THIS SEARCH     THIS DOCUMENT     THIS CR ISSUE     GO TO
Next Hit        Forward           Next Document     New CR Search
Prev Hit        Back              Prev Document     HomePage
Hit List        Best Sections     Daily Digest      Help
                Doc Contents      

STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS -- (Senate - November 10, 1999)

He's demanding language that would mean a Citigroup banker, say, couldn't tell a Citigroup insurance agent that Mr. Jones is a hot insurance prospect--unless Mr. Jones gives his permission in writing first. Mr. Shelby threatens to withhold his crucial

[Page: S14539]  GPO's PDF
vote unless this deal-breaker is written into the law.

   To inflict this inconvenience on Mr. Jones is weird enough: He has already volunteered to have a relationship with Citigroup. But even weirder is the urge to cripple a law whose whole purpose is to modernize an industry structure that forces consumers today to chase six different companies around to get a full mix of financial services. In essence, financial products all do the same thing: shift income in time. You want to go to college now based on your future earnings, so you take out a loan. You want to retire in 20 years based on your present earnings, so you get an IRA. And if a single cry goes up from modern man, it's ``Simplify my life.''

   A vote last Friday seemed, to put Mr. Shelby's peeve to rest. Under the current language, consumers would have an ``opt out'' if they don't want their information sh ared. But Mr. Shelby won't let go, and joining his chorus are Ralph Nader on the left, Phyllis Schlafly on the right and various gnats buzzing around the interest-group honeypot.

   He claims to be responding to constituent complaints about telemarketing, not to mention a poll showing that 90% of consumers respond favorably to the word ``privacy.'' Well, duh. Consumers don't want their information mad e available indiscriminately to strangers. But putting up barriers to free exchange inside a company that a customer already has chosen to do business with is a farfetched application of a sensible idea.

   Mr. Shelby was a key supporter of language that would push banks to set up their insurance and securities operations as affiliates under a holding company. Now he wants to stop these affiliates from talking to each other. Maybe he's just confused, but it sounds more like a favor to Alabama bankers and insurance agents who want to make life a lot harder for their New York competitors trying to open up local markets.

--

   Growing Compatibility Issue: Computers and User Privacy nter>[By John Markoff, New York Times, March 3, 1999]

   San Francisco, March 2--The Intel Corporation recently blinked in a confrontation with privacy adv ocates protesting the company's plans to ship its newest generation of microprocessors with an embedded serial number that could be used to identify a computer--and by extension its user.

   But those on each side of the dispute acknowledge that it was only an initial skirmish in a wider struggle. From computers to cellular phones to digital video players, everyday devices and software programs increasingly embed telltale identifying numbers that let them interact.

   Whether such digital fingerprints constitute an imminent privacy thr eat or are simply part of the foundation of advanced computer systems and networks is the subject of a growing debate between the computer industry and privacy gro ups. At its heart is a fundamental disagreement over the role of electronic anonymity in a democratic society.

   Privacy gro ups argue fiercely that the merger of computers and the Internet has brought the specter of a new surveillance society in which it will be difficult to find any device that cannot be traced to the user when it is used. But a growing alliance of computer industry executives, engineers, law enforcement officials and scholars contend that absolute anonymity is not only increasingly difficult to obtain technically, but is also a potential threat to democratic order because of the possibility of electronic crime and terrorism.

   ``You already have zero privacy--ge t over it,'' Scott McNealy, chairman and chief executive of Sun Microsystems, said at a recent news conference held to introduce the company's newest software, known as Jini, intended to interconnect virtually all types of electronic devices from computer to cameras. Privacy adv ocates contend that software like Jini, which assigns an identification number to each device each time it connects to a network, could be misused as networks envelop almost everyone in society in a dense web of devices that see, hear, and monitor behavior and location.

   ``Once information bec omes available for one purpose there is always pressure from other organizations to use it for their purposes,'' said, Lauren Weinstein, editor of Privacy For um, an on-line journal.

   This week, a programmer in Massachusetts found that identifying numbers can easily be found in word processing and spreadsheet files created with Microsoft's popular Word and Excel programs and in the Windows 95 and 98 operating systems.

   Moreover, unlike the Intel serial number, which the computer user can conceal, the numbers used by the Microsoft programs--found in millions of personal com puters--cannot be controlled by the user.

   The programmer, Richard M. Smith, president of Phar Lap Software, a developer of computer programming tools in Cambridge, Mass., noticed that the Windows operating system contains a unique registration number stored on each personal com puter in a small data base known as the Windows registry.

   His curiosity aroused, Mr. Smith investigated further and found that the number that uniquely identifies his computer to the network used in most office computing systems, known as the Ethernet, was routinely copied to, each Microsoft Word or Excel document he created.

   The number is used to create a longer number, known as a globally unique identifier. It is there, he said, to enable computer users to create sophisticated documents comprising work processing, spreadsheet, presentation and data base information. >   Each of those components in a document needs a separate identity, and computer designers have found the Ethernet number a convenient and widely available identifier, he said. But such universal identifiers are of particular concern to privacy adv ocated because they could be used to compile information on individuals from many data bases.

   ``The infrastructure relies a lot on serial numbers,'' Mr. Smith said. ``We've let the genie out of the bottle.''

   Jeff Ressler, a Microsoft product manager, said that if a computer did not have an Ethernet adapter then another identifying number was generated that was likely to be unique. ``We need a big number, which is a unique identifier,'' he said. ``If we didn't have, it would be impossible to make our software programs work together across networks.''

   Indeed, an increasing range of technologies have provisions for identifying their users for either technical reasons (such as connecting to a network) or commercial ones (such as determining which ads to show to Web surfers). But engineers and network designers argue that identify information is a vital aspect of modern security design because it is necessary to authenticate an individual in a network, thereby preventing fraud or intrusion.

   Last month at the introduction of Intel's powerful Pentium III chip, Intel executives showed more than a dozen data security uses for the serial number contained electronically in each of the chips, ranging from limiting access to protecting documents or software against piracy.

   Intel, the largest chip maker, had recently backed down somewhat after it was challenged by privacy adv ocates over the identity feature, agreeing that at least some processors for the consumer market would be made in a way that requires the user to activate the feature.

   Far from scaling back its vision, however, Intel said it was planning an even wider range of features in its chips to help companies protect copyrighted materials. It also pointed to software applications that would use the embedded number to identify participants in electronic chat rooms on the Internet and thereby, for example, protect children from Internet stalkers.

   But in achieving those goals, it would also create a universal identifier, which could be used by software applications to track computer users wherever they surfed on the World Wide Web. And that, despite the chip maker's assertions that it is working to enhance security and privacy, ha s led some privacy adv ocates to taunt Intel and accused it of a ``Big Brother Inside'' strategy.

   They contend that by uniquely identifying each computer it will make it possible for marketers or Government and law enforcement officials to track the activities of anyone connected to a computer network more closely. They also say that such a permanent identifier could be used in a similar fashion to the data, known as ``cookies,'' that are placed on a computer's hard drive by Web site to track the comings and goings of Internet users.

   PUTTING PRIVACY ON THE DEFENSIVE

   Intel's decision to forge ahead with identity features in its chip technology may signal a turning point in the battle over privacy in the electronic age. Until now, privacy con cerns have generally put industry's executives on the defensive. Now questions are being raised about whether there should be limits to privacy in an Inernet era.

   ``Judge Brandeis's definition of privacy was `the right to be left alone,' not the right to operate in absolute secrecy,'' said Paul Saffo, a researcher at the Institute for the Future in Menlo Park, Calif.

   Some Silicon Valley engineers and executives say that the Intel critics are being naive and have failed to understand that all devices connected to computer networks require identification features simply to function correctly.

   Moreover, they note that identifying numbers have for more than two decades been a requirement for any computer connected to an Ethernet network. (Although still found most widely in office settings, Ethernet connections are increasingly being used for high-speed Internet Service in the home via digital telephone lines and cable modems.)

   All of Apple Computer's popular iMac machines come with an Ethernet connection that has a unique permanent number installed in the factory. The number is used to identify the computer to the local network.

   While the Ethernet number is not broadcast over the Internet at large, it could easily be discovered by a software application like a Web browser and transmitted to a remote Web site tracking the identities of its users, a number of computer engineers said.

   Moreover, they say that other kinds of networks require identify numbers to protect against fraud. Each cellular telephone currently has two numbers: the telephone number, which can easily be changed, and an electronic serial number, which is permanently put in place at the factory to protect against theft or fraud.

   The serial number is accessible to the cellular telephone network, and as cellular telephones add Internet browsing and E-mail capabilities, it will potentially have the same

[Page: S14540]  GPO's PDF
identity capability as the Intel processor serial number.

   Other examples include DIVX DVD disks, which come with a serial number that permits tracking the use of each movie by a centralized network-recording system managed by the companies that sell the disks.

   FEARING THE MISUSE OF ALL THOSE NUMBERS

   Industry executives say that as the line between communications and computing becomes increasingly blurred, every electronic device will require some kind of identification to attach to the network

   Making those numbers available to networks that need to pass information or to find a mobile user while at the same time denying the information to those who wish to gather information int o vast data bases may be an impossible task.

   Privacy adv ocates argue that even if isolated numbers look harmless, they are actually harbingers of a trend toward ever more invasive surveillance networks.

   ``Whatever we can do to actually minimize the collection of personal dat a is good,' said March Rotenberg, director of the Electronic Privacy Inf ormation Cen ter, one of three groups trying to organize a boycott of Intel's chips.

   The groups are concerned that the Government will require ever more invasive hardware modifications to keep track of individuals. Already they point to the 1994 Communications Assistance for Law Enforcement Act, which requires that telephone companies modify their network switches to make it easier for Government wiretappers.

   Also, the Federal Communications Commission is developing regulations that will require every cellular telephone to be able to report its precise location for ``911'' emergency calls. Privacy gro ups are worried that this feature will be used as a tracking technology by law enforcement officials.

   ``The ultimate danger is that the Government will mandate that each chip have special logic added'' to track identifies in cyberspace, said Vernor Vinge, a computer scientist at San Diego State University. ``We're on a slide in that direction.''

   Mr. Vinge is the author of ``True Names'' (Tor Books, 1984), a widely cited science fiction novel in the early 1980's, that forecast a world in which anonymity in computer networks is illegal.

   Intel executives insist that their chip is being misconstrued by privacy gro ups.

   ``We're going to start building security architecture into our chips, and this is the first step,'' said Pat Gelsinger, Intel vice president and general manager of desktop products. ``The discouraging part of this is our objective is to accomplish privacy. >   That quandry--that it is almost impossible to compartmentalize information for one purpose so that it cannot be misused--lies at the heart of the argument. Moreover providing security while at the same time offering anonymity has long been a technical and a political challenge.

   ``We need to find ways to distinguish between security and identity,'' said James X. Dempsey, a privacy exp ert at the Center for Democracy and Technology, a Washington lobbying organization.

   So far the prospects are not encouraging. One technical solution developed by a cryptographer, David Chaum, made it possible for individuals to make electronic cash payments anonymously in a network.

   In the system Mr. Chaum designed, a user employs a different number with each organization, thereby insuring that there is no universal tracking capability.

   But while Mr. Chaum's solution has been widely considered ingenious, it has failed in the marketplace. Last year, his company, Digicash Inc. based in Palo Alto, Calif., filed for bankruptcy protection.

   ``Privacy nev er seems to sell,'' said Bruce Schneier, a cryptographer and a computer industry consultant. ``Those who are interested in privacy don 't want to pay for it.''

--

   Privacy Isn 't Dead Yet

[By Amitai Etzioni]

   It seems self-evident that information abo ut your shoe size does not need to be as well guarded as information abo ut tests ordered by your doctor. But with the Federal and state governments' piecemeal approach to privacy pro tection, if we release information abo ut one facet of our lives, we inadvertently expose much about the others.

   During Senate hearings in 1987 about Robert Bork's fitness to serve as a Supreme Court justice, a reporter found out which videotapes Mr. Bork rented. The response was the enactment of the Video Privacy Pro tection Act. Another law prohibits the Social Security Administration (but hardly anybody else) from releasing our Social Security numbers. Still other laws limit what states can do with information tha t we provide to motor vehicle departments.

   Congress is now seeking to add some more panels to this crazy quilt of narrowly drawn privacy law s. The House recently endorsed a bill to prohibit banks and securities and insurance companies owned by the same parent corporation from sharing personal med ical information. An d Congress is grappling with laws to prevent some information abo ut our mutual-fund holdings from being sold and bought as freely as hot dogs.

   But with superpowerful computers and vast databases in the private sector, personal inf ormation can 't be segmented in this manner. For example, in 1996, a man in Los Angeles got himself a store card, which gave him discounts and allowed the store to trace what he purchased. After injuring his knee in the store, he sued for damages. He was then told that if he proceeded with his suit the store would use the fact that he bought a lot of liquor to show that he must have fallen because he was a drunkard.

   Some health insurers try to ``cherry pick'' their clients, seeking to cover only those who are least likely to have genetic problems or contract costly diseases like AIDS. Some laws prohibit insurers from asking people directly about their sexual orientation. But companies sometimes refuse to insure those whose vocation (designer?), place of residence (Greenwich Village?) and marital status (single at 40-plus?) suggest that they might pose high risks.

   Especially comprehensive privacy inv aders are ``cookies''--surveillance files that many marketers implant in the personal com puters of people who visit their Web sites to allow the marketers to track users' preferences and transactions. Cookies, we are assured, merely inform marketers about our wishes so that advertising can be better directed, sparing us from a flood of junk mail.

   Actually, by tracing the steps we take once we gain a new piece of information, co okies reveal not only what we buy (a thong from Victoria's Secret? Antidepressants?) but also how we think. Nineteen eighty-four is here courtesy of Intel, Microsoft and quite a few other corporations.

   All this has led Scott McNealy, the chairman and chief executive of Sun Microsystems, to state, ``You already have zero privacy--ge t over it.'' This pronouncement of the death of privacy is premature, but we will be able to keep it alive only if we introduce general, all-encompassing protections over segmented ones.

   Some cyberspace anonymity can be provided by new technologies like anti-cookie programs and encryption software that allow us to encrypt all of our data. Corporate self-regulation can also help. I.B.M., for example, said last week that it would pull its advertising from Web sites that don't have clear privacy pol icies. Other companies like Disney and Kellogg have voluntarily agreed not to collect information abo ut children 12 or younger without the consent of their parents. And some new Government regulation of Internet commerce may soon be required, if only because the European Union is insisting that any personal inf ormation abo ut the citizens of its member countries cannot be used without the citizen's consent.

   Especially sensitive information sho uld get extra protection. But such selective security can work only if all the other information abo ut a person is not freely accessible elsewhere.

--


THIS SEARCH     THIS DOCUMENT     THIS CR ISSUE     GO TO
Next Hit        Forward           Next Document     New CR Search
Prev Hit        Back              Prev Document     HomePage
Hit List        Best Sections     Daily Digest      Help
                Doc Contents