[comp.org.eff.talk] What is private information?

brad@looking.on.ca (Brad Templeton) (12/25/90)

I wrote earlier about a possible act declaring an implied contract of
confidentiality on personal information given as part of a commercial
transaction.  Let's expand on this a bit more.

First of all, let me list some "levels of privacy" that I can think of for
a transaction.   I will refer mostly to privacy of the buyer, but we could
also extend this to the vendor.


A) Total Privacy:  The vendor doesn't even know who the buyer is.  For example,
a purchase from a coin-operated vending machine.   This is rare, but not too
rare.

B) Strong Privacy:  The vendor (or its agent) sees the buyer during the
transaction, but keeps no record of the buyer's identity.  I.e. buying something
cash and carry.   This is a very common form of transaction today.

C) Courteous Privacy: The vendor knows who the buyer is and has that on file
long enough to complete the transaction -- processing a cheque or delivering
the item, for example.   The information is eventually destroyed.

D) Common Privacy:  The vendor knows who the buyer is and keeps a
semi-permanent record of the transaction for the files.  This is used for
things like customer support and other actions relating to the sale.  The
information does not leave the vendor, except perhaps in being passed to
a delivery service or fulfillment house.

E) Follow-up Privacy:  The vendor records the buyer's identity, and uses it
to solicit new business directly related to the past purchase.  I.e. magazine
renewal, sale of accessories, etc.

F) Vendor-only: The vendor records the buyer's identity, and does not pass
it to outsiders, but uses it to solicit new business of any kind.

G) Controlled-Public: The vendor records the buyer's identity, and passes
it on to outsiders in a controlled fashion -- as part of general mailing
list sales or demographic info, for example.  The vendor does *not* release
info on any one specific buyer on request.

H) Requested-Public: The vendor provides the information to anybody who
requests it, either for pay or not.

Z) Published: The vendor actively publishes the identity of the buyer,
in varying degrees of detail.  I.e. the telephone book.

-----

I can think of degrees of most of these, and some cases in between.  We
might all like the world to run on class A privacy, but it can't.

However, I think we might not feel too bad about classes C through F as
standard default rules for transactions.

I would suggest that a default be set of C through E based on the type of
transaction, allowing vendors to specify F just by announcing it (implicit
agreement) and explicit agreement required for G and beyond.

Comments?
-- 
Brad Templeton, ClariNet Communications Corp. -- Waterloo, Ontario 519/884-7473

abrams@cs.columbia.edu (Steven Abrams) (12/26/90)

In article <1990Dec25.062336.16836@looking.on.ca> brad@looking.on.ca
(Brad Templeton) writes: 

 [ Excellent list of "levels of privacy" deleted...]

>However, I think we might not feel too bad about classes C through F as
>standard default rules for transactions.
>
>I would suggest that a default be set of C through E based on the type of
>transaction, allowing vendors to specify F just by announcing it (implicit
>agreement) and explicit agreement required for G and beyond.
>
>Comments?

In level D, where the vendor keeps semi-permanent records (for
customer support, etc) and perhaps gives info to a delivery service or
something, we need to guarantee that the third party service bureau
maintains class C privacy (destroys information after transaction is
complete), but other than that, I think the classes are very well
defined.

It seems fair to allow solicitation by the original vendor by implicit
agreement, so long as the customer has a method of discontinuing this
"service."  And it is also important that a customer's failure to
agree to a worse level of privacy can not be sufficient to refuse that
customer a sale.  

~~~Steve

--
/*************************************************
 *
 *Steven Abrams             abrams@cs.columbia.edu
 *
 **************************************************/
#include <std/dumquote.h>
#include <std/disclaimer.h>

brad@looking.on.ca (Brad Templeton) (12/26/90)

Yes, I forgot to mention that you also want to define the level of
privacy when your information is going to a delivery company, or credit
company, or bank, etc.

Somebody once pointed out to me that American Express has very detailed
knowledge of the economy.  They know down to the day almost every retailer's
sales levels, and something about the buying habits of their members.  He
suggested that the investment end of A.E. could use that to buy and sell
shares.  "Hey, Sears sales are really up this month.  Gonna be a good quarter
for them...."

We don't always want immediate destruction of the info by delivery companies.
For example, often one signs for delivery, and you want that record around
later if there's trouble relating to the product or delivery.  Same applies
to bank transactions or credit cards -- clearly the credit card info stays
at least until you pay it, and the cheque info until the canceled cheque
is returned to you.

I also didn't point out that there are often many different types of
information exchanged in a transaction that go at different levels.  The
Telco publishes your name and number.  You expect it to keep the records
of who you called highly confidential.   You would like them destroyed after
the bill is settled, although you would be glad to let them collect general
stats before destroying them.

While I am in favour of implicit or explicit contracts of confidentiality,
I do not want to force them on people.  Those who wish to waive the terms
may.  And companies can be free to refuse service to those who insist on
too much confidentiality, unless they're monopolies, or there is
"privacy fixing."  (like price fixing)   You can always take your business
elsewhere.   Today few care.  In the future, they will care.
-- 
Brad Templeton, ClariNet Communications Corp. -- Waterloo, Ontario 519/884-7473

abrams@cs.columbia.edu (Steven Abrams) (12/28/90)

In article <1990Dec26.081615.27988@looking.on.ca> brad@looking.on.ca
(Brad Templeton) writes: 
>Somebody once pointed out to me that American Express has very detailed
>knowledge of the economy.  They know down to the day almost every retailer's
>sales levels, and something about the buying habits of their members.  He
>suggested that the investment end of A.E. could use that to buy and sell
>shares.  "Hey, Sears sales are really up this month.  Gonna be a good quarter 
>for them...."

How does A.E. get this info on the retailers -- just from their
knowledge of what percent of the sales comes from AE?  And are there
any laws about their use of this information?

Inquiring minds want to know...

~~~Steve
--
/*************************************************
 *
 *Steven Abrams             abrams@cs.columbia.edu
 *
 **************************************************/
#include <std/dumquote.h>
#include <std/disclaimer.h>

peterm@sumax.seattleu.edu (Peter Marshall) (12/28/90)

Re: AmEx, inquiring minds might also want to be aware of an interesting
conjunction of AmEx and AT&T, a joint venture, if I recollect correctly,
put together 1-2 years ago.

Peter Marshall

brad@looking.on.ca (Brad Templeton) (12/29/90)

I am not saying that American Express does indeed collect the information
in this way.  But it certainly has the information in its files.  It, and
even more so the Visa company, probably know much more about the state of
the economy, and sooner, than any government department -- if they want to.

I am sure that all three Credit Card companies have excellent figures on
their market share at various types of stores.
-- 
Brad Templeton, ClariNet Communications Corp. -- Waterloo, Ontario 519/884-7473

johne@hp-vcd.HP.COM (John Eaton) (01/11/91)

<<<
< I am sure that all three Credit Card companies have excellent figures on
< their market share at various types of stores.
----------
They know a lot more than you think. About a year ago police in Seattle
arrested a suspect in the Green River Serial Killings. An article about
the arrest listed dozens of actual credit card purchases the suspect
made that placed him in the vicinity of a known killing. Some of the
information was eight years old at the time but they were able to
get it.

Now that supermarkets have scanners that give you an itemized list
the next step is to let you pay with your ATM card. Safeway will be
able to create mailing lists that precisely target customers. "I want
a list of families who spend more than $100 a week and who also
purchase Pepsi products". or "I want a list of customers who purchase
at least a dozen condoms every two weeks".

Computers have made it possible to collect and use a lot of information
that in the past was de facto private. Sure it was available but nobody
was going to spend the time or money to collect, sort, file or access it.
Now they can and this information can be used against you. Big Brother
is getting bigger every day.


John Eaton
!hpvcfs1!johne

new@ee.udel.edu (Darren New) (01/11/91)

In article <6750001@hp-vcd.HP.COM> johne@hp-vcd.HP.COM (John Eaton) writes:
>Now that supermarkets have scanners that give you an itemized list
>the next step is to let you pay with your ATM card. 

This is already happening at the local stores here in Delaware.
I don't know what kind of lists they keep, tho.

>able to create mailing lists that precisely target customers. 

Actually, if it was just the sales companies that could get this
information, it would probably make for a *better* world.  I would no
longer get junk mail about IBM PCs (which I don't use and never owned)
or coupons for products which I don't buy.  I would consider this a
*good* thing.  Advertising costs would go down, allowing that money to
be put into better goals (research, lower prices, etc).  I would no
longer get phone calls from computers because it would now be possible
to call few enough people that you still hit most that would buy what
is being sold without having to hit so many that it isn't even worth
paying a human to make the phone calls.

Being a precisely targeted *customer* is not a problem for me.  It's
being a precisely targeted something else that makes me nervous.

	  -- Darren
-- 
--- Darren New --- Grad Student --- CIS --- Univ. of Delaware ---
----- Network Protocols, Graphics, Programming Languages, 
      Formal Description Techniques (esp. Estelle), Coffee, Amigas -----
              =+=+=+ Let GROPE be an N-tuple where ... +=+=+=

rick@pavlov.ssctr.bcm.tmc.edu (Richard H. Miller) (01/11/91)

In article <6750001@hp-vcd.HP.COM> johne@hp-vcd.HP.COM (John Eaton) writes:
>Now that supermarkets have scanners that give you an itemized list
>the next step is to let you pay with your ATM card. Safeway will be
>able to create mailing lists that precisely target customers. "I want
>a list of families who spend more than $100 a week and who also
>purchase Pepsi products". or "I want a list of customers who purchase
>at least a dozen condoms every two weeks".

They have already started doing this with another method. A local supermarket
chain in Houston has started a program with Citicorp to provide "cash-back" if
you buy a certain number of items over a month period. This is done by placing
a bar-code strip on the back of your check-cashing card. Then they scan the bar
code whenever you pay for stuff. Each month you get a statement of what you
bought (as far as the program goes) and a coupon to be used the next time you
shop. 

However, this is separate from the ATM/check validation system. You have the
option of paying for your purchases with either your ATM card, a credit card,
check or cash. If you use the first three, you use a small ATM terminal and if
approved, the checker must copy the approval code into the scanner to clear the
POS system. The two systems are not tied together (yet). Participation is
voluntary in both systems.


-- 
Richard H. Miller                 Email: rick@bcm.tmc.edu
Asst. Dir. for Technical Support  Voice: (713)798-3532
Baylor College of Medicine        US Mail: One Baylor Plaza, 302H
                                           Houston, Texas 77030

rcd@ico.isc.com (Dick Dunn) (01/11/91)

rick@pavlov.ssctr.bcm.tmc.edu (Richard H. Miller) writes:
> ...A local supermarket
> chain in Houston has started a program with Citicorp to provide "cash-back" if
> you buy a certain number of items over a month period. This is done by placing
> a bar-code strip on the back of your check-cashing card. Then they scan the bar
> code whenever you pay for stuff. Each month you get a statement of what you
> bought (as far as the program goes) and a coupon to be used the next time you
> shop...

Safeway (a national chain) is doing essentially the same thing here in
Colorado.  You have a personal card, scanned at the start of your order, to
track what you buy and give you "free" groceries (based on what you buy) at
the end of the month.

Mind you, I would never *think* of getting one of these things...but I did
check out the application you sign.  There's a note on it saying, in
effect, that you authorize them to collect information about you and they
can do whatever they want with it!  Now, the idea is obvious--things like
giving you coupons or freebies for stuff you actually buy--and there are
other plausible uses, such as in-depth marketing analysis.  It's valuable
information, and they want it so they can sell it.  There are all sorts of
interesting correlations that might be drawn among your various purchase
habits.  But it need not stop there--if you get the card, they can do just
about anything they want with the info...
	1.  Let's see--guy buys rubber bands for ponytail; he's a
	longhair.  Buys too many plastic bags--must be into dope.  Let's
	keep track of him; next time he's buying chips and donuts after
	midnight, it's cause he's stoned; let's tell the cops and have them
	go bust him.  (I constructed this fun one because it almost fits
	the things I do!  I do have a ponytail.  Like many old-time
	computer folk, I do stay up late, and get the munchies at the most
	unreasonable hours, tho not because I'm a doper.  And we do buy a
	lot of plastic "baggies"--because that's what we use for repack-
	aging cat food in quantity.)
	2.  Think about what an unscrupulous employee might do with the
	information:  Hmmm...guy started buying condoms all of a sudden.
	Must be cheating on his wife; looks like a good blackmail target.
	3.  Women - if you're often a last-minute sort of purchaser, do
	you want the information recorded about your purchases to give
	Safeway your menstrual schedule???  Or, on a more mundane level,
	will it be "only her hairdresser and the Safeway purchase database
	know for sure..."?
	4.  How much info could an insurance company use out of this to
	deny insurance or raise premiums?  (They could find out not just
	the obvious stuff like smokers, but unhealthy dietary habits,
	unusual amounts of over-the-counter medicine,...)
Perhaps I should offer a prize for most outlandish invasion of privacy that
could be conducted with this database.

I'm not surprised that people will sell some of their privacy for con-
venience or money...but in this case I'm surprised that people are willing
to sell so much privacy for so little gain.  Over a longish period--a year
or so--you can learn an awful lot about a person or family if you have a
complete record of items/quantities purchased, with date/time of each.

Pay cash!
-- 
Dick Dunn     rcd@ico.isc.com -or- ico!rcd       Boulder, CO   (303)449-2870
   ...Mr. Natural says, "Use the right tool for the job."

jgd@Dixie.Com (John G. DeArmond) (01/12/91)

rick@pavlov.ssctr.bcm.tmc.edu (Richard H. Miller) writes:

>However, this is separate from the ATM/check validation system. You have the
>option of paying for your purchases with either your ATM card, a credit card,
>check or cash. If you use the first three, you use a small ATM terminal and if
>approved, the checker must copy the approval code into the scanner to clear the
>POS system. The two systems are not tied together (yet). Participation is
>voluntary in both systems.

It's worse than that.  They ARE now tied together at the data concentration
point.  I can't say how I know this but I do.  And the situation is
getting worse.  I recently had myself removed as project manager of what
turned out to be a competitor to Citi.  It's interesting to look back
and see how ethical programmers were conned into working on this project.

Within a year, the grocery store will know exactly what you bought and
when you bought it and so will the manufacturers who are footing a large
part of the implementation bill.  The system exists now to create a very
complete personal consumption profile of you.  In case I don't have you
panicking yet, consider what will happen to your life or health or disability
insurance when the insurance pool finds out that you like to eat a LOT
of red meat or that you smoke or that you buy a significant quantity of 
birth control devices even though you are single?

There are people on this group who have poo-poo'ed the  dangers to personal
liberty involved with the collection of personal data.  I have to assume
that they either are not informed or are part of the problem.  The RAW
fact is that this information is being collected explicitly to make your
life miserable by reducing the risk assumed by big corporations such
as insurance companies.  And they are using first class propaganda and are
playing on peoples' greed in order to entice the people into voluntarily
(in some cases at least) submitting to this travesty.  By the time the
average joe realizes what has been done to him, it is too late; the
data is already committed to multiple databases.  What usually drives it
home is when the person is suddenly denied insurance or finds his 
rates jacked through the ceiling.  Or worse, finds the IRS on his 
case because he lives better than the model says he should.

NOW is the time to start pressuring your congresslime for some protection.
It will take vast pressure, as many politicians are securely in the 
insurance industry's pocket.  Wait around or poo-poo the dangers and 
one day you will be harshly reminded that you are not the average person
as defined by the models and as a result are out in the cold.

John

-- 
John De Armond, WD4OQC        | "Purveyors of speed to the Trade"  (tm)
Rapid Deployment System, Inc. |  Home of the Nidgets (tm)
Marietta, Ga                  | "To be engaged in opposing wrong offers but 
{emory,uunet}!rsiatl!jgd      |  a slender guarantee of being right."

johne@hp-vcd.HP.COM (John Eaton) (01/12/91)

<<
< Perhaps I should offer a prize for most outlandish invasion of privacy that
< could be conducted with this database.
----------
You are nominated for the Supreme Court and a video store releases a list
of dirty movies that you have rented.


John Eaton
!hpvcfs1!johne

cyberoid@milton.u.washington.edu (Robert Jacobson) (01/12/91)

Watch it!  Wherehouse Records and Video maintains a database of your
video rentals.  On the back of your membership agreement, in very
small type, it says, notwithstanding the appropriate federal and
state laws, The Wherehouse may sell this data for marketing and other
purposes.  It says you can opt out by telling the salesperson to 
so modify your records.  But if you don't see the small print, fat
chance for you.

Bob Jacobson

bzs@world.std.com (Barry Shein) (01/12/91)

It seems to me that the best way to curtail the abuses described would
be a good liability suit. Corporations hear that, and if they don't
hear that, then their insurance companies hear it and they'll see it
in their rates. One would, of course, have to produce some real harm,
and perhaps even change what is perceived as harm by the courts, but
that's the challenge of frontiers.

The advantage to this approach is that it doesn't question the RIGHT
to own or publish data, it punishes its abuse and defines what is
considered harm and potentially litigious.

I know that most places I've worked various court decisions were
always affecting company's behavior (memos etc go out.) For example,
some decision regarding what you can say about an ex-employee
certainly changed things at large companies (managers are now
generally told by corporate counsel that it's much safer to be silent
than to ever say anything negative about an ex-employee.)
-- 
        -Barry Shein

Software Tool & Die    | {xylogics,uunet}!world!bzs | bzs@world.std.com
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD

cyberoid@milton.u.washington.edu (Robert Jacobson) (01/13/91)

People applying for work are regularly denied employment based on past
filings for workers compensation (injuries on the job), but the evidence
is apocryphal...it seldom makes it into print!  Same for applicant
renters who have challenged a landlord's upkeep, etc.  These databases
are more public, available usually only to landlords.  Doctors have
databases about patients who have filed malpractice suits, and will
refuse to attend to these patients' needs.  Finally, about five years
ago when the Southern California ACLU exposed a police officer's 
loading of "leftists'" private records into a right-wing political
group's computers, it was intimated that police department "red squads"
in several cities maintain an underground network to trade information
for political purposes.

It would be refreshing for higher level law enforcement to look into
these technology-aided civil-rights abuses, and thus display a more
even hand than when they only go after private hackers.

Bob Jacobson

bzs@world.std.com (Barry Shein) (01/14/91)

From: cyberoid@milton.u.washington.edu (Robert Jacobson)
>People applying for work are regularly denied employment based on past
>filings for workers compensation (injuries on the job), but the evidence
>is apocryphal...it seldom makes it into print!

Although we can dicker about the use of the term "regularly" I find
this a little hard to believe in general.

The purpose of Worker's Comp is to make sure you get NO MORE than
$1000 (e.g.) for your lost finger, eye, etc. It establishes a "fair
rate" for recompense for various injuries.

I would expect it is people who have refused to accept worker's comp
settlements and sued to be avoided by employers. But people who
quietly accept their $5000 for the hand that got cut off by the unsafe
bandsaw would generally be considered desirable (other than their
one-handedness perhaps...) You can chop them into little pieces and
you know in advance the limits of your liability.
-- 
        -Barry Shein

Software Tool & Die    | {xylogics,uunet}!world!bzs | bzs@world.std.com
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD

cyberoid@milton.u.washington.edu (Robert Jacobson) (01/14/91)

This isn't an argument about the worth of workers compensation, Barry,
but rather a discussion about how personal data is misused.  When
BUSINESS WEEK repeatedly talks about misuse of workers comp data, I'm
inclined to believe it's true.  Jeff Rothfeder at BW is an expert in
this; wish he were here.

Bob Jacobson

johne@hp-vcd.HP.COM (John Eaton) (01/15/91)

<<<
<  And they are using first class propaganda and are
< playing on peoples' greed in order to entice the people into voluntarily
< (in some cases at least) submitting to this travesty.  By the time the
< average joe realizes what has been done to him, it is too late; the
----------
One plan that I have heard of is a store "coupon card". You give them
your ID card at checkout and you receive credit for all manufacturer
coupon discounts that are applicable at that time. Apparently with
the handling costs and fraud it is cheaper for them to do this than
to handle individual coupons. It also produces a record of your
individual purchases.

Computers in the checkout line can create many unexpected problems
for the unwary public. These problems should be addressed beforehand
rather than waiting for disaster to strike. If we wait it will be
too late.

When the phone company installed automatic switches they did not
consider some of the potential problems that would occur. You could
now use the phone for obscene or threatening calls that could
not be made through a live operator. If this had been considered
then some means could have been incorporated into the switch to
prevent it. For example if a called phone remains off-hook for
30 seconds after the calling phone hangs up the switch could
print a log of both numbers before clearing the line. You then
call the phone company and they can look up the offending 
number. But people didn't realize the problem until it was
too late so little was done.


John Eaton
!hpvcfs1!johne

johne@hp-vcd.HP.COM (John Eaton) (01/15/91)

<<<
< Being a precisely targeted *customer* is not a problem for me.  It's
< being a precisely targeted something else that makes me nervous.
----------
Something else = taxpayer.

Everyone got upset when the SSA started sharing data with TRW. Imagine
TRW sharing data with the IRS. If the infomerchants in this country can
collect enough data to realistically estimate your annual income then it
would be worth the trouble for the IRS to compare this estimate with your
reported income.


John Eaton
!hpvcfs1!johne

ian@airs.UUCP (Ian Lance Taylor) (01/15/91)

In article <14285@milton.u.washington.edu> cyberoid@milton.u.washington.edu (Robert Jacobson) writes:
>
>People applying for work are regularly denied employment based on past
>filings for workers compensation (injuries on the job), but the evidence
>is apocryphal...it seldom makes it into print!  Same for applicant
>renters who have challenged a landlord's upkeep, etc.  These databases
>are more public, available usually only to landlords.  Doctors have
>databases about patients who have filed malpractice suits, and will
>refuse to attend to these patients' needs.

If the evidence is apocryphal, then I assume the problem is as well? :-).
Seriously, do you have any documentation of any sort for this?  I'm
somewhat inclined to believe it, but I know that if I showed this
posting to anybody who was not a conspiracy-theory buff they would
think it was hogwash.  I have worked at a small company in which I was
involved in employment decisions, I am a landlord of sorts, and my
mother is a doctor; none of us have ever seen such information or been
offered access to it.  Is it only available to *THEM*?
-- 
Ian Taylor
uunet!airs!ian         |  If I were employed, my opinions would not be
airs!ian@uunet.uu.net  |  my employer's.  As it is, they are not anyone's.

cyberoid@milton.u.washington.edu (Robert Jacobson) (01/15/91)

Jeff Rothfeder of BUSINESS WEEK has collected a fairly substantial
number of accounts of this sort of discrimination -- employment,
housing, medical, etc. -- taking place.  He has written about it in
both cover stories and shorter pieces.  In the California Legislature,
bills were introduced to curtail landlords using databases to 
discriminate against "undesirable" tenants (i.e., those who complained
about maintenance, illegal rent hikes, etc.).  The bills were passed
but enforcement remains difficult.  I'm glad you're so ethical, Ian,
or out of touch.  It makes you a better person.

Bob Jacobson