Date: Mon, 02 May 2005 20:23:58 -0400 To: WSFA members <WSFAlist at WSFA.org> From: "Mike B." <omni at omniphile.com> Subject: [WSFA] Re: Re" Phone Numbers Reply-To: WSFA members <WSFAlist at WSFA.org> At 06:46 PM 5/2/05 -0400, Candy Madigan wrote: >At 04:59 PM 5/2/2005, you wrote: >>At 01:38 PM 5/2/05 -0500, samlubell at verizon.net wrote: >>I'm objecting to the "opt-out" style of procedure. "Opt-in" would make more sense, all things considered. > >You're not thinking. Yes, I am, as should have been clear from what I've written. >Opt-in only works for new stuff that is not already on line. Which, until very recently, included the WSFA Journal. Opt-in is the way that should have been handled when it was made public too, or else the personally identifiable information should have been left out...not just the phone numbers, but all of it. >Old stuff would take *many* manhours to delete. I disagree. Phone numbers have very obvious formats, and are generally located very near the address info. From the quick check I did of a few old issues, the location of this data in the Journals is pretty obvious as well. Email addresses also tend to follow an easily recognized format, involving letters, " at " and generally some words separated by "." as well. The specifics of the format (case sensitivity, characters allowed, etc.) is well described by RFCs. >Unless you plan >to volunteer for that particular labor, you really don't have room to As I very obviously did in the same message you are responding to... >>databases for instance). It should be removed ASAP under the "better safe >>than sorry" rule in order to protect WSFA if nothing else...though I'd have >>hoped that those in authority in the organization would take that path >>which protects members regardless of legal threats. > >So I take it you are threatening to sue? Where did you hear that? Certainly not from anything I wrote...if you disagree, please quote the text that supports your claim and I'd be happy to explain what was actually meant. For instance, in the above the term "legal threats" is referring to prior posts on this thread that I made where I described potential scenarios that would result in WSFA being sued for publishing this data without permission, and where I brought up the potential for violations of the law being involved, but as I said at the time, I'm not certain about the law bit and will leave it to those who work with the law to confirm or deny. It's very clear that Lexus-Nexus is concerned about the idenity theft aspects of their unintended disclosure of personal information and the lawsuits that could result from this, as is Congress. Why WSFA should be so blase about doing something similar, on purpose, I don't quite understand. >>As someone who was around in the days before the net, in WSFA, and who >>provided the data with the understanding that it was for internal use in >>WSFA *only*, I would be *REALLY* pissed off to find that WSFA has now >>decided to hand it out to the world at large without so much as asking >>permission. That's an abuse of trust. > >WSFA did not make any decisions of that sort, WSFA merely republished old >publications that were already circulating to the world at large. I disagree. There's a huge difference between printing a newsletter for handing out at meetings and mailing to members or other subscribers on a very limited basis and putting that same information up on the World Wide Web where *anyone* can get it with no more work than typing a few keystrokes. Audience size really does matter. >an issue. Since he is not omniscient, I'm sure that he is making errors in >judgement, but since you're not omniscient either... I don't need to be omniscient to listen to or read the news. It doesn't take god-like powers to come up with scenarios that could go very badly for WSFA from this. I hope they don't happen of course, but they are not at all impossible. In doing risk analysis it isn't only the likelihood of an event that is of concern. The potential size of the loss is also a relevant factor. As the amount of harm goes up, the required chance of occurrence before it's worth taking steps to avoid the harm goes down. For instance, if the harm is that I lose a penny, I'm not going to waste much effort on avoiding the harm even if the chance of the loss is nearly 100%. If the loss will be my home, I'm willing to invest some time and money in avoiding that loss even if the chance of the loss happening is only 1 in 10,000, or even more. The chance that any harm will come to WSFA from posting this data worldwide is not high at all...but the potential loss is the treasury of the organization, and perhaps the organization itself. There are also potential losses, personally, for those involved directly as well...unless we have Director's insurance for them? How big a chance of this harm do we need to make it worthwhile to see that it can't happen at all? Especially since there is little or nothing to be gained from leaving things as they are? >>If the web version of the Journals >>was restricted to access only by WSFA members, that concern would be >>different...in that case we'd still be handling it under the terms it was >>acquired under. By opening these documents to the entire planet (and any >>others) WSFA has unilaterally changed the terms of the agreement, and >>that's just wrong. > >It was never acquired under the assumption that only WSFAns would see >it. Why do you keep changing what I say and pretending that I'm responsible for it? Where in anything I wrote did I say that WSFA guaranteed that non-WSFAns would find it impossible to see the information? Nowhere. What I said was that the data was collected for internal use by WSFA...i.e. by its members for activities related to WSFA. It was not collected with the intent of handing it out to everyone in the world. If it had been I, for one, wouldn't have provided it. There was always a chance that one of the members would leave the information lying around of course, and some visitor would glance at it, or the CIA would go through their trash and find an old copy, but this is a very different risk than having the information on the World Wide Web where *everyone* can see it. I trusted WSFA members, and I implicitly trusted those they trusted. I don't trust everyone in the world. >It was to be *published* anyone who could get their hands on a Journal >was free to read it. And Journals were available only in person, or perhaps by subscription, or from contacting someone who was at a meeting or got one mailed to them. This is not a huge risk to the membership in terms of identity thieves or mass marketers (neither of which were a big problem 20-30 years ago anyway)...the difficulty of getting the information that way makes it useless to such people. Now that a robotic scan of the web will turn up all of it in readily used forms the difficulty is almost nil, but the utility remains the same, or has increased. What are the chances that the information will find its way to the wrong hands now vs. when the Journals were published? The same? Not likely...and this is easily foreseen and failure to do so could be negligence. Hence the concern. >Why *Thank*you for volunteering to do the work since you are the one having >the hissy fit about it. You're welcome. I'd rather it was me having the "hissy fit about it" than someone who is actually harmed by the situation and chooses to take the matter to court. If we do what we can to limit the damage it not only reduces the chance of any harm in the first place, it also shows that we did give a damn about our members, past and present, had some desire to maintain a state of trustworthiness, and remediated to the extent possible once we recognized the situation for what it was. If we do nothing it will look pretty bad in court...if that ever happens (risk analysis again). It also looks pretty bad in general anyway. I won't be providing any private information to WSFA again any time soon for instance. The organization, and its officers, appear far too cavalier about keeping it safe. >WSFA's information has always been theoretically publicly >available. ANYone can come to a WSFA meeting. Therefore, ANYone already >has access to any Journal that happens to be available at that meeting. Theoretically publicly available and actually publicly available are very different things. Anything you say within earshot of another person (even amplified earshot) is theoretically publicly available. Passersby do overhear snippets of your conversations while strolling through the mall, but I doubt this bothers you any more than it bothers me...an occasional random person isn't likely to care about it, or to make any harmful use of it even if they did. However, would you like all of your conversations recorded and put up on the web for all to hear any time they like? That would be a very different thing, wouldn't it? If there's *anyone* with web access (pretty much everyone these days) who wants to use the information against you, the chances of them being nearby at the mall are very low, but the chances of them having web access are very high. That changes things. The chances of a SPAMmer or telemarketter being at a WSFA meeting, or even being a member, are very low, and the chances of them using anything they learn at a meeting to harass other members are even lower. The chances of lots of them being on the web are 100%. We can only hope that's the greatest danger that folks have been exposed to. -- Mike B. -- There is no substitute for incomprehensible good luck.