The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 10 Issue 79

Wednesday 23 January 1991

Contents

o Lotus Marketplace
various sources
o UK firms poor on computer health
Olivier M.J. Crepin-Leblond
o Data privacy abuse in Australia
Phil Clark
o MasterCard policy opens door to crooks
Marv Westrom

Lotus Marketplace

Peter G. Neumann <neumann@csl.sri.com>
Wed, 23 Jan 91 15:00:23 PST

Excerpted [by PGN] from today's Wall Street Journal (23 Jan 91) and AP items.

[Lotus Development Corp. was expected to announce today that it will drop its
plans to place on the marketplace Lotus Marketplace, discussed here copiously
in earlier issues (RISKS-10.61,62,63,68,74).]

``The turnaround on Marketplace suggests that technology companies are slowly
learning how to strike a publicly acceptable balance between privacy and the
explosion of electronic data.  One example came last year when phone companies
introduced "Caller ID" options that flash a caller's number on the other
party's phone.  In response to consumer complaints, some phone companies are
adding a feature that lets callers block their numbers.''  [WSJ]

``Lotus said it also would discontinue shipment of Lotus MarketPlace: Business,
a database of information on 7 million U.S. businesses. That product had been
offered since October.'' [AP] [The WSJ article implied that this product would
NOT be cancelled.]

``Marketplace touched a raw nerve among consumers, and took on a broad symbolic
significance in the debate over electronic privacy.  When Lotus offered to
delete data about anyone who called or wrote, it was flooded with about 30,000
requests.  Consumers learned about the product through widespread news reports.
... Marketplace also became one of the hottest topics on the computer networks
linking technology students and professionals.  Complaints and protest letters
were posted and copied on hundreds of networks.  Opponents circulated Lotus's
phone number and the electronic-mail address of Jim Manzi, its chief executive
officer.  "If you market this product, it is my sincere hope that you are sued
by every person for whom your data is false, with the eventual result that
your company goes bankrupt," declared one letter to Lotus that was posted on
several networks.''  [WSJ]

``Privacy advocates' chief objection to Marketplace was that it wouldn't
be easy enough for consumers to delete their data, or correct any
inaccuracies.  They worried that even if Lotus offered to update the
disk with corrections and deletions, offending earlier versions would
still go on sale.''  [WSJ]

``Lotus and Atlanta-based Equifax spent two years developing Marketplace
Household. Lotus spokesman Richard Eckel declined to estimate Lotus'
development costs.''  [AP]

``"There was no effective way to make sure that everyone listed on that product
had freely consented," says Marc Rotenberg, Washington director of Computer
Professionals for Social Responsibility.  The nonprofit group was one of
Marketplace's loudest opponents.''  [WSJ]

And then there was this item, contributed roundabout, in a memo today from Jim
Manzi to Lotus and Equifax folks, announcing the demise of both products:

  ``Unfortunately, we feel the majority of concern over the Households product
  has been generated by misinformation about the product's content and a general
  lack of understanding about the direct marketing industry.  From the very
  beginning, Lotus and its data partner, Equifax Marketing Decision Systems,
  implemented a number of privacy-related controls that exceeded traditional
  direct marketing industry practices.  We felt confident that these procedures
  limited any potential abuse of the product.  Consumers should demand that
  future products of this type be as scrupulous and responsible.''  [Jim Manzi]

    [The WSJ item was noted by Sean Kirkpatrick <sean@NISD.CAM.UNISYS.COM> and
    others.  The AP item was noted by Steve Bellovin <smb@ulysses.att.com>; an
    earlier personal phone call to Lotus attempting to get himself removed from
    the database resulted in Scott Wilson <swilson@pprg.unm.edu> being told
    that there would be no database from which he could be removed.

    On Monday, Roger H. Goun <goun@ddif.enet.dec.com> noted an article in
    the Boston Globe Business section, T.G.I.M. column, 21 January 1991, the
    writer of which included the following premonition to those who wanted to
    object to their being in the database:

      Save your breath, and save Lotus the dime.  They're getting the message.
      If I were a betting man, I'd bet you won't see Lotus in this Marketplace
      much longer.

    And yes, for you skeptics, there are still 10-cent payphone calls in
    Massachusetts, among other places, although the incoming 800 number is
    probably not exactly 10 cents per call.  PGN]


UK firms poor on computer health

"Olivier M.J. Crepin-Leblond" <MEEB37@vaxa.cc.imperial.ac.uk>
Thu, 17 Jan 91 16:19 BST

This article has appeared in a specialised publication in the UK called Technology
Graduate, Nov/Dec 1990 issue.

British companies are not doing enough to safeguard their employees
against the health hazards of working with computer technology.  Only a quarter
of businesses take formal health and safety measures, according to a survey
published in "Which Computer?" magazine.

A sixth of the organisations who took part in the survey reported staff
illness directly related to the use of information technology equipment,
injuries such as headaches, repetition strain injuries (RSI), eye problems and
back, neck, wrist and finger ailments.  A third of them said they received
staff complaints about the health risks associated with computers.

However, employers will soon be compelled to take statutory action on
the welfare of staff. By the end of 1992, EC member states have to put up with
a directive which lays down minimum health and safety requirements for work
with IT. Employers will become legally responsible for ensuring that all new
equipment installed meets its requirements; existing equipment must be brought
up to standard within four years.

The directive also governs mandatory inspections of computer equipment
and sets down minimum standards for the ergonomic design of computer screens
and keyboards, desks, seating and lighting.

It provides for training and organisation of time to allow for periodic
breaks from screen work and regular free eye tests and glasses where necessary.

Display screens must be flicker-free and fully adjustable.  The
keyboard must also be separate from the screen. Sufficient desk space must be
provided for hand and arm support. Computer users' chairs must be adjustable
and a footrest must be available on request.

Many of the companies surveyed were ignorant of both the risks and of
where to seek advice on computer health and safety.  Less than a quarter had
consulted the Government's Health and Safety Executive on computer users'
rights and only one in 10 had taken advice from an ergonomist.

 - Typing this has given me a backache. -

Olivier M.J. Crepin-Leblond, Elec. Eng. Dept, Imperial College London, UK.

                                                        [Cogito, ergo nomics.]


Data privacy abuse in Australia

Phil Clark <pgc@csadfa.cs.adfa.OZ.AU>
17 Jan 91 00:44:26 GMT

The following items appeared in the "Canberra Times" of Monday 14th January
1991 and Tuesday 15th July 1991. These show how computer information,
databases, banking and credit records are being abused in Australia, with
little or no recourse for the general public.


IN 1990 THE Commonwealth Privacy Commissioner published a thick report listing
the extensive tabs the Government keeps on its citizens, including details on
people's sexual lifestyles and relationships, held by the Department of
Immigration, local Government and Ethnic Affairs.

It showed that dossiers are created on people who write to government
ministers, and that the Federal Government has access to all state birth, death
and marriage registers and state vehicle and licence authorities' records,
which it matches up with Medicare, taxation and social-security files. The
Taxation Office collects information on Medicare records, bank accounts,
land-title records, car registration and virtually every immigration movement
into and out of Australia, and the Department of Employment, Education and
Training has access to most university records.

The flow of personal data in Australia is generally freely swapped between
state and federal governments. In 1990 the Government passed the Cash Reporting
Transactions Act, which effectively makes the banking industry an arm of
government, providing details on major transactions, and which is rapidly
moving towards the Government having full on-line computer access to people's
bank accounts. Even the NRMA (*NSW motoring organisation) gives its
three-million-name membership list to help the authorities track down unpaid
parking fines.

Australia lags far behind France, Germany, Singapore, Belgium and Austria,
which have detailed laws protecting privacy. This prompted, by the mid-80s, a
series of European media reports detailing Australia's departure from the norms
of developed countries. Among examples are NSW laws allowing people to be taken
into custody without being charged and forced to give blood, and, more
recently, laws dealing with the search and seizure of private property.

One of the most far-reaching of recent laws is the one that confiscates assets
`SUSPECTED' of being the proceeds of crime or even associated with crime. It
can deny the accused access to his money for legal representation, and in some
cases reverse the onus of proof.

Some of these state laws directly depend upon the ever-increasing information
flow to round up suspects. Many people so accused have been innocent, chosen
for investigation simply because they fitted a certain computer profile, such
as a businessman arrested because he travels overseas a lot and appears to the
computer as if he might be a drug courier.

In a recent radio interview presented by the wife of the NSW Premier, Kathryn
Greiner, it was revealed that a woman had wrongly been reported to the Taxation
Office as running a brothel. The information was reported to the Government by
her credit union, to which she had applied for a loan.

The Cash Transactions Reporting Act in the past six months has caused dozens of
innocent individuals' lives to be invaded by the authorities.  In some cases
their homes have been seized. Most Western European countries strictly prohibit
the collection and networking of data. The next step is the introduction of a
Bill in a few months requiring Australian citizens to have an exit visa before
being allowed to leave the country.

Partly in response to the criticism of the European Press and growing concern
of Australians about privacy, the Commonwealth Government enacted the Privacy
Act. The preamble specifically recites Australian obligations to protect
personal privacy under the International Covenant on Civil and Political
Rights.

The main Act relating to Commonwealth records was passed in 1988, with an
accompanying Bill which purported to regulate the activities of credit-rating
bureaus. After heavy lobbying by the finance industry and the Credit Reference
Bureau of Australia Ltd, the Bill was delayed.

The Act gains nation-wide coverage by a backdoor method to overcome
constitutional limitations. The thinking of the Government in drafting the
legislation relies upon reform of the way organisations collect and manage
information. The linchpin is the commissioner's power to create a Code of
Conduct which if breached gives the commissioner the power to award
compensation - a duty he has been given to enforce with just 11c per
Australian. As the general manager of the Credit Reference Association of
Australia Ltd points out, at the time of drafting the prosecution provisions
were rarely (if ever) expected to be used.

The reality is that the privacy legislation, already a complex 90-page
hotchpotch of provisions unable to be read without reference to other
legislation, offers little real protection of privacy and even less compliance
with the spirit of the treaty to which it supposedly gives effect.

The Privacy Act is being used by the Government to add a further obstacle on
top of the already restricted Freedom of Information Act to deny information
legitimately sought by journalists. An example is where ministers' officers
refuse to comment on cases by saying erroneously that the Act prohibits them
from saying anything.

It exempts intelligence agencies, the National Crime Authority, most activities
of government enterprises, and Royal commissions and government ministers. The
information can be used for any purpose or exchanged "for any other purpose"
where the Government believes a person impliedly agreed to such a release.

Because most government-agency forms contain broad boilerplate clauses which
provide for the exchange of information, implied consent "for other purposes"
will nearly always be present. For example, the Department of Immigration,
Local Government and Ethnic Affairs places on its forms that it is the
department's "usual practice [to] pass on some or all such information to
agencies which deal with education, health community services, social welfare,
employment and labour, intelligence, law enforcement, taxation and statistics".

As it stands, the legislation is sufficiently vague to offer Commonwealth
agencies wide discretion in deciding what constitutes implied consent and what
is meant by the word "reasonable". Similarly, the legislation provides a
blanket clause that allows private information to be given out where it is
"reasonably" necessary for the "enforcement of the criminal law or of a law
imposing a pecuniary penalty, or for the protection of the public revenue". It
allows Social Security to match up its records against tax and income details
held by other departments, a practice recently entrenched by data-swapping
legislation passed in the last week of parliamentary sittings.

The exchange of information currently extends to Social Security getting lists
of drivers from taxi companies so it can look for pensioners and the unemployed
attempting to earn a few undeclared dollars. Its computer combs state death
registers to identify deceased beneficiaries. Unfortunately the same procedure
has led to embarrassing errors where innocent people have had their income
stopped because of a mistaken identity.

Social Security and Taxation also use the Credit Reference Association of
Australia Ltd to investigate people's finances.

The legislation is wide enough to cover also the release of information for
ANTICIPATED evasion of any law, such as state stamp duties, investigations or,
for that matter, nearly any act of a state government which has a connection or
responsibility of administering a government Act. In other words, the
exceptions are so wide as to empty the legislation of any real clout.

The legislation fails to address a general fear of the spectre of a 1984 "big
brother" that is an all-knowing omnipresent surveillance, because it does
nothing to control effectively the real mischief which lies in cross-linking
the records which affect a person's life.

Except for tax-file-number information, few controls are put on what state
governments do with information given to them by the Commonwealth.  With up to
a dozen government agencies swapping data, a large number of people learn
secrets, and information may become less accurate on each transfer.

In recent times there have been a number of prosecutions against Social
Security staff, tax officers and other public servants selling data-base
information, police in various states accused of selling motor-traffic and
other government information, and other illegal passages of information.
Private investigators have boasted of how easy it is to extract information.
The average person has reason to have serious doubts as to privacy within state
government records with which the Commonwealth freely swaps data.

The Privacy Commissioner, former barrister Kevin O'Connor, appointed to
administer the Act operates under a number of fetters, including a curious
provision requiring him to have regard to "social interests that compete with
privacy including the general desirability of a free flow of information and
the recognition of the Government and business to achieve their objectives in
an efficient way". This is wide enough to force the commissioner to take into
account government policy aimed at matching up its records and creating
detailed profiles of people's spending patterns for taxation or any other type
of investigations the Government thinks desirable.

At present the commissioner works on a tiny budget of just over $2 million a
year, which is grossly inadequate to carry out his enormous task. He is also
muzzled by extraordinary provisions which enable the Attorney-General to
certify that he may not investigate certain breaches of the Act by the
Government for such ill-defined reasons as national security, international
relations or where an investigation is planned or where the matter concerns the
methods and practices adopted by law-enforcement or intelligence-type agencies,
despite that it is in this very area that the greatest fears for personal
privacy exist.

The commissioner has limited powers to award compensation in certain cases
although the legislation is silent as to how much and when this provision may
operate. How can a person put a value on having put on public display his
personal affairs, which will never be the same again? How to value the feeling
of being personally invaded and the hassle of clearing it up? To give the
legislation some teeth, the commissioner will need to take a robust attitude in
order to make organisations responsive and to encourage aggrieved individuals
to take the time and trouble to make and follow through a complaint.

Yet even where compensation is awarded, if the person against whom the order is
made refuses to pay, then the whole matter is reheard by the Federal Court, an
expensive and time-consuming process where legal costs can quickly wipe out any
compensation payment.

Tomorrow: Credit reporting agencies.

The Credit Reference Association of Australia is the largest credit-reporting
bureau in Australia and is jointly owned by the banks, insurance companies and
to a lesser extent its smaller subscribers. It has records on about nine
million adult Australians.

Amendments to the Privacy Act that claim to control this agency were passed in
the last fortnight of the 1990 Parliament and heralded by Senator Nick Bolkus
(Lab, SA) as one of the great reforms of the Labor Party. The Bill was
originally introduced in 1988 but stalled for two years while heavy lobbying
took place behind the scenes.

According to the general manager of the association, Bruce Bagon, it hired
former Commonwealth Ombudsman Jack Richardson to draft model legislation for
its own governance.

Contrary to the great achievement claimed by the Government, the recent
amendments to the Commonwealth Privacy Act were not new because the association
had already been restricted since the 1970s under various state legislations
and by its own internal policies.

The effect of the new legislation, which does not become law for another nine
months, claims to restrict who can gain access to consumer files by allowing
access to only "credit providers". This means that many peripheral users such
as real-estate agents, Telecom and insurance companies can no longer get
credit information.

It also prevents "positive reporting" being placed on a file - something the
association had at one stage planned to introduce. Positive reporting puts a
person's current details on file, whether positive or adverse, such as current
credit accounts held and balances owing on each account, payment details and so
on.

Other provisions force the association to separate - but not delete - a
person's "commercial" activities, such as whether a person is a director or
otherwise associated with a failed company or a business.

It also requires publicly available records such as electoral-roll information
and telephone-book information to be stored separately, but not deleted. The
law still allows court judgments and bankruptcy notices to be included on a
person's file.

Similarly, insurance records will be separated.

The result will be that most people will have three files, one for personal
credit, another for insurance, with a last one holding information on any
"commercial" activities.

As with the provisions of the Privacy Act that claim to regulate government
files, the parts that regulate the credit bureaus contain numerous loopholes.
The association's general manager says the legislation adds very little to its
existing practices, except to cause the separation of files. It creates a vague
list of "privacy principles" and requires a "code of conduct" yet to be
formulated to cover the nitty-gritty details of regulation, such as how to
decide what constitutes a person's "commercial", as opposed to personal,
financial activities.

The federal legislation does not give consumers a specific right to directly
ask the credit bureau to remove errors, in contrast to legislation in countries
such as the United States, which has had a Fair Credit Reporting Act since
1971.

This weakness forces customers to go through their credit providers to have the
error completely removed. As the credit provider has no financial incentive to
correct records actively, it in effect puts consumers in the position that the
banks decide when and what to tell the credit bureau. There is virtually no
chance of successful prosecution.

The only restriction placed on the credit provider is that it must tell the
bureau "as soon as practicable" that a person has paid an outstanding bill or
denies liability. In practice this allows the banks the flexibility to delay
making corrections while it "investigates" any other type of error. The
consumer's only direct right is to have a note added to his file stating that
there is an error.

But, unfortunately for the consumer, the maxim "no news is good news" is
especially relevant in the credit industry. Despite any note on the file, a
consumer is unlikely to be given the benefit of the doubt by another potential
credit provider.

The result is that the consumer is effectively at the mercy of the banks
as to when they decide to act on a complaint - a disheartening prospect
considering the poor service that seems prevalent with banking nowadays.

The US legislation, by contrast, foresaw this problem and requires any disputed
negative items to be removed until (and if) the matter is cleared up. The bank
that made the negative report has 30 days to justify its claim, after which the
negative item permanently lapses.

Although the legislation claims to restrict the use of information for the
purposes of assessing credit applications, it can be used for many other
purposes if it believes on "reasonable grounds" that a consumer is no longer
willing to comply with his obligations.

Then the legislation allows the information to be used "in connection" with the
consumer's alleged lack of compliance. This gives great latitude to credit
providers.

In modern credit-management practices, if a person refuses to return phone
calls, refuses to do as the creditor asks or perhaps refuses to discuss the
matter, the consumer runs the risk of being labelled as "delinquent" or as a
"skip", with the result that other credit providers are given the names on a
special alert list.

Just what "reasonable grounds" means to a credit provider or in-house debt
collector is unspecified, unlike the US law, which sets up a specific regime.

There is little chance of successfully prosecuting credit providers or
reporting bureaus. A prosecution must prove corporate criminal liability -
difficult to establish at the best of times but almost impossible under the new
legislation.

The Privacy Act requires that the entity must knowingly or recklessly breach
the Act; show that the employee who committed the act in question did so within
the scope of his actual or apparent authority; have the requisite state of
mind; and finally requires proof that it failed to take reasonable precautions
and to exercise due diligence.  Each of the four criteria must be proved beyond
reasonable doubt.  Privacy legislation in Australia therefore offers very
little to the public.

The various principles and unstated practice codes are so widely defined as to
be meaningless and/or easily interpreted in such a way that nearly any act can
be justified within its framework.

With the likelihood of successful prosecution virtually nil, the legislation
does protect tax-file numbers but, far from the breakthrough claimed by the
Government, it remains little more than window dressing.

The Government needs to bite the bullet and use its external-affairs power to
create a uniform and detailed law on privacy for the whole of Australia,
written in plain English in a consolidated Act.

Phil Clark [VK1PC] Department of Computer Science, Australian Defence Force
Academy, Northcott Drive, Campbell, Canberra, Australia, 2600.  +61 6 268 8157


MasterCard policy opens door to crooks.

<Marv_Westrom@mtsg.ubc.ca>
Mon, 21 Jan 91 09:56:48 PST

I have a MasterCard account which I use regularly. I keep my receipts and match
them to the line items on the statement each month. On January 15th I received
a regular statement which contained an item for which I did not have a receipt.
A phone number is provided on the statement; I telephoned Customer Inquiry to
ask further about the charge. Possibly I had lost the receipt; or possibly the
charge was made incorrectly.

A man identifying himself as Warren informed me that they could not provide me
with a copy of the sales receipt, and the only way to address this matter was
for me to write a letter (to Julia) explaining that the charge was incorrect.
There was a second charge to the same merchant (an EXXON station) on the same
day and upon learning that I still had my copy of this sales slip, he explained
that a photocopy of it would be required with my letter so that they would have
proof of an erroneous charge. I felt that these demands defied common business
practice and all common sense but he assured me that this was company policy.

MasterCard is a significant presence in our society. I use both MasterCard and
Visa as a part of my regular personal financial activities. These two companies
have a virtual monopoly on this form of credit; I do not have the opportunity
to take my business elsewhere. So perhaps they can use their monopoly power to
institute a policy that is contrary to common sense. But I don't think they
should be allowed to do so.

An unscrupulous person knowing that this was MasterCard policy could set up a
system of generating unwarranted charges with some cover of plausible
deniability. Many of these charges would be paid simply because customers do
not check their accounts closely. But even those who notice the spurious
charges now have the onus of taking action and proving that they did not incur
the charge. For a charge of $30 or so, many people would pay up rather than get
involved in the hassle of proving that they did not owe it.

What protection do I have from spurious and unwarranted charges to my
MasterCard account, from unscrupulous merchants who could note my number and
then put through fictitious charges and from errors by cooperating merchants
and MasterCard itself? I can see that MasterCard would wish to be relieved of
the burden of being honest and accurate, but surely the onus for proving that I
owe money has to be on them. Notwithstanding that this is contrary to company
policy.

I will write my letter to Julia and enclose the proof that she requires. But I
think that MasterCard's policy in this matter is a significant and serious
deviation from acceptable practice and poses a significant risk to us all.
