Privacynotes Digest Protecting Privacy is Good for Business
Published by: Mike Banks Valentine Privacynotes
January 9, 2003 Issue #039
.....IN THIS DIGEST.....
// -- MODERATOR COMMENT -- //
// -- NEW DISCUSSION -- //
"Cars Invading Your Privacy" ~ Neil Schwartzman
// -- PRIVACY NEWS -- //
"The Latest in Privacy Issues"
// -- MODERATOR COMMENT -- //
Even though our editor at Privacynotes was on vacation for two
weeks, the news on privacy has not slowed much while we've been
away for the Christmas and New Year's Holidays. Hence the majority
of this issue is dedicated to the dozen or so news stories in
our Privacy News section.
I'd like to point out a particularly spooky story by Declan
McCullagh at CNet news and encourage everyone to read it and shiver
at the implications.
I'd also like to raise again the question that I posed in issue
#38 three weeks ago to refresh everyone's memory about an issue
that I believe to be important to the entire web industry, that
of the new Verisign service called "Online Consumer Identity Verification
Service." I have seen NO news coverage on this issue and wonder
if Verisign is doing a bang-up business with this new service
or if businesses are ho-hum about it too. I've certainly not been
asked by any online businesses to "click the I AGREE button" in
any of my personal or business transactions.
Verisign will verify consumer identity for paying business clients
as per the press release at http://www.verisign.com/corporate/news/2002/pr_20021210c.html
where the "Consumer Authentication Service (CAS)" system is described
"The authentication data entered by the consumer is automatically
routed using XML and encryption through VeriSign's services and
checked against a wide variety of best of breed data sources to
cross-verify and risk-rank consumer identity in real time."
I wrote to the press contact on that corporate release at Verisign,
Dave Berkowitz asking him what those "data sources" were and whether
the consumer was aware that it was occurring. His response was,
"My understanding is that we collect information from a number
of public sources. Before entering information, consumers are
asked in a prompt to confirm that they understand that by clicking
on the I AGREE button immediately following an initial notice,
they are providing "written instructions" under the Fair Credit
Reporting Act authorizing the merchant and/or its partners to
obtain information about them. Our customers using the data are
not allowed to make decisions about the nominal applicant based
on the data (e.g., John Doe has bad credit or lives in a bad area,
so I won't take his order). If the consumer still wishes to "opt
out" of sharing personal information, they simply DO NOT click
on the I AGREE button."
They will surely be denied their purchase or site access at
the point they decline to click that button. I'll agree that this
is enough notice for most, but they will still have no idea what
is going on and that those "public sources" are actually commercial
sources that sell your information for a fee. I predict those
sources will eventually be a target of consumer wrath if it leads
to being unable to make online purchases of trivial or inexpensive
items or allowing access to needed information online because
you don't want to be "verified". I'd fully expect that my credit
information not be shared unless I'm making a purchase with credit
for a substantial amount of money, paid over time -- not visiting
a web site simply to access information. The web services I am
attempting to access should never be declined based on "Consumer
Authentication Service (CAS)". I can understand rooting out fraud,
but I can't understand why I'd agree to being "verified" at a
An even bigger concern is what information Verisign then shares
back with those "sources" over the course of multiple contacts
with those consumers who are "verified" multiple times by CAS.
Do the web services that they access become a part of a profile
of their data? What web services are they using, how often do
they use them and how is that information stored and shared over
time and with whom? Verisign would then seem a great resource
for TIA at that point. How does this differ from Microsoft Passport
and other web services identity schemes? It is simply a matter
of too much information under the control of one single source.
I have a new proposal for 'Total Information Awareness' logo
since they have removed the previous version from their web site.
and Admiral Poindexter! This comes from sister publication I-HelpDesk
Mike Banks Valentine Privacynotes Discussion List
Protecting Privacy is Good for Business
// -- NEW DISCUSSION -- //
== > TOPIC: CARS INVADING YOUR PRIVACY
From: Neil Schwartzman
In Privacynotes #38 in a News Story link about Sensing Diagnostic
Modules is new GM cars said:
>> In 1996, General Motors began installing "Sensing Diagnostic
Modules" (SDMs) in many of its new cars, unknown to those who
bought them. The SDMs have the ability to record such data as
the speed a car is driven and whether its occupants are wearing
their seat belts. GM--which was subsequently sued over the use
of SDMs by owners of GM vehicles who didn't like it one bit that
the automaker was, in effect, recording their driving behavior
without their knowledge or consent--claimed the SDMs were simply
a means by which accurate data could be culled, especially as
it related to motor-vehicle accidents.
Your readers should be made aware of the fact that this technology
is not limited to GM. My New Beetle records speed, etc. as well.
I had an engine warning light come on, and the diagnostic print
out was quite revealing - time, date, and speed at which the problem
The problem is not inherent in the actual recording of said
data, but the potential of use by organizations other than Volkswagen.
Say, the constabulary, who wish to prove a speed limit was exceeded.
Not that I would ever even consider infracting any laws, of course.
Neil Schwartzman, peteMOSS Publications <http://spamNEWS.com>
// -- PRIVACY NEWS -- //
Moderator note: There are two ways to access previously listed
privacy news stories. One is to visit Privacynotes archives, the
other (simpler) way is to visit
where I also keep a privacy news archive.
The Bush administration has reduced by nearly half its initiatives
to tighten security for vital computer networks, giving more responsibility
to the new Department of Homeland Security and eliminating an
earlier proposal to consult regularly with privacy experts. An
internal draft of the administration's upcoming plan to improve
cybersecurity also no longer includes a number of voluntary proposals
for America's corporations to improve security, focusing instead
on suggestions for U.S. government agencies, such as a broad new
study assessing risks. The draft, however, continues to challenge
the need for any new regulations, saying mandates for private
industry would violate the nation's "traditions of federalism
and limited government." It said broad regulations would hamstring
security by creating a "lowest-common-denominator approach" and
could result in even worse security.
According to a survey from Harris Interactive, less than one-half
of US consumers believe online privacy notices are easy to find,
while 44% are certain that these notices often contain confusing
terms. For some industries, such as financial and health services,
consumer privacy elements are mandated by federal and state laws.
For other sectors, such as retail, not to post a privacy notice
online is a kiss of death. On the other hand, a prominent privacy
notice, with a consumer-friendly policy in place, can act as a
marketing boost. Too many people wind up in wrestling matches
with website privacy notices.
Editorial writers and other guardians of privacy have had a
field day with the reports that former Reagan National Security
Adviser John M. Poindexter has come back as a cross between Dr.
Strangelove and Big Brother. Poindexter is watching you, or soon
will be, his detractors suggest, as they lovingly detail his 1990
convictions (later reversed on appeal) for his lies to Congress
about the Iran-Contra affair. The Web site for Poindexter's "Total
Information Awareness" program at the Pentagon foolishly fans
such fears, featuring the slogan "Scientia Est Potentia"—Knowledge
Is Power—complete with an ominous, all-seeing eye atop a pyramid.
Imagine a world where every street corner is dotted with disposable
microcameras, equipped with face-recognition software that identifies
pedestrians and constantly updates their individual files with
up-to-the-minute location information. (Wearing masks won't help:
Many states already have antimask laws, and the rest would follow
suit if masks became sufficiently popular.) The microcameras are
linked through a network modeled on existing 802.11 wireless technology.
The wireless mesh also includes cameras devoted to spotting and
recording license plates and a third type that identifies people
by the way they walk.
To help identify potential terrorists, government agencies rely
heavily on the Interagency Border Inspection System. Known as
IBIS, it is a vast database of information on suspect individuals,
businesses, vehicles, aircraft and vessels. IBIS is derived from
the combination of dissimilar databases kept by the United States
Customs Service, the Immigration and Naturalization Service, the
State Department and 21 other federal agencies. A single name
— particularly a transcribed, transliterated or mistyped name
— can easily disappear in such a system.
Activists target Pentagon internet information head Internet
activists have a message for John Poindexter, the head of a controversial
Pentagon research project to find terrorists by searching the
everyday transactions of Americans: Threaten to invade our privacy,
we'll invade yours. They've plastered Poindexter's email address
and home phone number on dozens of web sites, forcing him to block
all incoming calls. They've posted satellite images of his suburban
Washington house and maps showing how to get there. And they've
created online forms to collect even more personal data on him.
In the Pentagon research effort to detect terrorism by electronically
monitoring the civilian population, the most remarkable detail
may be this: Most of the pieces of the system are already in place.
Because of the inroads the Internet and other digital network
technologies have made into everyday life over the last decade,
it is increasingly possible to amass Big Brother-like surveillance
powers through Little Brother means. The basic components include
everyday digital technologies like e-mail, online shopping and
travel booking, A.T.M. systems, cellphone networks, electronic
toll-collection systems and credit-card payment terminals.
The Denver police have gathered information on unsuspecting
local activists since the 1950's, secretly storing what they learned
on simple index cards in a huge cabinet at police headquarters.
When the cabinet filled up recently, the police thought they had
an easy solution. For $45,000, they bought a powerful computer
program from a company called Orion Scientific Systems. Information
on 3,400 people and groups was transferred to software that stores,
searches and categorizes the data. Then the trouble began. After
the police decided to share the fruits of their surveillance with
another local department, someone leaked a printout to an activist
for social justice, who made the documents public. The mayor started
The Bush administration is planning to propose requiring Internet
service providers to help build a centralized system to enable
broad monitoring of the Internet and, potentially, surveillance
of its users. The proposal is part of a final version of a report,
"The National Strategy to Secure Cyberspace," set for release
early next year, according to several people who have been briefed
on the report. It is a component of the effort to increase national
security after the Sept. 11 attacks.
"A typical tech-savvy consumer is likely to maintain separate
usernames and passwords for more than a dozen online resources,
including email servers, instant messaging clients, favorite retailers,
bank accounts, and so on. While this password glut may seem like
a simple annoyance for end users, in fact it's a concern that
online businesses should take seriously. Managing multiple online
accounts often means using the same password over and over, or
resorting to other, equally bad habits like writing account information
on Post-It notes and leaving them in obvious places. Every time
a user selects an easy-to-guess password, reuses a password at
multiple locations, or leaves one in plain view, that user compromises
not only his or her own identity, but system security as well.
And every time a user forgets a password, some company must expend
IT resources to reset it -- a cost that quickly adds up for businesses
with thousands of customers."
A special Foreign Intelligence Surveillance Court of Review
ruled on November 18, 2002 that the USA PATRIOT Act gave the Justice
Department the authority to use in criminal cases the special
and in some ways looser rules created for foreign intelligence
investigations. The court, which rejected arguments made by CDT,
ACLU and others in a friend of the court brief, nevertheless emphasized
that the law still required a finding of probable cause to believe
that the target of the surveillance was an agent of a foreign
power and was engaged in terrorism or activities in preparation
therefore. But oversight is difficult, as many targets are never
told they were the subject of surveillance.
The court's decision http://www.cadc.uscourts.gov/common/newsroom/02-001.pdf
CDT's brief, lower court decision / government's briefs http://www.cdt.org/security/usapatriot/implementation.shtml#surveillance
A team of scientists led by a Stanford University researcher
has been able to determine the ancestral history of more than
1,000 people not by seeing their faces or asking their family
histories, but by simply looking at their genes. The findings,
published today in the journal Science, suggests that though humans
are remarkably alike, a few telltale genetic mutations say more
about our ancestry than our eyes, skin or surnames. These tiny
genetic markers, once revealed, tell powerful stories about human
migration and history.