Date:       Thu, 04 Aug 94 15:44:05 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V5#017

Computer Privacy Digest Thu, 04 Aug 94              Volume 5 : Issue: 017

Today's Topics:			       Moderator: Leonard P. Levine

                    What Is Proprietary Information?
                          Privacy Book Project
                          Fingerprinting Rules
                             Set Top Boxes
                  The Best of Full Disclosure Magazine
                   Re: SSN Required by Sprint in U.S.
                   Re: SSN Required by Sprint in U.S.
                   Re: Many Phone Taps are now Legal
      Re: Questions about using "discussion list" membership lists

 ---------------------------------------------------------------------

   Housekeeping information is located at the end of this Digest.

----------------------------------------------------------------------

From: dave@lydian.scranton.com (Dave D. Cawley)
Date: 04 Aug 1994 00:21:59 GMT
Subject: What Is Proprietary Information?
Organization: Internet Cafe, 426 Spruce Street, Scranton PA

I'm one of the owners of The Internet Cafe in Scranton, PA, and we were
recently hacked into by one, if not two, people; the hacks were from two
different sites, but maybe the same person. One person from a local
educational institution ftped into us and ftped a password file that
had nothing in it. I talked to the sys manager about this and he has
the name of the person who did it, but is waiting to find out what kind
of information he can give us or what channels we need to go through to
get the info on the guy.

Then a day later someone called and asked if we had a guest account.
Our sys manager told him no, but we could set up an account for him and
if he liked it he could pay on August 1st (three days away).  He spent
his time on trying to unmount our disks, get into root and generally
trying to trash our system. He also ftped our password file to a local
BBS/Internet provider/competitor.

Then from an administrative account on that system, most of our users
were spammed with unsolicited mail telling them that accounts had been
setup and they had a full year of free access if they switched from our
service. The accounts *were* in fact set up on that system; we had
someone use their account on that system.

We called the people at that system and they said they knew nothing of
what happened, the account that the spam was mailed from doesn't exist
and that an account in their name can't be created. We asked how what
happened happened and their answer was it was some hacker that broke
into our system but kept saying that nobody could have done it from
their system.  Meanwhile, we have that person in our ftp log ftped in
from 3 of their machines and from a Sprint Network machine (they are
part of sprintnet).

	Now that you know my story...my questions are:

	1. What is considered proprietary property?
	2. Can this be considered wire fraud in any way?
	3. What legal recourse do we have?
	4. What do we need to prove they were in the know?

	And anything else you might think of...Thanks!

--
******************************************************************************
Dave D. Cawley		 | Listen, strange women lyin' in ponds distributing
Maitre d'		 | swords is no basis for a system of government. 
The Internet Cafe  	 | Supreme executive power derives from a mandate
Scranton, Pennsylvania	 | from the masses, not from some farcical aquatic
dave@lydian.scranton.com | ceremony.			-Dennis
******************************************************************************


------------------------------

From: g.scott3@genie.geis.com
Date: 04 Aug 94 06:36:00 UTC
Subject: Privacy Book Project

PRIVACY BOOK PROJECT: REVIEWERS, QUOTES WANTED

I wanted to let all know that I have a book on privacy: THE BATTLE FOR
PERSONAL PRIVACY which will be published next year by Insight and
Plenum Books in New York, scheduled for the Spring.  It is designed to
provide a broad overview of the subject for the general reader, and
covers a wide range of topics, including search and seizure, press and
publicity, government records, employment issues including drug testing
and monitoring, high tech privacy topics including BBs, E-mail, and
encryption, financial privacy, medical records, privacy in litigation,
etc.  It includes some history of privacy from the 1800s to the
present, and focuses on the results of battles over privacy that have
ended up in court in 1992 and 1993, and recent developments since
then.

The book has just gone to the typesetter for the first galleys.  My
publisher has asked me to contact people in the field who might be
interested in reviewing the book, and if they like it, providing
comments that can be used in the book or in information about it.
Besides the people I already plan to contact, this is to let others
know about it.  If you're interested, please contact me by E-mail, and
please include an address where my publisher can send the galleys.  You
can reach me on E-mail through AOL at GiniS, Genie at G.SCOTT3, and on
Prodigy at MBMV32A.  Also, please feel free to repost this message on
other BBs and newsletters.

--
Gini Graham Scott
 


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 04 Aug 1994 06:00:36 -0500 (CDT)
Subject: Fingerprinting Rules
Organization: University of Wisconsin-Milwaukee

The following was posted anonymously in alt.privacy.  Since alt.privacy
is an unmoderated forum and since the user had posted through an
anonymous posting site, no permission was requested.  Does anyone
reading this group know about this sort of job requirement?

Len Levine, CPD moderator

    From: an64344@anon.penet.fi
    Date: 02 Aug 1994 22:43:20 UTC
    Subject: Need info about (Non)voluntary 
             Fingerprinting for employment in USA

Hello.

I recently got a job with a commercial bank in New York City (which
will remain unnamed.)

I went in and filled out all the forms they needed:  tax, insurance,
medical stuff, job and education history, copy of my birth certificate,
etc.

Then I got to a form that was titled Fingerprint Authorization.  It
read similar to the following, but this is from memory:

   "I voluntarily give authorization to be fingerprinted, and give
   permission for my fingerprints to be used in a manner deemed necessary
   by <name of bank>."

   "I understand that I do not have to have my fingerprints taken and
   this will not affect any current or future employment with <name of
   bank>."

Seeing the second sentence, and feeling uneasy about giving my
fingerprints I decided that I didn't want to sign this form or be
fingerprinted.

I turned in all the forms and the secretary said that I needed to sign
this fingerprint form.  I said I didn't want to be fingerprinted.  She
looked confused for a second and said that they needed to keep my
fingerprints on record and send a copy of them to Washington.

I said that since I didn't *have* to give my fingerprints, I wasn't
going to.  I was trying to remain calm and be nice, but she kept
pushing.  She said that I *had* to sign it.  Then I said "But it says
right here that I don't have to give my fingerprints."  She didn't know
what to do, so I asked to speak to someone who might know.

She goes back and a few seconds later she comes back with some guy who
I guess was a little higher up in the organization.

He said that I had to sign the form, everybody signs the form, there is
no alternative.

I asked why this sentence about not having to sign and give
fingerprints was on the form, if I *have* to be fingerprinted.

He said "the FDIC makes us put that on there" and that they had no
intention of following it and that I had to sign the form.

Finally, because I wanted this job, and they had no alternative to
offer me, I broke down and signed the form and got fingerprinted.

I called the FDIC here in NYC, but got transferred to a few departments
and no one seemed to know what I was talking about.

Does anyone out there know if the FDIC has any rules on this?  The guy
said that "the FDIC makes them" put that on there, or did I mishear
him?  Is the FDIC in charge of this kind of thing?  Do they have any
rules on this?  Does some other agency control banks and fingerprints?
Do I have any recourse?  Is there anybody I might call?

I don't feel comfortable with this situation.  I don't really like to
have my personal stuff floating around.  The drug piss-test upset me
more than enough, I didn't need this too.

Thanks for any information.


------------------------------

From: Jeremy D. Allaire <jallaire@skypoint.net>
Date: 04 Aug 1994 12:27:16 -0500 (CDT)
Subject: Set Top Boxes

(the author permits full re-distribution of the post.)

Commentary on the advantages and disadvantages of a "filter" or
"preference" based news service prompted me to recall the events from a
conference I recently attended.  It may shed some light on how the
major Cable/Telco folks are thinking about bringing this into your
home.

Essentially, the conference was about how to leverage new interactive
technologies for marketing and advertising.  Folks from Time-Warner,
TCI, US West, Prodigy, and others were there.  The basic thrust was
that Interactive forms of information posed the threat of breaking the
reader/viewer away from the advertisement, because the cold stark fact
was that the majority of people prefer the entertainment/information
over the advertisements.  And, in a world where more control is offered
to the user, that could cause some problems.

Besides the frequently referenced and revolting notion of turning
advertisements into interactive game shows where you win what are
essentially coupons, there were several points made about new
strategies for controlling the reader/viewer in the interactive age.
The upshot was this -- while computers (e.g. set tops or PCs) do allow
for refined choices by the consumer, they also allow for refined
choices by the advertisers.  Major Telco/Cable folks are dying to make
deals with credit card companies and banks to get purchasing behavior
data with which they may "program" (oh my Orwell) your set-top box or
PC data flow.

So, one example was this.  You go to the store and buy toothpaste, it
gets registered in a database, it gets referenced by another database
(here, the Cable/Telco company) which performs an operation (e.g. the
average time to use a roll of toothpaste equals 2 months) and then
programs your set-top to give you a toothpaste ad 2 months down the
line.

The idea is to refine and control the incoming data to meet the
advertisers' needs.  Sound like freedom?

IMHO, the bottom line is that all of this technology will continue to
be advertiser driven, and, hence, the advertiser will shape the
contents of your box more than you shape the contents of your box.

We're obviously talking about a different phenomenon from today's
PC/Online Newspaper service, but that is what is being built by the
Bells and Cable folks, and they are working with their traditional
sponsors.

--
Jeremy Allaire


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 04 Aug 1994 01:00:23 GMT
Subject: The Best of Full Disclosure Magazine

A rather full description of the book "The Best of Full Disclosure --
Volume One" is now available. According to the material sent to CPD,
over 160 pages of interesting and informative articles from Full
Disclosure Magazine are contained in it.  It's just $24.95 postpaid
from the Superior Broadcasting Company, Box 734, Antioch, IL 60002
(Ill res add 6.5% sales tax).

The document can be found in the library supported by this digest.  You
can access the material via anonymous ftp on ftp.cs.uwm.edu
[129.89.9.18].  Login as "ftp" with password "yourid@yoursite".  The
document is in the directory "pub/comp-privacy/z-library".

People with gopher capability can access the library at
gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Mosaic:        gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

From: tenney@netcom.com (Glenn S. Tenney)
Date: 03 Aug 1994 21:17:36 -0800
Subject: Re: SSN Required by Sprint in U.S.

    dunn@nlm.nih.gov (Joe Dunn) wrote: From what I remember though,
    there were provisions to give a number to someone who did not have a
    SSN.  The SSN is used by the system for several reasons. To get an
    adequate voice sample to verify your voice while at the same time
    not reject you because it doesn't recognize your voice. To
    facilitate this, the 800 number you call to gain access to the
    system is determined by your SSN.  In that way if it misidentifies
    a digit, it can decide that number should not be dialing this 800
    number. You don't get billed for someone else's calls because of
    misidentified numbers.

It seems that one simple thing would be to just have the person say the
800 number that they called.  Nothing to remember, no SSN, nothing.
The person has to have the 800 number to call it and it's the right
number of digits plus the system knows that the number is supposed to
be that you're saying.  Sure seems that it would work...

    Just defending a legitimate use of a SSN.

Well, since you began by noting that the system had provisions for any
other number to be used, it's clearly NOT a legitimate use of the SSN.

---
Glenn Tenney
tenney@netcom.com   Amateur radio: AA6ER
(415) 574-3420      Fax: (415) 574-0546


------------------------------

From: dwn@dwn.ccd.bnl.gov (Dave Niebuhr)
Date: 04 Aug 94 07:29:44 EDT
Subject: Re: SSN Required by Sprint in U.S.

    dunn@nlm.nih.gov (Joe Dunn) writes: Well, I worked on this project
    for Sprint and feel pretty confident that there is no privacy issue
    involved in this one. From what I remember though, there were
    provisions to give a number to someone who did not have a SSN.

Oh there isn't?  There are many privacy issues here: income, driver's
licenses, credit cards held, etc.

You say "did not have a SSN."  Well, why not just go ahead and assign
one instead for which you give reasons below.

    The SSN is used by the system for several reasons. To get an adequate
    voice sample to verify your voice while at the same time not reject
    you because it doesn't recognize your voice. To facilitate this,
    the 800 number you call to gain access to the system is determined
    by your SSN.  In that way if it misidentifies a digit, it can
    decide that number should not be dialing this 800 number. You
    don't get billed for someone else's calls because of misidentified
    numbers.

Wouldn't any 9-digit number work as well?

    The number has to be easily remembered by you. When you receive your
    calling card from Sprint, it tells you to speak a digit plus your
    SSN.  In that way you can carry around your calling card and not
    worry about losing it and being usable by someone who finds it. If
    Sprint were to assign you a number, rather than your SSN, you would
    carry around that card until you memorized the number or to
    remember the 800 number to dial.  Using your SSN protects you and
    Sprint from someone using your card to make calls that they can't
    bill you for. The card does not have your SSN printed on it.

The protection would be there just the same if a random 9-digit number
were used that was familiar to the holder of the card.

Let's face it, if someone in Sprint wanted to and I'm not saying that
they would, any number of items about people could be found by having
access to a SSN.

I give my SSN to those entities, both corporate and governmental, that
have a LEGITIMATE need for it such as paying income taxes, paying
interest on credit card bills which has to be reported as income by the
receiver of the money, the bank that pays me what little interest it
does these days, etc.  Those are real needs that they have.

Another area that is SSN based is medical records.  Why should one more
item be available to a snoop if it doesn't have to be?

Sorry, but Sprint dropped the ball on this one.

--
Dave Niebuhr      Internet: dwn@dwn.ccd.bnl.gov (preferred)
                            niebuhr@bnl.gov / Bitnet: niebuhr@bnl
Senior Technical Specialist, Scientific Computing Facility
Brookhaven National Laboratory Upton, NY 11973  1+(516) 282-3093
                                          FAX   1+(516) 282-7688


------------------------------

From: "Harry P. Haas" <hhaas@rsd1000.gatech.edu>
Date: 04 Aug 1994 14:07:07 GMT
Subject: Re: Many Phone Taps are now Legal
Organization: Ga Tech Research Inst/Sensors & EM Applications Lab (GTRI/SEAL)

    Johan Strandberg <johan@netcom.com> wrote:
	Chuck Weckesser writes: [A cordless phone] available from the
	Sharper Image (A Uniden model) operates on the 900 MHz range,
	making "accidental" interception impossible.  

    Ha!  My cordless headphones operate in the 900 MHz range too and
    every time they are slightly de-tuned I get treated to numerous
    phone calls.  And I don't even try...

I am quite curious about this.  I thought that most (all?) 900MHz
phones used digital transmission techniques.  Is that not so? If it is,
what are you picking up if not a cordless phone?  (or is this another
marketing ploy, i.e. "digital" in that the channel id is "digital")

-- 
Harry Haas  GTRI/SEAL       |    Georgia Tech Research Institute
Research Engineer II        |    225 North Ave.
harry.haas@gtri.gatech.edu  |    Atlanta Georgia, 30332
"I know engineers . . . . they *love* to change things"  - Bones


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 04 Aug 1994 12:32:55 -0500 (CDT)
Subject: Re: Questions about using "discussion list" membership lists
Organization: University of Wisconsin-Milwaukee

    John Palkovic <palkovic@x4u2.desy.de> stated: It seems worth
    mentioning that if the computer serving the email list is on the
    internet running sendmail, it is usually possible to query the
    sendmail daemon remotely via telnet and have it print out all the
    email addresses on the list.

Mr. Palkovic is right; the sendmail process has its problems.  Any 
person who knows the true name of the file that a group is using 
as its mailing list can use sendmail to either mail to that group 
or get the eMail addresses of the people on that list.  However, 
that person has to know the true name of the file and that name 
can be made as cryptic as any other password.  He also has to 
find that file when it actually has data in it.  That window can 
be minimized by careful system design.  He also has to know how 
to probe without being detected if he expects to be successful.  

There are other problems with the privacy issues of electronic 
mail.  One issue, for example, involves the way that MCI handles 
its mailing lists.  Any mailing to a list of users in that system 
automatically sends, to each user on that MCI list, the names of 
all other people on that list.  It seems that MCI views mailing 
lists as discussion groups of individuals who should know who 
they are talking with.  That is not an error on the part of MCI, 
it is a difference of opinion as to how groups should interact.  
Computer Privacy Digest is mailed to a list in MCI in such a way 
that this problem is avoided.

There are exploder, or remailer, files that some systems use to allow 
a single posting to be made to the system, which then automatically 
remails that posting to an internal list that is held private from 
external viewing.  This can be done for efficiency or for privacy 
reasons.  Those exploder lists also can be probed for the names 
contained in them.  Computer Privacy Digest cannot protect the content 
of those files.  We do not release the names of those files to the 
public, however.

People who wish to violate the privacy of others know about these 
leaks and people who feel otherwise know how to use the system so 
as to afford adequate privacy wherever that is possible.

However, DAVID@SIMSC.SI.EDU (David Bridge) the originator of this
thread questioned the ethics of such an action.  He said:

    We are gathering information from two sources:  personal
    contributions, and organization representatives (i.e. e-mail
    administrators).  Since these people are providing the information
    for the Directory they are "agreeing" to having it included and
    published.  [...] Does using the names of a public list, WITHOUT
    permission constitute an invasion of privacy? If we include the
    names without permission, is it:  completely legal, "bad form",
    poor netiquette, or illegal? and What is the "official view" on
    this subject from different countries, not just the United States?

There are those who say that the limits on ethics are the same as the
limits on law: if it is legal, it is OK.  I must feel that the ethical
stance is higher than that.  Collection of my name and personal data by
any means and using that data for other than its intended purpose is
outside of my ethics.  That includes data collected by banks,
newspapers and grocery stores as well as eMail.

--
Leonard P. Levine               e-mail levine@cs.uwm.edu
Professor, Computer Science        Office 1-414-229-5170
University of Wisconsin-Milwaukee  Fax    1-414-229-6958
Box 784, Milwaukee, WI 53201       
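The sendmail list-enumeration leak discussed in this thread can be watched for from the server side. The following Python is an added example, not code from the digest or any contributor: it scans constructed sendmail-style syslog lines (the line layout and the `[rejected]` suffix are assumptions) for remote hosts that issue EXPN or VRFY against several distinct targets, which is the probing pattern the moderator mentions; the matching hardening knob in sendmail itself is the `PrivacyOptions` setting noted in the comments.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in a sendmail-like layout. These are
# not from any real server; the exact format sendmail uses for logging
# refused EXPN/VRFY commands is an assumption here. The last line is an
# ordinary delivery record, included so the scanner has to skip it.
SAMPLE_LOG = """\
Aug  4 15:44:05 mailhost sendmail[1201]: NOQUEUE: probe.example.net [192.0.2.10]: EXPN cpd-list [rejected]
Aug  4 15:44:06 mailhost sendmail[1201]: NOQUEUE: probe.example.net [192.0.2.10]: EXPN privacy-l [rejected]
Aug  4 15:44:07 mailhost sendmail[1201]: NOQUEUE: probe.example.net [192.0.2.10]: VRFY postmaster [rejected]
Aug  4 15:44:08 mailhost sendmail[1201]: NOQUEUE: probe.example.net [192.0.2.10]: EXPN staff [rejected]
Aug  4 15:50:12 mailhost sendmail[1290]: NOQUEUE: mail.example.org [198.51.100.7]: VRFY levine [rejected]
Aug  4 15:51:00 mailhost sendmail[1295]: g04Kp0q01295: from=<alice@example.org>, size=512, nrcpts=1
"""

# Hardening side (sendmail.cf / .mc), for reference only:
#   O PrivacyOptions=goaway          (cf syntax)
#   define(`confPRIVACY_FLAGS', `goaway')   (m4 syntax)
# "goaway" bundles noexpn and novrfy, so the daemon refuses both commands
# and the list file name is never expanded for a remote caller.

# Matches "[dotted-quad]: EXPN target" or "[dotted-quad]: VRFY target".
# Requiring the bracketed IP first keeps the "sendmail[1201]:" PID field
# from being mistaken for a probe.
PROBE_RE = re.compile(
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: (?P<cmd>EXPN|VRFY) (?P<target>\S+)"
)


def find_enumeration(log_text, threshold=3):
    """Return {source_ip: sorted [(cmd, target), ...]} for every remote host
    that probed at least `threshold` distinct command/target pairs.

    Counting distinct targets rather than raw lines separates a single
    legitimate address check from a walk through candidate list names.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = PROBE_RE.search(line)
        if m:
            seen[m.group("ip")].add((m.group("cmd"), m.group("target")))
    return {ip: sorted(pairs) for ip, pairs in seen.items()
            if len(pairs) >= threshold}


if __name__ == "__main__":
    for ip, probes in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(probes)} distinct EXPN/VRFY targets")
        for cmd, target in probes:
            print(f"    {cmd} {target}")
```

Run against the sample it reports only 192.0.2.10 (four distinct targets); the single VRFY from 198.51.100.7 stays below the default threshold.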


------------------------------

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

Back issues are available via anonymous ftp on ftp.cs.uwm.edu
[129.89.9.18].  Login as "ftp" with password "yourid@yoursite".  The
archives are in the directory "pub/comp-privacy".

People with gopher capability can access the library at
gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Archives are also held at ftp.pica.army.mil [129.139.160.133].

End of Computer Privacy Digest V5 #017
******************************