Department of Homeland Security

Home | Privacy Links | Opt-Out



PRIVACYnotes #1

PRIVACYnotes #2
PRIVACYnotes #3
PRIVACYnotes #4
PRIVACYnotes #5
PRIVACYnotes #6
PRIVACYnotes #7
PRIVACYnotes #8
PRIVACYnotes #9
PRIVACYnotes #10
PRIVACYnotes #11
PRIVACYnotes #12
PRIVACYnotes #13
PRIVACYnotes #14
PRIVACYnotes #15
PRIVACYnotes #16
PRIVACYnotes #17
PRIVACYnotes #18
PRIVACYnotes #19
PRIVACYnotes #20
PRIVACYnotes #21
PRIVACYnotes #22
PRIVACYnotes #23
PRIVACYnotes #24
PRIVACYnotes #25
PRIVACYnotes #26
PRIVACYnotes #27
PRIVACYnotes #28
PRIVACYnotes #29
PRIVACYnotes #30
PRIVACYnotes #31
PRIVACYnotes #32
PRIVACYnotes #33
PRIVACYnotes #34
PRIVACYnotes #35
PRIVACYnotes #36
PRIVACYnotes #37
PRIVACYnotes #38
PRIVACYnotes #39
PRIVACYnotes #40
PRIVACYnotes #41

PRIVACYnotes Discussion List
Security Protecting Privacy is Good for Business

Respecting Privacy on the Web

Privacynotes Digest Protecting Privacy is Good for Business
Published by: Mike Banks Valentine Privacynotes
January 9, 2003 Issue #039

.....IN THIS DIGEST.....


// -- NEW DISCUSSION -- //

"Cars Invading Your Privacy" ~ Neil Schwartzman

// -- PRIVACY NEWS -- //

"The Latest in Privacy Issues"



Even though our editor at Privacynotes was on vacation for two weeks, the news on privacy has not slowed much while we've been away for the Christmas and New Year's Holidays. Hence the majority of this issue is dedicated to the dozen or so news stories in our Privacy News section.

I'd like to point out a particularly spooky story by Declan McCullagh at CNet news and encourage everyone to read it and shiver at the implications.

I'd also like to raise again the question that I posed in issue #38 three weeks ago to refresh everyone's memory about an issue that I believe to be important to the entire web industry, that of the new Verisign service called "Online Consumer Identity Verification Service." I have seen NO news coverage on this issue and wonder if Verisign is doing a bang-up business with this new service or if businesses are ho-hum about it too. I've certainly not been asked by any online businesses to "click the I AGREE button" in any of my personal or business transactions.

Verisign will verify consumer identity for paying business clients as per the press release at where the "Consumer Authentication Service (CAS)" system is described as follows,

"The authentication data entered by the consumer is automatically routed using XML and encryption through VeriSign's services and checked against a wide variety of best of breed data sources to cross-verify and risk-rank consumer identity in real time."

I wrote to the press contact on that corporate release at Verisign, Dave Berkowitz asking him what those "data sources" were and whether the consumer was aware that it was occurring. His response was,

"My understanding is that we collect information from a number of public sources. Before entering information, consumers are asked in a prompt to confirm that they understand that by clicking on the I AGREE button immediately following an initial notice, they are providing "written instructions" under the Fair Credit Reporting Act authorizing the merchant and/or its partners to obtain information about them. Our customers using the data are not allowed to make decisions about the nominal applicant based on the data (e.g., John Doe has bad credit or lives in a bad area, so I won't take his order). If the consumer still wishes to "opt out" of sharing personal information, they simply DO NOT click on the I AGREE button."

They will surely be denied their purchase or site access at the point they decline to click that button. I'll agree that this is enough notice for most, but they will still have no idea what is going on and that those "public sources" are actually commercial sources that sell your information for a fee. I predict those sources will eventually be a target of consumer wrath if it leads to being unable to make online purchases of trivial or inexpensive items or allowing access to needed information online because you don't want to be "verified". I'd fully expect that my credit information not be shared unless I'm making a purchase with credit for a substantial amount of money, paid over time -- not visiting a web site simply to access information. The web services I am attempting to access should never be declined based on "Consumer Authentication Service (CAS)". I can understand rooting out fraud, but I can't understand why I'd agree to being "verified" at a web site.

An even bigger concern is what information Verisign then shares back with those "sources" over the course of multiple contacts with those consumers who are "verified" multiple times by CAS. Do the web services that they access become a part of a profile of their data? What web services are they using, how often do they use them and how is that information stored and shared over time and with whom? Verisign would then seem a great resource for TIA at that point. How does this differ from Microsoft Passport and other web services identity schemes? It is simply a matter of too much information under the control of one single source.

I have a new proposal for 'Total Information Awareness' logo since they have removed the previous version from their web site. Take a look at this wonderful javascript tip of the hat to TIA and Admiral Poindexter! This comes from sister publication I-HelpDesk WebReview.

Mike Banks Valentine Privacynotes Discussion List
Protecting Privacy is Good for Business


// -- NEW DISCUSSION -- //


From: Neil Schwartzman

In Privacynotes #38 in a News Story link about Sensing Diagnostic Modules is new GM cars said:

>> In 1996, General Motors began installing "Sensing Diagnostic Modules" (SDMs) in many of its new cars, unknown to those who bought them. The SDMs have the ability to record such data as the speed a car is driven and whether its occupants are wearing their seat belts. GM--which was subsequently sued over the use of SDMs by owners of GM vehicles who didn't like it one bit that the automaker was, in effect, recording their driving behavior without their knowledge or consent--claimed the SDMs were simply a means by which accurate data could be culled, especially as it related to motor-vehicle accidents. <<

Your readers should be made aware of the fact that this technology is not limited to GM. My New Beetle records speed, etc. as well. I had an engine warning light come on, and the diagnostic print out was quite revealing - time, date, and speed at which the problem occurred.

The problem is not inherent in the actual recording of said data, but the potential of use by organizations other than Volkswagen. Say, the constabulary, who wish to prove a speed limit was exceeded. Not that I would ever even consider infracting any laws, of course.

Neil Schwartzman, peteMOSS Publications <> <> <>


// -- PRIVACY NEWS -- //

Moderator note: There are two ways to access previously listed privacy news stories. One is to visit Privacynotes archives, the other (simpler) way is to visit where I also keep a privacy news archive.

The Bush administration has reduced by nearly half its initiatives to tighten security for vital computer networks, giving more responsibility to the new Department of Homeland Security and eliminating an earlier proposal to consult regularly with privacy experts. An internal draft of the administration's upcoming plan to improve cybersecurity also no longer includes a number of voluntary proposals for America's corporations to improve security, focusing instead on suggestions for U.S. government agencies, such as a broad new study assessing risks. The draft, however, continues to challenge the need for any new regulations, saying mandates for private industry would violate the nation's "traditions of federalism and limited government." It said broad regulations would hamstring security by creating a "lowest-common-denominator approach" and could result in even worse security.

According to a survey from Harris Interactive, less than one-half of US consumers believe online privacy notices are easy to find, while 44% are certain that these notices often contain confusing terms. For some industries, such as financial and health services, consumer privacy elements are mandated by federal and state laws. For other sectors, such as retail, not to post a privacy notice online is a kiss of death. On the other hand, a prominent privacy notice, with a consumer-friendly policy in place, can act as a marketing boost. Too many people wind up in wrestling matches with website privacy notices.

Editorial writers and other guardians of privacy have had a field day with the reports that former Reagan National Security Adviser John M. Poindexter has come back as a cross between Dr. Strangelove and Big Brother. Poindexter is watching you, or soon will be, his detractors suggest, as they lovingly detail his 1990 convictions (later reversed on appeal) for his lies to Congress about the Iran-Contra affair. The Web site for Poindexter's "Total Information Awareness" program at the Pentagon foolishly fans such fears, featuring the slogan "Scientia Est Potentia"—Knowledge Is Power—complete with an ominous, all-seeing eye atop a pyramid.

Imagine a world where every street corner is dotted with disposable microcameras, equipped with face-recognition software that identifies pedestrians and constantly updates their individual files with up-to-the-minute location information. (Wearing masks won't help: Many states already have antimask laws, and the rest would follow suit if masks became sufficiently popular.) The microcameras are linked through a network modeled on existing 802.11 wireless technology. The wireless mesh also includes cameras devoted to spotting and recording license plates and a third type that identifies people by the way they walk.

To help identify potential terrorists, government agencies rely heavily on the Interagency Border Inspection System. Known as IBIS, it is a vast database of information on suspect individuals, businesses, vehicles, aircraft and vessels. IBIS is derived from the combination of dissimilar databases kept by the United States Customs Service, the Immigration and Naturalization Service, the State Department and 21 other federal agencies. A single name — particularly a transcribed, transliterated or mistyped name — can easily disappear in such a system.

Activists target Pentagon internet information head Internet activists have a message for John Poindexter, the head of a controversial Pentagon research project to find terrorists by searching the everyday transactions of Americans: Threaten to invade our privacy, we'll invade yours. They've plastered Poindexter's email address and home phone number on dozens of web sites, forcing him to block all incoming calls. They've posted satellite images of his suburban Washington house and maps showing how to get there. And they've created online forms to collect even more personal data on him.

In the Pentagon research effort to detect terrorism by electronically monitoring the civilian population, the most remarkable detail may be this: Most of the pieces of the system are already in place. Because of the inroads the Internet and other digital network technologies have made into everyday life over the last decade, it is increasingly possible to amass Big Brother-like surveillance powers through Little Brother means. The basic components include everyday digital technologies like e-mail, online shopping and travel booking, A.T.M. systems, cellphone networks, electronic toll-collection systems and credit-card payment terminals.

The Denver police have gathered information on unsuspecting local activists since the 1950's, secretly storing what they learned on simple index cards in a huge cabinet at police headquarters. When the cabinet filled up recently, the police thought they had an easy solution. For $45,000, they bought a powerful computer program from a company called Orion Scientific Systems. Information on 3,400 people and groups was transferred to software that stores, searches and categorizes the data. Then the trouble began. After the police decided to share the fruits of their surveillance with another local department, someone leaked a printout to an activist for social justice, who made the documents public. The mayor started an investigation.

The Bush administration is planning to propose requiring Internet service providers to help build a centralized system to enable broad monitoring of the Internet and, potentially, surveillance of its users. The proposal is part of a final version of a report, "The National Strategy to Secure Cyberspace," set for release early next year, according to several people who have been briefed on the report. It is a component of the effort to increase national security after the Sept. 11 attacks.

"A typical tech-savvy consumer is likely to maintain separate usernames and passwords for more than a dozen online resources, including email servers, instant messaging clients, favorite retailers, bank accounts, and so on. While this password glut may seem like a simple annoyance for end users, in fact it's a concern that online businesses should take seriously. Managing multiple online accounts often means using the same password over and over, or resorting to other, equally bad habits like writing account information on Post-It notes and leaving them in obvious places. Every time a user selects an easy-to-guess password, reuses a password at multiple locations, or leaves one in plain view, that user compromises not only his or her own identity, but system security as well. And every time a user forgets a password, some company must expend IT resources to reset it -- a cost that quickly adds up for businesses with thousands of customers."

A special Foreign Intelligence Surveillance Court of Review ruled on November 18, 2002 that the USA PATRIOT Act gave the Justice Department the authority to use in criminal cases the special and in some ways looser rules created for foreign intelligence investigations. The court, which rejected arguments made by CDT, ACLU and others in a friend of the court brief, nevertheless emphasized that the law still required a finding of probable cause to believe that the target of the surveillance was an agent of a foreign power and was engaged in terrorism or activities in preparation therefore. But oversight is difficult, as many targets are never told they were the subject of surveillance.

The court's decision

CDT's brief, lower court decision / government's briefs

A team of scientists led by a Stanford University researcher has been able to determine the ancestral history of more than 1,000 people not by seeing their faces or asking their family histories, but by simply looking at their genes. The findings, published today in the journal Science, suggests that though humans are remarkably alike, a few telltale genetic mutations say more about our ancestry than our eyes, skin or surnames. These tiny genetic markers, once revealed, tell powerful stories about human migration and history. 5318 E. 2nd St. #789 Long Beach, CA 90803