Re: Automatic Entry and Forms

Murray Altheim (murray@spyglass.com)
Sun, 25 Feb 1996 19:23:52 -0400


Message-Id: <v02110102ad567996a944@[140.186.34.50]>
Date: Sun, 25 Feb 1996 19:23:52 -0400
To: "Phillip M. Hallam-Baker" <hallam@w3.org>,
From: murray@spyglass.com (Murray Altheim)
Subject: Re: Automatic Entry and Forms
Cc: www-html@w3.org

Phillip,

Phillip M. Hallam-Baker <hallam@w3.org> wrote in response to Robert Hazeltine:
>I think people are offended that you have attacked a position that
>nobody was actually proposing.

It's precisely what was *not* in the proposal that has some folks up in
arms. There are both technical and personal privacy aspects that have not
been addressed.

[...]
>I need no lessons in protecting personal privacy. I work in the security
>and payments areas and work on the same floor of MIT as Ron Rivest's
>cryptography group.

The first failure of science is the belief that one truly knows the scope
of possibility within a system. Your credentials hardly shield you from
making errors in judgement; I think this was why someone cited a quote from
Napoleon.

I think a weakness of the current proposal is precisely that it doesn't
address the privacy and security issues that surround placing sensitive
personal information in an accessible location on a computer. While perhaps
you don't feel Robert's visceral response was appropriate, I very much
share his concerns. Abuse of such a system does not seem very difficult at
all (examples have already been posted), and you have failed to even hint
at these possibilities in your proposal.

You've recently stated that this proposal does not deal with automated
submission of forms. This ignores the possibility that the user does not
know they have submitted a form, or that they may have submitted more
information than intended. This also ignores the possibility of the form's
default information being accessed through other means, such as a Java
applet. A 'next page' button on any web page is potentially a form
submission. Does this proposal deal at all with the fact that any link is
potentially an involuntary form submission containing hidden fields
containing private information? No, it does not.

Robert Hazeltine <rhazltin@bacall.nepean.uws.edu.au> writes:
[...]
>Maybe people two generations hence might find the ideas of transferring
>data - both personal and business - without human intervention acceptable
>as a principle.  I do not.
>
>I have already had enough to do with online government and business
>systems to know that I cannot accept the proposal as a wise one, as
>distinct from a good technical one.
>
>I guess I do not want to see the thin edge of the wedge become the block.
>Once this principle is accepted, there will be no constraints, especially
>in the hands of private enterprise (which is even more scary than
>government's intrusion into our private lives). For whatever its worth,
>government is at least subject to political scrutiny.

I can give you a personal example that potentially removes the governmental
barrier -- I worked for many years at California State University. Would it
frighten anyone if I stated that without too much effort I could get access
to the names, addresses, phone numbers, social security numbers, class
schedules (plus about 30-40 more fields) of all 18-22 year old female
students (or any other specific cohort)? Now I have *absolutely no
intention* of abusing this ability, but what about others? Someone
currently or previously employed in the credit or banking industry? The
military, CIA, FBI? I'm certainly not alone in being able to access
sensitive personal information.

Even within the law, direct marketing companies can (for a fee) provide
similar information on CD-ROM to clients, such as the names and addresses
of all teenage girls who've sent fan letters to the NFL (no I'm not making
that one up).  One direct marketing company [1] boasts of having processed
over 7.1 billion pieces of targeted mail representing over 10% of all
direct mail in the US. Their information comes not directly from consumers,
but purchased from anyone willing to sell private demographic and
transactional information.

As I said before, I do share the Fear, Uncertainty and Doubt of the common
lassitude over privacy issues. To hear someone state that because of their
position within the security community they understand the issues or share
my concerns, coupled with a proposal that doesn't even address these
issues, only reinforces my uncertainty.

[...]
>Nothing in these proposals, and some of the comments on my original
>posting, inspires confidence that proper weight has been given to concerns
>for the integrity of privacy.

Agreed. I sincerely don't understand how anyone could believe that this
proposal *doesn't* impact personal privacy issues. I would suggest writing
a "Security" section that outlines security issues in detail.

Murray

[1] http://www.dmti.com/what.html

______________________________________________________
    Murray Altheim, Program Manager
    Spyglass, Inc., Cambridge, Massachusetts
    email: <mailto:murray@spyglass.com>
    http:  <http://www.stonehand.com/murray/murray.htm>
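The involuntary submission Murray describes above (a "next page" button that is really a form carrying fields the user never typed), as an added example that is not part of the original message: a small audit, written in Python with the standard-library HTML parser, that lists every field a click on such a form would send without user entry. The sample form, its action URL and field names are constructed for the example.

```python
from html.parser import HTMLParser

# Constructed sample: what looks like a plain "Next page" button is a POST form
# whose hidden fields carry data the user never saw or typed.
SAMPLE_HTML = """
<form action="/step2" method="post">
  <input type="hidden" name="session" value="a1b2c3">
  <input type="hidden" name="user_email" value="alice@example.org">
  <input type="text" name="comment" value="">
  <input type="submit" value="Next page">
</form>
"""


class FormFieldCollector(HTMLParser):
    """Collects every <input> inside each <form>, with its type, name and preset value."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per <form>: {"action": ..., "fields": [...]}
        self._current = None   # the <form> currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append({
                "type": (a.get("type") or "text").lower(),   # default input type is text
                "name": a.get("name"),
                "value": a.get("value") or "",
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def silent_fields(html):
    """Return (action, name, value) for each field a submission would send without the
    user typing it: hidden inputs, and other inputs that already carry a preset value.
    Buttons carry no data beyond their label and unnamed fields are never sent."""
    parser = FormFieldCollector()
    parser.feed(html)
    found = []
    for form in parser.forms:
        for f in form["fields"]:
            if f["name"] is None or f["type"] in ("submit", "button", "image", "reset"):
                continue
            if f["type"] == "hidden" or f["value"]:
                found.append((form["action"], f["name"], f["value"]))
    return found


if __name__ == "__main__":
    for action, name, value in silent_fields(SAMPLE_HTML):
        print(f"{action}: {name}={value!r} would be sent without user entry")
```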