Subject: RISKS DIGEST 10.79
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Wednesday 23 January 1991  Volume 10 : Issue 79

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Lotus Marketplace (various sources)
  UK firms poor on computer health (Olivier M.J. Crepin-Leblond)
  Data privacy abuse in Australia (Phil Clark)
  MasterCard policy opens door to crooks (Marv Westrom)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. FTP VOL i ISSUE j: ftp CRVAX.sri.com login anonymous AnyNonNullPW CD RISKS: GET RISKS-i.j (where i=1 to 10, j is always TWO digits. Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Wed, 23 Jan 91 15:00:23 PST
From: Peter G. Neumann
Subject: Lotus Marketplace

Excerpted [by PGN] from today's Wall Street Journal (23 Jan 91) and AP items.

[Lotus Development Corp. was expected to announce today that it will drop its plans to place on the marketplace Lotus Marketplace, discussed here copiously in earlier issues (RISKS-10.61,62,63,68,74).]

``The turnaround on Marketplace suggests that technology companies are slowly learning how to strike a publicly acceptable balance between privacy and the explosion of electronic data. One example came last year when phone companies introduced "Caller ID" options that flash a caller's number on the other party's phone.
In response to consumer complaints, some phone companies are adding a feature that lets callers block their numbers.'' [WSJ]

``Lotus said it also would discontinue shipment of Lotus MarketPlace: Business, a database of information on 7 million U.S. businesses. That product had been offered since October.'' [AP] [The WSJ article implied that this product would NOT be cancelled.]

``Marketplace touched a raw nerve among consumers, and took on a broad symbolic significance in the debate over electronic privacy. When Lotus offered to delete data about anyone who called or wrote, it was flooded with about 30,000 requests. Consumers learned about the product through widespread news reports. ... Marketplace also became one of the hottest topics on the computer networks linking technology students and professionals. Complaints and protest letters were posted and copied on hundreds of networks. Opponents circulated Lotus's phone number and the electronic-mail address of Jim Manzi, its chief executive officer. "If you market this product, it is my sincere hope that you are sued by every person for whom your data is false, with the eventual result that your company goes bankrupt," declared one letter to Lotus that was posted on several networks.'' [WSJ]

``Privacy advocates' chief objection to Marketplace was that it wouldn't be easy enough for consumers to delete their data, or correct any inaccuracies. They worried that even if Lotus offered to update the disk with corrections and deletions, offending earlier versions would still go on sale.'' [WSJ]

``Lotus and Atlanta-based Equifax spent two years developing Marketplace Household. Lotus spokesman Richard Eckel declined to estimate Lotus' development costs.'' [AP]

``"There was no effective way to make sure that everyone listed on that product had freely consented," says Marc Rotenberg, Washington director of Computer Professionals for Social Responsibility.
The nonprofit group was one of Marketplace's loudest opponents.'' [WSJ]

And then there was this item, contributed roundabout, in a memo today from Jim Manzi to Lotus and Equifax folks, announcing the demise of both products:

``Unfortunately, we feel the majority of concern over the Households product has been generated by misinformation about the product's content and a general lack of understanding about the direct marketing industry. From the very beginning, Lotus and its data partner, Equifax Marketing Decision Systems, implemented a number of privacy-related controls that exceeded traditional direct marketing industry practices. We felt confident that these procedures limited any potential abuse of the product. Consumers should demand that future products of this type be as scrupulous and responsible.'' [Jim Manzi]

[The WSJ item was noted by Sean Kirkpatrick and others. The AP item was noted by Steve Bellovin; an earlier personal phone call to Lotus attempting to get himself removed from the database resulted in Scott Wilson being told that there would be no database from which he could be removed. On Monday, Roger H. Goun noted an article in the Boston Globe Business section, T.G.I.M. column, 21 January 1991, the writer of which included the following premonition to those who wanted to object to their being in the database: Save your breath, and save Lotus the dime. They're getting the message. If I were a betting man, I'd bet you won't see Lotus in this Marketplace much longer. And yes, for you skeptics, there are still 10-cent payphone calls in Massachusetts, among other places, although the incoming 800 number is probably not exactly 10 cents per call. PGN]

------------------------------

Date: Thu, 17 Jan 91 16:19 BST
From: "Olivier M.J. Crepin-Leblond"
Subject: UK firms poor on computer health

This article has appeared in a specialised publication in UK called Technology Graduate, Nov/Dec 1990 issue.
British companies are not doing enough to safeguard their employees against the health hazards of working with computer technology. Only a quarter of businesses take formal health and safety measures, according to a survey published in "Which Computer?" magazine. A sixth of the organisations who took part in the survey reported staff illness directly related to the use of information technology equipment, injuries such as headaches, repetition strain injuries (RSI), eye problems and back, neck, wrist and finger ailments. A third of them said they received staff complaints about the health risks associated with computers. However, employers will soon be compelled to take statutory action on the welfare of staff. By the end of 1992, EC member states have to put up with a directive which lays down minimum health and safety requirements for work with IT. Employers will become legally responsible for ensuring that all new equipment installed meets its requirements; existing equipment must be brought up to standard within four years. The directive also governs mandatory inspections of computer equipment and sets down minimum standards for the ergonomic design of computer screens and keyboards, desks, seating and lighting. It provides for training and organisation of time to allow for periodic breaks from screen work and regular free eye tests and glasses where necessary. Display screens must be flicker-free and fully adjustable. The keyboard must also be separate from the screen. Sufficient desk space must be provided for hand and arm support. Computer users' chairs must be adjustable and a footrest must be available on request. Many of the companies surveyed were ignorant of both the risks and of where to seek advice on computer health and safety. Less than a quarter had consulted the Government's Health and Safety Executive on computer users' rights and only one in 10 had taken advice from an ergonomist. "

- Typing this has given me a backache. -

Olivier M.J.
Crepin-Leblond, Elec. Eng. Dept, Imperial College London, UK.

[Cogito, ergo nomics.]

------------------------------

Date: 17 Jan 91 00:44:26 GMT
From: pgc@csadfa.cs.adfa.OZ.AU (Phil Clark)
Subject: Data privacy abuse in Australia

The following items appeared in the "Canberra Times" of Monday 14th January 1991 and Tuesday 15th July 1991. These show how computer information, databases, banking and credit records are being abused in Australia, with little or no recourse for the general public.

IN 1990 THE Commonwealth Privacy Commissioner published a thick report listing the extensive tabs the Government keeps on its citizens, including details on people's sexual lifestyles and relationships, held by the Department of Immigration, local Government and Ethnic Affairs. It showed that dossiers are created on people who write to government ministers, and that the Federal Government has access to all state birth, death and marriage registers and state vehicle and licence authorities' records, which it matches up with Medicare, taxation and social-security files. The Taxation Office collects information on Medicare records, bank accounts, land-title records, car registration and virtually every immigration movement into and out of Australia, and the Department of Employment, Education and Training has access to most university records. The flow of personal data in Australia is generally freely swapped between state and federal governments. In 1990 the Government passed the Cash Reporting Transactions Act, which effectively makes the banking industry an arm of government, providing details on major transactions, and which is rapidly moving towards the Government having full on-line computer access to people's bank accounts. Even the NRMA (*NSW motoring organisation) gives its three-million-name membership list to help the authorities track down unpaid parking fines.
Australia lags far behind France, Germany, Singapore, Belgium and Austria, which have detailed laws protecting privacy. This prompted, by the mid-80s, a series of European media reports detailing Australia's departure from the norms of developed countries. Among examples are NSW laws allowing people to be taken into custody without being charged and forced to give blood, and, more recently, laws dealing with the search and seizure of private property. One of the most far-reaching of recent laws is the one that confiscates assets `SUSPECTED' of being the proceeds of crime or even associated with crime. It can deny the accused access to his money for legal representation, and in some cases reverse the onus of proof. Some of these state laws directly depend upon the ever-increasing information flow to round up suspects. Many people so accused have been innocent, chosen for investigation simply because they fitted a certain computer profile, such as a businessman arrested because he travels overseas a lot and appears to the computer as if he might be a drug courier. In a recent radio interview presented by the wife of the NSW Premier, Kathryn Greiner, it was revealed that a woman had wrongly been reported to the Taxation Office as running a brothel. The information was reported to the Government by her credit union, to which she had applied for a loan. The Cash Transactions Reporting Act in the past six months has caused dozens of innocent individuals' lives to be invaded by the authorities. In some cases their homes have been seized. Most Western European countries strictly prohibit the collection and networking of data. The next step is the introduction of a Bill in a few months requiring Australian citizens to have an exit visa before being allowed to leave the country. Partly in response to the criticism of the European Press and growing concern of Australians about privacy, the Commonwealth Government enacted the Privacy Act. 
The preamble specifically recites Australian obligations to protect personal privacy under the International Covenant on Civil and Political Rights. The main Act relating to Commonwealth records was passed in 1988, with an accompanying Bill which purported to regulate the activities of credit-rating bureaus. After heavy lobbying by the finance industry and the Credit Reference Bureau of Australia Ltd, the Bill was delayed. The Act gains nation-wide coverage by a backdoor method to overcome constitutional limitations. The thinking of the Government in drafting the legislation relies upon reform of the way organisations collect and manage information. The linchpin is the commissioner's power to create a Code of Conduct which if breached gives the commissioner the power to award compensation - a duty he has been given to enforce with just 11c per Australian. As the general manager of the Credit Reference Association of Australia Ltd points out, at the time of drafting the prosecution provisions were rarely (if ever) expected to be used. The reality is that the privacy legislation, already a complex 90-page hotchpotch of provisions unable to be read without reference to other legislation, offers little real protection of privacy and even less compliance with the spirit of the treaty to which it supposedly gives effect. The Privacy Act is being used by the Government to add a further obstacle on top of the already restricted Freedom of Information Act to deny information legitimately sought by journalists. An example is where ministers' officers refuse to comment on cases by saying erroneously that the Act prohibits them from saying anything. It exempts intelligence agencies, the National Crime Authority, most activities of government enterprises, and Royal commissions and government ministers. The information can be used for any purpose or exchanged "for any other purpose" where the Government believes a person impliedly agreed to such a release.
Because most government-agency forms contain broad boilerplate clauses which provide for the exchange of information, implied consent "for other purposes" will nearly always be present. For example, the Department of Immigration, Local Government and Ethnic Affairs places on its forms that it is the department's "usual practice [to] pass on some or all such information to agencies which deal with education, health community services, social welfare, employment and labour, intelligence, law enforcement, taxation and statistics". As it stands, the legislation is sufficiently vague to offer Commonwealth agencies wide discretion in deciding what constitutes implied consent and what is meant by the word "reasonable". Similarly, the legislation provides a blanket clause that allows private information to be given out where it is "reasonably" necessary for the "enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue". It allows Social Security to match up its records against tax and income details held by other departments, a practice recently entrenched by data-swapping legislation passed in the last week of parliamentary sittings. The exchange of information currently extends to Social Security getting lists of drivers from taxi companies so it can look for pensioners and the unemployed attempting to earn a few undeclared dollars. Its computer combs state death registers to identify deceased beneficiaries. Unfortunately the same procedure has led to embarrassing errors where innocent people have had their income stopped because of a mistaken identity. Social Security and Taxation also use the Credit Reference Association of Australia Ltd to investigate people's finances. 
The legislation is wide enough to cover also the release of information for ANTICIPATED evasion of any law, such as state stamp duties, investigations or, for that matter, nearly any act of a state government which has a connection or responsibility of administering a government Act. In other words, the exceptions are so wide as to empty the legislation of any real clout. The legislation fails to address a general fear of the spectre of a 1984 "big brother" that is an all-knowing omnipresent surveillance, because it does nothing to control effectively the real mischief which lies in cross-linking the records which affect a person's life. Except for tax-file-number information, few controls are put on what state governments do with information given to them by the Commonwealth. With up to a dozen government agencies swapping data, a large number of people learn secrets, and information may become less accurate on each transfer. In recent times there have been a number of prosecutions against Social Security staff, tax officers and other public servants selling data-base information, police in various states accused of selling motor-traffic and other government information, and other illegal passages of information. Private investigators have boasted of how easy it is to extract information. The average person has reason to have serious doubts as to privacy within state government records with which the Commonwealth freely swaps data. The Privacy Commissioner, former barrister Kevin O'Connor, appointed to administer the Act operates under a number of fetters, including a curious provision requiring him to have regard to "social interests that compete with privacy including the general desirability of a free flow of information and the recognition of the Government and business to achieve their objectives in an efficient way". 
This is wide enough to force the commissioner to take into account government policy aimed at matching up its records and creating detailed profiles of people's spending patterns for taxation or any other type of investigations the Government thinks desirable. At present the commissioner works on a tiny budget of just over $2 million a year, which is grossly inadequate to carry out his enormous task. He is also muzzled by extraordinary provisions which enable the Attorney-General to certify that he may not investigate certain breaches of the Act by the Government for such ill-defined reasons as national security, international relations or where an investigation is planned or where the matter concerns the methods and practices adopted by law-enforcement or intelligence-type agencies, despite that it is in this very area that the greatest fears for personal privacy exist. The commissioner has limited powers to award compensation in certain cases although the legislation is silent as to how much and when this provision may operate. How can a person put a value on having put on public display his personal affairs, which will never be the same again? How to value the feeling of being personally invaded and the hassle of clearing it up? To give the legislation some teeth, the commissioner will need to take a robust attitude in order to make organisations responsive and to encourage aggrieved individuals to take the time and trouble to make and follow through a complaint. Yet even where compensation is awarded, if the person against whom the order is made refuses to pay, then the whole matter is reheard by the Federal Court, an expensive and time-consuming process where legal costs can quickly wipe out any compensation payment.

Tomorrow: Credit reporting agencies.

The Credit Reference Association of Australia is the largest credit-reporting bureau in Australia and is jointly owned by the banks, insurance companies and to a lesser extent its smaller subscribers.
It has records on about nine million adult Australians. Amendments to the Privacy Act that claim to control this agency were passed in the last fortnight of the 1990 Parliament and heralded by Senator Nick Bolkus (Lab, SA) as one of the great reforms of the Labor Party. The Bill was originally introduced in 1988 but stalled for two years while heavy lobbying took place behind the scenes. According to the general manager of the association, Bruce Bagon, it hired former Commonwealth Ombudsman Jack Richardson to draft model legislation for its own governance. Contrary to the great achievement claimed by the Government, the recent amendments to the Commonwealth Privacy Act were not new because the association had already been restricted since the 1970s under various state legislations and by its own internal policies. The effect of the new legislation, which does not become law for another nine months, claims to restrict who can gain access to consumer files by allowing access to only "credit providers". This means that many peripheral users such as real-estate agents, Telecom and insurance companies can no longer get credit information. It also prevents "positive reporting" being placed on a file - something the association had at one stage planned to introduce. Positive reporting puts a person's current details on file, whether positive or adverse, such as current credit accounts held and balances owing on each account, payment details and so on. Other provisions force the association to separate - but not delete - a person's "commercial" activities, such as whether a person is a director or otherwise associated with a failed company or a business. It also requires publicly available records such as electoral-roll information and telephone-book information to be stored separately, but not deleted. The law still allows court judgments and bankruptcy notices to be included on a person's file. Similarly, insurance records will be separated.
The result will be that most people will have three files, one for personal credit, another for insurance, with a last one holding information on any "commercial" activities. As with the provisions of the Privacy Act that claim to regulate government files, the parts that regulate the credit bureaus contain numerous loopholes. The association's general manager says the legislation adds very little to its existing practices, except to cause the separation of files. It creates a vague list of "privacy principles" and requires a "code of conduct" yet to be formulated to cover the nitty-gritty details of regulation, such as how to decide what constitutes a person's "commercial", as opposed to personal, financial activities. The federal legislation does not give consumers a specific right to directly ask the credit bureau to remove errors, in contrast to legislation in countries such as the United States, which has had a Fair Credit Reporting Act since 1971. This weakness forces customers to go through their credit providers to have the error completely removed. As the credit provider has no financial incentive to correct records actively, it in effect puts consumers in the position that the banks decide when and what to tell the credit bureau. There is virtually no chance of successful prosecution. The only restriction placed on the credit provider is that it must tell the bureau "as soon as practicable" that a person has paid an outstanding bill or denies liability. In practice this allows the banks the flexibility to delay making corrections while it "investigates" any other type of error. The consumer's only direct right is to have a note added to his file stating that there is an error. But, unfortunately for the consumer, the maxim "no news is good news" is especially relevant in the credit industry. Despite any note on the file, a consumer is unlikely to be given the benefit of the doubt by another potential credit provider. 
The result is that the consumer is effectively at the mercy of the banks as to when they decide to act on a complaint - a disheartening prospect considering the poor service that seems prevalent with banking nowadays. The US legislation, by contrast, foresaw this problem and requires any disputed negative items to be removed until (and if) the matter is cleared up. The bank that made the negative report has 30 days to justify its claim, after which the negative item permanently lapses. Although the legislation claims to restrict the use of information for the purposes of assessing credit applications, it can be used for many other purposes if it believes on "reasonable grounds" that a consumer is no longer willing to comply with his obligations. Then the legislation allows the information to be used "in connection" with the consumer's alleged lack of compliance. This gives great latitude to credit providers. In modern credit-management practices, if a person refuses to return phone calls, refuses to do as the creditor asks or perhaps refuses to discuss the matter, the consumer runs the risk of being labelled as "delinquent" or as a "skip", with the result that other credit providers are given the names on a special alert list. Just what "reasonable grounds" means to a credit provider or in-house debt collector is unspecified, unlike the US law, which sets up a specific regime. There is little chance of successfully prosecuting credit providers or reporting bureaus. A prosecution must prove corporate criminal liability - difficult to establish at the best of times but almost impossible under the new legislation. The Privacy Act requires that the entity must knowingly or recklessly breach the Act; show that the employee who committed the act in question did so within the scope of his actual or apparent authority; have the requisite state of mind; and finally requires proof that it failed to take reasonable precautions and to exercise due diligence. 
Each of the four criteria must be proved beyond reasonable doubt. Privacy legislation in Australia therefore offers very little to the public. The various principles and unstated practice codes are so widely defined as to be meaningless and/or easily interpreted in such a way that nearly any act can be justified within its framework. With the likelihood of successful prosecution virtually nil, the legislation does protect tax-file numbers but, far from the breakthrough claimed by the Government, it remains little more than window dressing. The Government needs to bite the bullet and use its external-affairs power to create a uniform and detailed law on privacy for the whole of Australia, written in plain English in a consolidated Act.

Phil Clark [VK1PC]
Department of Computer Science, Australian Defence Force Academy, Northcott Drive, Campbell, Canberra, Australia, 2600. +61 6 268 8157

------------------------------

Date: Mon, 21 Jan 91 09:56:48 PST
From: Marv_Westrom@mtsg.ubc.ca
Subject: MasterCard policy opens door to crooks.

I have a MasterCard account which I use regularly. I keep my receipts and match them to the line items on the statement each month. On January 15th I received a regular statement which contained an item for which I did not have a receipt. A phone number is provided on the statement; I telephoned Customer Inquiry to ask further about the charge. Possibly I had lost the receipt; or possibly the charge was made incorrectly. A man identifying himself as Warren informed me that they could not provide me with a copy of the sales receipt, and the only way to address this matter was for me to write a letter (to Julia) explaining that the charge was incorrect. There was a second charge to the same merchant (an EXXON station) on the same day and upon learning that I still had my copy of this sales slip, he explained that a photocopy of it would be required with my letter so that they would have proof of an erroneous charge.
I felt that these demands defied common business practice and all common sense but he assured me that this was company policy. MasterCard is a significant presence in our society. I use both MasterCard and Visa as a part of my regular personal financial activities. These two companies have a virtual monopoly on this form of credit; I do not have the opportunity to take my business elsewhere. So perhaps they can use their monopoly power to institute a policy that is contrary to common sense. But I don't think they should be allowed to do so. An unscrupulous person knowing that this was MasterCard policy could set up a system of generating unwarranted charges with some cover of plausible deniability. Many of these charges would be paid simply because customers do not check their accounts closely. But even those who notice the spurious charges now have the onus of taking action and proving that they did not incur the charge. For a charge of $30 or so, many people would pay up rather than get involved in the hassle of proving that they did not owe it. What protection do I have from spurious and unwarranted charges to my MasterCard account, from unscrupulous merchants who could note my number and then put through fictitious charges and from errors by cooperating merchants and MasterCard itself? I can see that MasterCard would wish to be relieved of the burden of being honest and accurate, but surely the onus for proving that I owe money has to be on them. Notwithstanding that this is contrary to company policy. I will write my letter to Julia and enclose the proof that she requires. But I think that MasterCard's policy in this matter is a significant and serious deviation from acceptable practice and poses a significant risk to us all.

------------------------------

End of RISKS-FORUM Digest 10.79
************************