Date: Sun, 24 Apr 94 08:20:40 EST
Errors-To: Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From: Computer Privacy Digest Moderator <comp-privacy@uwm.edu>
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#057
Computer Privacy Digest Sun, 24 Apr 94 Volume 4 : Issue: 057
Today's Topics: Moderator: Leonard P. Levine
HR 1900
Solicitation via the Internet
Helpful Police face Lawsuit
Re: Long Distance Companies
Re: Long Distance Companies
Lord Have Mercy On Us All :-(
Re: Lord Have Mercy On Us All :-(
Re: Lord Have Mercy On Us All :-(
The Computer Privacy Digest is a forum for discussion on the effect
of technology on privacy. The digest is moderated and gatewayed into
the USENET newsgroup comp.society.privacy (Moderated). Submissions
should be sent to comp-privacy@uwm.edu and administrative requests
to comp-privacy-request@uwm.edu. Back issues are available via
anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp"
with password "yourid@yoursite". The archives are in the directory
"pub/comp-privacy". Archives are also held at ftp.pica.army.mil
[129.139.160.133].
----------------------------------------------------------------------
From: jonescpp@aol.com
Date: 22 Apr 94 12:30:39 EDT
Subject: HR 1900
Professor Levine,
Attached is the article which was published in the March issue of Security
Concepts. I hope it is helpful to you and others in the newsgroup.
H.R. 1900, A Bill To Prevent Abuses of
Electronic Monitoring In The Work Place
Privacy vs. Security
by
Patrick Jones, CPP
copyright 1994
Permission given to reproduce and/or publish article.
Entire article must be printed.
If article is published, please send copy to:
Patrick Jones, CPP
1807 S. Washington
Suite 106
Naperville, Illinois 60565
Scenario #1
An airplane crashes. There was no communication with the aircraft or
crew prior to the crash. The investigation of the crash will be
severely hampered because there is no "Black Box". House Resolution
1900, if passed, will require each crew member to be notified in
writing as to electronic monitoring of their performance. This will
include the type of monitoring device used, the data to be collected
and the hour and day of the week of the monitoring. Scenario #2
A company doing very sensitive research and development of electronics
parts is missing valuable information. The information was taken
between Saturday morning 9:00 a.m. and Sunday afternoon 3:00 p.m.
There is no way to determine who entered the research labs. The access
control system does not record this information. House Resolution
1900, if passed, will severely limit the use of the audit control
function on the access control system. Scenario #3
A large sum of money is discovered to be missing from a financial
institution. Money was transferred by means of a computer to a foreign
account. House Resolution 1900, if passed, could limit the use of
software that would record these transactions and identify the
offender.
Why was not an appropriate electronic safeguard in place to either
prevent or apprehend the perpetrator? If H.R. 1900 reintroduced by
Representative Pat Williams (D-MT), is successfully adopted, these
safeguards will be extremely difficult to use to protect lives,
property and prevent loss. The bill does not prohibit most uses of
CCTV, Access Control Systems, or other electronic security measures.
It does, however require a complicated and detailed notification
process, adding costs and placing restrictions on already burdened
security. Record keeping alone, in a very large company may even
require the addition of a new department.
Surgical procedures recorded by CCTV for training and research may no
longer be used because of the extensive notification and record keeping
required by H.R. 1900. The information recorded could be used to
evaluate an employee's performance.
Access control systems that provide identification of entry and exit
times and dates would also be included because they provide data by
which an employee's performance could be judged. Computer software
identifying an individual and his log on and log off time and date
would be unusable for the same reasons. This bill appears to define
electronic monitoring to include: audit control software in access
control systems, guard watch clocks, CCTV and alarm systems that
provide opening and closing information by individual. In a very broad
interpretation, employee time clocks would be included as an electronic
monitoring item and would require notification and the keeping of
records. Only 100% mechanical time clocks would be excluded. The
litany of electronic security system devices goes on and on.
The intent of H.R. 1900, "A Bill To Prevent Potential Abuses of
Electronic Monitoring in the Workplace," is to limit the use of
electronic monitoring devices in the workplace, used to evaluate an
employee's performance. Regardless of its intent, the Bill, in its
present form eliminates or greatly restricts the use of a wide variety
of electronic monitoring devices currently in use today.
It is important to understand several definitions as they relate to the
bill. The legislation defines electronic monitoring as "the
collection, storage, analysis, and reporting of any information
concerning an employee's activities by means of a computer, electronic
observation and supervision, remote telephone surveillance, telephone
call accounting, or other form of visual, auditory, or computer based
surveillance conducted by any transfer of signs, signals, writing,
images, sounds, data or intelligence of any nature transmitted in whole
or in part by a wire,radio, electromagnetic, photo-electronic, or photo
optical system."
Personal data is defined in the bill as "any information concerning an
employee which, because of name, identifying number, mark, or
description, can be readily associated with a particular individual,
and such terms include information contained in printouts, forms, or
written analyses or evaluations."
Some requirements of the act are: Employers who engage in electronic
monitoring shall post and maintain such notice in conspicuous places on
his premises where notices to employees are customarily posted.
Employers shall provide notification to each employee who will be
electronically monitored, prior written notice describing: The forms
of electronic monitoring to be used, the personal data to be collected,
the use made of personal data collected, interpretation of personal
data collected, existing production standards, interpretation of
statistics and other records collected through electronic monitoring,
and methods used for determining production standards. [ Section 3
(a)] If the public may be monitored, they also must be given notice.
[Section 4 (e)]
There are exceptions to notification. If an employer has a "reasonable
suspicion" that an employee is engaged a criminal act or gross civil
misconduct, the employer must execute a statement stating the
circumstances of the suspicion, an identification of the specific
economic loss or injury to the business, and shall maintain the
statement for a three year period, or until judgment is rendered in an
action brought by the employee.
Random or periodic monitoring may not be conducted on an employee with
a cumulative employment period of at least five years [Section 5 (2)].
Restrictions vary as to time of employment.
The bills require notification in writing: when, where, how, and why
you are monitoring or may monitor an employee's activities. This may
be interpreted in the courts as prohibiting monitoring.
A great number of industries will be affected if this law is passed as
written: Airports, Department of Defense facilities, government
facilities, warehouse operations, jails, banks, retail establishments,
nuclear facilities, brokers and hospitals. If you suspect an employee
of theft, and wish to monitor that employee's computer transactions or
use CCTV to monitor his actions, you must inform him in writing in
advance of any such surveillance.
There is also a provision prohibiting the waiving of any rights granted
in the bill as a condition of employment.
The courts have ordered businesses, in judicial decisions, to provide a
safe environment to work and conduct business. In many cases, the
courts have indicated in their findings that there was not enough CCTV,
electronic security systems, or that accountable access control systems
were inadequate.
Electronic surveillance is a necessary and cost effective tool to
protect assets and personnel. It is used to prevent theft, keeping
companies solvent, protecting jobs - for the honest hardworking
employee. It is also used to promote and monitor safety procedures,
protecting the physical well being of employees.
An employee's rights should be protected. There are a number of
existing laws that provide for this protection. An employee may sue
civilly for damages both compensatory and punitive, in a court of law
if he feels he was unjustly treated. If unjustly fired, the court may
order reinstatement of his former position with back pay. Unions also
act as mediators when a grievance is made known.
This bill, may have good intentions but the effect of this law with it
its current language, handcuffs the protection of assets, the safety
and well being of employees and customers, and severely hamper the
apprehension of law breakers.
Copies of the House Bill can be obtained by contacting the Capital
switchboard at (202) 225-3456. Legislative status of Bills can be
obtained by calling (202) 225-1772.
Copyright 1994 Patrick Jones, CPP E-MAIL jonescpp@aol.com Patrick
Jones, CPP is a Security Consultant with the Jones Consulting Group,
Inc., Naperville, Illinois (708) 983-6877
------------------------------
From: dwn@dwn.ccd.bnl.gov (Dave Niebuhr)
Date: 22 Apr 94 15:38:42 EDT
Subject: Solicitation via the Internet
I received a missive from that follow who is soliciting readers to
obtain a copy of his book (I wish I would have kept the note). It was
*exactly* verbatim of what he posted to this group.
Below is my response to him.
"Thank you for the information but I look quite unfavorably on people
who swipe my name/address off of Usenet distribution lists and then use
it for other means."
By "other means" is a direct solicitation.
Dave Niebuhr Internet: dwn@dwn.ccd.bnl.gov (preferred)
niebuhr@bnl.gov / Bitnet: niebuhr@bnl
Senior Technical Specialist, Scientific Computing Facility
Brookhaven National Laboratory Upton, NY 11973 1+(516) 282-3093
FAX 1+(516) 282-7688
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 24 Apr 1994 08:00:59 -0500 (CDT)
Subject: Helpful Police face Lawsuit
Organization: University of Wisconsin-Milwaukee
The San Francisco Examiner recently published a story entitled:
San Francisco Police Department facing suit by Stalking Victim
Edward Khoury was upset and needed help, so he called the San
Francisco police. He got exactly what he needed from the Police
Department. Trouble is, the police helped Khoury commit a felony:
stalking an ex-girlfriend who had fled the Bay Area to avoid him.
At Khoury's request, a police officer ran an illegal computer check on
the license plate of a car owned by a man dating Khoury's former
girlfriend. Once he learned the owner's address, Khoury went there --
in violation of a court order -- and allegedly threatened to kill them
both if they continued their relationship.
Khoury's five-year pursuit and harassment of his ex-girlfriend
eventually landed him in jail. He is serving a one-year sentence after
pleading no contest to felony stalking charges in San Bernardino County
and faces similar charges in Riverside County.
In San Francisco, meanwhile, police are facing a lawsuit in which his
former girlfriend accuses the department of adding to her trauma by
allowing its computers to be used to help Khoury find her and her
friends. It also accuses the department of failing to stop leaking
information to Khoury, although Corona police say they tipped San
Francisco to the leaks more than a year ago.
The data leaks are illegal, and are the subject of an internal police
investigation. Police Chief Tony Ribera said Monday that he planned to
institute a password system within the next 60 days that would limit
access to database information and make it easier to trace each user's
computer footprints.
Police have become more careful recently watching for such abuses, but
Khoury's case stands out because he was able to manipulate police,
courts, credit agencies and phone companies, as well as many unwitting
individuals, into helping him obtain information on every aspect of his
ex girlfriend's life -- and keep her living in fear.
"This guy is very slick," said Corona Detective Ron Anderson, who has
spent nearly two years investigating Khoury. "He was able to find out
all sorts of secure, unlisted numbers -- the phone company doesn't even
know how. He used other people's phone card numbers and phones to call
her. He had other people spread rumors about her. He would conceal his
identity and find out all her secrets."
The two people had had a romantic relationship which terminated finally
when the girlfriend filed the first of what was to become hundreds of
reports with Corona police in September 1991. Initially, she did not
want to file criminal charges against Khoury, said Detective Anderson
-- she just wanted to be left alone.
But from then until his arrest last November, Khoury made life
miserable for her. And he did it with the help of at least one person
within the San Francisco Police Department who helped Khoury obtain
addresses from a statewide Department of Motor Vehicles database only
legally accessible by law enforcement officials.
While all California police officers have access to DMV records via
computers, it is illegal to access those records for nonpolice business
or to provide confidential information to the public.
Because the department's computers lack a personalized password system,
investigators do not know who made the DMV inquiries, only the dates
they were made and the locations they were made from. The 10 searches
were conducted from four different police stations.
"It could have been a single officer on six different occasions or six
officers on six different occasions," Ribera said. "It could have been
a civilian employee. We just don't know. It appears that Mr. Khoury
had a friendly relationship with a number of officers."
Digested by L. P. Levine, all typos are mine.
------------------------------
From: swd_lrr@afds.cca.rockwell.com ()
Date: 22 Apr 94 15:26:07 GMT
Subject: Re: Long Distance Companies
Organization: Rockwell International
Rob Goldberg <rhg@cis.ufl.edu> writes: I recently ordered a second
phone line to my home and the operator asked if I wanted my social
security number to be released to whatever long distance company I
happened to use. I told her to forget it. I was wondering: what
possible reason would these long distance companies need this
information for?
More importantly, how did the operator get it?
------------------------------
From: dom@hermes.dna.mci.com (Eric Kessner)
Date: 22 Apr 1994 16:20:14 -0600
Subject: Re: Long Distance Companies
Organization: MCI Telecommunications
Rob Goldberg <rhg@cis.ufl.edu> writes: I recently ordered a second
phone line to my home and the operator asked if I wanted my social
security number to be released to whatever long distance company I
happened to use. I told her to forget it. I was wondering: what
possible reason would these long distance companies need this
information for?
The long distance companies use the SSN in the same way almost every
other business uses it, as a "unique" identifier for a customer. I'm
strongly against using SSNs for privacy reasons and have convinced the
team I work with not to expect that people will necessarily give it to
them when asked, or even worse, might just make one up. So, for at
least the projects I'm working on here at MCI, no one will tell you
that you must give them your SSN because the "computer needs it" :)
--
Eric Kessner, MCI Telecommunications | This message does not
ekessner@mcimail.com | necessarily reflect MCI
dom@hermes.dna.mci.com | policy and opinions.
------------------------------
From: "Arthur R. McGee" <amcgee@netcom.com>
Date: 22 Apr 1994 15:08:25 -0700 (PDT)
Subject: Lord Have Mercy On Us All :-(
If this doesn't scare you, nothing will. :-(
---------- Forwarded message ----------
THE WHITE HOUSE
Office of the Vice President
____________________________________________________________
For Immediate Release April 20, 1994
GORE JOINS BENTSEN, RENO IN CRIME TECHNOLOGY DEMONSTRATION
Vice President Announces Inter-Agency Agreements
WASHINGTON -- To illustrate how the use of technology
can help fight rising crime, Vice President Al Gore today
(4/20) joined Administration officials in a demonstration of
wireless and dual-use technologies that can be used for law
enforcement purposes. He also announced two inter-agency
agreements that will increase cooperation between the
Departments of Justice, Treasury, and Defense in using
technology to help combat crime.
"The technologies demonstrated today provide powerful
new weapons in the war against crime," the Vice President
said. "Technological advances make it possible to fight
crime safer and smarter than ever before. They increase
safety, enhance productivity for our law enforcement
officials, and save taxpayer dollars."
The Vice President joined Treasury Secretary Lloyd
Bensten, Attorney General Janet Reno, Deputy Secretary of
Defense John Deutch, and Office of National Drug Control
Policy Director Lee Brown in the demonstration, which
included a wide variety of technologies that will help fight
crime or support law enforcement.
In addition, the Vice President announced two inter-
agency Memorandums of Understandings. The first MOU,
between the Departments of Justice and Treasury, establishes
an agreement to develop a wireless telecommunications
network for use by federal, state, and local law enforcement
officials. This agreement implements one of the
recommendations of Vice President Gore's National
Performance Review to make the federal government work
better and cost less. The second MOU, between the
Departments of Defense and Justice, is a five-year agreement
to jointly develop and share technologies that are necessary
for both law enforcement and military operations other than
war.
Secretary Bentsen said, "We want to invest in crime-
fighting technology, we want to do it so local and state
police benefit, and we want to do it so costs don't go
through the roof. That's why I'm so eager to sign up
Treasury in a partnership with Justice to develop cost-
effective and efficient technology."
"New technologies increase the effectiveness of law
enforcement, offer police officers greater options for
apprehension, and improve the safety of the public," said
Attorney General Reno. "Today's agreements will unite the
efforts of the Justice Department with those of Defense and
Treasury to help make these technologies available to our
nation's law enforcement community."
Deputy Secretary Deutch said, "Today's Memorandum of
Understanding formalizes our ongoing relationship with the
Department of Justice. It comes at a time when budgets are
decreasing and yet we need different capabilities and
equipment to accomplish our peacekeeping and humanitarian
missions. We are finding that these requirements are
similar in many cases to the needs of law enforcement
agencies, and we look forward to cooperating in this area."
The demonstrations included an automated booking system
to electronically record fingerprints and mug shots, laser-
assisted computer imaging equipment for examining
ballistics, and a portable/hand-held/single-step device to
retrieve more readable fingerprints at crime scenes. They
also viewed technology that provides police cars with
mainframe database information such as criminal records and
traffic violations, and allows them to file reports from
their cars. Several non-lethal weapons for use in pursuit
of a suspect or while a suspect is in custody also were
displayed.
##
------------------------------
From: tim werner <werner@mc.ab.com>
Date: 23 Apr 1994 11:56:23 -0400
Subject: Re: Lord Have Mercy On Us All :-(
"Arthur R. McGee" <amcgee@netcom.com> states: if this doesn't scare
you, nothing will. :-(
---------- Forwarded message ----------
THE WHITE HOUSE
Office of the Vice President
____________________________________________________________
For Immediate Release April 20, 1994
GORE JOINS BENTSEN, RENO IN CRIME TECHNOLOGY DEMONSTRATION
Vice President Announces Inter-Agency Agreements
------end Forwarded message ----------
Why is this scary? It was just about police getting better methods of
communicating with each other, as far as I could tell. I am not
against the idea of police in general, just abuses of government
power.
How is the concept of police being better able to get fingerprints at
the crime scene scary? If you break into my house, I'd like the police
to be able to get your fingerprints.
The police are a Good Thing when they are protecting me from fraud,
theft, and physical attack.
------------------------------
From: Black Unicorn <unicorn@access.digex.net>
Date: 23 Apr 1994 15:53:28 -0400
Subject: Re: Lord Have Mercy On Us All :-(
tim werner said: The police are a Good Thing when they are
protecting me from fraud, theft, and physical attack.
The most efficent police are those under a dictator. They will protect
you from fraud, theft and physical attack too. Are they a good thing?
The communications network doesn't really bother me, The formation of a
group dedicated to empowering law enforcement with high technology
does.
------------------------------
End of Computer Privacy Digest V4 #057
******************************
.