Subject: RISKS DIGEST 10.63
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Wednesday 21 November 1990  Volume 10 : Issue 63

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Lotus Marketplace cont'd (Marc Rotenberg, Eric Dittman)
  Insurance Perfidy (Sharon Cregier)
  [anonymous] author identifies anonymous referee (anonymous)
  Reuters Holdings PLC and shouldering the blame? (Sameer Mithal, PGN abstracting)
  MD-11 test flights over the pole (Henry Spencer)
  Soc.Sec.No. on Driver's Lic. in Mass. (William Ricker)
  Tomatoed 911 (Tim Steele)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. FTP VOL i ISSUE j: ftp CRVAX.sri.com login anonymous AnyNonNullPW CD RISKS: GET RISKS-i.j; j is TWO digits. Vol summaries in risks-i.00 (j=0); "dir risks-*.*" gives directory; bye logs out. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Mon, 19 Nov 90 22:20:17 -0800
From: mrotenberg@cdp.uucp
Subject: Lotus Marketplace cont'd

I think Lotus got off easy in the Wall Street Journal story (11/14/90, B1). The reporter did not pursue the interesting and novel privacy issues with the Marketplace product.

For example, the "opt-out" approach will probably not work with a list published on CD-ROM. How does a person remove a name once the product is available? Also, once the data is in digital form isn't matching against other databases, such as phone directories, more likely?
Traditionally, mailing lists were exchanged in paper formats and available only for one-time use.

These are a few of the reasons that I disagreed with the comment in RISKS 10.61 that the privacy debate is on familiar grounds. This is the first time that a company has prepared to sell a large consumer database on CD-ROM. This raises new privacy issues and new risks that should be evaluated before the product is sold.

Another interesting point about the Marketplace product -- no restrictions on previewing sets. You are charged when you print labels, but not when you view sets on the screen. The product also allows piping to other application programs.

And here's the interesting risks problem: Lotus has said that the encryption scheme will prevent individual record access. Brute-force searching will almost certainly work since there are no charges for previewing a list, but it's slow for searches on multiple record subjects. So, what is the likelihood that someone will break the encryption scheme?

Marc Rotenberg, CPSR Washington office.

------------------------------

Date: Tue, 20 Nov 90 17:56:15 -0600
From: dittman@skbat.csc.ti.com (Eric Dittman)
Subject: Lotus MarketPlace brochure

I received a brochure on Lotus MarketPlace the other day in the mail. Nowhere in the brochure is there mention of any limit to the distribution of the database. According to what I have read in the brochure, both MarketPlace:Business and MarketPlace:Households will be available at dealers, so anyone should be able to buy MarketPlace.

Eric Dittman, Texas Instruments - Component Test Facility

------------------------------

Date: Tue, 20 Nov 90 09:11:01 -0800
From: 34AEJ7D@CMUVM.BITNET
Subject: Insurance Perfidy [forwarded]

Written by: CREGIER@UPEI.CA (Sharon Cregier)

[Reprinted with permission -- see copyright notice at end of article]

Computer records, even erroneous ones, allow insurance companies to discriminate against applicants and clients.
The following is a copy of an article in the August 1, 1990 issue of the Christian Science Monitor (Boston) article, FROM DATABASE TO BLACKLIST, section heading: Insurance risks targeted.

Perhaps one of the most mysterious consumer-reporting companies is MIB, formerly the Medical Information Bureau, in Brookline, Mass.

"It's a very difficult company to learn very much about," says Massachusetts state senator Lois Pines. "They don't want people to know that they exist or what they do."

"The purpose of MIB is to help keep the cost of insurance down for insurance companies and for consumers by preventing losses that would occur due to fraud or omissions," says MIB's president, Neil Day. MIB's files are used by more than 750 insurance companies throughout the United States and Canada.

MIB stores its records in a specially coded format, which the company refuses to share with regulators, legislators, or consumer groups. There are codes for medical conditions and mental health, as well as nonmedical conditions like "hazardous sport participation" and "hazardous driving records." In the past, says Robert Ellis Smith, editor of the Privacy Journal, other MIB codes have stood for "sexual deviance" and "sloppy appearance."

Mr Day refuses to release a list of the current codes used by his company, saying that to do so would compromise his firm's confidentiality.

Although MIB will tell a person if he or she has medical records on file, it will send those records only to a medical professional. The company receives 15,000 requests by individuals to have their report sent to their physician every year, says Day. Between 250 and 300 people argue with their reports.

A person applying for life insurance enjoys none of the privacy rights and protections that a person applying for credit does, says Josh Kratka, an attorney with the Massachusetts Public Interest Research Group (MASSPIRG).

"MIB has agreed to abide by [the FCRA]. They will send those codes to your physician.
Your insurance company is not under those obligations....If you are denied life insurance, you have no way of knowing whether it was legitimate or based on an error in your records that is going to follow you around for the rest of your life," says Mr Kratka.

In one case, says Kratka, a Mass. man told his insurance company that he had been an alcoholic but had managed to remain sober for several years and regularly attended Alcoholics Anonymous meetings. The insurance company denied him coverage and forwarded a code to MIB: "alcohol abuse; dangerous to health." The next company the man applied to for insurance, Kratka says, learned of the "alcohol abuse" through the information bureau and charged the man a 25% higher rate.

In another case he says, a clerical error caused a woman's records at MIB to say that she carried the AIDS virus. "It was only after unusual intervention by the state regulatory board," because the woman worked for a physician, that the records were corrected, Kratka says.

MASSPIRG has filed state legislation that would extend many of the FCRA's protections to medical records.

As health-care costs continue to rise, say experts, consumers can expect less and less privacy regarding their medical records.

"Doctors, in order to get paid, are being asked more and more to identify a chargeable condition in their clients....The breach in confidentiality is a natural consequence of the way in which third party billing of physician's time is structured in this country," says Dr Paul Billings, chief of genetic medicine at the Pacific Presbyterian Medical Center in San Francisco.

No federal law ensures the confidentiality of medical records. Some hospitals, Mr Smith says, have even started using them for target marketing.
Reprinted with permission from the Christian Science Monitor
Copyright 1990 by the Christian Science Publishing Society, All rights reserved

------------------------------

Date: 20 Nov 90
From: [anonymous]
Subject: [anonymous] author identifies anonymous referee

I'm not sure if this is a technology-based risk or a process-based one.

Recently, I had a paper rejected from a technical conference. As usual, the committee returned to me the reviewers' comments with the identifying header removed. However, they neglected to remove the small line of type placed at the head of the page by the reviewer's fax machine. This machine kindly gave me the reviewer's place of employment (down to the building and department names) and fax number. Better than caller ID, since I can correlate that with the (small and public) list of reviewers for this conference and arrive at the reviewer's name.

We can see this as a technology-based risk in that the reviewer didn't know that his identifying information was going to be publicized. Or we can see it as a process-based risk in that no one involved remembered to remove the identifying line (and that the reviewer was in a sufficient hurry that he used the fax rather than another transport medium).

------------------------------

Date: Wed, 21 Nov 90 07:12:23 PST
From: (Sameer Mithal)
Subject: Reuters Holdings PLC and shouldering the blame? [Abstracted by PGN]

An article entitled ``Who takes the blame when trades short-circuit?'' in the Wall Street Journal, 20-Nov-90, p. C1, discusses the general problem of how to resolve liability questions in case transactions are messed up by computer-related screwups. In particular, pending resolution of the liability issue, Reuters Holding PLC has announced an indefinite delay in the development of Dealing 2000-2, a network of systems for foreign-exchange trading. Clearly Reuters would like to limit their risks.
The article is not overly informative, but does sound the English horns of the dilemma. [PGN]

------------------------------

Date: Sun, 18 Nov 90 23:05:09 EST
From: henry@zoo.toronto.edu
Subject: MD-11 test flights over the pole

Interesting item in the 22 August issue of Flight International: the prototype of McDonnell-Douglas's new MD-11 airliner (a DC-10 derivative) made a test flight partly aimed at testing performance of navigation software in the vicinity of the North Pole, making four passes directly over the pole and one nearby. On two of the pole passes, the flight-management computers were deliberately "failed" to see if the backup equipment would function. No problems, they say.

(This is not as trivial as it sounds, because the vicinity of the poles is a severe worst case for navigation algorithms. The distance between degrees of longitude goes to zero while latitude remains unaffected, trig functions are pushed to extrema of their behavior, and there is a singularity in the coordinate system at the pole itself.)

Henry Spencer at U of Toronto Zoology

------------------------------

Date: Mon, 19 Nov 90 20:23:54 EST
From: wdr@wang.com (William Ricker)
Subject: Soc.Sec.No. on Driver's Lic. (was Re: Sprint's New Calling Card)

Jerry Glomph Black, black@MICRO.LL.MIT.EDU writes:
>Even the police-state People's Republic of Massachusetts allows you to specify
>a bogus SS No. for your driver's license, instead of your real one, so long as
>your bogus no. doesn't duplicate somebody else's license no.

Bad news -- the Mass. Registry of Motor Vehicles now requires that their computer contain your SSN as well as your bogus number.

I requested and was given a "S-number", an 8-digit number with an S prefix, as my drivers license number years ago. But on my most recent birthday -- election day, this month -- I was informed that to renew, I must supply my SSN in confidence to the computer, but not to worry, it wouldn't be printed on my license.
Yes ma'am, it is your computer that I don't want to have it.

I protested ... and was informed by Registry's legal department that Mass. Law overrides any federal law, and if I didn't want to comply, I didn't have to renew my license to drive, did I?

The Mass chapter of the ACLU has informed me that the Mass. RVM has the right to demand this number from me. I must call them back and get the chapter and verse on that; I would like to see a full opinion.

One angry camper,
/bill ricker/ wdr@wang.com a/k/a wricker@northeastern.edu

------------------------------

Date: Tue, 20 Nov 90 17:52:00 GMT
From: Tim Steele
Subject: Tomatoed 911 (Boudrie RISKS-10.62, re: RISKS-10.60)

[...] My best guess at What Really Happened is:

The answering machine does in fact have a built in phone (otherwise why would it be able to dial?)

The phone probably has a memory button programed to dial 911.

The tomato juice probably dripped on to the button and 'shorted' it out (the dialler chip is probably expecting a rubber membrane keyboard and will accept a fairly high resistance as a valid key press).

Tim

------------------------------

End of RISKS-FORUM Digest 10.63
************************