconference suggested defiance of the 2001 USA Patriot Act, all the speakers said proper federal requests for data should be dutifully complied with, but only when a proper court order was served and not just because an F.B.I. agent asked for information.

http://www.nytimes.com/2002/12/12/politics/12LIBR.html

Homeland Security Faces Privacy, Tech Hurdles

The federal government's effort to integrate 22 different organizations into the new Department of Homeland Security faces major technological, privacy and security hurdles, according to a Bush administration official.

http://makeashorterlink.com/?A540210C2

In 1996, General Motors began installing "Sensing Diagnostic Modules" (SDMs) in many of its new cars, unknown to those who bought them. The SDMs have the ability to record such data as the speed a car is driven and whether its occupants are wearing their seat belts. GM--which was subsequently sued over the use of SDMs by owners of GM vehicles who didn't like it one bit that the automaker was, in effect, recording their driving behavior without their knowledge or consent--claimed the SDMs were simply a means by which accurate data could be culled, especially as it related to motor-vehicle accidents.

http://makeashorterlink.com/?K33945FC2

A national ID card--complete with "biometric" identifiers, such as fingerprints or retinal scans--is coming. Only it's not being called that. House Resolution 4633, the "Driver's License Modernization Act of 2002," would, if passed, effectively create a national ID, no matter what its advocates might call it. The bill would require each state to adopt a "uniform standard" for driver's licenses and make them link their motor-vehicle databases to a central computer registry. In the language of the legislation, H.R. 4633 would "amend title 23, United States Code, to establish standards for state programs for the issuance of drivers' licenses and identification cards, and for other purposes," and would make use of "encoded biometric data matching the holder of the license or card."

http://makeashorterlink.com/?K66912FC2

If the idea of national ID cards being pushed by the American Association of Motor Vehicle Administrators gets traction, soon every American will be "inked"--or tagged by another biometric identifier, such as a retinal scan--all in order to make us "safer." Whether we'll be as free as we used to be is another matter, of course. The AAMVA wants $100 million from Congress to erect the first-ever (for the United States) national ID system, complete with centralized computer database to keep track of all 270 million of us.

http://makeashorterlink.com/?Y17923FC2

privacy@website101.com 5318 E. 2nd St. #789 Long Beach, CA 90803