Date:       Sun, 20 Mar 94 20:49:50 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V4#044

Computer Privacy Digest Sun, 20 Mar 94              Volume 4 : Issue: 044

Today's Topics:			       Moderator: Leonard P. Levine

                     Re: Video tape rental records
                     Re: Video tape rental records
                     Re: Video tape rental records
                     Re: Video tape rental records
                             video privacy
                        Bork Bill (video Rental)
                           Loss of Good Name
                          Re: Network Security
                          Re: Network Security
                      Re: Time Magazine on Clipper
              Re: Highly Efficient Electronic Cash Systems
                           IRS Purchase Order

   The Computer Privacy Digest is a forum for discussion on the effect 
  of technology on privacy.  The digest is moderated and gatewayed into 
  the USENET newsgroup comp.society.privacy (Moderated).  Submissions 
  should be sent to comp-privacy@uwm.edu and administrative requests 
  to comp-privacy-request@uwm.edu.  Back issues are available via 
  anonymous ftp on ftp.cs.uwm.edu [129.89.9.18].  Login as "ftp" 
  with password "yourid@yoursite".  The archives are in the directory 
  "pub/comp-privacy".   Archives are also held at ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

From: ramarti@hubcap.clemson.edu (Russell A. Martin)
Date: 17 Mar 94 22:28:50 GMT
Subject: Re: Video tape rental records
Organization: Clemson University

    O1EVERT@vm1.CC.UAKRON.EDU (Tom Evert) writes: I remember hearing
    that a court order is required to obtain video tape rental
    records.  (Why someone would want these records is beyond me!)

    If this is true - is this a federal law?

I believe that it is a federal law that was enacted soon after the
Robert Bork hearings for his Supreme Court nomination.

I think Bork's video preferences were brought up in the conformation
hearings.


------------------------------

From: storm@access.digex.net (Don Melvin)
Date: 18 Mar 1994 15:24:58 -0500
Subject: Re: Video tape rental records
Organization: Trans-National Technology, Washington, DC

    Tom Evert <O1EVERT@vm1.CC.UAKRON.EDU> wrote: I remember hearing
    that a court order is required to obtain video tape rental
    records.  (Why someone would want these records is beyond me!)

    If this is true - is this a federal law?

In Washington, DC it is illegal to provide video tape rental records to
a third party without a court order.  This is a DC city law.

There is no requirement, federal or DC, that requires that records be
kept so that they can be subpoened.

-- 
America - a country so rich and so strong we can reward the lazy 
          and punish the productive and still survive (so far)


------------------------------

From: wb8foz@netcom.com (David Lesher)
Date: 18 Mar 1994 21:34:06 GMT
Subject: Re: Video tape rental records
Organization: NRK Clinic for habitual NetNews Abusers - Beltway Annex

    eck@panix.com (Mark Eckenwiler) writes: If this is true - is this a
    federal law?

    Yes.  See 18 USC sec. 2710.  The law was passed in 1988, largely as
    a consequence of the Washington, DC _City Paper_'s obtaining and
    describing in print Judge Bork's rental records.

As someone pointed out at today's Senate FBI Digital Telco hearings,
video tape records are better protected than pen register records!


------------------------------

From: bernie@fantasyfarm.com (Bernie Cosell)
Date: 19 Mar 1994 21:28:26 GMT
Subject: Re: Video tape rental records
Organization: Fantasy Farm, Pearisburg, VA

    Mark Eckenwiler writes:
	 O1EVERT@vm1.CC.UAKRON.EDU sez: I remember hearing that a court
	 order is required to obtain video tape rental records.  (Why
	 someone would want these records is beyond me!)
     If this is true - is this a federal law?

    Yes.  See 18 USC sec. 2710.  The law was passed in 1988, largely as
    a consequence of the Washington, DC _City Paper_'s obtaining and
    describing in print Judge Bork's rental records.

I don't have particularly easy access to the USC from where I'm at
now:  could someone who does summarize what that law actually says?
Most video rental places do a brisk business in selling tapes, too
[both worn-out ones, for real cheap, or brand new ones that they'll
order for you].  I was musing that it might be the case that your
_rental_ habits have been declared as confidential matters by this law,
but that your video *purchasing* habits could still show up on the
front page of the local newspaper...



------------------------------

From: "BETH GIVENS 619-260-4806" <B_GIVENS@USDCSV.ACUSD.EDU>
Date: 18 Mar 1994 10:44:46 -0800 (PST)
Subject: video privacy
Organization: PRIVACY RIGHTS CLEARINGHOUSE


Regarding the video rental privacy law:  The law protects you from
having the *titles* of videos that you rent released to others, but not
the *subjects.* Here's the wording on the back of a receipt from the
Wherehouse, a video rental and music store:

"Mailing List: We may disclose the names and addresses of customers who
rent or purchase video materials to other persons. We may also disclose
the subject matter of the items rented or purchased for the purpose of
marketing goods and services directly to the customer. By renting or
purchasing an item, you consent to the foregoing for purposes of,
amoung (sic) other things, California Civil Code section 1799.3 in
compliance with the Video Privacy Protection act. You may prohibit such
uses of that information on our part by notifying the rental store."

This notice is in about 6-point print on the back of the receipt in
light gray letters. In other words, it is very difficult to read. The
upshot is that our video rental records are not very well protected.
Subject matter information can still be marketed.


------------------------------

From: Dave Banisar <Banisar@washofc.cpsr.org>
Date: 19 Mar 1994 15:10:21 GMT
Subject: Bork Bill (video Rental)
Organization: CPSR, Washington Office

    Tom writes: I remember hearing that a court order is required to
    obtain video tape rental records.  (Why someone would want these
    records is beyond me!) If this is true - is this a federal law?

The law was passed in 1988 in response to a Washington, DC newspaper
(the City Paper) obtaining Supreme Court Nominee Bork's video rental
records in the hope of finding that he watched "Debbie Does Dallas" or
some other incriminating movies. As it turns out, he liked mysteries.
When the bill was passed, there was also attempts to have it cover
other related records such as library records but were unsuccessful.

The Act also prohibits video rental stores from selling your records to
direct marketers.

>From the CPSR Internet Library cpsr/privacy/law

Video Privacy Protection Act of 1988 (Bork Bill)

18 USC S. 2710

S. 2710.  Wrongful disclosure of video tape rental or sale records

   (a) Definitions.  For purposes of this section--

   (1) the term "consumer" means any renter, purchaser, or subscriber of
goods or services from a video tape service provider;

   (2) the term "ordinary course of business" means only debt collection
activities, order fulfillment, request processing, and the transfer of
ownership;

   (3) the term "personally identifiable information" includes information
which identifies a person as having requested or obtained specific video
materials or services from a video tape service provider; and

   (4) the term "video tape service provider" means any person, engaged in
the business, in or affecting interstate or foreign commerce, of rental,
sale, or delivery of prerecorded video cassette tapes or similar audio
visual materials, or any person or other entity to whom a disclosure is
made under subparagraph (D) or (E) of subsection (b)(2), but only with
respect to the information contained in the disclosure.

   (b) Video tape rental and sale records.

   (1) A video tape service provider who knowingly discloses, to any
person, personally identifiable information concerning any consumer of
such
provider shall be liable to the aggrieved person for the relief provided
in
subsection (d).

   (2) A video tape service provider may disclose personally identifiable
information concerning any consumer--

   (A) to the consumer;

   (B) to any person with the informed, written consent of the consumer
given at the time the disclosure is sought;

   (C) to a law enforcement agency pursuant to a warrant issued under the
Federal Rules of Criminal Procedure, an equivalent State warrant, a grand
jury subpoena, or a court order;

   (D) to any person if the disclosure is solely of the names and
addresses
of consumers and if--

   (i) the video tape service provider has provided the consumer with the
opportunity, in a clear and conspicuous manner, to prohibit such
disclosure; and

   (ii) the disclosure does not identify the title, description, or
subject matter of any video tapes or other audio visual material;
however, the subject matter of such materials may be disclosed if the
disclosure is for the exclusive use of marketing goods and services
directly to the consumer;

   (E) to any person if the disclosure is incident to the ordinary course
of business of the video tape service provider; or

   (F) pursuant to a court order, in a civil proceeding upon a showing of
compelling need for the information that cannot be accommodated by any
other means, if--

   (i) the consumer is given reasonable notice, by the person seeking the
disclosure, of the court proceeding relevant to the issuance of the court
order; and

   (ii) the consumer is afforded the opportunity to appear and contest the
claim of the person seeking the disclosure.

   If an order is granted pursuant to subparagraph (C) or (F), the court
shall impose appropriate safeguards against unauthorized disclosure.

   (3) Court orders authorizing disclosure under subparagraph (C) shall
issue only with prior notice to the consumer and only if the law
enforcement agency shows that there is probable cause to believe that
the records or other information sought are relevant to a legitimate
law enforcement inquiry. In the case of a State government authority,
such a court order shall not issue if prohibited by the law of such
State. A court issuing an order pursuant to this section, on a motion
made promptly by the video tape service provider, may quash or modify
such order if the information or records requested are unreasonably
voluminous in nature or if compliance with such order otherwise would
cause an unreasonable burden on such provider.

   (c) Civil action.

   (1) Any person aggrieved by any act of a person in violation of this
section may bring a civil action in a United States district court.

   (2) The court may award--

   (A) actual damages but not less than liquidated damages in an amount of
$ 2,500;

   (B) punitive damages;

   (C) reasonable attorneys' fees and other litigation costs reasonably
incurred; and

   (D) such other preliminary and equitable relief as the court determines
to be appropriate.

   (3) No action may be brought under this subsection unless such
action is begun within 2 years from the date of the act complained of
or the date of discovery.

   (4) No liability shall result from lawful disclosure permitted by this
section.

   (d) Personally identifiable information.  Personally identifiable
information obtained in any manner other than as provided in this section
shall not be received in evidence in any trial, hearing, arbitration, or
other proceeding in or before any court, grand jury, department, officer,
agency, regulatory body, legislative committee, or other authority of the
United States, a State, or a political subdivision of a State.

   (e) Destruction of old records.  A person subject to this section shall
destroy personally identifiable information as soon as practicable, but no
later than one year from the date the information is no longer necessary
for the purpose for which it was collected and there are no pending
requests or orders for access to such information under subsection (b)(2)
or (c)(2) or pursuant to a court order.

   (f) Preemption.  The provisions of this section preempt only the
provisions of State or local law that require disclosure prohibited by
this section.


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 18 Mar 1994 10:22:59 -0600 (CST)
Subject: Loss of Good Name
Organization: University of Wisconsin-Milwaukee

    From: RISKS-LIST: RISKS-FORUM Digest  Thursday 17 March 1994
    (15:66) ACM Committee on Computers and Public Policy, Peter G.
    Neumann, moderator

       From: Mike Crawford <crawford@scipp.ucsc.edu>
       Date: 14 Mar 1994 11:35:07 -0800
       Subject: Sly Imposter Robs S.F. Man of Good Name

"Sly Imposter Robs S.F. Man of Good Name", by Catherine Bowman, *San
Francisco Chronicle*, 14 Mar 1994, p.1.

San Francisco attorney Charles Sentman Crompton II, dogged by a string
of arrest reports, mysterious credit card bills and a fake ID, is fed
up and frustrated - so frustrated, in fact, that he is taking Charles
Sentman

Crompton III to court.  [...] Using Crompton's name, address, and
Social Security number, the man has opened charge accounts at local
stores, rented an apartment and obtained a driver's license, Crompton
says.  He has allegedly run up nearly $3,000 in purchases at Macy's,
Radio Shack and other stores, buying a portable computer and other
items.  [...]

  (The suspect has been repeatedly arrested and set free by local
  police for stealing cars, etc., and gave Crompton's name.)  [...]
  (The real Crompton obtains the phony Crompton's driver's license
  after the suspect drops it while fleeing from a suspicious store
  clerk.) [...]

Crompton obtained a photocopy of that license, which he forwarded to
the state Department of Motor Vehicles with a letter explaining the
problem.  He then asked for a new license with a different number.

The DMV obliged.  Then in a monumental goof, the agency mailed the
license to the other Crompton.  [...]

  (The article includes a photo of the real Crompton and a physical
  description of both men.  Real Crompton states that phony Crompton
  could not possibly be a true Elvis fan like him.)

The punch line:

Crompton says he does not blame the system for allowing the case to
snowball.  Still, he worries about his credit record and being fingered
for crimes he did not commit.

Hmm... I'd say that this is a built-in feature of the system.

    ---

Mike's doomsday speech:

"We are just entering the Information Age.  Those who possess the
information, those who dispense it, and those who know how to
manipulate the information will be the rulers.  Those who do not will
be the peasants."

I conjecture that the DMV goof was caused by different people handling
the task of reissuing the license without communicating the nature of
the problem to each other.  One clerk dutifully issued a request for a
new license, and perhaps typed a memo explaining the problem.  Another
clerk printed the license and sent it to the address on file (along
with the letter explaining the problem, so the phony Crompton was
officially tipped off in writing by the state.)

The California DMV is one of the largest bureaucracies in the United
States, and possesses one of the largest management information systems
as well.  Well-defined lines of communication to handle such
exceptional situations probably do not exist.  I'd say we're lucky it
works at all for the normal case.

One solution might be a government debugging agency.  There should be a
single office that Crompton could go to, that would work with all of
the government agencies and credit bureaus to straighten out the
record.

Of course this agency would itself be a fertile ground for fraud.


------------------------------

From: bernie@fantasyfarm.com (Bernie Cosell)
Date: 19 Mar 1994 21:31:49 GMT
Subject: Re: Network Security
Organization: Fantasy Farm, Pearisburg, VA

    Mike Gadda writes:  My university has a Novell Network and last
    year someone bugged the whole campus with a program called Lan
    Assist Plus.  This program allows *anyone* to mess with what others
    are doing by having another persons screen captured on there own.
    The person being watched has no idea. This person can be rebooted
    or messed with by unwanted keystrokes.  I couldn't believe it
    myself when I first saw it.  I wonder if Novell anticipated this
    problem when creating their networks.

I think you're not really understanding what is going on here.  *NO*
network protocols currently in use in and near the Internet were
designed to support any sort of security.  Novell didn't "create" their
network --- I assume they built their software on top of some kind of
standard network machinery [is it just ethernet?  or twisted-pair
ethernet?].  If so, the basic underlying technology, novell software or
not, is almost certainly inherently insecure.

What happens in ethernet-like LANS is that ALL stations on the LAN are
connected in parallel: when anyone on the LAN talks, _every_ station
hears it.  The actual interface boards have a serial number on them
[actually wired into the board at the factory... and yes, every
ethernet board ever made has its own, unique ID].  What your board
normally does is ignore packets not destined for -its- address, but
when it sees one that is actually addressed to _it_, it gobbles it up
and lets the software know that something has arrived.  BUT:  various
[legitimate!] network activities require that a system be able to
receive a message sent to _any_ address.  And so every LAN interface
I've ever seen has, at the hardware level, a toggle that says "ignore
the address, send me anything that comes in".  Needless to say, with a
little bit of smart software behind it, this can be used to cause a
fair bit of nasty trouble.

Basically, as I've been saying for some time [although if you're new
you've probably not seen it] is that essentially NOTHING out there for
networking has been engineered for security.  It just was not a
consideration when that stuff was all being put together.  Moreover,
there is a more difficult problem: properly managing, administering and
operating a network generaly involves a lot of fancy-doings and SOME
sort of high-power access to the devices.  This means that it is a bit
worse than I said: not only was there no real consideration for making
things secure, there was a *disincentive*: there was a push on the
make-it-insecure side *to*put*in* monitoring ports, diagnostic ports,
'operator' ports and such.

    Without a doubt I'd say this is an invasion of privacy.  Someone in
    their dorm room can watch an entire lab of computers somewhere else
    on campus.  I must say this is very impressive, but man, they don't
    tell anyone about it's existance.  Anyone else had experiences with
    programs like this?

Sorry, but as with other things: it may SEEM like an 'invasion of
privacy', but the fact is that anyone who has a clue about the
networking technology will tell you not to put an unencrypted packet on
a LAN that you don't want EVERYONE to see.  It is rather more akin to
painting your password on the outside wall of the dorm and having
everyone 'promise' not to look at it as they walk by.

    Another breach of security that has gone around on my campus is a
    program called keycopy.  Keycopy is a memory resident program that
    keeps track of every keystroke and writes it to a file on the C:
    drive every few minutes.  I couldn't believe it that this program
    was on a server available to everyone.  This is an incredibly easy
    way for someone to get passwords.

Since you say "C:" [and you're talking about Novell nets] it looks like
you're messing with PCs: does keycopy capture *your* keystrokes or
someone else's?  Capturing the _local_ keystrokes is generally not much
of a security problem, except in that it can be used as a cute trojan
horse on a shared system [just leave it running quietly in the
background all day and then each evening go through to see what you've
got].  But there are a thousand ways that systems like that can be
'bugged' --- even if you boot off the server, you can't be sure that
the stuff you download won't have some kind of trap or snoop in it, so
even rebooting won't help all that much, unless you reboot off of
floppies you carry with you and don't run _anything_ off of the
server.


------------------------------

From: rwilliam@seas.smu.edu (Robert Williams)
Date: 20 Mar 1994 18:18:57 GMT
Subject: Re: Network Security
Organization: SMU - School of Engineering and Applied Science

    Mike Gadda <GADDAM@columbia.dsu.edu> wrote: I'm kind of new here.
    In fact this is my first post.  I was wondering in any of you have
    had network security problems in the past?  My university has a
    Novell Network and last year someone bugged the whole campus with a
    program called Lan Assist Plus.  This program allows *anyone* to
    mess with what others are doing by having another persons screen
    captured on there own.  The person being watched has no idea. This
    person can be rebooted or messed with by unwanted keystrokes.  I
    couldn't believe it myself when I first saw it.  I wonder if Novell
    anticipated this problem when creating their networks.  In fact I
    think it is standard with their utilities.  Without a doubt I'd say
    this is an invasion of privacy.  Someone in their dorm room can
    watch an entire lab of computers somewhere else on campus.  I must
    say this is very impressive, but man, they don't tell anyone about
    it's existance.  Anyone else had experiences with programs like
    this?

I found a program available via anonymous FTP that allows me to watch
another person's X terminal without them knowing it.  I had to be on an
X terminal too, and I could only watch similar ones (black & white
could only see black & white, color could only see color), and it
wasn't very fast updating the screen, but I could still do it.  I could
read e-mail, news, anything that another person had on their screen.
There were a couple of times I couldn't connect to that display, but
there were only 3 or 4 cases like that.  Then I realized anyone else
could have that and be reading anything I wrote.  I very rarely use X
terminals now.

-- 
                  |   For the LORD your God is God of gods and Lord
Robert Williams --|-- of lords, the great God, mighty and awesome,
 <IX0YE><         |   who shows no partiality and accepts no bribes.
                  |     Deut. 10:17


------------------------------

From: laine@MorningStar.Com (Laine Stump)
Date: 20 Mar 1994 23:28:26 GMT
Subject: Re: Time Magazine on Clipper
Organization: Morning Star Technologies, Columbus, Ohio

    mea@intgp1.att.com writes: If all the government is doing is taking
    a marketing approach with this Clipper chip technology, what's all
    the fuss?  By simply adding another layer of encryption on top of
               --------------------------------------------
    Clipper will defeat its backdoor and threats from snooping.  The
    government rarely suceeds at anything when it comes to business --
    especially if it involves marketing.

This is a common, and dangerous, misconception. Cryptographers know
that it is much easier to break a code if they can analyze "chosen
text" that has been encrypted, in other words if they can get a look at
some sequence of input text they have chosen after it goes through the
encryption algorithm. It is very possible (some say likely) that the
Clipper algorithm puts patterns into the encrypted text which the NSA
can later use to aid them in breaking any encryption used "on top" of a
Clipper-encrypted data stream. It is widely rumored that the NSA
already does this with a voice compression algorithm it developed which
is widely used in telecommunications equipment.

    Is this really much ado about nothing?

Do you unconditionally trust anyone and everyone who works for the
U.S.  Government?


------------------------------

From: mckeever@cogsci.uwo.ca (Paul McKeever)
Date: 21 Mar 1994 01:50:22 GMT
Subject: Re: Highly Efficient Electronic Cash Systems
Organization: University of Western Ontario, London, Ont. Canada

Just a caution regarding electronic cash systems.

No matter how anonymous or private electronic cash transfers are made
they can never permit the anonymity or privacy of cash.

The reason for this is simple.  The means for transferring electronic
information is by electronic equipment.  The means for transferring
pieces of paper or metal is by body parts (usually, by hands).

The state finds relatively little resistance when it regulates the
possession, or operation of electronic equipment.  The state finds it
relatively difficult to regulate the possession or operation of human
limbs.

Thus, while electronic cash systems may be great mind candy, and while
they may make it (a) easier to carry money, and (b) more difficult to
steal money, they are in every case far more susceptible to government
regulation.  Such regulation includes laws against the possession or
operation of any given electronic cash device.

If one's motivation for perfecting electronic cash systems is rooted in
computer science or engineering academia, fine.  Those who wish to
preserve the freedom from government that physical cash (paper, coins,
etc.) imparts to the individual should seek to ensure that physical
cash continues to be available, because its electronic counterpart is
much more susceptible to regulation, and consequently, imparts a far
weaker guarantee of individual freedom.


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 19 Mar 1994 08:02:05 -0600 (CST)
Subject: IRS Purchase Order
Organization: University of Wisconsin-Milwaukee

From: RISKS-LIST: RISKS-FORUM Digest  Friday 18 March 1994 (15:67)
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM
Committee on Computers and Public Policy, Peter G.  Neumann, moderator

  Date: 18 Mar 94 08:12:00 BST
  From: j.cooper6@genie.geis.com
  Subject: IRS Surveillance

>From COMMERCE BUSINESS DAILY, 940317 (Government notice of bids)
 
< -------< Department of the Treasury (DY), Internal Revenue Service,
Constellation Centre, 6009 Oxon Hill Rd., Rm. 700, M:P:O:S Oxon Hill,
 MD 20745
 
< 36 -- REMOTE DIAL NUMBER RECORDERS
 
SOL IRS-94-0051 POC Shirley Campbell, Contract Specialist, (202) 283-1144.
 
The Internal Revenue Service intends to procure 28 remote telephone data
collection units, including software. Capable of collecting and storing
information from the target line on at least 700 telephone calls (time of
call, length of call, number dialed, caller ID, call progress tone
detection, etc.). The unit must be no larger than 5.9x1.5x3.2 inches.
 
The unit is controlled and records are transmitted through the dial- up line
through a computer modem. The instrument must be transparent to the target
line. The unit will be powered through the dial-up line.
 
100% Small Business Set-Aside. Telephone requests for the solicitation
package will not be accepted. (0075)
 
   [Great for identifying anonymous callers who request information
   on whether illegal acts must be declared, and other such revealing
   queries?  PGN] 


------------------------------


End of Computer Privacy Digest V4 #044
******************************
.