Computer Privacy Digest Thu, 18 Nov 93

 

Computer Privacy Digest Thu, 18 Nov 93              Volume 3 : Issue: 078

Today's Topics: Moderator: Dennis G. Rears

                    GAO report Communications Privacy

          Re: Computer Bulletin Boards should NOT be censored.

          Re: Computer Bulletin Boards should NOT be censored.

        Re: Is there an effective way to stop junk phone calls?

                 Re: California Driver License and SSN

                       Re: Ownership and Privacy

   The Computer Privacy Digest is a forum for discussion on the

  effect of technology on privacy.  The digest is moderated and

  gatewayed into the USENET newsgroup comp.society.privacy

  (Moderated).  Submissions should be sent to

  comp-privacy@pica.army.mil and administrative requests to

  comp-privacy-request@pica.army.mil.

   Back issues are available via anonymous ftp on ftp.pica.army.mil

  [129.139.160.133].

----------------------------------------------------------------------

cc:       comp-privacy@PICA.ARMY.MIL

From:     KH3@cu.nih.gov

Date:     Wed, 10 Nov 1993  18:26:57 EST

Subject:  GAO report Communications Privacy

GAO recently issued a report "Communications Privacy:

Federal Policy and Actions", GAO/OSI-94-2, dated

November 4, 1993, that may be of interest to members

of your group.  The report focused on the following issues:

    --The need for information privacy in computer and

      communications systems--through such means as

      encryption, or conversion of clear text to an

      unreadable form--to mitigate the threat of economic

      espionage to U.S. industry;

    --federal agency authority to develop cryptographic

      standards for the protection of sensitive,

      unclassified information and the actions and policies

      of the National Security Agency (NSA), Department of

      Defense, and of the National Institute of Standards

      and Technology (NI ST), Department of Commerce,

      regarding the selection of  federal cryptographic

      standards;

    --roles, actions, and policies of NSA and the

      Department of State related to export controls for

      products with encryption capabilities and industry

      rationale for requesting liberalization of such

      controls; and

    --the Federal Bureau of Investigation's (FBI)

      legislative proposal regarding telephone systems that

      use digital communications technology.

I have placed an electronic version of the report named

OSI-94-2.TXT in the GAO-REPORTS anonymous FTP directory at

NIH (cu.nih.gov) or (ftp.cu.nih.gov).

Joe Sokalski, GAO--Los Angeles

              kh3@cu.nih.gov

------------------------------

From: Donald Burr <picard@coyote.rain.org>

Subject: Re: Computer Bulletin Boards should NOT be censored.

Date: 17 Nov 1993 13:11:48 -0800

Organization: Regional Access Information Network

Hmm, this looks like something interesting to start a discussion on.

Following are MY viewpoints on the issue -- feel free to keep the ball

rolling.

Lyle Lexier <lexier@sfu.ca> writes:

>Computer Bulletin Boards should not be censored.  People should have freedom

>of speech in saying or writing what they want to say, even if the material has

>to do with sexual or racial matters.

>Do you agree with this statement?  I will keep your names confidential, but

>I will poll X - yes, and Y - no      and the reason why YES or NO was chosen.

>send your responses to lexier@sfu.ca

Though I am a strong proponent of freedom of speech (for example, I strongly

disagree with censoring of USENET, i.e. the alt.sex.* type postings, nudity

and sex gifs, etc.)  however, BBS's are another matter.  I do not believe

that external authorities (i.e. the FBI, FCC, etc.) should censor BBS's,

because this would be in violation of freedom of speech.  HOWEVER, I do

believe that the individual SYSOPS of each BBS should decide which is

appropriate and which is not.

I live in Santa Barbara, CA, a town with a pretty active BBS scene.  Sadly,

many of the real good BBS's have gone to hell in a handbasket because they have

just gone out of control -- the sysops became lax in their "no profanity"

laws, users start getting cocky and post more obscene material, and the

signal to noise ratio of the BBS drops tremendously (i.e. there is now more

"noise" [profanity, etc.] than there is "signal" [i.e. worthwhile messages])

There are some BBS's where profanity, etc. is inappropriate -- for example,

in the nationwide nets such as FidoNet, which are accessed mainly by "family-

oriented" systems.  You don't want your kids to be exposed to that profane

kind of stuff.  also many adults find it distasteful or profane, and we

should not condemn them becaus of the way they were raised (traditional family

values, etc.) nor should we force them to be exposed to this kind of stuff.

(I also include materials such as sexually explicit pictures, GIFs, stories,

etc. in my definition of "profane.")

I believe there is a "right" way to handle this.  Most states define a

"adult" as an individual being over 21.  California is one of these, I

believe.  Many of the local BBS's have "adult-only" areas, where you are

required to send in some sort of proof of age (driver's license, perhaps)

in order to gain access to them.  This is a good thing, IMHO, because

the information ITSELF is not censored -- it is just not made available to

people of an inappropriate age.  (just like you aren't allowed to buy liquor

until you're 18, or go to R-rated movies until you're of age.)

-- 

Donald Burr (aka Captain Picard, Picard, Picards, and SuperTribble)

EMAIL: picard@rain.org; AMERICA ONLINE: CapnPicard

A Trekker, and DAMN proud of it! -+- Want FREE Unix for 386/486? EMAIL ME!!

"We're just two lost souls / Swimming in a fish bowl" -- Pink Floyd

------------------------------

From: Bernie Cosell <cosell@world.std.com>

Subject: Re: Computer Bulletin Boards should NOT be censored.

Organization: Fantasy Farm Fibers

Date: Thu, 18 Nov 1993 02:14:20 GMT

In article <comp-privacy3.75.6@pica.army.mil>, Lyle Lexier writes:

} Computer Bulletin Boards should not be censored.  People should have freedom

} of speech in saying or writing what they want to say, even if the material has

} to do with sexual or racial matters.

} 

} Do you agree with this statement?  I will keep your names confidential, but

} I will poll X - yes, and Y - no      and the reason why YES or NO was chosen.

I don't mean to be negative, but I think these sorts of surveys/polls

are massive wastes of time and effort.  Not only is the audience almost

certainly skewed [we're hardly a crosssection of the US] the sampling

is totally uncontrolled, making the "results" little more than random

noise.  [or, perhaps, a foregone conclusion if you're careful about

where you post your request].

In terms of this forum, I think the only reasonable purpose for

such a question is to *discuss* it, not to *vote* on it.  And

reasoned discourse certainly serves the topic better than just a

collection of un-argued, un-examined "sound Bytes" [the reasons

why].  [I assume that for the "reason why" you're not expecting two

or three megabytes per 'voter' of reasoned discourse on the pros

and cons of the matter, no?]

As such, I'll just respond...

Repeating your thesis:

} Computer Bulletin Boards should not be censored.  People should have freedom

} of speech in saying or writing what they want to say, even if the material has

} to do with sexual or racial matters.

I disagree.  I think that the folks that own and operate bulletin boards

ought to be free to run them *precisely* as they please, just so long

as they make the ground rules clear up front.  As long as you're using

someone *else's* equipment, I think it is A-OK that they insist that

you play by their rules, but that once you agree on the rules they

should only be changeable by mutual consent [that is, treat such

as matters of contract law].

If you don't like their rules, as long as you're free to go to some

other forum or start your own, I claim you've gotten all that

you're entitled to in terms of "freedom of speech".

Now, this is not to make light of the legal situation in the US:

there are a lot of complicated legal matters having to do with

"limited public forums", when liability attaches to a sysop [for

things like libel or distribution of pornographic materials],

wiretap laws, etc.  But if you're just asking a *moral* question:

as a matter of principle I'm very much in the "freedom of the

press is for those who own them" camp.

  /Bernie\

-- 

Bernie Cosell                               cosell@world.std.com

Fantasy Farm Fibers, Pearisburg, VA         (703) 921-2358

------------------------------

From: laine@ctp.bilkent.edu.tr

Subject: Re: Is there an effective way to stop junk phone calls?

Date: Wed, 17 Nov 1993 20:58:35

Organization: Youngstown State/Youngstown Free-Net

>In article <comp-privacy3.75.4@pica.army.mil>

>pete ritter <cpritter@netcom.com> writes:

> 

>>At long last, federal law now requires telemarketers to remove from their

>>call lists, anyone who requests it.  The law also requires them to give

>>the name of the telemarketing firm, its address and telephone number if

>>you request it.

>>

> 

In article <comp-privacy3.76.6@pica.army.mil> Tom Evert <O1EVERT@vm1.cc.uakron.edu> writes:

>Good advise!  This law is called the Telephone Consumer Protection Act

>of 1991.  Interesting reading - especially the part under "Findings"!

> 

But still nobody has told us poor illiterates where to find a copy of this 

law.  Anyone?

------------------------------

From: Nevin Liber <nevin@cs.arizona.edu>

Subject: Re: California Driver License and SSN

Date: 18 Nov 1993 02:28:06 -0700

Organization: University of Arizona CS Department, Tucson AZ

In article <comp-privacy3.74.6@pica.army.mil>,

Bob Sherman  <bsherman@mthvax.cs.miami.edu> wrote:

>Errrr, excuse me, but there are many ways for you to use the roads your

>taxes pay for without needing a drivers license. You can for example ride

>a bike, use public transportation, take a taxi, ride as a passenger in

>a car while someone else does the driving, run, jog, walk etc.. All of the

>above are better done on a paved roadway than through the woods..

Plus there are many ways that we all indirectly use roads.  Do you buy

food at a supermarket that is trucked in?  If someone breaks into your

house, wouldn't it be nice if the police drive over to save you or your

belongings?  Etc., etc.

-- 

Nevin ":-)" Liber nevin@cs.arizona.edu (602) 293-2799

------------------------------

From: Rob Kling <kling@ics.uci.edu>

Subject: Re: Ownership and Privacy

Newsgroups: comp.society.privacy

Date: 18 Nov 93 16:30:18 GMT

Hi ... you might find parts of this paper helpful for your paper. /Rob Kling

===========================

Fair Information Practices with Computer Supported Cooperative Work

Rob Kling

Department of Information & Computer Science

and

Center for Research on Information Technology and Organizations

University of California at Irvine,

Irvine, CA 92717, USA

kling@ics.uci.edu

May 12, 1993 (v. 3.2)

Based on a paper which appears in SIGOIS Bulletin, July 1993

 ---------------------

The term "CSCW" was publicly launched in the early 1980s. Like other

important computing terms, such as artificial intelligence, it was coined

as a galvanizing catch-phrase, and given substance through a lively stream

of research. Interest quickly formed around the research programs, and

conferences identified with the term advanced prototype systems, studies of

their use, key theories, and debates about them. CSCW offers special

excitement: new concepts and possibilities in computer support for work.

CSCW refers to both special products (groupware), and to a social movement

by computer scientists who want to provide better computer support for

people, primarily professionals, to enhance the ease of collaborating.

Researchers disagree about the definition of CSCW, but the current

definitions focus on technology. I see CSCW as a conjunction of certain

kinds of technologies, certain kinds of users (usually small self-directed

professional teams), and a worldview which emphasizes convivial work

relations. These three elements, taken together, differentiate CSCW from

other related forms of computerization, such as information systems and

office automation which differ as much in their typical users and the

worldview describing the role of technology in work, as on the technology

itself (Kling, 1991). CSCW is the product of a particular computer-based

social movement rather than simply a family of technologies (Kling and

Iacono, 1990).

The common technologies that are central to CSCW often record fine grained

aspects of people activities in workplaces, such as typed messages, notes,

personal calendar entries, and videotapes of personal activity. Electronic

mail is the most popular of the CSCW technologies (Bullen and Bennett,

1991) and is a useful vehicle for examining some of the privacy issues in

CSCW. Many electronic mail messages contain personal communications which

include opinions and information which many senders would prefer not to be

public information. However, most electronic mail system users I have

spoken to are ignorant of the conditions under which their transmissions

will be maintained as private communications by their own organizations.

(They often assume that their electronic communications will be treated as

private by their organizations. Others are extremely sensitive to the

possible lack of privacy/security of email transmissions.)

Discussions of computerization and privacy are highly developed with

respect to personal record systems which contain information about banking,

credit, health, police, schooling, employment, insurance, etc. (Kling and

Dunlop, 1991:Section V). Definitions of personal privacy have been examined

in extensive literature about personal privacy and record-keeping systems.

Analysts have been careful to distinguish security issues (e.g., lock and

keys for authorized access) from privacy issues -- those which involve

people's control over personal information. There has also been significant

discussion of the interplay between privacy and other competing social

values. The privacy issues in CSCW both have important similarities and

differences when compared with the issues of personal record systems. We

can gain helpful insights by building on this body of sustain thinking

about privacy and record systems to advance our understanding of privacy

issues in CSCW.

Another related and helpful set of inquiries examines the surveillance of

workers in measuring activities related to quality of service and

individual productivity (Attewell, 1991; Kling and Dunlop, 1993). Some of

the most intensive fine grained electronic monitoring involves listening to

the phone calls of service workers such as reservationists, and

fine-grained productivity counts, such as the number of transactions that a

worker completes in a small time period. While all managers have ways of

assessing their subordinates' performance, clerks are most subject to these

fine grained forms of electronic surveillance. The CSCW community has

focussed on professionals as the key groups to use groupware and meeting

support systems. Consequently, electronic monitoring has seemed to be

implausible.

The computing community is beginning to be collectively aware of the

possible privacy issues in CSCW applications. Professionals who use CSCW

can lose privacy under quite different conditions than clerks who have

little control over the use of electronic performance monitoring systems.

And personal communications, like electronic mail or systems like gIBIS

which supports debates, record personally sensitive information under very

different conditions than do information systems for regulatory control

such as systems of motor vehicle, health and tax records.

The use of email raises interesting privacy issues.  In the case of email,

privacy issues arise when people lose control over the dissemination of

their mail messages. When should managers be allowed to read the email of

their subordinates? One can readily conjure instances where managers would

seek access to email files. These can range from curiosity (such as when a

manager wonders about subordinates' gossip, and requests messages which

include his name in the message body), through situations in which a legal

agency subpoenas mail files as part of a formal investigation.  A

different, but related set of issues can occur when a manager seeks mail

profiles: lists of people who send more than N messages a day, lists of

people who read a specific bulletin board or the membership of a specific

mailing list.

CSCW systems differ in many ways that pertain to informational control. For

example, systems such as email and conferencing systems retain electronic

information which can be reused indefinitely with little control by the

people who were writing with the system. One can imagine cases in which

managers may wish to review transcripts of key meetings held by computer

conferencing to learn the bases of specific decisions, who took various

positions on controversial issues, or to gain insight into their

subordinate's interactional styles. Other systems, such as voice and video

links, are often designed not to store information. But they can raise

questions about who is tuning in, and the extent to which participants are

aware that their communication systems is "on."  In the literature about

computerization and privacy, similar questions have been closely examined

-- regulating the duration of records storage, the conditions under which

people should be informed that a third party is seeking their records, and

conditions under which individuals may have administrative or legal

standing in blocking access to their records (See Dunlop and Kling, 1991,

Section V).

One of the peculiarities of CSCW in contrast with traditional record

keeping systems is the nature of the social settings in which systems are

being developed and explored. Most personal record systems are developed in

relatively traditional control-oriented organizations. In contrast, most

CSCW applications have been developed in academic and industrial research

labs. These settings are protective of freedom of speech and thought and

less authoritarian than many organizations which ultimately use CSCW

applications. In fact, relatively few CSCW applications, other than email

and Lotus Notes, are used by the thousands of people in traditional

organizations (Bullen and Bennett, 1991). Further, CSCW systems are

primarily designed to be used by professionals rather than technicians and

clerks. Professionals generally have more autonomy than clerks, who are

most subject to computerized monitoring (Attewell, 1991). As a consequence,

many CSCW developers don't face problems of personal privacy that may be

more commonplace when prototype systems are commercialized and widely used.

These contrasts between R&D with CSCW and the likely contexts of

application should not impede us from working hard to understand the

privacy issues of these new technologies. CSCW applications are able to

record more fine grained information about peoples' thoughts, feelings, and

social relationships than traditional record keeping systems. They can be

relatively unobtrusive.  The subject may be unaware of any scrutiny. In R&D

labs, we often have norms of reciprocity in social behavior: monitoring can

be reciprocal. However, in certain organizations, monitoring may follow a

formal hierarchy of social relations. For example, supervisors can monitor

the phone conversations of travel reservationists and telephone operators,

but the operators cannot monitor their supervisors. The primary

(publicized) appropriations of "private email" have been in military

organizations, NASA, and commercial firms like Epson, rather than in

university and industrial laboratories.

CSCW creates a new electronic frontier in which people's rights and

obligations about access and control over personally sensitive information

have not been systematically articulated. I believe that we need to better

understand the nature of information practices with regard to different

CSCW applications that balance fairness to individuals and to their

organizations.

It is remarkable how vague the information practices regulating the use of

the few commonplace CSCW applications are. Yet we are designing and

building the information infrastructures for recording significant amounts

of information about people thoughts and feelings which are essentially

private and not for arbitrary circulation, without the guidelines to

safeguard them. People who use computer and telecommunications applications

need to have a basic understanding about which information is being

recorded, how long it is retained (even if they "delete" information from

their local files, who can access information about them, and when they can

have some control over restricting access to their information.

In the late 1970s the U.S. Privacy Protection Study Commission developed a

set of recommendations for Fair Information Practices pertinent to personal

record keeping systems (PPSC, 1977:17-19). A concern of Commission members

was to maximize the extent to which record systems would be managed so that

people would not be unfairly affected by decisions which relied upon

records which were inaccurate, incomplete, irrelevant or not timely.

Commission members believed that record keeping systems in different

institutional settings should be regulated by different laws. For example,

people should have more control over the disclosure of their current

financial records than over the disclosure of their current police records.

On the other hand, the Commission proposed that each institutional arena

should be governed with an explicit set of Fair Information Practices. In a

similar way, different families of CSCW applications or different

institutional settings may be most appropriately organized with different

Fair Information Practices. In the case of CSCW applications, fairness may

have different meanings than in the case of decisions based upon personal

records systems.

We need fearless and vigorous exploratory research to shed clear light on

these issues. This rather modest position contrasts strongly with that

taken by Andy Hopper of Olivetti, one of the panelists at this plenary

session on CSCW'92. He was enthusiastic about the use of "active badges"

(Want, Hopper, Falcao, and Gibbons, 1992) and insisted on discussing only

their virtues. He argued that one can imagine many scenarios in which

people are harmed by some uses of a particular technology, but that

discussing such scenarios is usually pointless. Hopper's 1992 co-authored

article about active badges examines some of the privacy threats their use

can foster. But on the plenary panel he was critical of people who asked

serious questions about the risks, as well as the benefits of new CSCW

technologies. In this way, he took a position similar to that taken by

spokespeople of many industries, including such as automobiles, who have

delayed serious inquiries and regulatory protections for environmental and

safety risks by insisting on unambiguous evidence of harm before

investigating plausible problems.

The active badge systems which Hopper described seem to be regulated by

Fair Information Practices in his own research laboratory (e.g., no long

term storage of data about people's locations, reciprocity of use,

discretion in use). These sorts of Fair Information Practices may be

required to help insure that active badges are a convenient technology

which do not degrade people's working lives. Other kinds of information

practices, such as those in which location monitoring is non-reciprocal,

and non-discretionary may help transform some workplaces into electronic

cages. Hopper and his colleagues briefly mention such possibilities in

their 1992 ACM TOIS article about active badges. And their article deserves

some applause for at least identifying some of the pertinent privacy

problems which active badges facilitate. However they are very careful to

characterize fine grained aspects of the technological architecture of

active badges, while they are far from being comparably careful in

identifying the workplace information practices which can make active

badges either primarily a convenience or primarily invasive. I believe that

CSCW researchers should be paying careful attention to social practices as

well as to technologies. Richard Harper's (1992) ethnographic study of the

use of active badges in two research labs illustrates the kind of nuanced

analyses which we need, although Harper also glosses the particular

information practices which accompanied the use of active badges in the two

labs.

Unfortunately, delays in understanding some risks of emerging technologies

have led the public to underestimate the initial magnitude of problems, and

to make collective choices which proved difficult alter. Our design of

metropolitan areas making individually operated cars a virtual necessity is

an example. In the early stages of use, the risks of a new family of

technologies are often hard to discern (See Dunlop and Kling, 1991, Part

VI). When major problems develop to the point that they are undeniable,

amelioration may also be difficult.

I characterized CSCW, in part, as a social movement (Kling and Iacono,

1990). Most of us who study, develop, or write about CSCW enthusiastically,

(and sometimes evangelistically) encourage the widespread use of these new

technologies. However, as responsible computer scientists, we should temper

our enthusiasms with appropriate professional responsibility. CSCW

applications open important organizational opportunities, but also opens

privacy issues which we don't understand very well.

The new ACM Ethical Code (ACM, 1993) also has several provisions which bear

on privacy issues in CSCW. These include provisions which require ACM

members to respect the privacy of others (Section 1.7), to improve public

understanding of computing and its consequences (Section 2.7), and to

design and build information systems which enhance the quality of working

life (Section 3.2). The ACM's code is rather general and does not give much

specific guidance to practitioners. The CSCW research community is well

positioned to conduct the kinds of research into the social practices for

using these technologies which could shape meaningful professional

guidelines for their use in diverse organizations. Will we take a

leadership role in helping to keep CSCW safe for users and their

organizations?

=================================

Note: I appreciate discussions with Jonathan Allen, Paul Forester, Beki

Grinter, and Jonathan Grudin which helped clarify some of my key points.

REFERENCES

   1. Association of Computing Machinery. 1993. "ACM Code of Ethics and

      Professional Conduct." Communications of the ACM. 36(2)(Feb.):99-103.

   2. Attewell, Paul.  "Big Brother and the Sweatshop: Computer

      Surveillance in the Automated Office" in Dunlop and Kling 1991.

   3. Bullen, Christine and John Bennett. 1991.  Groupware in Practice: An

      Interpretation of Work Experience" in Dunlop and Kling 1991.

   4. Dunlop, Charles and Rob Kling (Ed). 1991. Computerization and

      Controversy: Value Conflicts and Social Choices. Boston: Academic

      Press.

   5. Harper, Richard H.R. "Looking at Ourselves: An Examination of the

      Social Organization of Two Research Laboratories" Proc. CSCW '92:

      330-337.

   6. Kling, Rob. 1991.  "Cooperation, Coordination and Control in

      Computer-Supported Work." Communications of the ACM

      34(12)(December):83-88.

   7. Kling, Rob and Charles Dunlop. 1993. "Controversies About

      Computerization and the Character of White Collar Worklife." The

      Information Society. 9(1) (Jan-Feb:1-29.

   8. Kling, Rob and Suzanne Iacono.  1990. "Computerization Movements"

      Chapter 19, pp 213-236  Computers, Ethics and Society, David Ermann,

      Mary Williams & Claudio Guitierrez (ed.) New York, Oxford University

      Press.

   9. Privacy Protection Study Commission. 1977. Personal Privacy in an

      Information Society, U.S. Government Printing Office, Washington D.C.

      (briefly excerpted in Dunlop and Kling, 1991.)

   10.Want, Roy, Andy Hopper, Veronica Falcao and Jonathan Gibbons. 1992.

      "The Active Badge Location System" ACM Transactions on Information

      Systems. 10(1)(January): 91-102.

------------------------------

End of Computer Privacy Digest V3 #078

******************************