Security Protecting Privacy is Good for Business
Published by: Mike Banks Valentine Privacynotes
December 19, 2002 Issue #038
.....IN THIS DIGEST.....
// -- MODERATOR COMMENT -- // ~ Mike Banks Valentine
// -- NEW DISCUSSION -- //
"Department of Homeland Security" ~ Bruce Schneier
// -- CONTINUING DISCUSSION -- //
"TIA" ~ R.K. Stephenson ~ Roy Troxel ~ John Bearins
// -- PRIVACY NEWS -- //
"The Latest in Privacy Issues"
// -- MODERATOR COMMENT -- //
First, some housekeeping notes. There will be no Privacynotes
until January 9 following this issue to allow some vacation time
for our dear editor who plans to spend that time in the sunshine.
Any posts in response to this issue will not see sunshine until
In a continuing effort to keep informed on privacy issues, I
discovered a new source this week in a recommendation from subscriber
Lynn Bernstein and would like to share that source with everyone.
It is Declan McCullagh's Politech at http://www.politechbot.com/
where much discussion on TIA can be found. Much of that discussion
was forwarded to me, but I recommend that you visit Politech yourself
and read all the privacy commentary there. Very thoughtful stuff
from some bright tech minds there. Declan McCullagh's contributions
to CNET are a good read as well . . . see "Tech's Answer to Big
Brother" at http://news.com.com/2010-1069-977908.html
A new concern this week comes to us from Internet Powerhouse,
Verisign, Inc. where they are pitching a system called "Online
Consumer Identity Verification Service" to businesses in support
of web services where Verisign will verify consumer identity for
paying business clients as per the press release at http://www.verisign.com/corporate/news/2002/pr_20021210c.html
where the "Consumer Authentication Service (CAS)" system is described:
"The authentication data entered by the consumer is automatically
routed using XML and encryption through VeriSign's services and
checked against a wide variety of best of breed data sources to
cross-verify and risk-rank consumer identity in real time."
I wrote to the press contact on that corporate release at Verisign,
Dave Berkowitz asking him what those "data sources" were and whether
the consumer was aware that it was occurring. His response was,
"My understanding is that we collect information from a number
of public sources. Before entering information, consumers are
asked in a prompt to confirm that they understand that by clicking
on the I AGREE button immediately following an initial notice,
they are providing "written instructions" under the Fair Credit
Reporting Act authorizing the merchant and/or its partners to
obtain information about them. Our customers using the data are
not allowed to make decisions about the nominal applicant based
on the data (e.g., John Doe has bad credit or lives in a bad area,
so I won't take his order). If the consumer still wishes to "opt
out" of sharing personal information, they simply DO NOT click
on the I AGREE button."
They will surely be denied their purchase or site access at
the point they decline to click that button. I'll agree that this
is enough notice for most, but they will still have no idea what
is going on and that those "public sources" are actually commercial
sources that sell your information for a fee. I predict those
sources will eventually be a target of consumer wrath if it leads
to being unable to make online purchases of trivial or inexpensive
items or allowing access to needed information online because
you don't want to be "verified". I'd fully expect that my credit
information not be shared unless I'm making a purchase with credit
for a substantial amount of money, paid over time -- not visiting
a web site simply to access information. The web services I am
attempting to access should never be declined based on "Consumer
Authentication Service (CAS)". I can understand rooting out fraud,
but I can't understand why I'd agree to being "verified" at a
An even bigger concern is what information Verisign then shares
back with those "sources" over the course of multiple contacts
with those consumers who are "verified" multiple times. Do the
web services that they access become a part of a profile of their
data? What web services are they using, how often do they use
them and how is that information stored and shared over time and
with whom? Verisign would then seem a great resource for TIA at
that point. How does this differ from Microsoft Passport and other
web services identity schemes? It is simply a matter of too much
information under the control of one source.
// -- NEW DISCUSSION -- //
==> TOPIC: DEPARTMENT OF HOMELAND SECURITY
From: Bruce Schneier
[Moderator comment]: The following is an excerpt from the newsletter
titled Crypto-Gram at Counterpane Internet Security and you can
view the full commentary at the following address,
"Our nation would be less secure if the new Department of Homeland
Security took over all security responsibility from the other
departments. The last thing we want is for the Department of Energy,
the Department of Commerce, and the Department of State to say:
"Security; that's the responsibility of the Department of Homeland
Security." Security is the responsibility of everyone in government.
We won't defeat terrorism by finding a single thing that works
all the time. We'll defeat terrorism when every little thing works
in its own way, and together provides an immune system for our
society. The new Department of Homeland Security needs to coordinate
but not subsume."
Bruce Schneier Founder and CTO Counterpane Internet Security,
// -- CONTINUING DISCUSSION -- //
==> TOPIC: TIA
From: R.K. Stephenson
Re: Dirk Collins piece
I didn't have to read any further than the first sentence to
know that there was little point in reading the whole article.
>> If what I understand is correct concerning the new
Homeland Security Act, then the justice department won't have
to make false statements in eavesdropping applications anymore...
When you start your treatise with an uninformed, unsubstantiated,
paranoid-sounding assertion you leave yourself with little credibility.
From: Roy Troxel
Your comparison with Nazi Germany is absurd, and here's why:
1. Following the Versailles Treaty, Germany was stripped of
all its armed forces and weapons.
2. By 1930, the rate of unemployment in Germany was 25%, and
its currency had been so devalued it was worthless. Almost a third
of the population was living below the poverty line.
3. The German population was ethnically homogenous, so Hitler
could appeal to the Germans' racial pride by always emphasizing
their pain and deprivations following World War I.
There are no such parallel situations in present-day America.
I agree that the Homeland Security Department should be watched
and monitored, and I don't care for Ashcroft or Kissinger, but
"Nazi"?? Get real. Being paranoid is not going to solve the world's
Roy Troxel www.webservertimes.com
From: John Bearins
I assume that all my communication is "public". So I don't say
much that I think. (This possibility used to be referred to as
a "chill on public discourse".) Now we are all supposed to march
in the same goose step, led by John Ashcroft and his Storm Troopers.
That being said, if you read about the rise of the Third Reich,
I believe there are shocking parallels. I don't intend to wait
until 1934 or later to respond. Next month I will be touring some
other countries that still seem to value liberty and plan to move
my family within the year.
It has been a good run in the U.S., but unfortunately all good
things seem to come to an end at some point. That point is now.
Goodbye, the Bear
// -- PRIVACY NEWS -- //
Moderator note: There are two ways to access previously listed
privacy news stories. One is to visit Privacynotes archives, the
other (simpler) way is to visit
where I also keep a privacy news archive.
Total Information Awareness Commentary
In their continuing struggle against telemarketers, consumers
are powerless no more. Telemarketers who call hear this recorded
message: "The number you are calling has Call Intercept, a service
that requires callers whose telephone number does not appear on
the Caller ID display to identify themselves before the call can
continue." Few telemarketers take the trouble. Today, the Federal
Trade Commission is expected to announce plans for a nationwide
do-not-call list. Consumers have already signed up by the millions
for the growing number of statewide do-not-call lists in more
than half the states. And they are also turning to gadgets with
names like Telezapper, and to services like Call Intercept (in
effect, paying the phone company to help them cope with a nuisance
brought to them, yes, through the phone company).
Canada's new system for collecting detailed information about
airline passengers is gathering increased criticism from privacy
advocates, who say the system violates Canadian law. The system,
first announced two years ago and made operational in October,
uses information collected from the airlines to screen all passengers
on incoming flights as potential security threats.
Concerned about how federal access to their records would undermine
readers' privacy, thousands of librarians gathered today around
the country to hear televised advice about how to respond to government
requests under last year's antiterrorism law. Although some of
the librarians calling in from among the 250 sites in a national
teleconference suggested defiance of the 2001 USA Patriot Act,
all the speakers said proper federal requests for data should
be dutifully complied with, but only when a proper court order
was served and not just because an F.B.I. agent asked for information.
Homeland Security Faces Privacy, Tech Hurdles
The federal government's
effort to integrate 22 different organizations into the new Department
of Homeland Security faces major technological, privacy and security
hurdles, according to a Bush administration official.
In 1996, General Motors began installing "Sensing Diagnostic
Modules" (SDMs) in many of its new cars, unknown to those who
bought them. The SDMs have the ability to record such data as
the speed a car is driven and whether its occupants are wearing
their seat belts. GM--which was subsequently sued over the use
of SDMs by owners of GM vehicles who didn't like it one bit that
the automaker was, in effect, recording their driving behavior
without their knowledge or consent--claimed the SDMs were simply
a means by which accurate data could be culled, especially as
it related to motor-vehicle accidents.
A national ID card--complete with "biometric" identifiers, such
as fingerprints or retinal scans--is coming. Only it's not being
called that. House Resolution 4633, the "Driver's License Modernization
Act of 2002," would, if passed, effectively create a national
ID, no matter what its advocates might call it. The bill would
require each state to adopt a "uniform standard" for driver's
licenses, and make them link their motor-vehicle databases to a central
computer registry. In the language of the legislation, H.R. 4633
would "amend title 23, United States Code, to establish standards
for state programs for the issuance of drivers' licenses and identification
cards, and for other purposes," and would make use of "encoded
biometric data matching the holder of the license or card."
If the idea of national ID cards being pushed by the American
Association of Motor Vehicle Administrators gets traction, soon
every American will be "inked"--or tagged by another biometric
identifier, such as a retinal scan--all in order to make us "safer."
Whether we'll be as free as we used to be is another matter, of
course. The AAMVA wants $100 million from Congress to erect the
first-ever (for the United States) national ID system, complete
with centralized computer database to keep track of all 270 million