============================================================= @@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @@@ @ @ @@@@@ @ @@@ @@@ @ @ @ @ @ @ @ @ @ @ @ @ @@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @ ============================================================ Volume 1.07 November 11, 1994 ------------------------------------------------------------ Published by the Electronic Privacy Information Center (EPIC) Washington, DC (Alert@epic.org) ======================================================================= Table of Contents ======================================================================= [1] Ohio Court Upholds Privacy of SSNs [2] NTIA to Hold Virtual Conference on Privacy [3] Court Rejects Steve Jackson Appeal [4] Canadian Gov't Releases Discussion Paper on NII Privacy [5] GATT Legislation Requires SSN Issued at Birth [6] New Files in the Archive [7] Upcoming Conferences and Events ======================================================================= [1] Ohio Court Upholds Privacy of SSNs ======================================================================= In a decision handed down on October 26, the Ohio Supreme Court has ruled that governmental disclosure of Social Security numbers (SSNs) violates individuals' constitutional right to privacy. At issue was a request by the Akron Beacon Journal for release of computer tape records of the City of Akron's year-end employee master files. The payroll files contain various information including employees' names, addresses, telephone numbers, SSNs, birth dates, education, employment status and positions, pay rates, service ratings, annual and sick leave information, overtime hours and pay, and year-to-date employee earnings. The City had provided the records to the newspaper, but deleted the SSNs on privacy grounds. EPIC staff, on behalf of Computer Professionals for Social Responsibility, joined with the Public Citizen Litigation Group in filing a "friend of the court" brief in the case. The CPSR/Public Citizen brief highlighted the privacy implications of SSN disclosures and argued in support of the City's decision to withhold the numbers. The brief urged the Ohio Supreme Court to follow the lead of the U.S. Court of Appeals for the Fourth Circuit in the case of Greidinger v. Davis, where Virginia's practice of requiring SSNs for voter registration purposes was held unconstitutional. EPIC staff had similarly participated in the Greidinger litigation as friends of the court. Significant excerpts from the Ohio Supreme Court decision: The city's refusal to release its employees' SSNs does not significantly interfere with the public's right to monitor governmental conduct. The numbers by themselves reveal little information about the city's employees. ... While the release of all city employees' SSNs would provide inquirers with little useful information about the organization of their government, the release of the numbers could allow an inquirer to discover the intimate, personal details of each city employee's life, which are completely irrelevant to the operations of government. As the Greidinger court warned, a person's SSN is a device which can quickly be used by the unscrupulous to acquire a tremendous amount of information about a person. ... Thanks to the abundance of data bases in the private sector that include the SSNs of persons listed in their files, an intruder using an SSN can quietly discover the intimate details of a victim's personal life without the victim ever knowing of the intrusion. Coming a year after the Greidinger decision, the Akron Beacon Journal case continues a trend toward judicial recognition of the privacy implications of SSNs. EPIC will continue to participate in related litigation in an attempt to establish a body of caselaw protecting the confidentiality of SSNs and other personal information. A copy of the decision is available at cpsr.org /cpsr/privacy/ssn ohio_ssn_case_1994.txt. ======================================================================= [2] NTIA Virtual Conference -- Privacy Discussion ======================================================================= EPIC Director Marc Rotenberg and Computer Privacy Digest Moderator Prof. Leonard Levine will co-host the privacy discussion for the NTIA Virtual Public Conference next week. The Virtual Conference is part of the Administration's effort to gather information and opinions about the issues of universal service and open access. Regarding privacy, some of the questions that the Administration would like to pursue are: -- What potential is there for the telecommunications and information networks to compromise personal privacy? To what extent will perceptions of reduced privacy hinder widespread, seamless access to the telecommunications and information networks? The conference will begin on November 14th, 1994, and run through midnight November 18th, 1994. If there is sufficient interest, it may be extended an additional week. You may subscribe to the privacy discussion by sending email to: privacy@virtconf.ntia.doc.gov Your email address will be saved and you will be added to the subscription list for the topic. You will receive an introductory message about the conference. You do not need to supply any information in the subject line or in the message to pre-subscribe. If you wait and subscribe on November 14, 1994, you need to send email to a conference topic from the account where you want to receive the mailings. The message should have the single line in it: subscribe topic your name where subscribe is a keyword and topic is the name of one of the following topics: redefus, avail, intellec, privacy, standard, opnacces. In addition to the privacy discussion, you might also subscribe to: redefus@virtconf.ntia.doc.gov (Redefining Universal Service and Access) avail@virtconf.ntia.doc.gov (Affordability and Availability) standard@virtconf.ntia.doc.gov (Interoperability) intellec@virtconf.ntia.doc.gov (Intellectual Property) opnacces@virtconf.ntia.doc.gov (Access for Individuals with Disabilities) To find more about the NTIA conference, go to: http://ntiaunix1.ntia.doc.gov:70/0/press/virtcon.txt Participants in the Virtual Conference are also encouraged to review the following two documents recently issued by NTIA: (1) NII Field Hearings on Universal Service and Open Access: America Speaks Out; and (2) Notice of Inquiry (NOI) on Universal Service and Open Access Issues (written comments in response to this NOI are being received by NTIA and should be filed on or before December 14, 1994, to receive full consideration). Both documents already are available through NTIA's IITF Gopher Server at iitf.doc.gov, dial in to (202) 501-1920, and NTIA's Bulletin Board Service at (202) 482-1199, ntiabbs.ntia.doc.gov (telnet, gopher or world-wide web). Privacy materials may be found at the cpsr.org gopher site in the file /cpsr/privacy/epic. Back issues of Computer Privacy Digest are available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Mosaic users will find it at gopher://gopher.cs.uwm.edu. ======================================================================= [3] Court Rejects Steve Jackson Appeal ======================================================================= The US Circuit Court of Appeals for the 5th Circuit has ruled that the seizure of a bulletin board (BBS) which contains private electronic mail is not an unlawful interception prohibited by the Electronic Communications Privacy Act of 1986. The Court of Appeals upheld a lower court ruling that the seizure was not an intercept because it was not contemparanous with the transmission of the communications, and thus not protected under ECPA in this case. The Court reviewed the wording and the legislative history of the ECPA and determined that interception did not include messages that were electronically stored. It found that stored messages are covered under Title II of ECPA, which has less strict requirements for the access of electronic communications. In the lower court, damages and fees were awarded against the Secret Service for violations of Title II. A copy of the decision is available at our Internet Library. See below for details. ======================================================================= [4] Canada Asks for Comments on Information Superhighway Privacy ======================================================================= The Canadian Information Highway Advisory Council has released a discussion paper entitled "Privacy and the Canadian Information Highway." The Council is asking for comments on the paper and recomendations on how privacy should be protected on the Canadian information superhighway. The paper discusses privacy issues relating to transactional data and profiling, transaction security and individual identification, identity cards and single identifier numbers, and monitoring. It provides a general overview of Canadian and international privacy for both government and private sector data. The report reviews possible approaches to privacy protection: legislation and regulation; voluntary codes and standards; technological solutions; and consumer education and the possible benefits and drawbacks of each. It asks for comments from interested parties on possible approaches. Comments are due by December 23, 1994, and should be sent to Parke Davis, Director General, Information Highway Advisory Secretariat, Room 614, Journal Tower North, 300 Slater Street, Ottawa, Ontario Canada K1A 0C8 or emailed to council@istc.ca. An electronic version of the paper is avaiable from the CPSR Internet Library. See below for details. ======================================================================= [5] GATT Legislation Requires SSNs Issued at Birth ======================================================================= Buried in a section of the bill implementing the General Agreement on Tariff and Trade (GATT) is a requirement that Social Security numbers be issued at birth. Section 742 of H.R. 5110 requires that for the purposes of the Earned Income Tax Credit, SSN's must be issued at birth. Currently, parents can wait up to one year before filing. The requirement will put further pressure on hospitals to issue SSNs to all newborns, even if the parents do not plan to take advantage of the tax credit. The bill is scheduled to be heard in an unusual lame duck (after election) session of Congress late this month. A copy of the provision is available from cpsr.org /cpsr/privacy/ssn/gatt_ssn.txt ======================================================================= [6] New Files at the Archive ======================================================================= Court of Appeals for the 5th Circuit opinion on Steve Jackson Games. /computer_crime/jackson_ecpa_appeal_1994.txt Canadian Information Highway Advisory Council Privacy Paper /privacy/privacy_international/country_reports/canada canada_info_highway_privacy_eng.txt - English ASCII version canada_info_highway_privacy_eng.rtf - English RTF version canada_info_highway_privacy_fr.rtf - French RTF version The CPSR Internet Library is a free service available via FTP/WAIS/Gopher/listserv from cpsr.org:/cpsr. Materials from Privacy International, the Taxpayers Assets Project and the Cypherpunks are also archived. For more information, contact ftp-admin@cpsr.org. ======================================================================= [7] Upcoming Privacy Related Conferences and Events ======================================================================= Security and Privacy Issues for the National Information Infrastructure, Computer Security Institute Conference. Washington, DC. Nov. 14-15, 1994. Sponsored by Computer Security Institute. International Security Systems Symposium and Expo. Washington, DC. Nov. 16-18, 1994. Contact: Brad Smith (301) 986-7800. Free Speech and Privacy in the Information Age. Waterloo, Ontario. Nov. 26, 1994, Sponsored by University of Waterloo. Contact sfsp@graceland.uwaterloo.ca. The Technology for Information Security Conference '94 (TISC '94). Galveston, Texas. Dec. 5-8, sponsored by: NASA Johnson Space Center Mission Operations Directorate (MOD), MOD AIS Security Engineering Team, and the ISSA. Contact: John D'Agostino (dagostin@killerbee.jsc.nasa.gov). Fall Internet World 94. Washington, DC. December 6-9, 1994. Sponsored by Internet World Magazine. Contact: iwconf@mecklermedia.com. Health Data Initiatives: 1995. Washington, DC. Dec. 12-13, 1994. Sponsored by National Association of Health Data Organizations. Contact: NAHDO (703) 532-3282. 1995 Data Security Conference. Jan 9-11, 1995. Redwood City, CA. Sponsored by RSA Data Security. Contact: kurt@rsa.com Second International Conference on Information Warfare: "Chaos on the Electronic Superhighway" Jan 18-19, Montreal, CA. January 18, 1995, Sponsored by NCSA. Contact: Mich Kabay (75300.3232@compuserve.com). Towards an Electronic Patient Record '95. Orlando, FL. Mar. 14-19, 1995. Sponsored by Medical Records Institute. Contact: 617-964-3926 (fax). INET '95. Honolulu, HI. June 28-30, 1995. Sponsored by the Internet Society. Contact inet95@isoc.org. Key Players in the Introduction of Information Technology: Their Social Responsibility and Professional Training. July 5-6-7, 1995. Namur, Belgium. Sponsored by CREIS. Contact: nolod@ccr.jussieu.fr (Send calendar submissions to Alert@epic.org) ======================================================================= To subscribe to the EPIC Alert, send the message: SUBSCRIBE CPSR-ANNOUNCE Firstname Lastname to listserv@cpsr.org. You may also receive the Alert by reading the USENET newsgroup comp.org.cpsr.announce. Back issues are available via FTP/WAIS/Gopher/HTTP from cpsr.org /cpsr/alert and on Compuserve at Keyword: NCSA, Library 2 (EPIC/Ethics) ======================================================================= The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues relating to the National Information Infrastructure, such as the Clipper Chip, the Digital Telephony proposal, medical record privacy, and the sale of consumer data. EPIC is sponsored by the Fund for Constitutional Government and Computer Professionals for Social Responsibility. EPIC publishes the EPIC Alert and EPIC Reports, pursues Freedom of Information Act litigation, and conducts policy research on emerging privacy issues. For more information email info@epic.org, or write EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax). The Fund for Constitutional Government is a non-profit organization established in 1974 to protect civil liberties and constitutional rights. Computer Professionals for Social Responsibility is a national membership organization of people concerned about the impact of technology on society. For information contact: cpsr-info@cpsr.org ------------------------ END EPIC Alert 1.07 ------------------------