Date:       Mon, 08 Jun 92 12:43:15 EST
Errors-To:  Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From:       Computer Privacy Digest Moderator  <comp-privacy@PICA.ARMY.MIL>
To:         Comp-privacy@PICA.ARMY.MIL
Subject:    Computer Privacy Digest V1#044

Computer Privacy Digest Mon, 08 Jun 92              Volume 1 : Issue: 044

Today's Topics:				Moderator: Dennis G. Rears

                          Re: SSN's and blood
       Re: How to defeat call block (and how to guard against it)
                          My view on Caller ID
             Can I lose the rights to my name and address?
                   Privacy and Telco Microwave links
                  Re: Privacy in video rental records?
                          Computer Entrapment
                 is there a FAQ file for comp-privacy?
                          Re: SSN's and blood

     The Computer Privacy Digest is a forum for discussion on the
   effect of technology on privacy.  The digest is moderated and
   gatewayed into the USENET newsgroup comp.society.privacy
   (Moderated).  Submissions should be sent to
   comp-privacy@pica.army.mil and administrative requests to
   comp-privacy-request@pica.army.mil.
       Back issues are available via anonymous ftp on ftp.pica.army.mil
  [129.139.160.200].
----------------------------------------------------------------------

From: Khan <tmkk@uiuc.edu>
Subject: Re: SSN's and blood
Date: Fri, 5 Jun 1992 19:41:19 GMT


In article <comp-privacy1.42.1@pica.army.mil> stevef@wrq.com (Steve Forrette) writes:
>In article <comp-privacy1.32.6@pica.army.mil> johnl@iecc.cambridge.ma.us (John R. Levine) writes:
>>>The local red cross wanted my ssn when I gave blood.  They got really
>>>ugly when I refused.
>>
>>The people at the Red Cross can be remarkably dense, particularly
>>considering that all their blood comes from unpaid volunteers.  I donate both
>>here in Boston and at my beach house near Philadelphia.  Both wanted my SSN.
>
>In California, there is a statewide database of people who should be 
>excluded from donating blood for any reason.  It is of course useful these
>days for donors with AIDS, but the database predates the AIDS epidemic.

Seems pretty silly to me. Not only is it a misuse of the SSN, but suppose
AIDS Mary, who got infected and is now bitter and wants revenge on the
world, decides to give blood in the hope of infecting others. She
gives blood once, they test it, find out it has AIDS. Her SSN is added
to the list. She gives blood again, only this time they refuse since her
SSN is on the list. She catches on quickly, and gives a fake SSN the
next time. They accept her blood. I sure hope they test each and every
donation, since she has easily circumvented the system. And since they have
to test each and every donated pint *anyway*, what's the point in keeping
the stupid database?

The earlier posters both neglected to report whether or not the red
cross actually GOT their SSNs out of them. It seems likely, however,
that the RC could easily get by without misusing the SSN.


------------------------------

Date: Fri,  5 Jun 92 17:27:47 CDT
From: Alan L Varney <varney@ihlpf.att.com>
Subject: Re: How to defeat call block (and how to guard against it)

In article <1992Jun1.104006.1194@drycas.club.cc.cmu.edu> perry@drycas.club.cc.cmu.edu writes:
>How to defeat call block for those who have caller ID.
>
>I have used this several times, so this method is based on fact, and works
>in Baltimore, Maryland.  I post this so that people who use call block will
>be aware of this 'loophole'.
   ......
>3) Hang up and wait for call back.  This should not be very long since the
>person who answered the phone in step 3 will hang up after nobody is there.
>
>4) Phone rings, and the 'blocked number' appears  unblocked.

    I'm not saying you are wrong, you understand.  But *69 calls are
from your phone to the other person's phone.  If Caller-ID shows up on
the "ring-back" to you (just before the call is made to the other party),
that must be an unusual implementation.  And your number will be
sent to the *69-ed party, who can use the same mechanism (if it works)
on you....

>        I have an AT&T cheap generic cordless phone, 1 channel, no digital
>coding, no security measures.  If I drive around a neighborhood with the
>handset on, listening to the static, all of a sudden I'll get a dialtone.
>This works best in apartments.  Moral of the story:  Keep the handset on the
>base unit.  I also discovered this by accident when I had the handset in
>my jacket and drove over to my friend's house.  I felt the handset in my pocket
>and decided to try it.  His neighbor's house had a cordless too..

>Baby Monitors have tremendous range.  A good bearcat scanner will pick up
>a clear signal blocks away.  Most people run these 24 hours.  Very unwise.

>Anyone who has tried to listen to Cellular phone calls knows that you need
>two receivers to understand the call, since send and receive are on separate
>channels.

    It's not surprising you make so many "accidental" discoveries:
you seem to be pushing the limits of "good behavior" in each of these
areas.  How many people drive around with cordless handsets without
really planning on a little "trial" here and there?  And are "bearcat"s
something the average person uses to scan "baby monitor" (and cordless)
frequencies?  And cellular -- now you're on the illegal side, somewhat, no?
Are you sure these are all "accidents"?

Al Varney - just my opinion

------------------------------

Subject: My view on Caller ID
From:	Art Hunter <art@aficom.ocunix.on.ca>
Date:	Sat, 6 Jun 1992 04:42:10 -0400

| Oh well, if they implement that system in Alberta I guess that my answering
| machine will be taking a lot more of my calls for me.  (As it is with the
| only partially complete net up here I get more than enough Unknown Number
| signals than I like, but surprisingly few people have paid the $0.75 to get
| 411 to call me anonymously... So I don't think the MAJORITY of the people want
| this service destroyed....  As free call blocking would do.

   The CRTC has made a decision to permit free call blocking in Canada. 
However, there is a catch.  You must dial a prefix in front of every 
call that is made and the service is not automatic.  You must ask for 
it first.  Further, the called party knows that Call Blocking has been 
turned on and can take the appropriate action by blocking the blocker 
<electronic termination of the call>.  

  Call Blocking is not implemented here in Ottawa yet but it will be 
soon.  I will certainly be blocking the blockers as I presently do with 
those pesky telemarketers and a few others that I have no desire to 
talk to.  I presently have a database of 1300 callers (all identified 
by name) of which 30 are terminated as soon as CallerID tells the 
computer who they are.  The log of all this activity is very 
interesting to see when those that have been locked out try several 
times prior to getting the message.


------------------------------

From: "Daniel P. B. Smith" <dpbsmith@world.std.com>
Subject: Can I lose the rights to my name and address?
Date: Sat, 6 Jun 1992 18:09:42 GMT

The IBM PS/2 model 35SX and 40SX my company recently bought
come with the usual "you-don't-really-have-to-send-this-in-
but-let's-make-you-think-it-has-something-to-do-with-your
warranty-card."  Specifically it is a Customer Response
Form, number 80X1040.  

It asks where the machine was purchased, type, serial number,
how I would rate my satisfaction, did the seller set up and
test the system, what was my role in purchasing the system,
how much education I've had, and my name, address, and phone.

Now here's the interesting part.  It says:

"IBM may use and distribute any of the information you supply
in any way it believes appropriate without incurring any
obligation whatsoever.  You may, of course, continue to use
the information you supply."

It's that last sentence that really has me going.  Are they
saying that when I mail in cards to LESS generous companies
I could be LOSING my right to use the information I supply --
such as my name and address?  Can I expect a friendly lawyer
letter from Black and Decker or Maytag offering to let me
continue to use my name for a very reasonable royalty?

--Daniel P. B. Smith
dpbsmith@world.std.com

------------------------------

From: Joe Pistritto <oracle!jpistrit@uunet.uu.net>
Subject: Privacy and Telco Microwave links
Date: Sun, 7 Jun 1992 00:23:14 GMT

Well, actually, although it's only a small subset of people who have the
ability to listen in on telco microwave links, it IS possible with relatively
common equipment if you happen to be in the right spot.  In particular, a
synthesized receiver and a home TVRO dish will work in the right place.
There are a couple of tricks involved, but I've actually seen this done with
all parts involved available from Radio Shack (TM).

As a matter of fact, the people who live in such places and own satellite
dishes tend to be annoyed about the high level of microwave interference, which
is quite visible in the received picture.  (A telco microwave link a mile
away has *A LOT* of power compared to the satellite in geosync orbit, you
don't have to be right on axis to receive the signals, which are in the
same band as used for downlinks of TV sats.  Also, a TVRO dish is a very
high gain (>60db) antenna.)

I suppose your neighbors would start wondering if your satellite dish was
always pointed at a nearby tall building though...

Digitally multiplexed circuits are another matter entirely, requiring much
more advanced equipment to decode.  But there's a lot of microwave analog
around these days.  One of the more interesting uses of analog microwave
is for relaying network TV signals around the country, and for feeding from
mobile vans to the tv station.
					-jcp-

--
Joseph C. Pistritto (jpistrit@oracle.com) +1 415 506 2866
"You may not be interested in strategy, but strategy is interested in You."
						-Trotsky

------------------------------

From: Steve Forrette <stevef@wrq.com>
Subject: Re: Privacy in video rental records?
Date: Sun, 7 Jun 1992 05:29:57 GMT

In article <comp-privacy1.43.3@pica.army.mil> john@zygot.ati.com (John Higdon) writes:
>And is it not amusing that the California DMV database is secure from
>absolutely no one except "the people"? Any collection agency, bank,
>governmental agency from the Toonerville PD on up, or marketing firm
>can look at your DMV file with more ease than you can. Indeed,
>many credit and check verifying companies have direct connections to
>the DMV computer. Some privacy!

This wonderful law was passed in response to that actress that was murdered
in LA a few years ago.  The killer got her home address from her DMV file. 
Of course, everyone was "outraged" as they always are for a few days after
these things, so the CA legislature passed the "quick fix" bill.  So, what did
they do?  Did they amend the public availability of the driver record access
to exclude home address, but still leave access to the driving record part of
it?  No, they made everything unaccessible, unless of course you're anyone
BUT Joe Public, as you point out.  

This "quick fix" reminds me of another recent example from CA.  Last year,
a taxicab driver was killed by a passenger, and it was thought that he would
have been able to get out of the car in time if it were not for his seat belt,
whose use is mandatory in California.  Within a couple of weeks, the seat belt
law was amended to exclude taxicab drivers.  It would be funny if it weren't
such a good example of our legislature at work.  :-(

Steve Forrette, stevef@wrq.com

------------------------------

Date:    Sun, 7 Jun 1992 12:38:26 GMT
From:    "Mark P. Neely" <NEELY_MP@darwin.ntu.edu.au>
Subject: Computer Entrapment

Computer underground Digest    Sun May 17, 1992   Volume 4 : Issue 22

                      The Defense of Entrapment
           As it Applies to Bulletin Board System Operators

By Randy B. Singer, Esq.

For now, it is unclear how the law applies to protect speech
communicated through electronic bulletin boards. There are hundreds,
maybe thousands, of enthusiast-run bulletin boards across the country
provided for the free use of the public to exchange ideas and publicly
distributable software. The system operators of these bulletin boards
are providing a wonderful public service, out of the goodness of their
hearts, usually for no monetary gain (in fact, often at a considerable
loss).  These sysops cannot afford to fall into a gray area of the law
and find themselves having to defend an expensive criminal suit or
having to do without their computer equipment because it has been
confiscated by the police as evidence.

Running a public bulletin board can expose a system operator (sysop)
to all sorts of legal problems that have yet to be adequately defined.
For instance: What happens if one user posts slanderous/libelous
information about another user? Is the sysop liable? Is a bulletin
board more like a newspaper in this regard or is it more like a
meeting hall?  What happens if a user uploads something clearly
illegal, like child pornography, which other users download before the
sysop has a chance to review the material? Is the sysop liable? What
is the liability of the sysop if he runs a bulletin board in his/her
back room and he/she almost never monitors the activity on it? Is the
sysop required to constantly monitor the goings-on on their board to
prevent illegal activity?

It is therefore understandable that sysops have tried to protect
themselves legally the best that they have known how. Unfortunately,
there has been a lot of misinformation spread about what the law is
and how it pertains to the community of bulletin board users and
operators.  Hopefully this text file will clear up one of the most
common legal misconceptions that is going around.

I have often seen posts that evidence a complete misunderstanding of
what constitutes the defense of entrapment. As an attorney I would
like to explain this law and its application, especially as it
pertains to electronic bulletin board operators.

Entrapment is a complete defense to a crime that a person has been
charged with. It varies in how it is interpreted in each state, and on
the federal level, but generally it is as I have defined it here.

Entrapment only exists when the crime involved is the creative product
of the police. (That is, the idea to commit this crime came from a
police officer, or an agent of the police. The alleged criminal never
would have thought of committing this crime if it hadn't been
suggested to him by the police, or if the means to commit the crime
had not been offered to the alleged criminal by the police.) AND the
accused was not otherwise predisposed to commit the crime involved.
(That is, the accused probably wouldn't have committed this or any
other similar crime if the police had never been involved.) BOTH
elements must exist for the defense of entrapment to apply.

For instance: When John DeLorean, owner of the (then about to fail)
DeLorean Motor Company, was arrested and tried for selling cocaine, he
was found not guilty by reason of the defense of entrapment because,
the jury determined, the police took advantage of the fact that his
failing company made him a desperate individual. The police sent in an
undercover officer to offer him a bag of cocaine to sell to raise
money to save his company. The entire idea for the crime came from the
police; they provided the instrumentality (the coke); and John
DeLorean probably would never in his life have sold drugs to anybody
if the police hadn't shown up to offer him the drugs to sell at the
exact right time.

The reason for the law is obvious: we don't want the police setting up
desperate people to get busted just because those people are
unfortunate enough to find themselves in desperate situations. In
fact, we don't want the cops to set up any law abiding citizens, even
if they are not desperate. Tempting people who would not ordinarily
commit a crime is not what we want police officers to do.

Now that you have the definition of entrapment, let's talk about what
entrapment is NOT. I've read a lot of posts from people on boards who
think that entrapment exists when a police officer goes undercover and
does not reveal his true identity when asked. This is NOT covered by
the defense of entrapment per se. The defense of entrapment does NOT
require a police officer to reveal himself when asked. Going
undercover is something that the police do all the time, and there is
nothing that prohibits them from doing so.

If you are predisposed to commit a crime (e.g., you are already
engaged in illegal activity before an undercover police officer comes
on the scene), and an undercover police officer simply gathers
evidence to convict you, the defense of entrapment does not apply.

So, for instance, if an undercover police officer logs onto a bulletin
board and lies and says that he/she is not a police officer when
asked, and he/she finds illegal material or goings-on on this bulletin
board, then whatever he/she collects and produces against the system
operator as evidence towards a criminal conviction is not precluded
from being used against the sysop in court. At least it is not
excluded by the defense of entrapment, because in this instance the
defense of entrapment does not apply. The police officer is allowed to
act undercover, and the illegal acts were not the creative product of
the police.

Also remember that the defense of entrapment is a COMPLETE defense.
So it does not act to exclude evidence, but rather it acts towards one
of three things: having a grand jury find that there is not sufficient
evidence that a conviction could be obtained to proceed to a criminal
trial against the sysop; having the case dismissed before trial; or a
finding of 'not guilty' after a criminal trial.

The defense of entrapment also doesn't necessarily apply if the police
officer simply asks the system operator to do something illegal and he
does it. In this case the district attorney would argue that the sysop
was predisposed to commit the illegal act, especially if the illegal
act was already going on in one form or another on the board. For
instance, if the police officer asks the sysop to download to him some
commercial software, the defense of entrapment will not apply if there
is already commercial software available in the files section of the
bulletin board.

What would probably be required for the defense of entrapment to apply
would be for the police officer to have enticed or misled the system
operator into doing the illegal act, and it would have had to have
been an illegal act that wasn't already going on on this bulletin
board. This MAY allow the use of the defense of entrapment. I say
"may" because it depends on the facts in each individual situation to
see how closely they meet the requirements for the defense of
entrapment to apply. You may surmise from my reticence to commit to
saying that the defense of entrapment definitely WOULD apply that the
defense of entrapment is not a defense that I recommend that you rely
on.

I've seen some bulletin boards say something to this effect in their
logon screen: "Access restricted. Police officers must identify
themselves, and are forbidden from gaining entry to this bulletin
board." This type of message not only does not protect a bulletin
board from the police (assuming that there is something that might be
interpreted as illegal going on on this board), but it actually alerts
any police officer who may casually log on to this board to
immediately suspect the worst about this board and its system
operator. There is nothing that I know of that would keep an agent of
the police from lying about his/her status and logging on as a new
user and gathering evidence to use against the sysop.  In fact, I'm
not sure, but I would not be surprised to find in the current legal
climate that such a logon message is enough evidence to get a search
warrant to seize the computer equipment of the system operator of this
bulletin board to search for evidence of illegal activity!

At some future date I hope to write a file that will detail how sysops
can protect themselves from legal liability. (That is, by avoiding
participating in arguably illegal activity, and by avoiding liability
for the uncontrollable illegal acts of others. I have no interest in
telling sysops how to engage in illegal acts and not get caught.) But
for now, I hope that this file will give sysops a better understanding
of the law and how one aspect of it applies to them.

Disclaimer:  The information provided in this document is not to be
considered legal advice that you can rely upon. This information is
provided solely for the purpose of making you aware of the issues and
should be utilized solely as a starting point to decide which issues
you must research to determine your particular legal status, exposure,
and requirements, and to help you to intelligently consult with an
attorney. No warranties, express or implied, are provided in
connection with the information provided in this document. This
document is provided as is, and the reader uses the information
provided here at their own risk.

(Sorry for the necessity of covering my behind! Just remember, you get
what you pay for, so I cannot guarantee anything I have written here.
If you want legal advice that you can take to the bank, you should
hire an attorney. Besides, just like everyone these days, we need the
work!)

About the Author:
Randy B. Singer is an attorney in the San Francisco bay area. He does
business law, personal injury, computer law, and Macintosh consulting. He
also gives seminars at the Apple offices in downtown San Francisco for
attorneys and others who are interested in learning about the Macintosh
computer. He can be reached at 788-21st Avenue, San Francisco, CA 94121;
(415) 668-5445.

Copyright (C) 1992 Randy B. Singer. All rights reserved. This document
may be freely distributed as long as it is not for monetary gain or as
part of any package for sale. This work may not be modified in any way,
condensed, quoted, abstracted or incorporated into any other work, without
the author's express written permission.

This reprint taken from ST Report #8.19, used with permission

------------------------------

From: Edward Bertsch <eab@msc.edu>
Subject: is there a FAQ file for comp-privacy?
Date: Sun, 7 Jun 92 17:16:49 CDT

is there a FAQ file for this list?  Perhaps it should be sent out
every month?

if it doesn't exist, I can think of some things that should be
in it.

	current state of the laws regarding privacy/lack of on computers
		variations by city/county/state/country

	current state of the art, and law regarding encryption
		known ftp sites with source code/descriptions
		public key 'phone books'
		index of references on cryptosystems use/development

	current hot issues - legislation pending, dangerous implications
		of a new technology (cellular, when first introduced,
		would have been an excellent example)

	ways to subvert current methods of privacy invasion

-Ed

--

Edward A. Bertsch (eab@msc.edu)   Minnesota Supercomputer Center, Inc.
Operations/User Services          1200 Washington Avenue South
(612) 626-1888 work               Minneapolis, Minnesota  55415
(612) 645-0168 voice mail         [DISCLAIMER: MY OPINIONS; NOT MSCI'S]


------------------------------

Subject: Re: SSN's and blood
Date: 7 Jun 92 23:59:07 EDT (Sun)
From: "John R. Levine" <johnl@iecc.cambridge.ma.us>

[in response to my complaint about the Red Cross trying to pry an SSN out
of me when I donated]

>It would seem that with all the problems (many of them deadly) that having
>"bad" blood in the blood supply can cause, that there is a compelling public
>interest in maintaining such a database.

Perhaps, but as has been gone around a zillion times before, the SSN is a
rather poor ID, since there is no check digit, people have more than one,
some are used by many people deliberately or accidentally, etc.

If a malicious person wants to donate tainted blood, all he needs to do is
to give a fake SSN.  Their data base is completely ineffective against that.

Furthermore, if they are serious about their donor database the first
thing they might do is to let me use my Massachusetts Red Cross assigned
donor ID when I give blood in New Jersey.  Sheesh.

Regards,
John Levine, johnl@iecc.cambridge.ma.us, {spdcc|ima|world}!iecc!johnl

------------------------------


End of Computer Privacy Digest V1 #044
******************************