Date:       Mon, 11 May 92 16:36:17 EST
Errors-To:  Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From:       Computer Privacy Digest Moderator  <comp-privacy@PICA.ARMY.MIL>
To:         Comp-privacy@PICA.ARMY.MIL
Subject:    Computer Privacy Digest V1#020

Computer Privacy Digest Mon, 11 May 92              Volume 1 : Issue: 020

Today's Topics:				Moderator: Dennis G. Rears

                            Re:  TRW Reports
          Re:  E-mail privacy should be independent of carrier.
          Re: E-mail privacy should be independent of carrier.
                          Re: is email private?
                Re: Personal Info. Privacy and companies
                          Re: Cordless Phones
                          Re:  Cordless phones
                          Re: Cordless Phones
                          Re: Cordless phones

     The Computer Privacy Digest is a forum for discussion on the
   effect of technology on privacy.  The digest is moderated and
   gatewayed into the USENET newsgroup comp.society.privacy
   (Moderated).  Submissions should be sent to
   comp-privacy@pica.army.mil and administrative requests to
   comp-privacy-request@pica.army.mil.
       Back issues are available via anonymous ftp on ftp.pica.army.mil
  [129.139.160.200].
----------------------------------------------------------------------

From: James Davies <jrbd@craycos.com>
Subject: Re:  TRW Reports
Date: Sun, 10 May 92 04:42:06 GMT
Apparently-To: <comp-society-privacy@uunet.uu.net>

In article <comp-privacy1.17.3@pica.army.mil> zimmer@gw.wmich.edu writes:
>
>Montgomery Wards, when successfully soliciting business over the phone 
>with you, does ask for private information you've previously supplied 
>them to verify you are who they think you are.

It's been my experience that most organizations use the same piece of
"private information" for verification -- your mother's maiden name.
This is about as secure as using your social security number in some sense,
in that someone who cared could easily find it out with a little research.

AT&T asked for this when I called their Universal Card 800 number with 
a change request last week.  I've been tempted to make up a different
"mother's maiden name" for each organization that asks (including, in the
past, various utility companies and banks), but I worry that I'll forget it
and they won't have any way of resetting my "password" (after all, your
mother's maiden name isn't supposed to change, right?).

------------------------------

Date:     Sun, 10 May 92 21:10:45 EDT
From:     Brinton Cooper <abc@brl.mil>
cc:       Bob Weiner <rsw@cs.brown.edu>
Subject:  Re:  E-mail privacy should be independent of carrier.


Bob Weiner <rsw@cs.brown.edu> writes, in response to my posting on
whether one has an expectation of privacy in e-mail:


> The ignorance that yields this kind of widespread corporate view on
> information privacy comes from a biased analysis that asks only "What
> can we do with this technology?" not "What should we do, given what we
> know we can do?"

The poster's question was whether there IS an expectation of privacy,
not whether there SHOULD BE.  I addressed this question and did not
state my position on its correctness.  I believe that, taken to the
presently-constituted Supreme Court, the "corporate view" would
prevail.   (Incidentally, I do not hold corporate views.  I have no
connection with any corporations.)

> No such right has been widely recognized in our electronic mediums
> such as e-mail within a private network, even though it should be easy
> to recognize the direct parallels to both paper mail and telephony.  A
> call that goes from one extension of a PBX to another of its
> extensions never passes through any "common carrier" network, yet I am
> fairly certain, it is protected in the same way, because we recognize
> that there is more to the issue at stake than just the status of the
> carrier that transfers the signals.

We may recognize it, but the  machines' owners may not.  In any case,
the machines' owners can, in fact, get access to any file on the
machine.  Do you expect an employee to obtain a federal court injunction
denying a machine's owners access?

> So answers to issues of privacy that we can socially tolerate are not
> to be found in asking questions such as "whose equipment was involved"
> but only in "who were the conversants," "what was the conversation
> on," "in what capacity was the conversation held," etc.

I rather like the concept embodied in the last three "questions," but I
believe that, in the present climate, they represent only wishful
thinking.  

_Brint


------------------------------

From: Steve Barber <cmcl2!panix.com!sbarber@uunet.uu.net>
Subject: Re: E-mail privacy should be independent of carrier.
Date: Mon, 11 May 1992 01:35:10 GMT

In <comp-privacy1.17.1@pica.army.mil> rsw@cs.brown.edu (Bob Weiner) writes:

>No such right has been widely recognized in our electronic mediums
>such as e-mail within a private network, even though it should be easy
>to recognize the direct parallels to both paper mail and telephony.  A
>call that goes from one extension of a PBX to another of its
>extensions never passes through any "common carrier" network, yet I am
>fairly certain, it is protected in the same way, because we recognize
>that there is more to the issue at stake than just the status of the
>carrier that transfers the signals.

While I agree that "personal" communications made from the place of business
ought to be private, when made by telephone they just aren't.  Courts have
ruled that companies may listen into employee phone calls, since, after all
the company owns the PBX.  Sigh.  Privacy activists (and workplace rights
activists like 9to5) are busting their guts just to get companies to
even *notify* employees about surveillance policies.  Getting them to 
stop monitoring is a long way off.  Solution?  Get a cellular phone and
take it to work.  Get one with a modem and jack into the internet via a
public access host that ensures your privacy by contract or statute (i.e.
the ECPA of 1986), from your own laptop.  Ridiculous?  Sure.

-- 
Steve Barber                                             sbarber@panix.com
"The direct deed is the most meaningful reflection." - Bill Evans
The above is not a legal advice. It is, at best, a discussion of
generalities. Consult your attorney before acting in a specific situation.


------------------------------

Date:      Mon, 11 May 1992 10:13:01 EDT
From:      Stacy Veeder <SBVEEDER%SUVM.bitnet@cunyvm.cuny.edu>
Subject:   Re: is email private?

Some electronic mail is covered by the Electronic Communications
Privacy Act of 1986 (ECPA).  Specifically, 18 USC 2701 states:

    (a)  Offense.-- Except as provided in subsection (c) of this
    section whoever--
         (1)  intentionally accesses without authorization
         a facility through which an electronic communication
         service is provided; or
         (2)  intentionally exceeds an authorization to access
         that facility;
    and thereby obtains, alters, or prevents authorized access
    to a wire or electronic communication while it is in electronic
    storage in such system shall be punished as provided in subsection
    (b) of this section.

    [subsection b (punishment) omitted here--sbv]

    (c) Exceptions.--Subsection (a) of this section does not apply
    with respect to conduct authorized--
         (1) by the person or entity providing a wire or electronic
         communications service;
         (2) by a user of that service with respect to a communication
         of or intended for that user; or
         (3) in section 2703, 2704 or 2518 of this title.

Section 2703 discusses requirements for governmental access, section 2704
provides for back-up preservation, and section 2518 describes the procedure
necessary for obtaining a warrant to intercept electronic communications.

Earlier sections of 18 USC provide similar protections for the interception
of electronic communications while they are in transmission.  What all this
means is that a nosy user is prohibited from reading another user's mail,
but system owners, administrators and operators, properly authorized law-
enforcement officials, etc., may carry out their duties unimpeded by this
statute.

The law also distinguishes between public and private networks.  In other
words, mail sent by one MCI Mail/GEnie/etc. user to another on the system
is protected to a much greater extent than mail sent by one user to another
on a private (e.g., corporate in-house) network.  So, if you work for
Company X and send mail to a colleague within the same company through
your employer's system, you have no federal guarantee of privacy.

BUT- there are two buts here, actually...  The first is that the ECPA
is a _minimum standard_.  There exist approximately 200 _state_ statutes
that carry privacy protections much further than the federal minimum.
One of these states is California, where even the state constitution
explicitly guarantees certain kinds of privacy.  Roughly half a dozen
lawsuits are currently pending, mostly in California, under these
state statutes, and these cases introduce the second "but."

The ECPA does not explicitly address situations in which electronic
communications that are carried over public networks originate on or are
sent to private networks.  Alana Shoars, who is suing Epson in the first
test case of this kind of situation, was fired for mail she sent from
her Epson computer (private) through a gateway to MCI Mail (public).
(The lower court has dismissed the case on the grounds that the state
statute she cited does not cover electronic mail, but she is appealing.)
This class-action suit is remarkable only because it is the first.
Other suits (mostly not class-action), none of which have yet been
heard, as far as I know, describe similar circumstances.  The outcome
of these lawsuits will create the first case law on the subject.

Stacy B. Veeder
Bitnet:   SBVEEDER@SUVM.BITNET
Internet: sbveeder@suvm.acs.syr.edu

DISCLAIMER:  I may be married to a lawyer, but that doesn't make me one.
             I'm just a layman, not an attorney, and views expressed here
             should be regarded as legally useless.

------------------------------

From: Jacob DeGlopper <jrd5@po.cwru.edu>
Subject: Re: Personal Info. Privacy and companies
Date: Mon, 11 May 92 15:22:39 GMT
Apparently-To: comp-society-privacy@uunet.uu.net


In a previous article, newhaven@leland.stanford.edu (Eric Sword) says:

>For both my personal interest, and as assistance for a presentation I am giving
>next week, I would be interested in hearing from people (specifically,
>companies that deal in large scale information transfer for profit) of the
>benefits to having so much information about an individual be public knowledge.
>
>For example, having your medical history encoded on your drivers license
>to assist paramedics in case you are in a car wreck.

A few thoughts on this... It's not a bad idea.  I don't routinely go 
digging through my patients' wallets, however.  Although it might be
justified, it leaves me open to yet another avenue of attack -- "they 
stole my money!"  If there's a need to look in someone's wallet, usually
the call is such that we have police on the scene as well, and I'll let
them do it.  

Currently, we have Medic Alert bracelets which can include a reference
to a wallet card.  Again, I don't like digging around to try to find
that particular card.  The bracelet can hold enough information to give
you an idea of what the patient's significant previous medical history
has been.  

Inside a house, there's a program known as Vial of Life.  (Usually) 
elderly patients will have a form filled out by their doctor with a
history, current meds, and any comments in a vial in the freezer. 
It's easier to look in someone's freezer than wallet, and there's a sticker
which goes on the outside of the freezer to indicate that there is a
vial inside.  I've used them a few times, although it's never made
a life or death difference.

-- 

           Jacob DeGlopper, EMT-A, Wheaton Volunteer Rescue Squad
            -- CWRU Biomedical Engineering - jrd5@po.cwru.edu -- 

------------------------------

From: Ted Lemon <lupine!mellon@uunet.uu.net>
Subject: Re: Cordless Phones
Date: 11 May 92 17:14:58 GMT



>And even if you can [receive signals from a telco microwave], aren't
>those signals multiplexed in some fashion to make better use of the
>available bandwidth? Someone correct me if this impression is
>incorrect.

They're completely digital.  The transmission standard is well
documented and you can get it - if you were willing to spend a lot of
money (perhaps ~$1 million for the first unit, and $20k thereafter),
you could intercept such transmissions.   This means that you and I
really can't decode the signals, but Uncle Sam wouldn't have any
trouble at all.

In the future, it will probably be possible to decode microwave
transmissions even more cheaply, because more and more flexible
equipment is becoming cheaper and cheaper - you can now buy a card for
your IBM PC that's capable of talking to a Switch over a T1 connection
as if it were also a Switch; decoding microwave transmissions is
harder, but not that much harder.

			       _MelloN_

------------------------------

From: "Ehud Gavron 602-570-2000 x. 2546" <sunquest!spades.aces.com!gavron@uunet.uu.net>
Subject: Re:  Cordless phones
Date: 11 May 92 17:17:00 GMT
Reply-To: sunquest!Diamonds.ACES.COM!gavron@uunet.uu.net


In article <comp-privacy1.15.3@pica.army.mil>, alaric@smurfsti.com 
(Phil Stracchino) writes...
#To give an analogy:
# 
#He who glances out of his window one night and happens, by chance, to
#observe the attractive young woman who lives in the building opposite
#in the process of undressing, is merely fortunate.
# 
#He who buys a telescope and scans the windows of the building opposite
#in the hope of observing some attractive young woman undressing, is a
#Peeping Tom.
# 
#'Nuff said?

	No, and not by a long shot.  He who puts a telescope within
	the confines of his property, who through looking out the
	glass of a closed window is able to spy an attractive young
	woman undressing (or a drug deal, or the neighbor's TV, or
	the neighbor beating his kids) is merely exercising his right
	to keep his eyes open, augmented or not.

#-- 
# The Renaissance Man  |  "Pack your bags full of guns and ammunition
#   Alaric of Dare     |   Bill's come due for the Industrial Revolution
#   alaric@sti.com     |   Scorch the Earth 'till the Earth surrenders...."
#   phils@sti.com      |			--	Midnight Oil

	Ehud

--
Ehud Gavron        (EG76)     
gavron@vesta.sunquest.com
This ASEXUAL PIG really BOILS my BLOOD...  He's so..so.....URGENT!!

------------------------------

From: Ted Lemon <lupine!mellon@uunet.uu.net>
Subject: Re: Cordless Phones
Date: 11 May 92 17:32:29 GMT



>The only legitimate use of privacy is to protect secure information
>that can be used by competitors to gain a market advantage.  Other
>than that, the only reason for privacy is to protect something that
>someone has to hide from the government or insurance companies.

Hm.   I think you've missed an entire wide range of reasons to protect
privacy.   Privacy is a good way to protect yourself from the tyranny
of the majority if you are in the minority.

For example, gay couples in states where homosexuality is against the
law must use their right to privacy to protect themselves - if the
police could legally tap their phone to find out when they were
planning on having a romantic evening, then they would have probable
cause to step in and make an arrest.

Religion is another good reason for one to protect one's privacy.
There are countless communities in the U.S. where, regardless of
actual constitutional law, the fact that you are a Jew or an atheist
(or, heaven forfend, a Pagan), can wind up costing you your ability to
function in the community, and sometimes your job or even your life.

Privacy *is* important.  While it's impossible to prevent Joe Random
Loser from listening in on your cellular phone conversations,
establishing the legal precedent that such listening is an illegal
invasion of privacy means that if the information obtained in that way
is openly used against you, you have grounds for both a lawsuit and
for the dismissal of any charges that may be made against you.  If
there is no such precedent, then there are no grounds for either a
civil suit or the dismissal of any resulting charges.  Laws don't
always have to be generally enforceable to be useful.

			       _MelloN_

------------------------------

From: Mike Percy <grimlok@hubcap.clemson.edu>
Subject: Re: Cordless phones
Date: Mon, 11 May 1992 17:33:27 GMT
Apparently-To: comp-society-privacy@uunet.uu.net

fitz@wang.com (Tom Fitzgerald) writes:

>alaric@smurfsti.com (Phil Stracchino) writes:

>> I've watched with amazement as this particular debate has gone back and
>> forth, and frankly I can only say that this argument is totally fatuous.
>> Merely the fact that someone is using a cordless phone and unintentionally
>> broadcasting their conversation does not _compel_ anyone with the capability
>> to listen in to do so.
>Of course it doesn't compel.  But it doesn't prohibit, either.  Or are
>you using the argument that "everything not mandatory is forbidden?"
>> He who buys a telescope and scans the windows of the building opposite
>> in the hope of observing some attractive young woman undressing, is a
>> Peeping Tom.
>Peeping-Tomism is _unethical_.  And listening in on someone else's cordless
>phone conversation is tacky by any standard.  But it is and will remain
>legal, because the invasion of privacy necessary to detect and prove
>listening is far worse than the invasion of privacy caused by the listening
>itself.  Since the EM waves caused by your conversation pass through the
>inside of your neighbors' houses, and can be received without you being
>able to detect it, the only way to prove that your neighbors aren't
>listening in is to search their houses for receivers.  A law against
>listening would give us a solution worse than the crime, to the limited
>extent that it's enforceable at all.

But - if the federal gvt decides that those EM waves are "owned" by
private corporations, then you can and will be arrested for trying to
receive them.  Veering from cordless phones somewhat...

A federal seizure operation was run in South Carolina (probably other
areas too) last year.  Busted were dealers and owners of "illegal"
satellite TV receivers/decoders.  I maintain that satellite TV
broadcasters (HBO, etc.) who want to earn money off their broadcasts
(using what should be considered a public resource - the EM spectrum and
basic physics) then the onus should be on _them_ to protect their
investments.  I see two ways for them to do this:
1) provide enough goodies in a subscription that people would rather pay
than "steal" (assumes a decent price too);
2) use adequate encryption techniques that render it much more difficult
to "steal" signals than it currently is.

Currently they rely on encoding that is so simple to break (as evidenced
by the huge number of "pirates") that it cannot be viably called
encryption.  Since this method is bound to fail, a backup plan is to use
the might of the federal gvt to hassle its citizens. 

I can understand a need for some sort of regulation (not necessarily by
the gvt!) for broadcasting rights.  But passive reception of EM signals
should always be permitted, and once received, a person should be able
to use them in any way he/she chooses.

[I don't have a satellite dish.]

Mike Percy             | grimlok@hubcap.clemson.edu  | I don't know about
Sr. Systems Analyst    | mspercy@clemson.clemson.edu | your brain, but mine
Info. Sys. Development | mspercy@clemson.BITNET      | is really...bossy.
Clemson University     | (803) 656-3780              | (Laurie Anderson)
>---
>Tom Fitzgerald   Wang Labs        fitz@wang.com
>1-508-967-5278   Lowell MA, USA   ...!uunet!wang!fitz

------------------------------


End of Computer Privacy Digest V1 #020
******************************