home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Handbook of Infosec Terms 2.0
/
Handbook_of_Infosec_Terms_Version_2.0_ISSO.iso
/
text
/
privacy
/
p04_009.txt
< prev
next >
Wrap
Text File
|
1996-09-03
|
32KB
|
703 lines
PRIVACY Forum Digest Friday, 21 April 1995 Volume 04 : Issue 09
Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
===== PRIVACY FORUM =====
The PRIVACY Forum digest is supported in part by the
ACM Committee on Computers and Public Policy,
and the Data Services Division
of MCI Communications Corporation.
CONTENTS
Privacy in a Complex World
(Lauren Weinstein; PRIVACY Forum Moderator)
Data Destruction-hire a carpenter (Kelly Bert Manning)
"Trip" report: USPS Advanced Technology presentation (Jacob Levy)
Playboy Endorses E-Mail Encryption (Tom Zmudzinski)
Family Privacy Protection Act of 1995 (Robert Gellman)
"Computer Privacy Handbook" Now Available (Andre Bacard)
Re: Medical Records Access (John Levine)
Decree on encryption in Russia [fwd] (Charles R. Trew)
Privacy and ITS (Phil Agre)
ACLU Files Amicus Brief in U.S. v Thomas (ACLU Information)
Databases and privacy (Barry Gold)
*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***
-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.
All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored. Excessive "signatures" on submissions are
subject to editing. Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com". Mailing list problems should be reported to
"list-maint@vortex.com".
All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations.
The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password. The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access. PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system. Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive. All PRIVACY Forum materials are available
through the Internet Gopher system via a gopher server on site
"gopher.vortex.com". Access to PRIVACY Forum materials is also available
through the Internet World Wide Web (WWW) via the Vortex Technology WWW
server at the URL: "http://www.vortex.com".
-----------------------------------------------------------------------------
VOLUME 04, ISSUE 09
Quote for the day:
"It is criminal, and it is evil."
-- President Clinton describing the bombing
of the Federal Building in Oklahoma City, Oklahoma
on 4/19/95.
----------------------------------------------------------------------
Date: Fri, 21 Apr 95 21:26 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Privacy in a Complex World
Greetings. I trust I'm speaking for the entire readership when I express my
sadness over this week's horrific event in Oklahoma. The deepest of
condolences for those who lost loved ones, and the best possible wishes for
recovery to the survivors--and unending respect and gratitude for the rescue
workers, local, state, and federal officials, and others who have been (and
still are) dealing with the continuing aftermath.
In coming weeks and months it seems likely that this event will again pull
into sharp focus the many conflicts in the U.S. (and the rest of the world)
over the boundaries, categories, and interactions of privacy with other
aspects of free societies. It will take stalwart determination and careful
consideration to be sure that the results strike a proper balance between
sometimes conflicting goals and needs. So long as we react with our heads
(and not solely with our emotions) with a view towards the future as well as
the past, we stand a good chance of continuing down a path that leads
neither to anarchy nor totalitarianism, but rather to the continuing
delicate balance between individual rights and the operational necessities
of civilized, democratic societies.
--Lauren--
------------------------------
Date: Sun, 9 Apr 1995 23:13:57 -0700 (PDT)
From: Kelly Bert Manning <ua602@freenet.victoria.bc.ca>
Subject: Data Destruction-hire a carpenter
The data center my application runs on converted from round reels to 3480
type cartridges several years ago. When they did so anyone driving along
the 6 lane arterial highway that runs past it could see a radial arm saw
set up by the loading dock. The carpenter who was hired quartered each round
reel before tossing it into a steel container for offsite destruction. He
seemed to have some sort of jig set up to keep the cut pieces flat for
the second pass.
How does this rate on the scale of data destruction? I supposed that
someone could have taken strips of tape and reread them, but it probably
would be very time consuming and difficult to seive thorugh all this data
for a particular item.
------------------------------
Date: Fri, 7 Apr 1995 11:12:21 -0700
From: jyl@riesling (Jacob Levy)
Subject: "Trip" report: USPS Advanced Technology presentation
INTRO
-----
This is a "trip report" of sorts. Thursday (4/6/95) evening I attended a
Smart Valley sponsored talk at Rickey's Hyatt by the VP of Advanced
Technology at the US Postal Service, Bob Reissler (sp?) and by the
technical architect, Richard Rothwell. The purpose of the talk was to give
USPS an opportunity to present their plans for "electronic mail and
electronic commerce for the general population".
I was the only one from Sun there as far as I could tell. There was a big
contingent of people from HP, Apple and some IBMers, many one-person
companies and startups, some trainers and educators and many unaffiliated
individuals - a total of about 150 people attended, standing room only.
OVERVIEW
--------
Mr Rothwell's talk was the more substantive and interesting among the two.
He presented USPS's plans for offering electronic access to their email
delivery system to the 80 million US households and businesses that are
currently not reached by online service providers or the Internet. After
his talk, Mr Rothwell presented a short video on how they intend to educate
their customers on the new product, and another USPS employee demoed the
client side of their system online. Their client side system works under
Windows 3.1 with MS Mail and Lotus Notes.
Overall points to note: They are very concerned about privacy. They do not
want to be in the business of managing or issuing escrowed key-pairs. They
are very concerned about the new possibilities for abuse of privacy that
become available when public keys and identity certificates are widely used
(I didn't understand this part - what would these oppties be?). They are
interested in working with whoever cares to make the US Govt and
legislative branch relax the rules about using crypto and the export
controls. They are working on a system that works globally, and active
collaboration with other postal services is high on their agenda. Canada
and European services were mentioned several times.
TECHNICAL POINTS
----------------
The system they are building is based on a transliteration of the basic
principles that make hardcopy mail work today, into the electronic world:
Stamp -> Digital Signature+digital money
Privace (envelope) -> Encryption
Dating+location -> Per-client digital time stamp (dts)
Identity (signature) -> Digital signature (ds)
In regular hardcopy mail, the stamp proves that you paid and provides a
guarantee that the postal service will deliver your hardcopy. The envelope
provides privacy and is protected by privacy laws from tampering. The
dating is provided by the cancellation on the stamp. The location is
provided by each post office having its own cancellation label with its
name and serial number listed. The identity is provided by the signature of
the sender on the hardcopy stored within the sealed envelope carrying the
cancelled stamp.
The postal service will offer:
- An electronic mechanism for stamping a message and adding a dts so that
it proves payment and dates the message
- Registered mail equivalent where the message gets signed by the USPS
private key and the signature is returned to sender
- Mechanisms for managing public keys (see below - no escrow)
- Certificate mechanisms (see below - no escrow)
- Archival services for both messages, certificates and message signatures
In their new system, the "stamp" will be replaced by a digital signature on
a receipt returned to the sender and archived by the service. The receipt
will contain "enough bits to track the message through the system" (his
words). The service replaces the traditional envelope with encryption: it
accepts messages that are already encrypted and it will also offer RSA
public key encryption as a service. Dating is achieved by adding a dts plus
a digital signature identifying the client from which the message was
received (if desire) or a more generic signature. Finally the service
offers extensive mechanisms for corporate and individual public key
management and certification with various levels of identity checking, all
the way from biometrics based to a simple send-in-by-mail "under penalty of
perjury I hereby certify that I am Jacob Levy and this key is my public
key". The service also offers a certificate and public key lookup service
based on an ISO 509 standard (?) without a publishing database, i.e.
modelled after the "Moscow city phonebook" (his words). The idea is you can
get anyone's public key if you know who they are but you cannot harvest the
phone book for, e.g., all postal employees living in San Mateo (apparently
they are concerned about e-mail bombs :).
Some new services that he talked about:
- Receipt notification through the equivalent of "sign here to receive
your package" and delivery of the signed receipt back to the sender
- "Bonded mail" which as far as I could tell includes archival and
delivery upon the occurrence of an event specified by the sender.
He called this "Forever mail", i.e. you send something which is
potentially never delivered, and he noted that this is already a
service offered by the current USPS (many laughs..) and so it should
be offered in the new system, in the interest of preserving their
current product offerings (more laughs).
- Automatic tamper-proofing through the addition of a USPS generated
signature that notarizes the text of your message.
--JYL
------------------------------
Date: Mon, 10 Apr 95 10:01:13 EST
From: "Tom Zmudzinski" <zmudzint@CC.IMS.DISA.MIL>
Subject: Playboy Endorses E-Mail Encryption
Playboy has endorsed the use of private encryption and the use of
remailers for e-mail privacy [March 1995 edition (the Nancy Sinatra
issue), on page 37, "Playboy Advisor", third letter]. I would have
captured both the letter and the response, but unfortunately Playboy
has a fairly draconian warning against electronic transmission of any
part of the magazine (which logically includes even the copyright
indicia -- which is why I've paraphrased the heck out of everything).
What is interesting is that the need for e-mail encryption is obvious
now even to the guy in the third stall on the left in the men's room.
------------------------------
Date: Fri, 14 Apr 1995 09:40:27 -0400 (EDT)
From: Robert Gellman <rgellman@cais.cais.com>
Subject: Family Privacy Protection Act of 1995
A privacy bill was approved by the House of Representatives
on April 4, 1995. The bill is the Family Privacy Protection Act
of 1995 (H.R. 1271). The Committee report is House Report 104-
94. The floor debate can be found in the Congressional Record of
April 4, 1995, at pages H 4125 to H 4141. The Act was part of
the Republican Contract With America.
The legislation requires the written consent of a parent
before a minor can be asked to respond to any survey or
questionnaire from a person funded in whole or in part by the
federal government if the survey or questionnaire is intended to
elicit information about --
1) parental political affiliations or beliefs
2) mental or psychological problems
3) sexual behavior or attitudes
4) illegal, antisocial, or self-incriminating behavior
5) appraisals of other individuals with whom the minor
has a familial relationship
6) relationships that are legally recognized as
privileged, including those with lawyers, physicians, and
the clergy
7) religious affiliations or beliefs
There must be written consent before this information can be
solicited, and there must be advance public availability of the
questionnaire or survey.
There is an exclusion for tests intended to measure academic
performance.
There are also four exceptions covering--
1) the seeking of information for the purpose of a
criminal investigation or adjudication
2) any inquiry made pursuant to a good faith concern
for the health, safety, or welfare of an individual minor
3) administration of the immigration, internal revenue,
or customs laws of the United States
4) the seeking of information required by law to
determine eligibility for participation in a program or for
receiving financial assistance
These rules would apply equally to surveys and
questionnaires that are anonymous and to those that are
identifiable.
I offer a few observations about the bill. First, it
appears that this is part of the agenda of the new right. Buried
in the Committee report is this sentence which may explain the
principal purpose of the bill:
In some cases, survey questions have been phrased
in a manner that suggests neutrality or even tacit
approval of behavior or attitudes which may be contrary
to the values held by parents.
Second, none of the key terms in the bill is defined.
"Sexual behavior" could arguably range from mating activities of
earthworms to fashion trends for seventh graders. Also, a survey
could arguably include a question asked by one teacher to one
student. It is also not clear what constitutes "antisocial"
behavior. Drinking? Rock concerts? Baseball strikes? Poorly
drafted legislation?
Third, the exclusion for tests of academic performance is
based on the intent of the test. Thus, prohibited questions
might be permissible in a test whose principal intent is the
measurement of academic performance. This may be true even if
the test is non-identifiable. On the other side, a sharp student
might argue that a biology test violates the rules without
parental consent and advance availability by questioning the
intent. This is not necessarily a winning argument, but it might
buy a postponement of an exam while the lawyers argue about
things.
Finally, the exceptions are worthy of note. You may not ask
a minor about sexual experiences without written parental
permission unless your purpose is to put the student or the
parent in jail or to collect taxes. This turns privacy
legislation on its head by denying anonymous and recourseless use
of information but permitting use of the information to harm the
provider. Thus, it is okay to ask children if their parents have
committed a crime if it is part of a criminal investigation but
not as part of a research project.
This legislation now goes to the Senate.
+ + + + + + + + + + + + + + + + + + + + + + + + +
+ Robert Gellman rgellman@cais.com +
+ Privacy and Information Policy Consultant +
+ 431 Fifth Street S.E. +
+ Washington, DC 20003 +
+ 202-543-7923 (phone) 202-547-8287 (fax) +
+ + + + + + + + + + + + + + + + + + + + + + + + +
------------------------------
Date: Fri, 14 Apr 1995 11:54:42 -0700
From: Andre Bacard <abacard@well.sf.ca.us>
Subject: "Computer Privacy Handbook" Now Available!!
I promised you that I'd tell you when "The Computer Privacy
Handbook" was released. I'm happy to say that the book is now
available! The book is already causing a stir, and Internet posters
have started calling me the "The Indiana Jones of Cyberspace."
You can now order "The Computer Privacy Handbook" directly from
Peachpit Press at (800) 283-9444. The book is also available in
some bookstores and in route to many more stores. Just about any
local bookstore can order the book for you. [Many databases list
the book under ISBN # 1-56609-171-3].
Peachpit Press is a subsidiary of Addison-Wesley, a global book
publisher. If you're outside the States, please contact your local
Addison-Wesley distributor, or ask me for a local address.
Attached is a press release with full details.
By the way, I'll be speaking at Computer Literacy Bookshop in San
Jose on May 3rd and at Stanford Bookstore on May 11.
If you like my book, please tell your friends. Of course, I'd value
your comments and suggestions. Thanks for your interest.
See you in the future,
Andre Bacard
------------------------------
Date: Mon, 17 Apr 1995 01:02:41 -0400
From: johnl@iecc.com (John Levine)
Subject: Re: MEDICAL RECORDS ACCESS
>Did you know that there is a leading credit information warehouser
>(Equifax) that is now proposing to create a mega-database comprised of
>your/our medical records? ...
>I don't know about you, but I want my medical information kept highly
>confidential. People can and will refuse you insurance should they have
>information about you that is not positive.
This particular battle is already lost. There is already an outfit in
suburban Boston called the Medical Information Bureau which insurance
companies routinely use to exchange claim information. The last time I
applied for medical insurance, in 1987, I had to fill out a form listing all
of the doctors I'd seen for the previous five years, and the insurance
company found a few I forgot, presumably from the MIB. Oddly, a few years
later when I wrote to the MIB and asked for a copy of my file, they claimed
they never heard of me. (I'm a wee bit sceptical. It's not like I was hard
to find, having been at the same address for 10 years.)
Nonetheless, it's still worth fighting Equifax's medical database proposal,
because Equifax has demonstrated that they have the morals of a slime mold.
The MIB, as far as I can tell, really only releases info to insurance
companies so they can decide whether they want to insure people. Equifax,
on the other hand, has shown that they'll cheerfully sell any info to
anyone, often in spite of laws to the contrary.
Regards,
John Levine, johnl@iecc.com
------------------------------
Date: Thu, 20 Apr 1995 13:59:57 -0400 (EDT)
From: "Charles R. Trew" <ctre@loc.gov>
Subject: Decree on encryption in Russia (fwd)
---------- Forwarded message ----------
Date: Thu, 20 Apr 1995 17:54:00 +0400
From: Igor V. Semenyuk <iga@sovam.com>
To: ctre@loc.gov
Subject: Decree on encryption in Russia
Gentle readers!
I want to bring your attention to the recent Yeltsin's decree
entitled "On the measures of law enforcement in design, production,
implementation and use of encrypting tools, and also in offering
services of information encyption".
The decree has been issued on April, 3, 1995 and is in force
from the publication date (April, 6, 1995, "Rossijskaja gazeta", N68).
I have no English translation available, volunteers are welcome
to do the translation (I can provide Russian KOI8 text).
It is the worst re-incarnation of "Clipper"'s case, with the
following pecularities:
- unlike Clipper the decree explicitly prohibits use of *any*
encryption technology that doesn't have a certificate from FAPSI (Federal
Agency of State Communications and Information - former KGB department).
- unlike Clipper there's no information about encryption technology
designed and implemented by FAPSI, which is supposed to be the
only allowed encryption technology
- unlike Clipper there are no provisions for securing the procedure
of (possible) "backdoor" decryption of data by law-enforcement
bodies (under court warrant or whatever)
- the decree prohibits import of non-certified encryption tools
The ground for all these points is "fighting organized crime".
The net result of the decree is that right now *any* encryption
tool/method but the one offered by FAPSI is illegal and individuals
and oragnizations using it may be prosecuted.
With liberate interpretation of the decree unix password encryption may be
found illegal, not mentioning zip and arj encryption.
This may have a disastrous impact on all information/communicaton.
I doubt anything similar to anti-Clipper movement can be done in
Russia... It's a difference between Democracy and "democracy".
Anyway may be media can bring attention to this problem.
PS. I'm crossposting this to FSUMedia and IPRussia lists.
Feel free to re-distribute the message.
--
Igor V. Semenyuk Internet: iga@sovam.com
SOVAM Teleport Phone: +7 095 956 3008
Moscow, Russia
------------------------------
Date: Thu, 20 Apr 1995 19:40:28 -0700
From: Phil Agre <pagre@weber.ucsd.edu>
Subject: Privacy and ITS
The Santa Clara Computer and High Technology Law Journal has just
published an excellent special issue on privacy issues in Intelligent
Transportation Systems (volume 11, number 1, March 1995). It derives
from a symposium on this topic that Dorothy Glancy organized at Santa
Clara University in July, 1994.
Here are some of the contents:
Norman Y. Mineta
Transportation, technology, and privacy
Jeffrey H. Reiman
Driving to the Panopticon
Sheldon W. Halpern
The traffic in souls
Robert Weisberg
IVHS, legal privacy, and the legacy of Dr. Faustus
Sheri A. Alpert
Privacy and intelligent highways: Finding the right of way
Ronald D. Rotunda
Computerized highways and the search for privacy in the case law
Philip E. Agre
Reasoning about the future
Dorothy J. Glancy
Privacy and intelligent transportation technology
According to the order form in the journal, single issues may be
purchased for US$20 (or US$25 for foreign addresses) from:
Computer and High Technology Law Journal
School of Law
Santa Clara University
Santa Clara, California 95053
(408) 554-4197
scchtlj@scuacc.scu.edu
I urge you to find out about these issues soon. ITS has the potential
to deliver a wide range of useful transportation-related services,
but it also has the potential to bring serious, systematic invasions
of personal privacy. Important decisions about ITS architecture and
privacy policy are being made now. The situation is hopeful in the
sense that the major players in ITS have little structural interest
in invading your privacy; privacy-invasive implementations of ITS are
being planned more from inertia than from bad intent. Still, once a
critical mass of systems is implemented and ITS system standards are
set (whether de jure or simply de facto), it will be very difficult to
change existing systems -- or even new systems that must be compatible
with the existing ones -- to a more privacy-friendly architecture.
For more information, see http://weber.ucsd.edu/~pagre/its-issues.html
Phil Agre, UCSD
(This message represents my own views and not those of the University
of California, Santa Clara University, or any other organization.)
------------------------------
Date: Fri, 21 Apr 1995 16:29:11 -0400
From: ACLU Information <infoaclu@aclu.org>
Subject: ACLU Files Amicus Brief in U.S. v Thomas (AABBC Case)
For Immediate Release
April 17, 1995
ACLU Files In Groundbreaking Computer Obscenity Case;
Friend-of-the-Court Brief Seeks to Overturn Tennessee Conviction
NEW YORK, April 17 -- The American Civil Liberties Union, seeking to
secure the future of free communication on the Internet, has filed a
friend-of-the-court brief in what is believed to be the first case involving
the cross-country prosecution and conviction of computer bulletin board
operators.
In its brief, filed with the U.S. Court of Appeals for the Sixth
Circuit in Tennessee, the ACLU urges the court to overturn the conviction of
Robert Thomas and Carleen Thomas of Milpitas, California. The Thomases own
and operate a computer bulletin board that specializes in the posting of
sexually explicit words and pictures.
The couple was indicted and convicted in the U.S. District Court in
Tennessee because a U.S. postal inspector learned of their bulletin board
and filed a fake application seeking access to its contents. Once he
obtained access, the postal inspector downloaded several pictures from the
California-based bulletin board, which a U.S. Attorney then deemed to be
~obscene~ under the "local community standards" of Tennessee.
In its brief, which was also filed on behalf of the ACLU affiliates
in Tennessee and Northern California and the National Writers Union,
Feminists for Free Expression and the Thomas Jefferson Center for the
Protection of Free Expression, the ACLU charges that the government is
engaged in a "clumsy attempt to censor communications in cyberspace through
application of an obscenity law and standards wholly inappropriate for this
new medium."
"Computer networks have created vast new fora for the exchange of
ideas," the ACLU's brief said. "They have created new communities with new
opportunities for people with similar interests to communicate with each
other.
"Until now," the brief continues, "computer networks have been
faithful to the values of the First Amendment. They have fostered,
encouraged and even nurtured the robust exchange of ideas.In this case the
government seeks to use a criminal law never intended to apply to computer
communications, to put a brake on that development, to stifle the explosive
creativity and breadth of expression occuring on computer networks."
The full text of the ACLU~s brief in Thomas vs. United States of
America is available in the ACLU's Free Reading Room, a gopher site (address
below) in the Court section, under National Office litigation.
--
ACLU Free Reading Room | American Civil Liberties Union
gopher://aclu.org:6601 | 132 W. 43rd Street, NY, NY 10036
mailto:infoaclu@aclu.org| "Eternal vigilance is the
ftp://ftp.pipeline.com | price of liberty"
------------------------------
Date: Fri, 21 Apr 95 16:54:48 PDT
From: Barry Gold <barryg@sparc.SanDiegoCA.ATTGIS.COM>
Subject: Databases and privacy
I think that the ability of large databases to cross-correlate data
about individuals is one of the top 3 current threats to privacy.
It seems likely that Congress will enact some sort of privacy
legislation in a few years, but it will probably be half-baked and
bass-ackward, given the history of government attempts to define
privacy. (For example, they frequently exempt themselves!)
I believe that AT&T GIS should be ahead of the curve on this one,
instead of waiting until privacy legislation looks likely to pass and
then trying to mold it into something we can live with. I think we
should already have privacy standards in place that we can point to
and say:
Look, we're already doing something about this. Why don't you
try our solution?
I believe that we should do the following:
1. Establish a policy, defining how database users should protect
user's privacy.
2. Apply that policy to our own databases, with respect to both
associates and customers.
3. Offer a discount to customers who contract to use the Database
in accordance with that policy. (If we were still the *only*
provider of terabyte-sized database products -- as TDAT was in
the '80s -- I would suggest we make appropriate privacy
agreements a *condition* of sale, but I think we no longer
have the market strength to do that.)
Just to get the ball rolling, here are some suggestions towards a
privacy policy:
. Information about individuals shall be used only for the
purpose it was gathered for. Information about associates will
not be used for marketing or sold to outside organizations;
information gathered from purchases will be used only for marketing
other products the customers may be interested in -- and in
particular not be used to deny a customer access to a product or
service.
Exceptions shall require the written permission of the subject to
whom the information applies.
. Individuals shall be given the option to stop receiving mailed
marketing offers. This "opt out" shall be handled either by a
call to a toll-free number or by sending in a prepaid or
business-reply notice.
. Invididuals shall be given the option to have their names
deleted from any lists sold outside the organization that
collected it, with the same "opt out" possibilities.
. Individuals shall not be contacted for telemarketing purposes
unless they have either:
a) given their permission to be so contacted
b) been given an "opt out" (as above) and sufficient time has
elapsed to be reasonably sure they have not exercised it.
. When information about individuals is sold outside the
organization, or used for any purpose other than the one given
the individual when the information was collected, the subject
shall be notified of this sale/use. To reduce the transaction
cost of such notification, subjects may be sent a "batch" of
notifications once a year.
. Taxpayer ID # shall not be used as an identifying key; it is
neither unique nor universal and such use is very far outside
the purpose for which it was created.
------------------------------
End of PRIVACY Forum Digest 04.09
************************