Subject: RISKS DIGEST 13.18
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 25 February 1992  Volume 13 : Issue 18

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
California data-privacy/comp.crime bill [PART TWO] (Jim Warren)

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
 taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
 CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
 Others may be ignored!  Contributions will not be ACKed.  The load is too great.
 **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP domain
 folks.  REQUESTS please to RISKS-Request@CSL.SRI.COM.
 Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
 CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 13, j always TWO digits).
 Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.
 The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
 <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues of ACM
 SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Mon, 17 Feb 92 19:19:18 PST
From: autodesk!megalon!jwarren@fernwood.mpk.ca.us (Jim Warren)
Subject: California data-privacy/comp.crime bill [Part TWO]

[PART ONE IS IN RISKS-13.17.]

=============== background comments by legislative assistant ===============

[[**** In this section, since underlining is for emphasis, only, and has no legal meaning, I changed Mr. Firschein's underlined text to all-caps.
****]]

California State Senate
Bill Lockyer
Tenth Senatorial District
Southern Alameda County
State Capitol
Sacramento, California 95814
(916)445-6671

TO: Interested parties
FROM: Ben Firschein, Senator Lockyer's Office
DATE: February 14, 1992
RE: BACKGROUND INFORMATION ON SB 1447 (LOCKYER, PRIVACY)

You should have received a copy of SB 1447 (Lockyer, Privacy) in the mail recently. Senator Lockyer introduced the bill in an effort to address some of the concerns raised at the privacy hearing on December 10, 1991. This memorandum is intended to explain the intent of the various sections of the bill, but it is not a committee analysis. (A committee analysis will be forthcoming at a later date, when the bill is set for a hearing). We welcome suggestions as to how to clarify the language of the bill, or otherwise improve the bill.

SECTION 1: CITATION

The bill may be cited as the "Privacy Act of 1992".

SECTION 2: INFORMATION OBTAINED FROM DRIVER'S LICENSES

This section requires the written consent of a consumer for a business entity to (1) sell information obtained from the consumer's driver's license or (2) use such information to advertise goods or services. The section is intended to cover instances where a consumer presents a driver's license or identification card for identification purposes during a business transaction. The section is not intended to prevent businesses from using driver's license information for business record-keeping, or for other purposes related to the transaction (i.e. authorizing a transaction). The section is not intended to change existing law with respect to the ability of businesses to obtain driver's license information from other sources (such as DMV records).

The need for this section is heightened by the new "magstripe" drivers license developed by the Department of Motor Vehicles. This license has a magnetic stripe on the back which contains much of the information on the front of the license.
The stripe will enable a business entity to store information contained on a driver's license simply by scanning the card through a reader. A publication by the Department of Motor Vehicles dated May 1991 ("Department of Motor Vehicles Magnetic Stripe Drivers License/Identification Card") states that "using point of sale (POS) readers and printers, the business community can electronically record the DL [driver's license] /ID number on receipts and business records." The publication notes that "magnetic stripe readers are readily available, relatively low in cost, and are already available in many retail outlets." However, a merchant might access much more than the driver's license/ID number; the publication notes that "readers have been produced, and market available readers can be modified that will read the three tracks of information contained on the California card." According to the publication, the tracks contain information such as license type, name, address, sex, hair-color, eye-color, height, weight, restrictions, issue date.

SECTION 3: DEPRIVATION OF THE RIGHT TO PRIVACY OF EMPLOYEES OR PROSPECTIVE EMPLOYEES

This section provides that an employer shall be liable to an employee or prospective employee for damages caused by subjecting an employee to discipline or discharge or denying employment to a prospective employee, on account of the exercise by that person of privacy rights guaranteed by the California Constitution. This section is modeled after Connecticut Labor Code Section 31-51q. The Lockyer bill goes further than the Connecticut statute in that it applies to prospective as well as current employees. The bill would allow punitive damages and reasonable attorney's fees to be awarded pursuant to Section 3 (page 3, lines 10-12).
The bill would specify that if the court decides that an action for damages was brought by an employee or a prospective employee without "substantial justification," the court may award costs and reasonable attorney's fees to the employer (page 3, lines 12-15). As with the Connecticut statute, an employee's cause of action would only exist if the activity for which the employee was disciplined or discharged did not "substantially interfere with the employee's bona fide job performance or working relationship with the employer." (Page 3, lines 4-5).

POSSIBLE AMENDMENT: The language in the bill covering prospective employees (page 3, lines 6-9) omits the "substantial interference" language contained in the section covering existing employees. Perhaps the bill should specify that a prospective employee lacks a cause of action if the prospective employer has a compelling business interest in rejecting someone because they engaged in certain acts (even though those acts were protected by the constitutional right to privacy). Such an amendment would be consistent with cases such as SOROKA V. DAYTON HUDSON CORPORATION, 91 Daily Journal D.A.R. 13204 (1st Appellate District). The court in SOROKA found that a psychological screening test administered to Target Store security officer applicants violated the applicants' state constitutional right to privacy when it inquired about their religious beliefs and sexual orientation, because there was no compelling need for the test.

POSSIBLE AMENDMENT # 2: One of the participants in the privacy hearing suggests language making it clear that the rights and remedies set forth in the section are not exclusive and do not pre-empt or limit any other available remedy.

POTENTIAL ARGUMENTS AGAINST THIS SECTION: Some may argue that in light of cases such as Soroka, this statute is unnecessary, because these rights are already set forth in existing case law. They may also point out that the California Supreme Court held in WHITE V.
DAVIS that the right to privacy is self-executing, meaning that every Californian has standing to sue directly under Article I, Section I of the California Constitution for a privacy violation. WHITE V. DAVIS (1975) 13 Cal.3d 757, 775. Given that the right to privacy is self-executing, why is a statute needed? The answer is that case law is in a state of flux, and there is no guarantee that future courts will construe Article I in such a liberal fashion. Also, the bill is an improvement over existing case law in that it specifically lists the types of damages that may be awarded, including punitive damages, and reasonable attorney's fees.

SECTION 4. COMPUTER CRIMES

Jim Warren (one of the witnesses at the hearing) posted the Leg Counsel draft of the bill on one of the networks and showed me some of the responses. This section generated most of the comments, some of which were quite vocal. First a word of caution to those uninitiated in the ways of the Legislature: MOST OF THE LANGUAGE IN THIS SECTION IS EXISTING LAW. Our proposed additions are contained in language that is in italics or underlined. IF IT IS NOT IN ITALICS OR UNDERLINES, IT IS EXISTING LAW.

PROPOSED ADDITION #1 (page 7, line 25): Extend the existing computer crime statute [Penal Code Section 502] to allow civil recovery by any injured party against someone convicted under Section 502 of breaking into a computer. (The existing law just allows recovery by the owner or lessee of a computer system). For example, if someone is convicted under Section 502 of breaking into TRW's computers and altering credit records, the existing statute would allow TRW to recover against the hacker in a civil suit, but the statute would not allow someone whose credit history was injured by the hacker to sue the hacker under statute.
PROPOSED ADDITION #2 (page 7, lines 30-33): Extend Penal Code Section 502 to allow civil recovery against a convicted hacker for more than just the cost of expenditures necessary to verify that a computer system was or was not altered, damaged, or deleted by the access. The proposed language would allow civil recovery for ALL CONSEQUENTIAL OR INCIDENTAL DAMAGES resulting from the intrusion.

PROPOSED ADDITION #3 (page 7, lines 38-40 & page 8, lines 1-6): Create a cause of action against those who "recklessly store or maintain data in a manner which enables a person to commit acts leading to a felony conviction under this section." The section is intended to address the situation where someone stores information (e.g. credit data) in a manner which easily allows unauthorized access, and the person who is able to access the information as a result of the lack of safeguards injures a third party (e.g. a creditor, or a person whose credit history is altered).

The source of the section is the case of PEOPLE V. GENTRY 234 Cal.App.3d 131 (1991). In that case, a hacker figured out that if he queried the credit databases of TRW, CBI, or Trans Union, about a nonexistent person, each system would create a new file for that non-existent person. The non-existent person would have an exemplary credit history, because there was no negative credit information in the new file. The hacker in the GENTRY case went into the business of rehabilitating people's credit history by having them change their name, and then creating credit files on these "new" people. The court stated in a footnote "we do not address the potential liability to innocent third parties who might be harmed by this feature of the software program. Although Gentry found a weakness in the program and exploited it, responsibility should not rest solely with the felon. Credit reporting companies should recognize that this flaw is needlessly risky and remedy it." (GENTRY, page 135, footnote 3).
POTENTIAL CONCERNS: some people who have seen the bill worry that section 4 would apply to someone (e.g. a computer bulletin board operator) who stores information on a computer about how to commit a crime (e.g. information about how to break into a computer, or how to build a bomb). The section is intended to be limited to reckless storage of data in a manner which enables a person to commit acts LEADING TO A FELONY CONVICTION UNDER SECTION 503 (not other types of criminal acts). "Reckless storage" is intended to mean maintaining a system that lacks appropriate security safeguards; it is not intended to include storing information about how to commit crimes. Hopefully any potential ambiguities can be clarified through amendments.

PROPOSED ADDITION #4: The bill requires the reporting to local law enforcement of violations of the computer crime statute (Penal Code Section 503) within 60 days after such violations become known to the owner or lessee of a computer system (page 8, lines 26-34). The bill states that "failure to report a previous violation of this section to a local law enforcement agency...may constitute evidence of [reckless storage of data]." This is intended to ensure that people report such crimes to law enforcement. There are anecdotal reports that some of these crimes are not being reported because people are concerned about bad publicity resulting from reports that their systems were broken into.

POSSIBLE AMENDMENT: it has been suggested that the reporting requirement be limited to certain types of systems, or to a certain level of monetary loss. Objections have been raised that the bill would apply equally to someone who operates a home computer and to a business that operates a large mainframe. One could argue that the reporting requirement is more essential where a computer owner has a fiduciary or quasi-fiduciary duty to the people whose records are stored on the system (e.g. accounting or credit records).
An accountant's or a credit company's failure to report a computer break-in is more serious than a computer game bulletin board operator's failure to report a break-in. One possible objection to restricting the reporting requirement to a certain level of financial loss is that financial loss is hard to quantify. However, Section 503 already uses amount of financial loss to determine the type of criminal penalty to apply, so one could argue that amount of monetary loss could similarly be used as an indication of the need to report.

SECTION 5. AUTOMATIC VEHICLE IDENTIFICATION SYSTEMS

Existing law directs Caltrans to develop specifications for automatic vehicle tracking systems for toll facilities, such as those on bridges (Streets and Highways Code 27565). People will soon be able to have a device installed in their car which allows them to drive through a toll facility without stopping. The device will send a signal to a computer, which will keep track of their use of the facility. At the end of the month, they will get a bill. Presumably there will continue to be booths that people can drive through and pay cash.

At the December 10 privacy hearing, concern was expressed that the device offers potential for abuse. For example, if you know a particular vehicle is driving through the facility, why not program the system to:

1. Stop all people with outstanding warrants
2. Stop all people who have not paid their vehicle registration
3. Compile lists of all people who drove through the facility during a given month and sell the lists to the private sector.

One could argue that uses 1 and 2 are legitimate uses of this technology, because people who have broken the law should expect to come into contact with the police when they drive on public roads and highways. But one could also argue that people have an expectation of privacy when they drive and are not breaking the law at the time they are stopped (e.g.
they are not speeding, driving under the influence, or otherwise doing anything to attract the attention of the police). Use # 3 is harder to justify. Why should people have to reveal their personal lives to the private sector in order to use a device that will speed up their commute?

WHAT THE BILL DOES: The bill allows people the option of prepaying their tolls, and then using the facility anonymously. People would continue to have the option of being billed, rather than prepaying tolls. Under the bill, people who prepaid their tolls would be given an identification number unrelated to the vehicle owner's name, address, social security number, or driver's license number, or the vehicle's license number, vehicle identification number, or registration (page 10, lines 34-40). When they drive through the facility, the facility would look at their account, and let them through if there was still money in the account. The bill provides that once a numbered account has been established, neither Caltrans nor a private facility shall keep any record of the vehicle owner's name, address, social security number, or driver's license number, or the vehicle's license number, vehicle identification number, or registration (Page 11, lines 1-7). The user could make additional prepayments under the bill by specifying the account number and furnishing payment (Page 11, lines 8-10).

[[**** END OF MR. FIRSCHEIN'S BACKGROUNDER ON SB 1447 OF FEB. 14, 1992 ****]]

==================================

[[**** Both of these documents were edited by word-processor, rather than by retyping most of the text. I believe it is faithful to the original. Any errors are mine; not those of Mr. Firschein nor Sen. Lockyer. --Jim Warren ****]]

------------------------------

End of RISKS-FORUM Digest 13.18
************************
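Editor's added illustration (not part of the digest, of Jim Warren's post, or of Mr. Firschein's memo): the "create a file on an unknown query" weakness that the GENTRY footnote under PROPOSED ADDITION #3 calls "needlessly risky", placed beside a lookup hardened against it. The bureau classes, the CreditFile record, the subject names, the "1990 default" item and the TRUSTED_FILE_SOURCES set are all constructed for the example and describe no real bureau's system; the general lesson is that a read path must never turn "no record" into a freshly minted clean record.

```python
"""Create-on-query weakness (People v. Gentry) beside a hardened lookup.

Added illustration by the editor; not code from any credit bureau. All names,
records and the TRUSTED_FILE_SOURCES set are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CreditFile:
    subject: str
    negative_items: List[str] = field(default_factory=list)
    source: str = "query"  # how the file came to exist

    @property
    def looks_clean(self) -> bool:
        # To a creditor an empty file is indistinguishable from a good history.
        return not self.negative_items


class CreateOnQueryBureau:
    """Vulnerable design: a query about an unknown subject silently creates a
    new, empty file, so the answer 'unknown' is turned into 'spotless'."""

    def __init__(self) -> None:
        self.files: Dict[str, CreditFile] = {}

    def add_file(self, subject: str, negative_items: List[str]) -> None:
        self.files[subject] = CreditFile(subject, list(negative_items), "creditor_feed")

    def query(self, subject: str) -> CreditFile:
        if subject not in self.files:
            self.files[subject] = CreditFile(subject)  # fail-open creation on a read
        return self.files[subject]


class HardenedBureau:
    """Files are created only from an authoritative feed; a query is read-only,
    reports 'no file' as None rather than as a clean record, and logs the
    unknown subject, because a run of such probes is what a Gentry-style
    scheme looks like from the bureau's side."""

    TRUSTED_FILE_SOURCES = {"creditor_feed", "public_records"}  # constructed names

    def __init__(self) -> None:
        self.files: Dict[str, CreditFile] = {}
        self.unknown_queries: List[str] = []

    def add_file(self, subject: str, negative_items: List[str], source: str) -> None:
        if source not in self.TRUSTED_FILE_SOURCES:
            raise PermissionError(f"refusing to create a file from source {source!r}")
        self.files[subject] = CreditFile(subject, list(negative_items), source)

    def query(self, subject: str) -> Optional[CreditFile]:
        record = self.files.get(subject)
        if record is None:
            self.unknown_queries.append(subject)  # audit trail, no side effect on data
        return record


def rehabilitation_attempt(bureau, new_name: str) -> Optional[CreditFile]:
    """The scheme from the case: the subject adopts a new name and the bureau
    is queried about it. Returns whatever file the query yields."""
    return bureau.query(new_name)


if __name__ == "__main__":
    vulnerable = CreateOnQueryBureau()
    vulnerable.add_file("J. Smith", ["1990 default"])  # constructed record
    got = rehabilitation_attempt(vulnerable, "J. Smythe")
    print("vulnerable bureau:", "clean file created" if got and got.looks_clean else "no file")

    hardened = HardenedBureau()
    hardened.add_file("J. Smith", ["1990 default"], "creditor_feed")
    got = rehabilitation_attempt(hardened, "J. Smythe")
    print("hardened bureau:", "no file" if got is None else "file exists",
          "| probes logged:", hardened.unknown_queries)
```

The hardened version answers the same question the memo raises about "reckless storage": the safeguard is not a stronger password but a data model in which a read cannot create, and in which the unknown case is a distinct, logged outcome rather than a default that happens to favour the attacker.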