Computer underground Digest    Fri Feb 28, 1997    Volume 9 : Issue 13
ISSN 1004-042X

Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Shadow Master: Stanton McCandlish
Shadow-Archivists: Dan Carosone / Paul Southworth
                   Ralph Sims / Jyrki Kuoppala
                   Ian Dickinson
Field Agent Extraordinaire: David Smith
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #9.13 (Fri, Feb 28, 1997)

File 1--ITALY: PEACELINK COORDINATOR SENTENCED TO JAIL
File 2--CyberPatrol
File 3--Re: Boston Public Library query
File 4--Concerns with www.reference.com
File 5--More problems with the Cyber Patrol software
File 6--Maryland E-Mail BILL (fwd)
File 7--Calif Law and Blocking Software in Schools
File 8--CLO #22 "Your clickstream is showing"
File 9--Cu Digest Header Info (unchanged since 13 Dec, 1996)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Fri, 28 Feb 1997 12:09:42 -0800
From: Bernardo Parrella
Subject: File 1--ITALY: PEACELINK COORDINATOR SENTENCED TO JAIL

------> ------> Please redistribute widely <------ <------

ITALY: PEACELINK COORDINATOR SENTENCED TO JAIL

Giovanni Pugliese, co-founder and current secretary of Peacelink Association, has been sentenced to three months of jail for "illegally owned, copied, and distributed software."

The news, which arrived at his home by snail mail on February 25, is the unexpected follow-up to the May-June 1994 crackdown against more than a hundred Fidonet BBSs. Quickly known as "Fidobust," the world's largest raid against local BBSs was aimed to stop "software piracy" throughout the country.
Its several investigative branches led however to the arrest of a couple of well-organized "pirates" while in the related investigation, downplayed also due to the attention of public opinion and media worldwide, most of the charges were dropped and/or came to terms with those allegedly guilty. The operation decimated the local BBS scene: most Fido sysops were never able to recover the damages suffered.

In this scenario, on June 3, 1994, custom police officials searched and seized Peacelink BBS PC, owned and run by Giovanni Pugliese in his home nearby Taranto. After a few days, the network was again up and running, but the investigation had to follow its own way in compliance with the 1992 anti-piracy legislation.

Almost three years later Giovanni Pugliese found himself unmistakably "guilty": he was using on his PC an unregistered copy of MS Word, according to the sentence. That software however was not included in the Peacelink BBS files and for the Italian law any personal use of unregistered software can only be punished with a modest fine. Why three months in jail, then? And why the valuation has been conducted by an "audio technician" instead of a CMC expert, as Giovanni claims? Why both the defendant and his lawyer have never been informed or questioned about such a prosecution underway?

"Someone tried to silence Peacelink three years ago, and it didn't work. Today here they are again -- to no avail." Giovanni Pugliese said. "I won't (and can't) pay a dime for a crime I didn't commit. There is no evidence whatsoever about anything. Our network is stronger than ever and we are ready to go all the way through until this absurdity will be fully repaired."

To avoid jail terms, Peacelink coordinator should pay around 3.000.000 It. lira (US $ 2,000), but in any case he must pay a fine of 500.000 It. lira (US $ 300) and more than 9.000.000 It. lira (US $ 5,500) for judicial expenses.
According to Giovanni's attorney, this scenario seems to suggest that local prosecutors are inviting to a plea bargain in order to archive the case. While supportive messages are flooding Peacelink mailbox, the appeal has already been filed: next move to local authorities.

Founded in December 1992 as a local BBS by Alessandro Marescotti and Giovanni Pugliese, Peacelink Association network has currently more than 70 nodes all along Italy, and hosts about 30 conferences and several mailing lists on pacifism, ecology, anti-Mafia, human rights issues. As a non-profit and self-sustained organization, Peacelink is currently involved in several campaigns about solidarity actions in Italy and in Africa as well. Last year the Association produced a successful book ("Telematica per la pace") and finally has its own server up and running: http://www.freeworld.it/peacelink.

To contact Giovanni Pugliese:

For more information about his case (in Italian): http://www.freeworld.it/gp/senten.html

------------------------------

Date: Sat, 22 Feb 1997 09:56:36 -0800
From: Jonathan Wallace
Subject: File 2--CyberPatrol

CuD recently ran a letter I wrote Microsystems Software, publishers of CyberPatrol, protesting the blocking of my web pages. Your readers should know that a few days later I received mail from the company acknowledging that my site was blocked in error. A copy of that letter is below.

However, the unblocking of my site should not lead anyone to change their opinion of the company or its product. CyberPatrol continues to block sites such as the Electronic Frontier Foundation archives (www.eff.org) and Nizkor (www.nizkor.org), the premier Holocaust resource on the Web.

Subject-- re--Cyberpatrol senselessly blocks my site
Date-- Wed, 19 Feb 1997 13:48:04 -0500
From-- Cyber Info for Microsystems
To-- jw@bway.net

Hi Jonathan,

Thank you for bringing this to our attention. This site was blocked in error. I have removed this site from the CyberNOT list.
This change will take effect with the next build of the CyberNOT list, by next Tuesday. Please accept my apologies for any inconvenience this has caused.

Debra Greaves
Internet Research Supervisor
Microsystems Software Inc.
http://www.microsys.com/cyber

------------------------------

Date: Tue, 25 Feb 1997 12:45:54 -0800
From: Mike Godwin
Subject: File 3--Re: Boston Public Library query

Source - fight-censorship@vorlon.mit.edu

I had forwarded EFF's and my responses to these questions from Dan Kennedy of the Boston Phoenix to Declan on the assumption that he would forward that posting to this list. For some reason, I haven't yet seen it appear here, so I'm taking the liberty of reforwarding our statements about the library censorship problem in Boston in the hope some FC readers, at least, will find EFF's position "unambiguous." (I assume that Declan isn't running Cybersitter, which we know screens out EFF content.)

--Mike

--- begin forwarded text

Date--Mon, 24 Feb 1997 16:00:00 -0800
To--Dan Kennedy
From--Mike Godwin
Subject--Re--Boston Public Library query

In response to questions from Dan Kennedy at the Boston Phoenix:

>-- What is your position (and/or EFF's position) as to whether children
>ought to have complete access to everything on the Internet, and all that
>that entails?

1) First and foremost, EFF is dead-solid opposed to placing public librarians in the role of content cops. The role of public libraries is to facilitate access to information. It's perverse of government officials to force them to do the opposite.

2) EFF takes no position on what constitutes proper parenting. That's up to parents. If we were to tell parents we know better than they do what kinds of content they're supposed to guide their kids to, we'd be no less presumptuous than Congress or the radical right when they do the same. (One may ask why would anyone think that EFF, a civil-liberties organization, could claim to be experts on children?
I'm a lawyer and a parent, but not a child psychologist or pediatrician. The question is misconceived.)

My personal view as a parent is that filtering software is an inadequate substitute for the teaching of values, and that, if one teaches one's children values, there remains no arguable case for the use of such software in parenting. When she begins to explore it, my little girl will have as much access to the Internet as she likes.

>-- The City of Boston plans to install blocking software, although they've
>stepped back from their original intention of installing Cyber Patrol and
>are now studying it. The criticism of these programs, of course, is that
>they block access to politically controversial sites as well as to
>pornography. Are you aware of any good software available for such
>purposes, or do all of the programs have these problems?

EFF does not endorse any particular filtering software, nor will we ever do so. We have not undertaken to evaluate "all of the programs" or any of them. Anecdotally, we know that some products currently on the market incorporate some stupid or inane blocking decisions or decision criteria. We know further that EFF has itself been blocked by some of the software manufacturers; as civil libertarians, we support their right to make even silly decisions like that one.

We think the proper response to bad blocking decisions or criteria should be public criticism and consumer education. We absolutely support the role people like Brock Meeks, Declan McCullagh, and Bennett Haselton have played in informing the public about these products. From time to time, we ourselves are likely to be critical of particular products that incorporate such decisions when we hear about them. (Again, we have no comprehensive review or testing program in place for such products.)
>-- Where are we likely to evolve on this issue -- assuming atrocities such
>as the CDA are thrown out and that the Internet continues to contain a lot
>of stuff the average person wouldn't want his eight-, 10-, or 12-year-old
>to see, what do you think the ultimate solution is going to be?

If you're worried about your child's accidentally seeing content you disapprove of, you shouldn't be -- there's little that one sees on the Net accidentally. If you're worried about your child's choosing to see content you disapprove, there is only one solution that works reliably (in my view), and that is to teach your child to disapprove of the same things you do. This also happens to be the solution most consistent with the values of an open society.

------------------------------

Date: Mon, 24 Feb 1997 15:00:34 -0800 (PST)
From: Stanton McCandlish
Subject: File 4--Concerns with www.reference.com

[Sorry for the long intro to the forwarded item, but it bears a lot of examination. The basic gist of the item is: "Reference.COM makes it easy to find, browse, search, and participate in a wide range of Internet discussion forums, including more than 150,000 newsgroups, mailing lists and web forums", way beyond what DejaNews does.]

The forwarded advertisement from reference.com below is interesting for three reasons:

1) This is a new form of spam - use a spider to find all web references to your competitor, mail the admins of those sites and try to convert them. It's virtual "slamming". And if something like this shows up in my mbox more than once in a blue moon, it's going to get very irritating very fast. WORD TO THE WISE: If you are thinking of doing this kind of marketing, don't. Webmasters like me will deliberately NOT link you in, for having the gall to spam us about it.
If you are genuinely looking at each site and seeing if it's appropriate for them to list you, as it is at EFF's site (we link to pretty much any search engine in our Net Tools & Resources section), then mail to the webmaster should contain enough cues to make it plain that message isn't spam, but a person-to-person message.

2) It's a very interesting and useful new service, from a user's point of view.

3) It looks to me like it is archiving lists willy-nilly, by subscribing an archiving script to the lists, with no regard to whether or not the list *participants* consider it a public list or not, know about the archival, indexing and profiling, consent to having their material made available outside the forum it was posted to, and so on. This has serious privacy implications, and less serious but interesting philosophical (though not legal - no state action here) freedom of association implications, as well as definite intellectual property implications. It depends largely, I would think, on whether the list admin has told the readership of the archival. Reference.com says it only archives lists with the list owner's permission. I'm not sure that's good enough. In fact, I dare say it's not nearly good enough.

The silliest objection to DejaNews was that it violated privacy and copyrights solely by virtue of saving Usenet posts and making them searchable. This is silly because how Usenet operates is by saving Usenet posts for however long each site wants to and making them available to be read. (DejaNews in effect is a Usenet node that turned off article expiration). All newsreaders I'm aware of support threading and search functions, DejaNews's is just better. DejaNews is different from another news reader and news host only in degree.

I think there are legitimate privacy concerns *outside* just the issue of saving News posts.
The profiling DejaNews does is a little scary, as is the fact that informed consent is not involved - people talk freely in usenet, not knowing in the majority of cases that DejaNews even exists. The server then cobbles together a sometimes very revealing record of conversations that could be used against the poster, e.g. to cost them jobs because of unpopular political opinions, etc.

Reference.com on the other hand raises all of these issues, and none of them are silly in this case. Usenet is public. Everyone who uses it understands that, even if the majority of users (wrongly) assume it is necessarily only ephemerally public. But there is an overwhelming perception among mailing list users that mailing lists (other than the 1-way announcement kind) are a private, members-only forum, in which no one's posts are being archived except by other participants for themselves, unless the charter (most often in the form of that "Welcome to the list!" message you get when you subscribe, though some lists keep charters as separate documents on a web page) explicitly says the list is archived. Likewise, it is generally expected that posts are not redistributed to others, except narrowly to friends or to directly relevant discussion forums if at all publicly, unless the list has an explicit policy that posts may be reposted at will.

Reference.com changes all that. Unless the admin is conscientious and informs the readership, they clearly will in most cases have an expectation of privacy and distribution control (IANAL - it may not be a legally meaningful expectation of privacy, but certainly a socially meaningful one, that has implications for the future development and use of the medium).

Another way of looking at this: I don't care if Doug Bakerfeld "owns" the Fight-Stupidity list. No one owns a mailing list in any meaningful sense - mailing lists consist of the conversations and intellects driving those conversations, for the relevant context here.
Doug has no real right to tell reference.com it can archive the Fight-Stupidity list without telling subscribers like me that Fight-Stupidity is so being archived and profiled, with enough advance notice that I can unsubscribe - because Doug does not own my words, only the software that runs the list (essentially the same distinction as that between a book on the one hand and the presses and trucks that produce and deliver it on the other.)

It's worth noting that (at present anyway) reference.com doesn't seem to do the kind of "intelligent" profiling of authors that DejaNews does, but its advanced search function is plenty spiffy enough to do a search on "Stanton McCandlish" and "sex" or "drugs" for example, which is enough like profiling that the distinction is irrelevant.

NB: I have no absolute proof that reference.com does not require list owners to inform list members, and update charters to mention this archival and indexing by reference.com. I just see no evidence that they are doing so, and their service seems geared to sucking up as much posted material as possible and indexing it, so I remain skeptical. That they are loudly advertising in a banner "Get rich quick:'multi-level marketing'" makes me doubly, nay, trebly suspicious. That reference.com claims to have indexed 100,000 mailing lists alone, plus all of Usenet, makes me dodecatuply suspicious (100,000 list admins have agreed to let their lists be profiled, and have told their users about it? Yeah, right.) Although, this blustery 100,000-indexed claim may simply mean they have a list of the names of 100,000 mailing lists, and have archived only a fraction thereof. Who knows?

Please note my phrasing: "It looks to me like it is archiving lists willy-nilly..." This is not an accusation, but a description of how things look to me.
If reference.com is responsibly informing, or insisting that listmasters inform, participants in profiled/indexed lists, that's good but the company has a PR problem and needs to make such good actions considerably clearer, since people like me can't tell that it's being done that way.

All of this is another example of online *trust* being an issue. Many users will now be very suspicious of every mailing list they join and demand to know if it's part of reference.com's stable. I have to say this twisting of the net.paranoia knob one notch higher does not do anyone any good. All it does is contribute to the general unease, that feeling in the back of our minds every time a new database like this comes online, that everything we say and do is going into someone's secret dossier, no matter how innocent, no matter how "private" we think it may be. Last study I saw on Internet usage said that the main reason Net holdouts refused to get online was privacy concerns. Online commerce isn't going to work if such concerns are not responsibly, and pretty promptly, addressed by the industry generating the worries in the first place.

IMNERHO,
- S.McC.

P.S.: Anyone who thinks I'm simply an unimaginative rabid privacy-obsessed nut who can't see legitimate uses for such things doesn't know me at all. Among other things I'm also a genealogist. I pore over online search engines like this for other McCandlishes with far more zeal than the FBI or NSA search all of our news postings for keywords like "bomb" or "secret". I love online search engines, (though I don't necessarily want my HOME phone number and address in Four11.Com). But I would like to see some RESPONSIBILITY exercised.

[Disclaimer I don't like having to make, but recent tumid and turgid flames make me dig it out again: This is just an informational forward and personal commentary, and does not represent official EFF positions or statements in any way.
NOTE: I'm not the original author of the forwarded item, so please look at the original headers carefully if you mean to reply to him/her.]

[begin forward]

From-- user-bounces@reference.com Mon Feb 24 12:54:40 1997
Date--Mon, 24 Feb 1997 12:40:48 -0800 (PST)

Hi,

We saw the link to dejanews on your website and thought you might like to know about our service, Reference.COM.

Reference.COM makes it easy to find, browse, search, and participate in a wide range of Internet discussion forums, including more than 150,000 newsgroups, mailing lists and web forums. The official launch of the service occurred on February 3.

We are different from other 'usenet-only' search engines in several important ways:

-More Internet forums. Reference.COM is the only service tracking newsgroups AND mailing lists and webforums. Our directory and archive cover far more forums than our nearest competitor.

-Powerful search capabilities. Reference.COM allows you to search by keyword, author, organization, date, and forum. The service supports word stemming, and search operators like AND, OR, NOT and NEAR.

-Active Queries. Active Queries allow you to passively monitor the discussion in any/all Internet forums tracked by Reference.COM. You store queries on the Reference.COM server which are automatically rerun at an interval you specify. The results (since the last search) are emailed to you. In essence, an Active Query functions as a 'cyberclipping' service.

You can see for yourself by visiting the Reference.COM web site at http://www.Reference.COM. If you like our service, we'd appreciate your support.

Regards,

Jack Zoken
President
InReference, Inc.
------------------------------

From: David Smith
Date: Wed, 26 Feb 1997 23:46:28 +0000
Subject: File 5--More problems with the Cyber Patrol software

Source -- fight-censorship@vorlon.mit.edu

One of the things that I noticed about Cyber Patrol when I sat down to test it at the Austin Public Library was that it not only blocked according to a hotlist of URLs, but also keywords.

For example, I looked up on a search engine for "marijuana" and was blocked by Cyber Patrol. A document which contains the word "marijuana" could just as easily be anti-drug literature as well as any other perspective. Similarly, "hacker" means you won't ever be able to find out about Bruce Sterling's The Hacker Crackdown. I'm sure you can all come up with examples.

It seems that the hotlist is something one could constantly refine, adjust, and update, but that keyword blocking will never be able to discriminate intelligently.

Speaking of the keyword list, btw, I was also surprised to discover that the word "nigger" was not on the blocked keyword list. If that is acceptable then I am not clear on what it takes to be blocked for intolerance. That no one except Microsystems really knows, I guess, is the point.

David Smith (http://www.realtime.net/~bladex/index.html)
bladex@bga.com
President, EFF-Austin (http://www.eff-austin.org)
Board of Directors, Central Texas Civil Liberties Union
512-304-6308

------------------------------

Date: Wed, 26 Feb 1997 23:55:18 -0500 (EST)
From: "noah@enabled.com"
Subject: File 6--Maryland E-Mail BILL (fwd)

From -Noah

---------- Forwarded message ----------
Date--Thu, 27 Feb 97 04:28:29 GMT
From--Albatross

*****************************************************
Maryland Recycles Law On "Annoying" E-Mail
*****************************************************

A Maryland bill that would make it illegal to send "annoying" or "embarrassing" e-mail was introduced this week by Democratic General Assembly member Samuel Rosenberg.
The bill got little support when it was introduced last year, but Rosenberg hopes to play off of recent murders involving electronic mail to see the bill passed. Civil liberties groups argue that the law would be unconstitutional, and that the terms "annoy" and "embarrass" are too vague to be meaningful.

If passed, House Bill 778 would amend the state's criminal harassment law to prohibit the use of e-mail to annoy, abuse, torment, harass, or embarrass other people, with violators receiving a fine up to $500 and three years in jail.

A similar bill introduced last year is quietly progressing through New York's state legislature. Senate Bill 1414, introduced by Democratic State Senator Ray Goodman, could be voted on in the House early this year.

Full text of the Maryland bill can be found at http://mlis.state.md.us/1997rs/billfile/HB0778.htm.

------------------------------

Date: Mon, 24 Feb 97 23:02:13 -0800
From: cmarson@well.com
Subject: File 7--Calif Law and Blocking Software in Schools

In the event you haven't seen this beauty yet, I think the attached proposed California legislation deserves the widest distribution. It would require all school districts in California that are connected to the Net to purchase and use software that would filter out any "sites that contain or make reference to any of the following:"

"(a) Harmful matter as defined in subdivision (a) of Section 313 of the Penal Code.
(b) Sexual acts.
(c) Drugs or the drug culture.
(d) Gambling.
(e) Illegal activity.
(f) Alcoholic beverages and tobacco."

Poor Bill Bennett; his denunciation of the drug culture will never make it into K-12. Come to think of it neither will the Congressional record, where Newt denounces it.
And the State of the Union and State of the State speeches mention illegal activity, and so they're out, and the Bible mentions all kinds of mating, rape and procreation, and so it's out, and the kids will never get an anti-smoking message or learn of the evils of alcohol, and, and, and,...

This is pretty far out even for an Assemblyman from Orange County. Maybe you can have some fun with it. And notice, of course, that "contain or make reference to" probably includes hyperlinking.

Chuck Marson

AB132

AB 132 Education technology.

BILL NUMBER: AB 132
INTRODUCED 01/15/97

INTRODUCED BY Assembly Member Campbell

JANUARY 15, 1997

An act to add Section 51870.5 to the Education Code, relating to education technology.

LEGISLATIVE COUNSEL'S DIGEST

AB 132, as introduced, Campbell. Education technology.

Existing law, the Morgan-Farr-Quackenbush Educational Technology Act of 1992 (hereafter the act), has the primary mission of ensuring that the procurement and use of technology is clearly guided by the needs of pupils, and the act is established to accomplish specific purposes, including providing access to education technology to every learner. The act provides for school-based education technology grants to develop, adopt, or expand existing technological applications to support general education, English acquisition, and non-English-speaking parent education programs pursuant to specified conditions. Existing law also declares the Legislature's intent that all school facilities construction projects be designed and constructed to maximize the use of educational technology.
This bill would require a school district that provides pupils with access to the Internet or an on-line service to purchase, install, and maintain a software program to control the access of pupils to Internet and on-line sites and to prohibit access to sites that contain or make reference to harmful matter, as defined, sexual acts, gross depictions, drugs or the drug culture, gambling, illegal activity, alcoholic beverages and tobacco.

Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

SECTION 1. This act may be cited as the Children's Internet Protection Act of 1997.

SEC. 2. Section 51870.5 is added to the Education Code, to read:

51870.5. A school district that provides pupils with access to the Internet or an on-line service shall purchase, install, and maintain a software program to control the access of pupils to Internet and on-line sites and to prohibit access to sites that contain or make reference to any of the following:
(a) Harmful matter as defined in subdivision (a) of Section 313 of the Penal Code.
(b) Sexual acts.
(c) Drugs or the drug culture.
(d) Gambling.
(e) Illegal activity.
(f) Alcoholic beverages and tobacco.

SEC. 3. Section 2 of this act shall be operative July 1, 1998.

------------------------------

Date: Mon, 10 Feb 1997 11:40:36 +0100
From: "William S. Galkin"
Subject: File 8--CLO #22 "Your clickstream is showing"

Published by Challenge Communications

=============================================================
January, 1997    Computer Law Observer    Issue No. 22
=============================================================

The Computer Law Observer is distributed monthly for free by Challenge Communications (ChallComm@aol.com or (410)356-1238). To subscribe, send an e-mail message to lawobserver-request@charm.net with the word "subscribe" typed in the message area (leaving out the quotation marks). To unsubscribe, follow the same instructions substituting the word "unsubscribe".
Back issues can be found at http://www.lawcircle.com/observer . Copyright 1997 by Challenge Communications.

------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++
YOUR CLICKSTREAM IS SHOWING
Privacy of online consumer information
++++++++++++++++++++++++++++++++++++++++++++++

by William S. Galkin, Esq. (biography at end)

Where we are

Surfing the Internet often resembles meanderings through a mega-book store. Wander into the politics section ... glance at a few books ... next into poetry, religion ... perhaps listen to a few CD's ... then flip through the newspapers and magazines ...

How would you feel if the bookstore monitored your activities and kept a record of every section you entered, every book or magazine you looked at, every CD you listened to? What if the record included every page of every book or magazine you looked at, or even every person you spoke to in the bookstore?

What if the bookstore used this information to create a detailed consumer profile which it then used to market products to you, or sells to others for the same purpose? Imagine - while in the store, you read a review in a magazine discussing a new model car, then the next day you get direct mail, or a phone call, from the local auto dealer, who bought this information from the bookstore. Sound far fetched? Not on the Internet.

Many believe that commercial success on the Internet hinges on the ability to collect and maximize the use of highly specific and detailed consumer data. At the same time, consumers are very concerned how this data will be used - or abused. However, both commercial and consumer interests acknowledge that unless consumer privacy concerns can be adequately addressed, consumer activity on the Internet will remain subdued.

The Federal Trade Commission's Bureau of Consumer Protection held a public workshop on Consumer Privacy on the Global Information Infrastructure on June 4-5, 1996.
The workshop was part of the Bureau's Consumer Privacy Initiative, an ongoing effort to bring consumers and businesses together to address consumer privacy issues posed by the emerging online marketplace.

On January 6, 1997, the Bureau of Consumer Protection issued a staff report regarding Consumer Privacy in the Online Marketplace based on the workshop and subsequent comments received. The Report can be found at the FTC's website (http://www.ftc.gov ) under "Conferences, Hearings, and Workshops".

The Report also discusses privacy of medical and financial information as well as privacy relating to information about children. However, this article focuses only on the consumer information privacy issues discussed in the Report.

Some are disappointed that the Report is no more than a review of various positions and options. It does not state the FTC's position - which, apparently, is still in the development stage.

The problem -

When you surf the Internet, your connection runs through your Internet Service Provider's (ISP) system. A record can be maintained of every website, and every page of every website, that you access, which newsgroups you participate in, which distribution lists you receive, the e-mail addresses of mail you send and receive, and more. Traveling the Internet creates a trail that has been referred to as a "clickstream."

In addition to your ISP, websites themselves often have the capability of gathering and storing information. For instance, a website might automatically know your e-mail address, what kind of browser you are using, what kind of computer you are using, what pages in the site you looked at, where you linked from and where you are linking to next. Websites sometimes create a profile of your activities and store it in a text file (known as a cookie and discussed more later) which is placed on your computer so that the next time you visit, the site will know better how to serve you.
Much information is gathered invisibly, usually without the knowledge or consent of the consumer.

It should be noted that accessing websites through commercial services like America Online, Compuserve or Prodigy, or through a firewall, blocks your e-mail identity from the websites. However, these services themselves, of course, continue to have full access to all your activity information.

In addition to all the automatically collected information just described, a lot of information is volunteered by consumers. For instance, you might fill out an online questionnaire or registration form in order to receive access to a particular site, or to be included in one of many online directories.

The vast amount of consumer data being collected is extremely valuable, and is currently being compiled, combined, analyzed and sold with little or no legal restrictions.

The solutions?

The possible solutions fall into three categories: (1) self regulation, (2) technological protections and (3) government regulation.

Self regulation -

Sites and ISP's can prepare information policy statements that can be available to view as users enter the site. These statements could include information such as: what information is being gathered, what the intended uses are for the information, whether it will be transferred to third parties, whether users can review the gathered information for accuracy, whether the users can restrict use of the information, how long information will be retained, how information is secured to protect against unauthorized access and disclosure and misuse. To date, few sites have developed such policies.

Whether such statements will be effective in increasing consumer confidence will depend upon whether such statements are (1) prominently displayed, (2) uniform in structure, (3) easily understood, or (4) represent obligations enforceable against the collectors by either industry self regulation or legal action.
Both commercial and consumer interests agree that consumers should have a choice as to how the information is used. However, how this choice is exercised is in dispute. Commercial interests prefer the "opt-out" approach, where consumers must affirmatively "opt-out." This approach allows use of personal information unless and until a consumer opts out. However, some privacy groups view personal information as a property right. Under this approach, consumers should have to affirmatively "opt-in" or consent before personal information could be used.

Technological protections -

There are several technologies now available that could be used to enhance consumer privacy online. More options will undoubtedly become available as technology further develops.

Universal registration systems - Users register a wide array of personal information at a single registry and are assigned a unique identification number. When a user accesses a website in the registry's system, only the unique identifier and anonymous demographics about the user are revealed to the website. The registry will perform anonymous market research for websites in the registry. The registry will only reveal a user's identity to a website with the user's express consent. All websites in the system are contractually bound not to share or sell user information. This is effective only when visiting sites in the system.

Cookies - Cookies are a technology that allows a website to create a text file on your computer that contains information gathered during a visit to the site. Next time you visit the site, the site will retrieve this information and already know some of your preferences. For example, you have demonstrated an interest in golf and golf related information may be presented to you upon your next visit. The use of this technology has been criticized because users are not aware that websites are creating and storing these text files on users' hard drives.
Newer versions of web browsers have mechanisms to alert users before creation of a cookie file occurs. However, this technology could be used so that when users express privacy preferences in response to an information policy statement, upon a user's return, the privacy preferences will be known and honored.

Filtering technology - The Platform for Internet Content Selection (PICS) was developed by the World Wide Web Consortium at MIT. PICS allows for the labeling of websites (e.g., excessively violent or explicit sexual material). Labels are attached to the sites by owners or third parties, and software utilizing PICS can read the labels and then block access to the site. PICS could be used to identify sites that follow certain privacy standards that a particular user feels comfortable with, and exclude other sites.

Government Regulations -

Consumer representatives disagree as to whether self regulation and technology can be, without legal enforcement capabilities, sufficient for protection. Some consider the technology too complicated for consumers to use effectively. They also argue that the technology unfairly shifts the responsibility for protecting privacy to consumers.

Industry and trade associations advise that government should stay out of the picture and let market pressures define the protections. They warn that government regulations would be imprecise and would quickly become obsolete due to the fast pace of technological development.

Whether or not personal privacy becomes law, we are certain to see multiple bills introduced in Congress and the states this year as well as various privacy studies undertaken by different agencies. On January 7, the Consumer Internet Privacy Protection Act of 1997 (H.R. 98) and the Fair Health Information Practices Act of 1997 (H.R. 52) were introduced in Congress, both primarily designed to address some of these issues.
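Added example (not part of Mr. Galkin's article or the FTC Report): a Python sketch of how a site could record a visitor's "opt-in" or "opt-out" choice in a cookie and honor it on the next visit, under either of the two default regimes described above. The cookie name privacy_pref and the function names are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

COOKIE_NAME = "privacy_pref"           # assumed name, not from the article
CHOICES = {"opt-in", "opt-out"}

def stored_preference(cookie_header):
    """Return the choice recorded on an earlier visit, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    # An unknown or tampered value counts as "no choice made".
    if morsel is not None and morsel.value in CHOICES:
        return morsel.value
    return None

def may_profile(preference, site_default):
    """Decide whether personal information may be used for this visitor."""
    if preference is None:
        # Opt-out regime: use is allowed until the visitor objects.
        # Opt-in regime: no use until the visitor consents.
        return site_default == "opt-out"
    return preference == "opt-in"

def handle_visit(cookie_header, submitted_choice=None, site_default="opt-in"):
    """Process one request; return (may_profile, Set-Cookie value or None)."""
    preference = stored_preference(cookie_header)
    set_cookie = None
    if submitted_choice is not None:
        if submitted_choice not in CHOICES:
            raise ValueError("unknown privacy choice")
        preference = submitted_choice
        jar = SimpleCookie()
        jar[COOKIE_NAME] = preference
        jar[COOKIE_NAME]["path"] = "/"
        jar[COOKIE_NAME]["max-age"] = 365 * 24 * 3600   # remember for a year
        set_cookie = jar[COOKIE_NAME].OutputString()
    return may_profile(preference, site_default), set_cookie

if __name__ == "__main__":
    # Constructed visits: first visit, choice submitted, then a return visit.
    print(handle_visit("", site_default="opt-out"))
    allowed, header = handle_visit("", "opt-out", site_default="opt-out")
    print(allowed, header)
    print(handle_visit(header.split(";")[0], site_default="opt-out"))
```

The same visitor with no recorded choice is profiled under the opt-out default and not under the opt-in default, which is the practical difference between the two positions.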
Complications -

While commercial and consumer groups seem to agree on many privacy principles, such as consumer choice, discussed above, or the right of consumers to access and correct stored information, they disagree on how to achieve or even define the solutions. For instance, even the definition of "personal information" is a matter of dispute.

Many view PICS as having a lot of potential for providing privacy. However, PICS offers protection only between a consumer and an online entity using the information. It does not address use by third parties. An additional weakness of PICS is that in order to use PICS for privacy, websites would need to be labeled. How will the labeling occur? Labeling by independent entities might provide a level of consistency, but this might be impossible to administer due to the large numbers of new websites opening daily. Self labeling has its own obvious weaknesses. However, self labeling with third party certification of label accuracy might be more feasible.

On the other hand, even if a labeling system can become operative, commercial groups are concerned that filtering technology such as PICS will be used to block out whole categories of information, thereby severely restricting commercial speech. This concern might be alleviated if the blocking were targeting specific sites rather than whole categories.

Where are we?

In the end, education of both consumers and commercial interests is an essential component of effective online privacy. Currently, consumers often do not understand how information is being gathered and used. Businesses also are too often not aware of the privacy issues and options.

ABOUT THE AUTHOR:

Mr. Galkin can be reached for comments or questions about the topic discussed in this article as follows:

E-MAIL: wgalkin@lawcircle.com
WWW: http://www.lawcircle.com/galkin
TELEPHONE: 410-356-8853/FAX:410-356-8804
MAIL: 10451 Mill Run Circle, Suite 400
      Owings Mills, Maryland 21117.

Mr. Galkin is an attorney who represents small startup, midsized and large companies, across the U.S. and internationally, dealing with a wide range of legal issues associated with computers and technology, such as developing, marketing and protecting software, purchasing and selling complex computer systems, launching and operating a variety of online business ventures, and trademark and copyright issues. He is a graduate of New York University School of Law and the adjunct professor of Computer Law at the University of Maryland School of Law.

------------------------------

Date: Thu, 15 Dec 1996 22:51:01 CST
From: CuD Moderators
Subject: File 9--Cu Digest Header Info (unchanged since 13 Dec, 1996)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:" line:

     SUBSCRIBE CU-DIGEST

Send the message to: cu-digest-request@weber.ucsd.edu

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115, USA.

To UNSUB, send a one-line message: UNSUB CU-DIGEST
Send it to CU-DIGEST-REQUEST@WEBER.UCSD.EDU
(NOTE: The address you unsub must correspond to your From: line)

Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on RIPCO BBS (312) 528-5020 (and via Ripco on internet); and on Rune Stone BBS (IIRGWHQ) (860)-585-9638. CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome.
EUROPE:
  In BELGIUM: Virtual Access BBS: +32-69-844-019 (ringdown)
  In ITALY: ZERO! BBS: +39-11-6507540
  In LUXEMBOURG: ComNet BBS: +352-466893

UNITED STATES:
  etext.archive.umich.edu (192.131.22.8) in /pub/CuD/CuD
  ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
  aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
  world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
  wuarchive.wustl.edu in /doc/EFF/Publications/CuD/

EUROPE:
  nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
  ftp.warwick.ac.uk in pub/cud/ (United Kingdom)

The most recent issues of CuD can be obtained from the Cu Digest WWW site at:
  URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.

------------------------------

End of Computer Underground Digest #9.13
************************************