Date:       Fri, 04 Mar 94 09:00:25 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V4#038

Computer Privacy Digest Fri, 04 Mar 94              Volume 4 : Issue: 038

Today's Topics:			       Moderator: Leonard P. Levine

                       NTIA Proceeding on Privacy
                               Biometrics
                         We {Will} Find you...
                 Re: Computer databases of information
                             Databases etc.
                     Re: Privacy and Sexual Crimes
                RE: Unsolicited Advertising - A Proposal
                   Re: Electronic Banking - CheckFree
                         Re: Van Eck Radiation
        Re: FBI Digital Telephony Proposal and PCS mobile phones
   Re: EFFector Online 07.04 - FBI Digital Telephony Nightmare Recurs
                RE: Unsolicited Advertising - A Proposal

   The Computer Privacy Digest is a forum for discussion on the effect 
  of technology on privacy.  The digest is moderated and gatewayed into 
  the USENET newsgroup comp.society.privacy (Moderated).  Submissions 
  should be sent to comp-privacy@uwm.edu and administrative requests 
  to comp-privacy-request@uwm.edu.  Back issues are available via 
  anonymous ftp on ftp.cs.uwm.edu [129.89.9.18].  Login as "ftp" 
  with password "yourid@yoursite".  The archives are in the directory 
  "pub/comp-privacy".   Archives are also held at ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

From: "BETH GIVENS, 619-260-4806" <B_GIVENS@USDCSV.ACUSD.EDU> 
Date: Thu, 3 Mar 1994 17:44:57 -0800 (PST)
Subject: NTIA Proceeding on Privacy
Organization: Privacy Rights Clearinghouse 

3/3/94 Important NTIA proceeding on privacy.
Please post and otherwise distribute. Thanks.
=============================================

NTIA RELEASES NOTICE OF INQUIRY ON PRIVACY ISSUES

CONTACT:  Larry Williams  
(202) 482-1551
MARCH 1, 1994  

     The National Telecommunications and Information
Administration (NTIA) is undertaking a comprehensive review of
privacy issues relating to private sector use of
telecommunications-related personal information associated with
the National Information Infrastructure (NII).

     Public comment is requested on issues relevant to such a
review.  After analyzing the comments, NTIA will issue a report
and make recommendations as needed.

     The inquiry will focus on potential uses of personal
information generated by electronic communications, including
interactive multimedia, cable television and telephony.  NTIA is
studying the issues that arise when such telecommunications-
related information is used to create detailed dossiers about
individuals.  NTIA seeks to determine whether any overarching
privacy principles can be developed that would apply to all firms
in the telecommunications sector.  In addition, NTIA is
soliciting comment on other countries' actions to ensure the
privacy of information transmitted over telecommunications
networks, and to ascertain how any U.S. policies in this area
will affect the international arena.

     The Notice of Inquiry and Request for Comments appears
in Part IX of the February 11, 1994, Federal Register and is
also available on the NTIA Bulletin Board at (202) 482-1199. 
Set communications parameters to no parity, 8 data bits and 1
stop.  Go into the menu "Teleview-Public Notices and Comments."
File size is 48,514 bytes or about 18 pages of text. Internet 
users can telnet into the BBS at ntiabbs.ntia.doc.gov.

     Comments should be filed on or before March 30, 1994. 
NTIA is accepting comments in writing or posted electronically 
via its BBS. 

     If you have further questions, please contact Carol E.
Mattey or Lisa I. Leidig at the Office of Policy Analysis and
Development, NTIA, 202-482-1880.


------------------------------

From: Paul Robinson <PAUL@TDR.COM>
Date: Wed, 2 Mar 1994 22:42:24 -0500 (EST)
Subject: Biometrics
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA

'Biometrics' refers to the use of physical characteristics as 
identification.  Human beings use this in that when we see a friend, we 
identify them by face, size, hair color, etc.  Changes in Biometric data 
usually return an identification when positive ("Are you losing weight?", 
"Gee your hair looks terrific") while negative changes are usually 
not stated publicly ("I see he's getting married, but his bride-to-be 
looks somewhat plumper than before; perhaps they _had_ to...").

However, when someone else needs to identify you and doesn't know you, 
they usually have to rely on authentication.  Usual forms of 
authentication are various forms of paper, photographic/multimedia, 
and/or magnetic authentication issued by a government or trusted third-party.

With the increased sophistication of duplicating equipment, reliance on 
documentary authentication is becoming unreliable.  Witness the fact that 
anyone giving out a social security number is presumed to be the holder 
of that number.  When they aren't, the actual holder is usually 
chagrined to find out how much expense and damage they have to suffer 
to rectify the situation.

With this, various organizations are working on means of real-time automatic 
biometric identification of individuals.  The implications of this can be 
both good and bad.  As the actual article is rather complicated, I'll 
summarize it in a separate article here.

The danger to people is that if, for example, biometric photographic 
measurements are used, that real-time tracking of people could be done as 
the technology gets cheaper.  Further, you may never even know that 
you've been tracked unless and until something happens that it comes to 
your attention.


------------------------------

From: Paul Robinson <PAUL@TDR.COM>
Date: Wed, 2 Mar 1994 23:17:29 -0500 (EST)
Subject: We {Will} Find you...
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA

An article of the same name on the cover of the February 10, 1994 
{Washington Technology} magazine talks about a specialized use of 
biometric information (specific details unique to a person like size, 
etc.) to identify them.

The idea behind this is that in an airport, an infrared camera is mounted
near the arriving passengers section, taking pictures of every person who
is passing through the facility.  This captures the 'aura' or underlying
facial vascular system (pattern of blood vessels and such).  In 1/30 of
one second, it captures the data and forwards it via high-speed data lines
to an FBI database that has stored auras of the world's most-wanted
criminals and terrorists, then matches generate an order to nab a suspect,
supposedly producing "a piece of evidence that is as rock-solid as any
presented to a court." 

Currently, infrared cameras are being attached to desktop computers to 
create digitized thermograms of people's faces in 1/30 of a second.  The 
company that is working on this technology, Betac Corp, an Alexandria, VA 
government contractor, claims that the aura is unique for every single 
person.  The photos in the front of the article show two clearly 
different thermographic images that are claimed to be from identical twins.

The facial print does not change over time (and would allegedly require 
very deep plastic surgery to change it), retains the same basic patterns 
regardless of the person's health, and can be captured without the 
person's participation.  The technology will have to show it is a better 
choice than current biometric techniques such as retinagrams (eye 
photographs), voice prints and the digital fingerprint.

A Publicity-Shy Reston, VA company called Mikos holds the patent for 
certain technology uses of this concept.  Dave Evans of Betac who has 
obtained certain "non exclusive" rights in the technology claims that 
"thermograms are the only technology he has seen in his more than two 
decades of security work that meet the five major criteria of an ideal 
identification system:  They are unique for every individual, including 
identical twins; they identify individuals without their knowing 
participation; they perform IDs on the fly; they are invulnerable to 
counterfeiting or disguises; they remain reliable no matter the subject's 
health or age," the article said.  Only retinal photos are equivalent, 
but potential assassins aren't likely to cooperate in using them.

Right now it takes about 2-4K per thermograph, (it says '2-4K of computer 
memory' but I suspect they mean disk space) and that's not really a 
problem for a PC-Based system of 2000 or so people going to and from a 
building; it's another magnitude of hardware to handle millions of 
aircraft travelers in airports.  Also, infrared cameras are not cheap, in 
the $35,000 to $70,000 range, which, for the moment is likely to keep 
small law enforcement facilities from thermographing all persons arrested 
the way all persons arrested are routinely fingerprinted.  But we can 
expect the price to come down in the future.

The writer apparently had to agree with Evans not to raise privacy and 
security issues in the article, it says, since first they have to show 
the technology works.  But even it raised questions:

- The technology could be a powerful weapon in a "big brother" arsenal, 
  with cameras in front of many stores and street corners, scanning for
  criminals or anyone on the government's watch list?
- Does the government have the right to randomly photograph people for
  matching them against a criminal database?
- What guarantees do we have that thermographs are actually unique for
  every person, or that the system is foolproof?
- What is the potential for blackmail, with thermographs to prove people
  were in compromising places and positions?

There are also my own points:

- While this can be used to protect nuclear power plants against 
  infiltration by terrorists (as one example it gives), what is to stop it,
  for example, to be used to find (and silence or eliminate) critics and
  dissidents?  I wouldn't give China 30 seconds before it would use 
  something like this to capture critics such as the victims of Tiananmen 
  Square. 

- Long history indicates that better technology is not used to improve 
  capture of criminals who violate the lives and property of other private
  parties, it is used to go after whatever group the government opposes.
  That's why people who defend themselves with guns against armed
  criminals in places where gun controls are in effect, can expect to
  be treated harsher than the criminal would have been.  Existence of
  criminals supports the need for more police and more police-state laws;
  defending oneself against criminals shows the ineffectiveness of those
  laws.


------------------------------

From: rinewalt@GAMMA.IS.TCU.EDU
Date: Thu, 03 Mar 1994 11:27:14 -0600
Subject: Re: Computer databases of information

chiang@berdis.ecn.purdue.edu (Ray Lon Chiang) writes:
> 4) Federal Records
> ...
>    - Medical information in the MIB.

MIB is a commercial, not governmental, database.
Quoting from RISKS 10.63 (which was quoting from
the Christian Science Monitor):

    Perhaps one of the most mysterious consumer-reporting
    companies is MIB, formerly the Medical Information Bureau,
    in Brookline, Mass.  "It's a very difficult company to
    learn very much about," says Massachusetts state senator
    Lois Pines.  "They don't want people to know that they
    exist or what they do."

Dick Rinewalt       Computer Science Dept      Texas Christian Univ
rinewalt@gamma.is.tcu.edu                      817-921-7166


------------------------------

From: Paul Robinson <PAUL@TDR.COM>
Date: Fri, 4 Mar 1994 04:25:22 -0500 (EST)
Subject: Databases etc.
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA

chiang@berdis.ecn.purdue.edu (Ray Lon Chiang), writes:
> 4) Federal Records
> 
>    The government probably has the single largest combined database of
>    information on most individuals, law-abiding or otherwise.  :)  I
>    would expect that most of this information is distributed across
>    many departments.  I suppose some of the more obvious would be:
> 
>    - Criminal records with the FBI (in the NCIC).
>    - Tax records in the IRS.
>    - Medical information in the MIB.

To the best of my knowledge, the MIB (Medical Information Bureau) is a 
_private_ organization operated by the insurance industry, since they are 
the ones who query (and supply) its databases.  


------------------------------

From: mea@intgp1.att.com (Mark Anderson)
Date: Thu, 3 Mar 94 19:50 CST
Subject: Re: Privacy and Sexual Crimes

swayne@draper.com (A. Steven Wayne) writes:
      Chuck Weckesser <71233.677@CompuServe.COM> wrote: Should Rapist's
      And Pedophiles Be Forced To Register With The Authorities Every
      Time They Move Away?

    There are two issues here: the rights of the individual (who I
    assume to have been previously convicted) and the security of
    society.  [A. Steven Wayne chooses the security of society]

Your proposal scares me a little bit, not because you mention it here
in this mailing list, but because I think your attitude towards these types
of crimes reflects the norm of society.  It's now becoming acceptable
to sacrifice any kind of privacy or liberty if it prevents just one
child from being molested or one woman from being raped.  The nightly
TV tabloid^H^H^H^H^H^H^Hnews seems to create enough hysteria about this
crime that if there were a proposal to place electronic monitoring devices on these
people for the rest of their lives, there wouldn't be much objection.

For people convicted of these crimes, databases already exist that allow
interested parties access.  If you, as a concerned neighbor, investigated
every new neighbor coming into the neighborhood, you could find out
convicted rapists and molesters using the laws already on the books.  Having
these people report to the authorities after they've served their debt
to society can have dangerous side effects.  Personally, I'd also want to know
about the murderers, home burglars,  and drug dealers moving into my
neighborhood.  

The problem with child molestation is that it has gotten totally out of
hand.  People are being accused of this crime more and more based on
flimsier and flimsier evidence.  The recent Cardinal Bernardin case attests
to that fact.  Therefore, if people can be accused of this crime so
easily, convictions can also easily follow.  It's bad enough to go to
jail, lose your reputation, lose everything you worked for your whole life
based on false accusation.  To be forced to report to the "authorities"
everywhere you move for the rest of your life will basically also brand you
a second hand citizen.  You will have no way to ever rebuild your life.

Personally, I've chosen to stay away from all non-relative kids.  I had
been paying a 14 year old below minimum wages to do work around my building.
The same kind of work I used to do at 14.  My dad convinced me not to
have this kid around.  All he had to do is make up a story and his family
could take my building.  The risk isn't worth it anymore.  So much for
community service and being a role model.


------------------------------

From: jnc@ginger.lcs.mit.edu (Noel Chiappa)
Date: Fri, 4 Mar 94 09:33:05 -0500
Subject: RE: Unsolicited Advertising - A Proposal

    It's only junk mail if you have no interest in the material at all. ...
    Advertising is only "junk" if it's concerning things that you don't want.

I think there is a "signal/noise" ratio issue. Lists like the IETF list have a
definite purpose in mind, and once we start to allow non-IETF related traffic
on it, we could get a lot of traffic to it. If there's only one IETF related
message in 100, we'd lose a lot of people we need to have on. (I got off
TCP-IP because the S/N ratio fell too far.)

I don't *know* this will happen; advertisers seem to be working on technology
to be more selective, and there's no reason to think it won't be true on the
Internet too. However, I don't want to chance it, by allowing advertising on
the IETF list.

    This seems to imply that there is *no place at all* for advertising on the
    Internet. I think this statement in and of itself to be false on its face.

I don't think that those of us who don't like advertising posts are saying
this. We just object to "anything goes" rules, which would allow forums with a
general good, like the IETF list, to be effectively destroyed by people who
are out for individual return. Not that individual return is bad, mind you;
far from it! It's just there are times and places when it's appropriate, and
times and places when it's not.

    the question which needs to be asked is: what is the standard by which you
    say that 'this activity is wrong' but 'this activity isn't'? ... is ALL
    unsolicited E-Mail wrong?

We all know advertising when we see it. Just because it may be hard to exactly
define it ("unsolicited communications whose principal and immediate purpose
is to make money for the sender by spreading knowledge of their commercial
activity" isn't bad, but there are bugs with it) doesn't change that.

    But let's define under what circumstances it is and is not acceptable for
    someone to be sending out unsolicited mail to another person, before we
    exclude the class of 'advertisement.' What about advertisements posted to
    mailing lists or news groups?

I think it's up to each mailing-list/news-group. The IETF community has
repeatedly expressed the opinion that *no* advertising is acceptable on this
list.

    The problem may be in part that there is an "anti-commercial" bias with
    many of the people on the Internet, and with people in general.

Balderdash. I had a lot of fun, and made a lot of money, at Proteon, as have
many others on this list with similar stories. We aren't being hypocritical in
rejecting commercial activity in the IETF; we just recognize that there are
times and places for commercial activity, and the IETF isn't one of them.

    almost everything they own they obtained as a result of advertising
    telling them about it or raising a desire they were unaware of

Speak for yourself... most of the contents of this room, looking around, are
a result of deliberate searches for outlets (e.g. yellow pages, which are a
*very* different form of advertising from unsolicited personal communication),
or information gained from other sources.

    But (in the given example) we have a precisely targeted audience (bicycle
    enthusiasts) being targeted for something related to them.

So what, if that group of people has made clear that their community channel
is *not* to be used for advertising?

    While courts have given some leeway to banning the distribution of pure
    advertisements, an advertisement attached to an editorial becomes material
    protected under the 1st Amendment.

So what? Last time I looked, the 1st Amendment didn't allow you entry to
private clubs to post whatever ads (or editorials) you saw fit. Anyway, the
IETF list is not a solely US entity (although its current primary distributor
is in the US, but this could be changed), so please stop appealing to US law.

    the implied threat of having an organization whose charter is the
    examination of Criminal activities ...keeping lists of people because some
    other people don't like their messages

Clearly, the suggestion of involving the CERT was way off base.


------------------------------

From: kbass@sdesys1.hns.com (Ken Bass)
Date: Thu, 3 Mar 1994 20:35:15 GMT
Subject: Re: Electronic Banking - CheckFree
Organization: Hughes Network Systems, Inc.

Matthew Lyle (matt@ra.oc.com) wrote:
:     Hyatt_Edward_R@byu.edu writes: I have thought about using the
:     CheckFree service, but I am worried about the prospect of giving
:     them my SS#, bank account #, etc.  Can I trust their claim of
:
: They will set up the account without having your SS#.  Mine is set up
: with CheckFree that way.

But I don't want them to have my bank number either!!! ;)


------------------------------

From: wbe@psr.com (Winston Edmond)
Date: Thu, 3 Mar 1994 17:44:57 GMT
Subject: Re: Van Eck Radiation
Organization: Panther Software and Research

herronj@MAIL.FWS.GOV writes:
    Don't think that just because you have many computers that they
    wouldn't be able to pick out one from the crowd and monitor it.

I would expect, though, that a room full of the same model and brand
would pose more of a challenge.

    Normal keyboards, printers and monitors are the worst.  Imagine
    sitting a mile away and picking up every scan line that your
    monitor generates and reconstructing it.

Are LCD displays less radiative/monitorable than CRTs?


------------------------------

From: mckeever@cogsci.uwo.ca (Paul McKeever)
Date: 3 Mar 1994 00:28:29 GMT
Subject: Re: FBI Digital Telephony Proposal and PCS mobile phones
Organization: University of Western Ontario, London, Ont. Canada

In line with the discussion of tracking is the following addition
to the Canadian Criminal Code, introduced by Kim Campbell while
she was Justice Minister of the Federal Government:

     section 492.1(1) A justice who is satisfied by information
          on oath in writing that there are reasonable grounds
          to suspect that an offence under this or any other Act
          of Parliament has been or will be committed and that
          information that is relevant to the commission of
          that offence, including the whereabouts of any person,
          can be obtained through the use of a tracking device,
          may at any time issue a warrant authorizing a person
          named therein or a peace officer

               (a) to install, maintain and remove a tracking
                   device in or on any thing...         

          (unfortunately, I'm missing page 19 of Bill C-109, but
           you get the idea).

I find it sort of disturbing that the suspected offence need not
be criminal for someone's location to be tracked by a police
officer or anyone else to whom the warrant is awarded.

Not having page 19, I am unsure that the circumstances listed
under subsection (1) are the only ones which allow such a huge
violation of privacy.  For example, another addition to the 
Criminal Code that was introduced by Bill C-109:

     section 184.4: A peace officer may intercept, by means of any  
          electro-magnetic, acoustic, mechanical or other device,
          a private communication where

               (a) the peace officer *believes* [my emphasis] on 
                   reasonable grounds that the urgency of the
                   situation is such that an authorization could
                   not, with *reasonable* diligence, be obtained    
                   under any other provision of this Part;

               (b) the peace officer believes on reasonable grounds
                   that such an interception is immediately necessary
                   to prevent an unlawful act that would cause
                   serious harm to any person or to property; *and*

               (c) either the originator of the private communication
                   or the person intended by the originator to receive
                   it is the person who would perform the act that is 
                   *likely* to cause the harm or is the victim, or
                   intended victim of the harm.

     [in other words, if the "officer *believes*" that the situation
      is too urgent to wait for a warrant, he doesn't have to wait:
      he can just proceed with the wire tapping/privacy invasion].

If I get some time, I'll see if such a lax set of requirements is
all that need be met in order to track a person's location.  Either
way, it's interesting to note that this new legislation got little
or no press, and met with little, if any resistance from the public.
This may be, in part, because the changes re: easing restrictions
on wire taps were imbedded in a slew of other additions to the 
Canadian Criminal Code...a technique that U.S. privacy advocates
should keep an eye out for.

Just thought you all might be interested.


------------------------------

From: bernie@fantasyfarm.com
Date: Thu, 3 Mar 1994 23:49:39 GMT
Subject: Re: EFFector Online 07.04 - FBI Digital Telephony Nightmare Recurs
Organization: Fantasy Farm Fibers

[Note: I originally posted this to comp.org.eff.talk.  However, since
Prof Levine has reposted the EFF's commentary here,  I'm following with
a slightly edited form of my original comments on Stanton's posting.
I think the topic merits a more balanced discussion than it has received.]

[second note: I apologize for the extensive quotes from the original
post.  The problem is that this is *NOT* a freestanding essay on
the Digital Telephony proposal, but is _specifically_ a response
to the EFF statement on it.  As such, I had to include enough of
the EFF's original text to make clear to what I was responding and
also to ensure that I didn't give people the idea that I was trying
to divert the discussion by lifting things out of context....]

In article <2kj0gc$q12@eff.org>, Stanton McCandlish writes:

} Subject: Digital Telephony - FBI "Wiretap Bill" Resurrected
} -----------------------------------------------------------
} 
} The Clinton Administration is backing a proposal by law enforcement
} agencies that could make the entire communications infrastructure
} susceptible to surveillance. ...
}
} In short, the bill lays the groundwork for turning the National Information
} Infrastructure into a nation-wide surveillance system, to be used by law
} enforcement with few technical or legal safeguards.

Would you elaborate [as you did *NOT* in what followed [see below]] just
how the use of the term "turning ... into" is appropriate?

} Although the FBI suggests that the bill is primarily designed to maintain
} status quo wiretap capability in the face of technological changes, in
} fact, it seeks vast new surveillance and monitoring tools.  Among the new
} powers given to law enforcement are:
} 
} 1. Real-time access to transactional information creates the ability to
} monitor individuals "live".

Is this information not available now?   At best, it is only _difficult_
to collect now, and it, again, brings up the question of whether [and
to what extent] it is proper to call something that is in line with
the 4th amendment as being an intrusion.

=-=-=-=-=-=-=-=-=-=-=-=-=-=  Side comment =-=-=-=-=-=-=-=-=-=-=-=

This harks back to a common theme I see in many of the 'privacy'
advocacy postings that are frequent in many discussion groups [not
just clipper and digital telephony, but such things as consumer
information and other databases of private citizen information].
It seems to be that many folk are futilely attacking the
*messenger*, while they basically ignore the message.

The message, of course, is that some information about you is
just-plain-public-info and a LOT of other info about you is available
to LEOs when they get a warrant.  Putting your head in the sand and
feigning surprise when you learn of an aspect of one or the other
[and attacking the *specific*whatever*] is not either an effective
or scholarly strategy [what was that previous attack.. Lotus
marketplace?  Folks seemed to think it was a victory for privacy,
but of course it was only a victory for "ostriching".  The information
is still there, and anyone who wants it can easily get it... it is
just easier to _pretend_ that it isn't about having beaten Lotus
Marketplace down].

There are two substantive issues lurking behind statements like the
one EFF made here, and I'm very dismayed that EFF seems not
inclined to address either issue:
  1) The information: was that information *already* available to
     an LEO with a warrant?  That is, is the claim that what you
     have now is, at the *very*best* "security by obscurity" [in
     that the info might have been difficult to collect]?  If you
     think that information is *currently* inviolate, then I'd
     think that the advocates would be shouting LOUD AND CLEAR
     about the violation [since that'd be a *substantive* rock you
     can throw].  On the other hand, if that information is NOT
     particularly 'privileged' now, then I think you have the
     obligation to *make*a*case* for why that information _should_
     be dignified with being beyond the 4th amendment.
  2) The third-party: is it proper for the LEOs to mandate that
     a third-party manage information in such a way
     that it is *subject* to subpoena?

On (1), I confess that I think that most of the arguments posted
don't seem to have a leg to stand on.  I've been pushing [pretty
hard at times] to uncover the (1)-type issues, and in *EVERY* case
[so far] in the end it turned out that the answer was "No, that
info *would*be* subject to subpoena now...this is really *not* a
"new" intrusion".  I cannot say whether this is the case here [I
hope that an advocate of the EFF position can elaborate], but I
suspect the real point here is the "real time"... that is, what we
have now is security-by-obscurity in that the info is somewhat
tricky to collect, but the *info* **IS** available to LEOs, and
what is happening here is that it is being made easier to collect.

  [Footnote to comp.society.privacy readers: *no*one* from EFF
   stepped forward to provide any support to their implied position
   that the matter mentioned here is actually a new or precedent
   setting intrusion.  So I can only conclude that this, too, is
   another instance of "No, that info *would*be*... etc"]

(2) is the by-far more interesting issue.  You can phrase it in
various ways [depending on your political bias], but the sense will
usually be: "It is proper [legal?] for it to be a matter of *law*
that a third-party holding information about _you_ must do so in a
form that keeps it subject to surrender upon presentation of a
warrant."  Note that such third-parties are not bound by the 5th, and
so cannot use self-incrimination as a justification for non-compliance
with a warrant.

Note that there *are* some precedents in this area [if I understand the
law right]: various IRS and currency laws *require* that third-parties
*keep* records [and in fact, in many cases *require* that the information
be turned over to the gov't, directly].  The question is not the security
of the information, per se, but the obvious conclusion: there is NO
way to prevent any such information from being surrendered to a warrant.

=-=-=-=-=-=-=-= Back to the EFF's statement =-=-=-=-=-=-=-=-=-=-=

} The bill would require common carrier networks (telephone companies
} and anyone who plans to get into the telephone business, such as cable TV
} companies) to deliver, in real-time, "call setup information."  ...
} ... As we all come
} to use electronic communications for more and more purposes, however, this
} simple call setup information could also reveal what movies we've ordered,
} which online information services we've connected to, which political
} bulletin boards we've dialed, etc. ...

Nice-reading words aside, on what basis do you think this information should
be confidential? Isn't that information available NOW?   And moreover,
unlike merely-encrypting-your-phone [and/or email], there's *no* way to
prevent its disclosure, since as far as I know the third-party [in this
case, the telco] has no basis for denying a warrant.  Is there some
principle which I'm not privy to by which this information should be
immune from collection by warrant [or however it is collectable now]?
Again the key question: is this something *new*?

} ..  With increasing use of
} telecommunications, this simple transactional information reveals almost as
} much about our private lives as would be learned if someone literally
} followed us around on the street, watching our every move.

Isn't that last part legal, too?  And actually, I suspect this is
rather an exaggeration, at least for telecommunications.  More and
more, the telecommunications services we use are going to be
interconnected and so I suspect that over time, you'll get *LESS*
info from your phone record about these sorts of activities: the
only data bit you'll get is that I called my internet provider [or
my SLIP/PPP provider or whatever] for X hrs yesterday.  Where my IP
packets went, what services I used, in a real sense, what I was
_doing_ is all opaque to traffic analysis.

Of course, this'll bring us around to the question of whether your *IP*
provider can be compelled to disclose info about what you were doing.
I suspect the answer is an unequivocal "YES" [cf, The Cuckoo's Egg], and
so you have no protection _there_.

} We are all especially vulnerable to this kind of surveillance, because,
} unlike wiretapping the *content* of our communications, it is quite easy
} for law enforcement to get permission to obtain this transactional
} information.  Whereas courts scrutinize wiretap requests very carefully,
} authorizations for access to call setup information are routinely granted
} with no substantive review.

Ah, so your complaint doesn't have to do with the proposed legislation,
but is actually a complaint about the *current* state of affairs?
I suspected as much...  More ostriching, to my view...

} 2. Access to communication and signalling information for any mobile
} communication, regardless of location allows tracking of an individual's
} movements.

Is that information confidential/not available now?  And "allows
tracking" is cute: allows tracking ONLY if you use a cellular
phone.  And only grossly [unless I misunderstand the technology].
That is, they'll know which cell you're in, but not where you are
in the cell or what you're doing or anything else.  Moreover, it is
hard to believe that someone would broadcast that kind of
information willy-nilly and then act surprised that an LEO might
collect it with a warrant.

} The bill requires that carriers be able to deliver either the contents or
} transactional information associated with any subscriber, even if that
} person is moving around from place to place with a cellular or PCS phone.

Why is that unreasonable?   More precisely, what about that situation do you
find in violation of the 4th?

 
} It is conceivable that law enforcement could use the signalling information
} to identify that location of a target, whether that person is the subject
} of a wiretap order, or merely a subpoena for call setup information.

Straw man alert.  *what* is "conceivable"?

} This provision takes a major step beyond current law in that it allows for
} a tap and/or trace on a *person*, as opposed to mere surveillance of a
} telephone line.

First off, I was under the impression that one *could* "tap and/or
trace" a person.  Is it really illegal/unconstitutional for an LEO
[with a warrant] to follow you around and note what you do, who you
talk to, etc?  Maybe I've watched too many crime movies, but I thought
that kind of stuff was SOP police/investigator work.

Moreover, I note that you took a string of hypotheticals and
conditions, didn't actually justify, much, ANY step along the way.
And now have the audacity to state the end of this squishy logical
chain as a conclusion.  The leap from cell-by-cell [at best]
tracing of cellular phone calls to continuous point-by-point tracking
of a *person* is one that is pretty huge and so requires a LOT of
justification if the claim is to carry any weight whatever.

} 3. Expanded access to electronic communications services, such as the
} Internet, online information services, and BBSs.
} 
} The privacy of electronic communications services such as electronic mail
} is also put at grave risk.  Today, a court order is required under the
} Electronic Communications Privacy Act to obtain the contents of electronic
} mail, for example.  Those ECPA provisions would still apply for the
} contents of such messages, but the FBI bill suggests that common carriers
} might be responsible for delivering the addressing information associated
} with electronic mail and other electronic communications.

Are you admitting that ECPA is _silent_ on the matter of headers
and addressing information?  [much as it is different to observe
the address on an envelope you're mailing than it is to look at the
contents?]  That strikes me as a *longstanding* distinction in the
application of the 4th.  Is there some problem here?

} ...   For example, if
} a user connects to the Internet over local telephone lines, law enforcement
} might be able to demand from the telephone company information about where
} the user sent messages, and into which remote systems that user connects. 
} All of this information could be obtained by law enforcement without ever
} receiving a wiretap order.

Of course not: it is *NOT* a wiretap.  Sounds perfectly fair to me.
On what basis do you think that any of those players you mention has any
duty, obligation, prerogative, or right *NOT* to comply with a warrant for
that information?

Moreover, I think that in the time scale you're talking about, the model
is wrong.  Users are probably NOT going to be connecting to a huge number
of different systems, but it seems pretty obvious that the direction 
of things is to have a provider to the 'superhighway' and you go
where you will from there.  Which, again, brings us to the question of
whether network providers allow one to trace *network*packets*, and
I think the answer there is _yes_.

} Subject: What YOU Can Do
} ------------------------

} You've been following the newspapers and reading EFFector Online. 
} You know that today there are several battles being fought over the future
} of personal privacy.  The Clipper Chip, export restrictions, the Digital
} Telephony Proposal - the arguments are numerous and complex, but the
} principles are clear.  Who will decide how much privacy is "enough"?

Indeed, and the answer is "each person will".  *NO*ONE*ELSE* has any duty,
moral or legal, to protect _your_ privacy.  I can't see why folks have
such a hard time with that.  Nothing I've seen in the current round
of ongoing discussions seems to have shifted ANY balance of
'privacy' [other than Clipper which will unquestionably *IMPROVE*
your privacy]

} The Electronic Frontier Foundation believes that individuals should be
} able to ensure the privacy of their personal communications through any
} technological means they choose.

Yes!!!  And I note that *NOTHING* in the essay that came before that
statement had _any_ bearing on this matter.

} ...   However, the government's current
} restrictions on the export of encryption software have stifled the
} development and commercial availability of strong encryption in the U.S. 

Say again??  I thought that *export* meant "sending stuff out" not
bringing it in.  I was under the impression that in consumer
products [that *IS* what you're talking about, I assume, since
you're concerned about largish-scale economic matters] the US was
*king* and that by and large, if the US consumers want something
that is, by itself, a more than large enough market.  How does the
export restriction prevent US folks from obtaining what they want?

But I can't complain much here, since [as I mentioned in my
comments on the JPB article] this is a potentially substantive
criticism: *SHOULD* crypto stuff fall within the purview of ITAR?
How _should_ ITAR work in a post-cold-war world?  but on the other hand,
that's not really all that much of a domestic privacy matter.


------------------------------

From: "Tansin A. Darcos & Company" <0005066432@mcimail.com>
Date: Thu, 3 Mar 94 23:20 EST
Subject: RE: Unsolicited Advertising - A Proposal

From: Paul Robinson <TDARCOS@MCIMAIL.COM>
Organization: Tansin A. Darcos & Company, Silver Spring MD USA
---
Bob Raisch <raisch@internet.com>, writes to the IETF and
COM-PRIV lists, as follows: 

> Recently, there have been a number of incidents where
> individuals or organizations have posted commercial advertising
> to a broad range of mailing lists and individual electronic mail
> addresses. 

Err, Bob, If I hadn't seen *your company's announcement* of its
service, (which only appeared on the Internet), I wouldn't have
purchased the proxy domain service from your company. And I would
not have obtained a service I wanted, and your company would not
have made a sale.  Yet perhaps 99% of the people who saw the
message probably did not have an interest in it. 

> There is a marketing firm (J.S. McBride of Los Altos, CA) which
> is selling lists of electronic mail addresses which it has
> gathered from various online sources.  By collecting names and
> addresses of all those who have posted to Usenet in the
> rec.bicycles newsgroup, for example, this firm would then sell
> this direct marketing mail list to companies selling bicycling
> products. This places anyone who participates in the online
> community at risk. 

It's only junk mail if you have no interest in the material at
all. 

I used to have a PO Box in Washington DC (70970) that got
tremendous amounts of mail, most of it advertising.  The only
thing I considered "junk mail" was the stuff that was supposed to
go to the CIA, which had the PO Box above mine (70967), and that
the Post Office kept putting their mail in my box.  (In case
anyone cares to correct me, I know the technical name of the
holder of that box is the "National Photo Interpretation Center"
but they did get mail marked "US CIA" so I think that counts.) 

The advertising kept me aware of trends in the computer industry,
pricing, what is being sold, what is available.  A very intensive
education in what is offered by the marketplace.  For free. 

> "Myth: No Unsolicited Advertising -- Fact:  Unsolicited
> Advertising has been taking place on the Internet for quite
> some time, but you must proceed with caution" 

I think the point at which I knew that I had arrived on the
Internet was when I got my first "Junk Email" message, which was
an ad for something, I forget what.  The only reason I could have
gotten it is someone looked up my fidonet address in the WHOIS
directory, some three or four years ago. 

The only reason I subscribed to MCI Mail is that our company got
a "junk telex" from them regarding their telex service. 

Advertising is only "junk" if it's concerning things that you don't want.

In fact, some people would classify visits by the Jehovah's
Witnesses as in the same class as Junk Mail, but no one expects
they make a lot of money selling Awake and Watchtower. 

> And... "Unsolicited advertising (via email) is a gray area of
> Internet culture which requires very careful planning and
> execution to avoid the wrath of an extremely vocal community." 

>...(Personally, I find this sentiment to be very distasteful in that
> it suggests that it is acceptable to steal from the individual
> and from the community as long as you do not "get caught.") 

The tone of this implies that unsolicited mail sent to someone is
stealing from them.  Or that unsolicited advertisements are.  I
think these points are incorrect. 

This seems to imply that there is *no place at all* for
advertising on the Internet.  I think this statement in and of
itself to be false on its face.  Now, perhaps some people who are
on rec.bicycles might not want advertisements, some people would
be interested in *factual* information about bicycles, including
the advertiser's specifications and prices. 

Now maybe the point being that because one can duck messages in
newsgroups, while E-Mail has to be read to be noticed, the
question which needs to be asked is: what is the standard by
which you say that 'this activity is wrong' but 'this activity
isn't'? 

Let's look closer: is ALL unsolicited E-Mail wrong?  Well, first,
any time someone makes a public posting to a mailing list or news
group, they have to accept the fact that someone may send them a
personal response to their message, even if they have not asked
for one. 

Second, any "public figure" is bound to get some e-mail from
someone who might ask them a question.  Bill Gates of Microsoft
had his mailbox publicly postable by anyone on the Internet. 
He's been getting over 3,000 messages a week since a story about
this came out; as such, he may have to have someone read his
E-Mail for him. 

But let's define under what circumstances it is and is not
acceptable for someone to be sending out unsolicited mail to
another person, before we exclude the class of 'advertisement.' 
What about advertisements posted to mailing lists or news groups?
Ads that are clearly marked as such in the first 5 lines?  Ads
marked so in the Subject? 

> This behavior is considered by many to be unacceptable for two
> primary reasons. 
>
> --Many consider the sending of unsolicited advertising to be
> socially irresponsible and about as valuable to the public good
> as littering.  This, I believe is partly based on the history of
> direct marketing in the actual world and its failure to
> effectively target narrow demographic groups. 

The problem may be in part that there is an "anti-commercial"
bias with many of the people on the Internet, and with people in
general.  Neglecting the fact that almost everything they own
they obtained as a result of advertising telling them about it or
raising a desire they were unaware of, is something quickly
forgotten.  People seem to be unaware that supermarkets don't
fill themselves, it takes transport trucks, and an
infrastructure, and a demand for the product for it to show up. 

But (in the given example) we have a precisely targeted audience
(bicycle enthusiasts) being targeted for something related to
them. 

> --There is also the more measurable reason that any information
> one receives without request costs the recipient money -- both
> in terms of the time required to process and discard the
> information and in the actual cost of the reception itself. 

I have to wonder how many services people are subscribing to that
charge for information that don't cause people to "vote with
their feet" to another place.  MCI Mail doesn't charge to receive
internet mail.  I also use Digital Express which doesn't charge
for mail received, only for online time in excess of 6 hours a
day.  Your own Private Domain service doesn't cost me anything
for mail sent to domain TDR.COM. 

Sprintmail is one of the ridiculous providers and extremely
expensive, costing 10c per K sent or received, plus monthly
charges.  AT&T Mail has allegedly started charging 2c/K for
incoming Internet mail due to the volume involved. I think
charging for incoming mail is likely to be a relic of the past. 

> Any complete solution to this problem would need to be deployed
> ubiquitously and would require rather fundamental changes to the
> underlying mechanisms we use to send and receive email. Thus, I
> believe that a complete solution may not be easily attained -- at
> least, not until the deployment of IPng, which I believe
> represents a unique opportunity to "remake" many of the Internet
> services. 

I have been thinking about this too, from a different and yet
complementary angle.  I hereby propose the creation of several
new "non geographic" internet base level domain names.  The exact
3-letter combination need not be the same, but the idea should be
considered: 

  .SVC   - Explicit Commercial Services (not just commercial domains, but
           services which either operate over the Internet or use the 
           Internet as part of the service).  This is supposed to be the
           equivalent of the indication that U.S. Area Code 900 and prefix
           976 numbers make.  If you write to an address on a .SVC domain,
           you consent to receiving ads; a service on an .SVC domain may
           require you to pay for use (for which "payment" could include
           receiving advertising.)

  .PVT   - Private Domains.  Domain names where the entire domain belongs
           to a single individual.  Currently, people like myself, David
           Sternlight, T William Wells, Paul Vixie, and others
           that through context and usage, are running domain
           names that only one person subscribes to, can only
           use the .COM domain.  If someone wants to display 
           a business presence, that's fine.  But other people may want
           to use a non-geographic name without having to declare themselves
           a commercial site.

           I had considered  ".IND" as the other name for private domains,
           except it might be confused with the ".INT" domain.

I think I need to find out who is in charge of the groups that
handle this issue that I can propose it for adoption as a
standard. 

> I believe that with a simple change to the agency which
> actually receives mail at one's local site

Oh yeah, people just love rewriting their SENDMAIL.CF files, now
you suggest they accept patches for Sendmail when they don't even
know all the bugs in that program yet!  (BSD Sendmail with the
IDA patches is probably the most common SMTP mail transport on
Internet, probably 90% of all sites using it, since it's free and
comes with source, which probably nobody touches.) 

> coupled with some reasonable administrative support from an
> agency like the Computer Emergency Response Team (CERT), we can
> dramatically reduce the impact which unsolicited advertising has
> on the global Internet. 

CERT can't even get out reports about spoilage in software
("bugs") in any reasonable fashion short of 'once every alternate
leap year' and until those security defects have been exploited
many times, by the assumption that "if we don't tell anyone about
a weakness, nobody else will find it," and yet you expect them to
take any interest in stopping Junk Email?  In fact, I suspect the
whole purpose of creating CERT was the same reason there are Bar
Associations and Medical Boards: so that the incompetent
practitioners can hide their screwups privately.  No wonder
people are hiring programmers from India. 

> I also believe that CERT is a very appropriate agency for this
> project as I believe strongly that the proliferation of
> unsolicited advertising via electronic mail represents a real
> threat to the security of the global Internet --

Oh great, I can see the headlines;  Imminent Death of the
Internet Predicted; Cause of death: Suicide by Unsolicited Junk
E-Mail Poisoning. 

> security in the sense that any use of my local computing
> facilities without my express permission is theft of service. 

Hmm.  Have you tried to raise that issue in a court? 

Seriously, have you tried to find someone who has sent
unsolicited advertisements as E-Mail and either filed charges or
sued them civilly? 

I think you are doing a bit of a reach here, Mr. Raisch.  :) (Pun
Intentional)  Or let's try another tack; a company sends out
articles to people that contain ads along with textual material.
While courts have given some leeway to banning the distribution
of pure advertisements, an advertisement attached to an editorial
becomes material protected under the 1st Amendment.  A court
would be very hard pressed to allow a 'theft of service' argument
to be used as a form of restraint, I suspect. 

> This proposal contains three elements:  administration,
> implementation, and distribution. 
>
> The administration portion would require:
>
>--CERT act as a clearinghouse for announcements of incidents of
> this kind; ...collect reports on the receipt of unsolicited
> email;... list offenders which exceed some pre-defined limit; 
> post this list both to a subscription list of interested
> parties as well as on Usenet. 

I think CERT has more important things to ignore than Junk E-Mail; it's
probably kept busy enough ignoring calls for more information.

> --A method of guaranteeing the validity of this data would be used.

What criterion is to be used?  And how do we know what is a mailing to
five or six people on a newsgroup versus mail from five or six people
complaining about unsolicited mail?
	
> The implementation portion would require:
>
> --Patches be made in the standard "mail reception agents" which
> would allow them to refuse to deliver mail from certain
> identified sources through the use of a stop-list or "kill
> file." 
>
> --Development of administrative tools to manage the local kill file.

This assumes (1) the issue is serious enough to warrant this,
e.g. that the administrator take time out from more important
things like taking his secretary to a cheap motel during working
hours or banning everyone else from access to alt.sex, to put in
filters for unsolicited junk mail; (2) the sender can't change
its domain name every time it does a mailing, e.g. ordering 50 or
60 different domain names and using ONE once a week, means a
whole year of uninterrupted junk mailing before they have to think
up new ones. Of course, you can filter by the originating dotted
quad address, but then that's another story. 

> CERT would not function -- and should not, in my opinion -- as an
> arbiter of "correct behavior", only as an informational resource
> which allows the community to implement their own local policy. 

But your particular argument does _exactly_ that.

> Upon receipt of reports of violation, CERT would send out a
> statement to the sender (to be written by the community) that
> many sites on the global Internet consider such behavior to be
> unacceptable

I thought CERT would not be arbiter of acceptable behavior?

I note that your original message mentions the "SEATTLE WINDOWS
BACKGROUND" issue but misses the famous "Dave Rhodes
MAKE.MONEY.FAST" incident.  Perhaps the reason you have to ignore
that one is the firestorm of protest that the recipients
generally get from such issues, which would make this campaign
totally unnecessary. 

I think The Net can take care of itself quite nicely without
requiring the net.police to come in like the FBI at Waco, thank
you. 

> I would be very interested in coordinating this effort and
> welcome comments, suggestions and offers of support. 

I commend you on your efforts to offer the service you indicate
(the mailing list for reports).  I doubt that we need anything as
drastic as your proposals suggest; I dislike the idea of being
bombarded by lots of advertisements, but I dislike content
restrictions and the implied threat of having an organization
whose charter is the examination of Criminal activities
investigating people or keeping lists of people because some
other people don't like their messages, a lot more. 

How long before some unpopular religion like Wicca, Jehovah's
Witnesses, or the First Church of Satan is 'voluntarily banned'
from The Net? 
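
The stop-list ("kill file") mechanism quoted in the message above, and the reply's objection that a sender can change its domain name for every mailing, can be replayed as follows. This is an added example, not part of the original post or the digest; the `KillFile` class, the `replay` function, and all addresses and domains (reserved documentation ranges) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Delivery:
    """One inbound delivery as the receiving mail agent sees it."""
    peer_ip: str    # address of the connecting host (the "dotted quad")
    mail_from: str  # envelope sender, as claimed by the connecting host


def sender_domain(mail_from):
    return mail_from.rpartition("@")[2].lower().rstrip(".")


class KillFile:
    """Local stop-list holding sender domains and source networks."""

    def __init__(self):
        self.domains = set()
        self.networks = []

    def domain_listed(self, mail_from):
        # A listed domain also covers its subdomains.
        labels = sender_domain(mail_from).split(".")
        return any(".".join(labels[i:]) in self.domains
                   for i in range(len(labels)))

    def network_listed(self, peer_ip):
        addr = ipaddress.ip_address(peer_ip)
        return any(addr in net for net in self.networks)

    def verdict(self, d):
        if self.network_listed(d.peer_ip):
            return "refuse:address"
        if self.domain_listed(d.mail_from):
            return "refuse:domain"
        return "accept"


def replay(deliveries, list_by):
    """Replay deliveries in order. Each accepted delivery that recipients
    reported gets its sender listed afterwards, by domain or by address,
    the way a published offender list would reach the local kill file."""
    kf = KillFile()
    verdicts = []
    for d, reported in deliveries:
        v = kf.verdict(d)
        verdicts.append(v)
        if reported and v == "accept":
            if list_by == "domain":
                kf.domains.add(sender_domain(d.mail_from))
            else:
                kf.networks.append(ipaddress.ip_network(d.peer_ip + "/32"))
    return verdicts


# Constructed sample: one host mails weekly under a fresh domain each time;
# a second, unrelated host sends ordinary list mail. The second tuple field
# marks deliveries that recipients reported as unsolicited.
SAMPLE = [
    (Delivery("192.0.2.25", "offers@deals-week01.example"), True),
    (Delivery("198.51.100.7", "alice@club.example"), False),
    (Delivery("192.0.2.25", "offers@deals-week02.example"), True),
    (Delivery("192.0.2.25", "promo@mail.deals-week01.example"), True),
    (Delivery("192.0.2.25", "offers@deals-week03.example"), True),
]

if __name__ == "__main__":
    for mode in ("domain", "address"):
        print(mode, replay(SAMPLE, mode))
```

Listing by domain only stops the one mailing that reuses an already-listed name, while listing by source address stops every mailing after the first report and leaves the unrelated host untouched.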


------------------------------


End of Computer Privacy Digest V4 #038
******************************