Gordon Everest discusses computers and privacy

MPR’s Dan Olson interviews Gordon Everest, computer expert and professor of business management at the University of Minnesota, who shares his concern that most Americans do not understand what is at stake when we talk about the use of computers and the protection of our privacy and property.

Read the Text Transcription of the Audio.

(00:00:00) The computer itself can be the object of crime, or the computer could be an instrument in perpetrating a crime, or the computer, in fact, might be incidental to the perpetrating of a crime. Yet we still sometimes associate the computer with the crime and call it computer crime. It's really, crime involving a computer might be a better term. But there are economic consequences to a lot of those things, and whenever there's an economic consequence we might call that computer crime. When we speak of privacy, we're really talking about an individual right. An individual right of privacy can be violated, privacy invaded, because personal data is stored on the computer and somebody else gets a hold of it who's not supposed to have it, or misuses it in a way that the individual did not expect. So we've got the issue of privacy that pertains to the individual, and sort of crime that pertains to economic consequences in computer systems, of use of computers. And security is something that can underlie both of those. Security is the state of a system and a set of mechanisms that can counteract invasions of privacy through improper disclosure of data, or theft of computer time, or the use of a computer to perpetrate other kinds of fraud.

(00:01:34) I certainly couldn't do it, Gordon, but I have the impression that with a little bit of basic knowledge it can't be all that difficult to break into a number of computer systems.

(00:01:42) No, it's not. It's not difficult at all.

(00:01:46) What are some of the more lurid examples of the abuse that has taken place?

(00:01:49) The biggest examples of abuse that have taken place are abuses that have occurred because the individual who perpetrated the crimes or perpetrated the penetration had an inherent right to the system in the first place. It's the head teller who starts to shuffle bank account balances around to their own advantage, to their own account.
It's the person who is programming a payroll program and rounds everybody's paycheck down and adds the fractional cent to their own account. And when you've got a thousand employees, that fractional amount could be $50 on the average per paycheck. But these people have an inherent right to use the system. It's just that they're abusing that right, doing something other than what was originally intended.

(00:02:39) I'll put you on the spot for one example. What is one of the most sophisticated abuses of a computer system you have come across in your studies?

(00:02:47) If it really involves the computer, I guess one example took place a few years ago. A fella literally got into a system through a terminal. And with the terminal, and knowing the telephone number of a computer, you could call in and get in, and then the next thing is a computer asks you who are you and what's the password and so on, and if you've got enough knowledge of the system you can often break through that security, and started creating dummy orders for telephone equipment. And the phone company would fill these orders and deliver the product where it was supposed to be delivered as specified in the order, and then this person would pick it up and take it to a warehouse. He was finally caught, and they estimated that some five million dollars' worth of equipment had been absconded. Person was caught, charged, guilty, and put in jail. And today he runs one of the most successful computer security consulting firms in the country.

(00:03:54)
He's turned the tables very nicely. Good for him, knows what it's all about, and good for the computer company. And I assume that this is a recurring nightmare for computer companies who manufacture this technology and create it, that they must continue to devise new ways of thwarting the computer thief. And how successful are they?

(00:04:14) Some are very successful because they're willing to spend the time and the money necessary in sort of counter-revolutionary activity, if you want to think of it that way. The companies that don't are the ones that open themselves up to problems. However, top management people, or people in a position to tell others how the computer system should be used, there's no amount of technical thwarting that can take place. A good example is the Equity Funding scandal. There you had upper people in the company telling the lower people in the company to create dummy policies and have them stored in the computer system.

(00:04:57) Well, this is all very entertaining, these examples of how computer thieves work, but it may not apply as directly to most of us who might not have a chance to get to a terminal and exercise some of the technology involved in creating dummy accounts or whatever. Gordon, I'm just thinking that whenever I apply for a driver's license or whenever I re-register my automobile for a year, my Social Security number, a variety of other numbers in my possession, my credit card numbers and all of the information attached to my credit card, I presume that a lot of that personal information, and perhaps much more that I don't even know about, my magazine subscriptions, are all stored someplace and they're being used by someone. I've never felt threatened by that at all. Should I be worried about the way in which that information is being used?

(00:05:45) Whether or not you should be worried, you don't know yet. And the reason why you don't know whether you should be worried is because you don't know what's happening to that data.
And that's one of the central things that I've been arguing, is that individuals must first know. And that's a fundamental right cast in our Constitution, the right of an individual to know if bad data is floating around about them. Whether or not it's true, they should know about that, particularly if it's false. They should have the right to correct it. But if they don't know what's happening, they don't know who's using your data, what kind of data is floating around from company to company, then they have no notion of whether or not they should be entering into a fight.

(00:06:22) The federal privacy study commission is apparently concerned about this issue. What have they found in the way of abuse regarding the information that is held about (00:06:32) us?

(00:06:34) Oh.

(00:06:36) I guess a lot of the things are just things that people don't expect are going to happen. With the state government, you go to the motor vehicles branch and you apply for a license and they take your name and address and so on. Well, it turns out that under Minnesota law that is considered to be a public record. That simply means that it's available to anyone for any purpose. Well, that mailing list is sold thousands of times over and people send out junk mail as a result of that.

(00:07:08) And the state gets the revenue from selling that list.

(00:07:12) That's right. And it's a substantial amount of revenue, and they would like not to see it go away. Although I think there are just higher order concerns that really need to be brought to bear.
I personally don't think that it should be public. It should be available to some people with the need to know. And there are lots of cases like that too.

(00:07:34) The federal privacy study commission, as I understand it, has made some recommendations about the use of information stored in computers about American citizens, and the White House, either by the time this conversation is aired, will have or is in the process of issuing some proposals to Congress about legislation in this area. What do you, Gordon Everest, think that we'll be seeing in the way of some protections for the average American regarding the use of information that we have given to computers?

(00:08:07) Well, we already have a federal statute that lays most of these rights on the table for the private citizen in dealing with federal government agencies. And the rights that we're talking about are the right of an individual to control who else should have information about them. And the second is the right of personal access, the right of an individual to have access to their own data that's maintained in the government, to know that it's there, what it says, and to dispute it if they feel it's inaccurate or old or incomplete. And the third is the right of public access, which is directly in opposition to these previous rights. It's the right of other people to see data about you when they have a need to know or when it's in the public's interest. And it is in the public interest if health and safety is involved or if there's a need to monitor the activities of our government. Well, that's the sort of openness of government.

(00:09:03) That's at the federal level. Now, what about the state level?

(00:09:06) We have a similar law. In fact, it was passed first in Minnesota. Minnesota was the first state to pass such a law. The next law was passed by the federal government, and since then eight other states have passed similar legislation.

(00:09:16)
Now, there have been some decisions recently by the United States Supreme Court. I'm thinking of one in particular that are away from the issue for the moment, perhaps, computer or privacy, individual privacy, but may relate. One of the recent decisions was that the Court ruled that it is not necessary for the telephone company, if I have this correct, to notify, in this case, a reporter who made certain long distance calls. Apparently the Justice Department or some other authorities were trying to locate a confidential source that the reporter had used. Now, when we discussed this decision before we began this interview, you thought that that was an important decision. I wonder if you could explain why.

(00:09:58) Well, it's important, and let me go back and give just a little bit of history. In 1976, the United States Supreme Court made a decision, after a case was filed, that said an individual does not have an expectation of confidentiality in the records that a bank holds about them and their bank account. And the Congress, to me that was a very bad decision because it flies right in the face of any kind of individual rights that we might like to talk about. And basically what it says is that the bank can't withhold giving information to any government agency if they ask for it. And in fact, that was the situation with the Bank Secrecy Act passed in (00:10:46) 1970. (00:10:48) Then the United States Congress set to right that in the Right to Financial Privacy Act that was passed in October of 1978, which basically said no, an individual does have a right of confidentiality in that data, and banks cannot just willy-nilly give out information. It can only be given out under certain circumstances and following certain procedures. A couple of those procedures are that when the government serves a subpoena for personal data on a bank, they must also serve a copy of that subpoena on the individual. And so that's the individual having notice that a disclosure
is about to take place, very fundamental. Then the bank is required to drag its heels for 14 days and wait before making the actual disclosure, giving the individual time to go to court and quash the subpoena if they want. Now, this latest decision of the Supreme Court said it wasn't an issue of whether or not the disclosure should take place. It was an issue of whether the individual should even know that such a disclosure has or is about to take place. And the court said no, the individual does not have a right to know. And I think that that's a mistake of the first order. I think it's a very bad decision, and I think that the Congress is going to have to step in again and right that wrong. Incidentally, there is a point to be made about the whole judicial system. The judicial system, Supreme Court down, is required not to make new law. They must always interpret a case and make a decision based upon precedent and based upon existing law. We don't have much law in place to guide them today, which again is part of my motivation, is to get these laws in place.

(00:12:43) We talked a bit earlier, Gordon, about all of the different types of information on file about Americans, and you mentioned the federal statutes in effect here, that we are able to check on the information that has been stored about our lives. And I'm just thinking that would be a full-time occupation for someone if they really wanted to make a concerted effort to track down all the information stored about them. Do you have any shorthand recommendations that people can use if they have some concern, there is something that has popped up that has led them to believe there may be erroneous information about them somewhere? What can people do?

(00:13:19) Okay, if they think it's with the federal government agency, then they can go to that agency.
Now, they may not know what agency is involved, and all of the agencies are required annually to publish in the Federal Register a statement of the kinds of data that they keep on file, personal data, how it's used, where it is, and what procedure they should follow in finding out what the data is that they might have on the individual. Now, that's not an easy thing. They probably should annually, and it's a book that's an inch thick itself, just the statement from the various federal agencies. If it's with the state agency, they could go to the state agency, or in the case of Minnesota, we do have in the Department of Administration a privacy unit that can offer some help, some information to individuals seeking to find out where information on them might be stored. When you get into the private sector, it's a slightly different question. The central mission of the federal Privacy Protection Study Commission was to evaluate the experiences with the federal law and to investigate its application in the private sector. And they came up and made recommendations on a sort of sector-by-sector basis, recommendations for education, for insurance, for banks, for mailing lists, et cetera, many different areas like that. There are a few laws in place in the private sector. For example, there's the Fair Credit Reporting Act that says if you are denied a job, denied credit or denied insurance on the basis of a credit report, then whoever was denying you that service must tell you where they got the information, and then you have a right to go there and find out what that information was. And that's all spelled into the law, what your rights are. But there aren't many other laws like that in the private sector. That's what's coming from the federal Congress, and that's its recommendations in that area that will be in the president's privacy initiative when it comes.

(00:15:20) As you were describing how all of the information about individual US citizens can be misused,
I was thinking about corporate US citizens, and I presume that the amount of information, which seems to me to be mountainous at times, that the corporations must file with the Department of Commerce or Department of Labor and so on, that they would be very concerned too about how their information is used or perhaps misused. And do I understand correctly that there is very little applicable legislation, very few laws speaking to that as well, the protection of business information?

(00:15:53) Yeah, very few laws. In fact, in the United States, states and federal, we've made a very clear distinction. The laws, privacy laws that we're talking about, do not apply to non-natural persons. In other words, they do not apply to organizations. In Europe, it's a different matter. Their laws, some of them now are starting to include legal persons or businesses, organizations. Here, we haven't done that, and I personally don't think that we should. Businesses have enough resources at their command, either individually or as trade associations or whatever, to give effect to whatever kinds of privacy principles they want to. Private citizens do not, and it's very difficult for private citizens to band together. I should make a point here. Before the federal Privacy Protection Study Commission was established in 1974, there was a special committee to report to the Department of Health, Education, and Welfare on automated personal data systems. This was set up by Elliot Richardson, then the secretary, in 1968. And in the speech that kicked off this committee,
he said the issues in our society are not going to be between Democrat and Republican, between liberal and conservative, between government and big business. The issues in our society are going to be between individuals and organizations, whether in the public sector or the private sector, organizations whether business or government. And he said privacy, and he was very perceptive on this, privacy is at the nexus between individuals and organizations, and we've got to think about making the conditions for an open, honest and fair relationship between people and organizations. And that's the central thrust behind all of this privacy legislation, is to have an open, honest and fair relationship.

(00:17:49) We've been talking with Gordon Everest, professor of management information systems and database management systems at the University of Minnesota. Thanks, Gordon, for joining us today as part of Midday. Thank you, Dan.

Funders

Digitization made possible by the State of Minnesota Legacy Amendment’s Arts and Cultural Heritage Fund, approved by voters in 2008.

Transcriptions provided are machine generated, and while APMG makes the best effort for accuracy, mistakes will happen. Please excuse these errors and use the "Contact Us" button if you'd like to report an error. Thank you.
