risks@CSL.SRI.COM (RISKS Forum) (11/22/90)
RISKS-LIST: RISKS-FORUM Digest Wednesday 21 November 1990 Volume 10 : Issue 63
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Contents:
Lotus Marketplace cont'd (Marc Rotenberg, Eric Dittman)
Insurance Perfidy (Sharon Cregier)
[anonymous] author identifies anonymous referee (anonymous)
Reuters Holdings PLC and shouldering the blame? (Sameer Mithal, PGN abstracting)
MD-11 test flights over the pole (Henry Spencer)
Soc.Sec.No. on Driver's Lic. in Mass. (William Ricker)
Tomatoed 911 (Tim Steele)
The RISKS Forum is moderated. Contributions should be relevant, sound, in
good taste, objective, coherent, concise, and nonrepetitious. Diversity is
welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive
"Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM.
FTP VOL i ISSUE j: ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>; j is TWO digits. Vol summaries in
risks-i.00 (j=0); "dir risks-*.*<CR>" gives directory; bye logs out.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
----------------------------------------------------------------------
Date: Mon, 19 Nov 90 22:20:17 -0800
From: mrotenberg@cdp.uucp
Subject: Lotus Marketplace cont'd
I think Lotus got off easy in the Wall Street Journal story (11/14/90,
B1). The reporter did not pursue the interesting and novel privacy issues with
the Marketplace product. For example, the "opt-out" approach will probably not
work with a list published on CD-ROM. How does a person remove a name once the
product is available? Also, once the data is in digital form isn't matching
against other databases, such as phone directories, more likely?
Traditionally, mailing lists were exchanged in paper formats and available only
for one-time use.
These are a few of the reasons that I disagreed with the comment in
RISKS 10.61 that the privacy debate is on familiar grounds. This is the first
time that a company has prepared to sell a large consumer database on CD-ROM.
This raises new privacy issues and new risks that should be evaluated before
the product is sold.
Another interesting point about the Marketplace product -- no
restrictions on previewing sets. You are charged when you print labels, but
not when you view sets on the screen. The product also allows piping to other
application programs.
And here's the interesting risks problem: Lotus has said that the
encryption scheme will prevent individual record access. Brute-force searching
will almost certainly work since there are no charges for previewing a list,
but it's slow for searches on multiple record subjects. So, what is the
likelihood that someone will break the encryption scheme?
Marc Rotenberg, CPSR Washington office.
------------------------------
Date: Tue, 20 Nov 90 17:56:15 -0600
From: dittman@skbat.csc.ti.com (Eric Dittman)
Subject: Lotus MarketPlace brochure
I received a brochure on Lotus MarketPlace the other day in the mail.
Nowhere in the brochure is there mention of any limit to the distribution
of the database. According to what I have read in the brochure, both
MarketPlace:Business and MarketPlace:Households will be available at
dealers, so anyone should be able to buy MarketPlace.
Eric Dittman, Texas Instruments - Component Test Facility
------------------------------
Date: Tue, 20 Nov 90 09:11:01 -0800
From: 34AEJ7D@CMUVM.BITNET
Subject: Insurance Perfidy [forwarded]
Written by: CREGIER@UPEI.CA (Sharon Cregier)
[Reprinted with permisson -- see copyright notice at end of article]
Computer records, even erroneous ones, allow insurance companies to
discriminate against applicants and clients. The following is a copy of an
article in the August 1, 1990 issue of the Christian Science Monitor (Boston)
article, FROM DATABASE TO BLACKLIST, section heading: Insurance risks targeted.
Perhaps one of the most mysterious consumer-reporting companies is MIB,
formerly the Medical Information Bureau, in Brookline, Mass. "It's a very
difficult company to learn very much about," says Massachusetts state senator
Lois Pines. "They don't want people to know that they exist or what they do."
"The purpose of MIB is to help keep the cost of insurance down for insurance
companies and for consumers by preventing losses that would occur due to fraud
or omissions," says MIB's president, Neil Day. MIB's files are used by more
than 750 insurance companies throughout the United States and Canada.
MIB stores its records in a specially coded format, which the company refuses
to share with regulators, legislators, or consumer groups. There are codes for
medical conditions and mental health, as well as nonmedical conditions like
"hazardous sport participation" and "hazardous driving records."
In the past, says Robert Ellis Smith, editor of the Privacy Journal, other MIB
codes have stood for "sexual deviance" and "sloppy appearance." Mr Day refuses
to release a list of the current codes used by his company, saying that to do
so would compromise his firm's confidentiality.
Although MIB will tell a person if he or she has medical records on file, it
will send those records only to a medical professional. The company receives
15,000 requests by individuals to have their report sent to their physician
every year, says Day. Between 250 and 300 people argue with their reports.
A person applying for life insurance enjoys none of the privacy rights and
protections that a person applying for credit does, says Josh Kratka, an
attorney with the Massachusetts Public Interest Research Group (MASSPIRG).
"MIB has agreed to abide by [the FCRA]. They will send those codes to your
physician. Your insurance company is not under those obligations....If you are
denied life insurance, you have no way of knowing whether it was legitimate or
based on an error in your records that is going to follow you around for the
rest of your life," says Mr Kratka.
In one case, says Kratka, a Mass. man told his insurance company that he had
been an alcoholic but had managed to remain sober for several years and
regularly attended Alcoholics Anonymous meetings. The insurance company denied
him coverage and forwarded a code to MIB: "alcohol abuse; dangerous to health."
The next company the man applied to for insurance, Kratka says, learned of the
"alcohol abuse" through the information bureau and charged the man a 25% higher
rate.
In another case he says, a clerical error caused a woman's records at MIB to
say that she carried the AIDS virus. "It was only after unusual intervention
by the state regulatory board," because the woman worked for a physician, that
the records were corrected, Kratka says. MASSPIRG has filed state legislation
that would extend many of the FCRA's protections to medical records.
As health-care costs continue to rise, say experts, consumers can expect less
and less privacy regarding their medical records.
"Doctors, in order to get paid, are being asked more and more to identify a
chargeable condition in their clients....The breach in confidentiality is a
natural consequence of the way in which third party billing of physician's time
is structured in this country," says Dr Paul Billings, chief of genetic
medicine at the Pacific Presbyterian Medical Center in San Francisco.
No federal law ensures the confidentiality of medical records. Some hospitals,
Mr Smith says, have even started using them for target marketing.
Reprinted with permission from the Christian Science Monitor
Copyright 1990 by the Christian Science Publishing Society, All rights reserved
------------------------------
Date: 20 Nov 90
From: [anonymous]
Subject: [anonymous] author identifies anonymous referee
I'm not sure if this is a technology-based risk or a process-based one.
Recently, I had a paper rejected from a technical conference. As usual, the
committee returned to me the reviewers' comments with the identifying header
removed. However, they neglected to remove the small line of type placed at
the head of the page by the reviewer's fax machine. This machine kindly gave
me the reviewer's place of employment (down to the building and department
names) and fax number. Better than caller ID, since I can correlate that with
the (small and public) list of reviewers for this conference and arrive at the
reviewer's name.
We can see this as a technology-based risk in that the reviewer didn't know
that his identifying information was going to be publicized. Or we can see
it as a process-based risk in that no one involved remembered to remove the
identifying line (and that the reviewer was in a sufficient hurry that he
used the fax rather than another transport medium).
------------------------------
Date: Wed, 21 Nov 90 07:12:23 PST
From: <mithal@aimt.enet.dec.com> (Sameer Mithal)
Subject: Reuters Holdings PLC and shouldering the blame? [Abstracted by PGN]
An article entitled ``Who takes the blame when trades short-circuit?'' in the
Wall Street Journal, 20-Nov-90, p. C1, discusses the problem the general
problem of how to resolve liability questions in case transactions are messed
up by computer-related screwups. In particular, pending resolution of the
liability issue, Reuters Holding PLC has announced an indefinite delay in the
development of Dealing 2000-2, a network of systems for foreign-exchange
trading. Clearly Reuters would like to limit their risks. The article is not
overly informative, but does sound the English horns of the dilemma. [PGN]
------------------------------
Date: Sun, 18 Nov 90 23:05:09 EST
From: henry@zoo.toronto.edu
Subject: MD-11 test flights over the pole
Interesting item in the 22 August issue of Flight International: the prototype
of McDonnell-Douglas's new MD-11 airliner (a DC-10 derivative) made a test
flight partly aimed at testing performance of navigation software in the
vicinity of the North Pole, making four passes directly over the pole and one
nearby. On two of the pole passes, the flight-management computers were
deliberately "failed" to see if the backup equipment would function. No
problems, they say.
(This is not as trivial as it sounds, because the vicinity of the poles is a
severe worst case for navigation algorithms. The distance between degrees of
longitude goes to zero while latitude remains unaffected, trig functions are
pushed to extrema of their behavior, and there is a singularity in the
coordinate system at the pole itself.)
Henry Spencer at U of Toronto Zoology
------------------------------
Date: Mon, 19 Nov 90 20:23:54 EST
From: wdr@wang.com (William Ricker)
Subject: Soc.Sec.No. on Driver's Lic. (was Re: Sprint's New Calling Card)
Jerry Glomph Black, black@MICRO.LL.MIT.EDU writes:
>Even the police-state People's Republic of Massachusetts allows you to specify
>a bogus SS No. for your driver's license, instead of your real one, so long as
>your bogus no. doesn't duplicate somebody else's license no.
Bad news -- the Mass. Registry of Motor Vehicles now requires that their
computer contain your SSN as well as your bogus number. I requested and was
given a "S-number", an 8-digit number with an S prefix, as my drivers license
number years ago. but on my most recent birthday -- election day, this month --
I was informed that to renew, I must supply my SSN in confidence to the
computer, but not to worry, it wouldn't be printed on my license. Yes ma'am,
it is your computer that I don't want to have it.
I protested ... and was informed by Registry's legal department that Mass. Law
overrides any federal law, and if I didn't want to comply, I didn't have to
renew my license to drive, did I?
The Mass chapter of the ACLU has informed me that the Mass. RVM has the right
to demand this number from me. I must call them back and get the chapter
and verse on that; I would like to see a full opinion.
One angry camper,
/bill ricker/ wdr@wang.com a/k/a wricker@northeastern.edu
------------------------------
Date: Tue, 20 Nov 90 17:52:00 GMT
From: Tim Steele <tjfs@tadtec.uucp>
Subject: Tomatoed 911 (Boudrie RISKS-10.62, re: RISKS-10.60)
[...] My best guess at What Really Happened is:
The answering machine does in fact have a built in phone (otherwise why would
it be able to dial?)
The phone probably has a memory button programed to dial 911.
The tomato juice probably dripped on to the button and 'shorted' it out (the
dialler chip is probably expecting a rubber membrane keyboard and will accept a
fairly high resistance as a valid key press.
Tim
------------------------------
End of RISKS-FORUM Digest 10.63
************************