Date:       Tue, 09 Aug 94 06:50:05 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V5#021

Computer Privacy Digest Tue, 09 Aug 94              Volume 5 : Issue: 021

Today's Topics:			       Moderator: Leonard P. Levine

                         Towards Natl ID card?
                       Answering Machine Features
                       Health Care Privacy Alert
                     Re: Are Web Servers Anonymous?
                     Re: Are Web Servers Anonymous?
                        Re: Bank Account Numbers
                        Re: Bank Account Numbers
                        Re: Internet White Pages
                        Re: Internet White Pages
                           Re: Set Top Boxes

 ---------------------------------------------------------------------

   Housekeeping information is located at the end of this Digest.

----------------------------------------------------------------------

From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Date: 08 Aug 94 08:43:38 EDT
Subject: Towards Natl ID card?

from the Washington Post newswire (94.08.04) via Compuserve's Executive
News Service:

"Targeting Illegal Workers; Immigration Panel Wants Job Applicants To
Prove Identities"

	By Roberto Suro 
 	Washington Post Staff Writer

"An influential commission on immigration policy yesterday urged
President Clinton to expand the fight against illegal workers by
testing a program that would require all job applicants to prove their
identities.

"The president could launch such a program immediately under existing
authority and without the need for new legislation, said former
representative Barbara Jordan (D-Tex.), chairman of the Commission on
Immigration Reform, who unveiled the recommendation yesterday in
congressional testimony."

Key points from Suro's article:

o       Computer registry of all authorized workers.

o       Employers required to verify authorization to work before
hiring.

o       Many groups protest what they see as incremental approach to a
national identity card.

o       Pilot projects would begin in CA, NY, TX, FL and IL, where the
INS estimates 80% of the estimated 4 million illegal immigrants live.

o       Authentication might involve "a more secure Social Security
card, a counterfeit-resistant driver's license and a telephone
verification system."

o       If successful, the program would be extended nationally.

M. E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn


------------------------------

From: David Redish <David_Redish@GS17.SP.CS.CMU.EDU>
Date: 08 Aug 94 10:50:17 -0400
Subject: Answering Machine Features

Recently we received (as a present) an answering machine made by AT&T.
On reading the manual, we discovered that not only does it have
extensive remote facilities (such as changing your message, accessing
messages, etc.) protected only by a limited 2 digit code (with some
2-digit pairs locked out, so <<99 possible passwords), it has a feature
so that if you know the 2 digit password you can *listen to the room
the phone is in*!

When we went to AT&T to try to exchange it, we discovered that they
don't make phones without all of these remote features.  So we went
looking for answering machines (of a decent quality) that don't have
remote features.  It appears none exist.  Does anyone know of a quality
made answering machine that does not have these highly suspect "bugs"
(they called them features, but I know better)?


------------------------------

From: Dave Banisar <banisar@washofc.epic.org>
Date: 08 Aug 1994 21:21:37 EST    
Subject: Health Care Privacy Alert 
Organization: Electronic Privacy Information Center

    FYI, pls respond directly to the address below.

    Date: 07 Aug 1994 12:43 EDT
    From: WOODWARD@BINAH.CC.BRANDEIS.EDU (Beverly Woodward)
    Subject: Health Care Privacy Alert

                                 ALERT

     The health care legislation proposed by Gephardt in the House and
Mitchell in the Senate contains provisions which would establish a
national health care data network and override most state medical
confidentiality laws.  All health care providers, whether paid by
insurance or not, will be required to provide the network with data
from the patient medical record after every clinical encounter.
(The data elements will not be limited to what is necessary for
billing purposes.)  A very weak "privacy" (or "fair information")
code will regulate the redisclosure of such patient-identified
information.  The law will permit person-identified information
to be made available in various circumstances to law enforcement
officials, medical and social studies researchers, and government
authorities without the knowledge or consent of the patient.  
These legislative provisions are being promoted as administrative
simplification and cost-saving measures, but they will seriously
erode patient privacy.  Unfortunately the general public has not
been informed about these sections of the health care reform bills.
Legislation of this kind requires intensive debate and should not
be folded into a bill to extend insurance coverage and reform
health care financing.  Contact your Representative and your Senators
to urge that the "Administrative Simplification," "National Health
Care Data Network," and so-called "Privacy" and "Fair Information
Practices" sections of these bills be deleted.  The general telephone
number for Capitol offices is 202, 224-3121.

Watch for further updates!  You may contact us at 617, 433-0114.
Coalition for Patient Rights, Massachusetts


------------------------------

From: "Dennis G Rears" <drears@pica.army.mil>
Date: 08 Aug 1994 13:54:55 GMT
Subject: Re: Are Web Servers Anonymous?
Organization: U.S Army ARDEC, Picatinny Arsenal, NJ

    MLaroque <mlaroque@aol.com> wrote: A web question: I understand
    that the administrator of a web server has access to a log of
    connections made.

Correct.  For the most part some admins just toss them without
looking.

     How do the logs for the server work ?
     As a server administrator, can one determine the
    [1]     { }     users who web to the server
    [2]     { }     sites of the users who web to the server
    [3]     { }     sites from which the most adjacent connection was made

The answer is 2.  We can determine the host where the request came
from.

  An example of a log:

qa.pica.army.mil [Mon Aug  8 09:16:42 1994] GET /drears/images/blueball.gif HTTP/1.0
zircon.pica.army.mil [Mon Aug  8 09:22:42 1994] GET /sunnet.html/ HTTP/1.0

You will notice the first field is the host.  The second is the date.
The third/fourth field is the name of the file and the fifth field is
version.

    user on netcom webs to ucla.edu
    user chooses cs.bu.edu from a menu on ucla

    Under [3] above, the cs.bu.edu administrator would know that there
    had been a web connection from ucla, but would not know the
    client was on netcom.

No.  The connection came from netcom.  When the user chooses an item on
ucla that actually resides on cs.bu.edu, the web client (on netcom)
grabs it from cs.bu.edu.  Ucla does not grab it for ucla from
cs.bu.edu.

    Essentially, I am wondering about the anonymity of the users
    connecting to a server.

For the most part logs are used to produce overall usage reports or
maybe to help diagnose problems with html documents.  As a WWW server
admin, I like to find out numbers of connections from the top level
domains (e.g. mil, com, edu) but I almost never go into my log files.
This was the first time in 4 months that I actually went into them.  A
program called getstats does all my summarizing for me.

An admin has better things to do with his time than to look at who
(individually) is looking at his stuff.  Some pages might have a
registration form for you to fill out but that is voluntary.


------------------------------

From: leppik@uxa.cso.uiuc.edu (leppik peter)
Date: 08 Aug 1994 19:55:57 GMT
Subject: Re: Are Web Servers Anonymous?
Organization: University of Illinois at Urbana

    mlaroque@aol.com (MLaroque) writes: I understand that the
    administrator of a web server has access to a log of connections
    made.  [.....] Essentially, I am wondering about the anonymity of
    the users connecting to a server.

The log (at least in the implementation of the httpd I use) stores for
each "hit" the time of the hit, the machine which made the request, and
the file requested.

No information is available on the username of the person initiating
the request, though sometimes this can be deduced from other
information (for example, if you are using Mosaic from a personal
computer, all you need to find out is who owns the computer for that IP
address....similarly for accessing via SLIP, if your provider keeps
logs).  If there is sufficient motivation for both the owner of the
server, and the owner of the machine from which the request is made (or
the owner of the net links), then a lot could probably be discovered
(for example, if someone was seriously abusing someone's Web server).

No information is available on what page the requester "hit" previous
to a particular hit.

In general, you're probably safe in assuming that the Web is anonymous,
unless (1) you give out your name or address in a form somewhere, or,
(2) you do something to really piss someone off, to the point where the
operator of the server is REALLY motivated to track you down.

-- 
Peter Leppik--  p-leppi@uiuc.edu
I'm Not A Physicist, But I Play One On The Net
http://jean-luc.ncsa.uiuc.edu/People/PeterL/HOME.html
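
The log format shown in Dennis Rears's reply, with the fields Peter Leppik lists (time, requesting machine, file requested), parsed as an added example that is not part of either post or of the digest. It tallies requests by top-level domain, the kind of summary Rears describes, and groups requested paths by host; the function names are this example's own, and every SAMPLE_LOG line after the first two is constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# First two lines are the entries quoted in the digest; the rest are constructed.
SAMPLE_LOG = """\
qa.pica.army.mil [Mon Aug  8 09:16:42 1994] GET /drears/images/blueball.gif HTTP/1.0
zircon.pica.army.mil [Mon Aug  8 09:22:42 1994] GET /sunnet.html/ HTTP/1.0
pc17.example.edu [Mon Aug  8 09:30:05 1994] GET /index.html HTTP/1.0
pc17.example.edu [Mon Aug  8 09:31:40 1994] GET /drears/images/blueball.gif HTTP/1.0
192.0.2.44 [Mon Aug  8 09:40:11 1994] GET /index.html HTTP/1.0
truncated entry with no timestamp
"""

LINE_RE = re.compile(r"^(?P<host>\S+) \[(?P<when>[^\]]+)\] "
                     r"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<version>\d\.\d)$")

def parse_line(line):
    """Return the fields of one entry, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Collapse the padded day ("Aug  8") before parsing the timestamp.
    rec["when"] = datetime.strptime(" ".join(rec["when"].split()),
                                    "%a %b %d %H:%M:%S %Y")
    return rec

def parse_log(text):
    """Split a log into parsed records and rejected raw lines."""
    records, rejected = [], []
    for line in filter(str.strip, text.splitlines()):
        rec = parse_line(line)
        (records if rec else rejected).append(rec or line)
    return records, rejected

def tld_counts(records):
    """Requests per top-level domain; bare IPv4 hosts count as 'unresolved'."""
    def tld(host):
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            return "unresolved"
        return host.rsplit(".", 1)[-1].lower()
    return Counter(tld(r["host"]) for r in records)

def trail_by_host(records):
    """Paths requested by each host, in time order."""
    trail = defaultdict(list)
    for r in sorted(records, key=lambda r: r["when"]):
        trail[r["host"]].append(r["path"])
    return dict(trail)
```

Each parsed record holds a host, a time, a method, a path and a protocol version; there is no user name or previous-page field in the format to parse, which matches both replies.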


------------------------------

From: glr@ripco.com (Glen Roberts)
Date: 08 Aug 1994 14:47:06 GMT
Subject: Re: Bank Account Numbers
Organization: RCI, Chicago, IL

    amy young-leith (alyoung@kiwi.ucs.indiana.edu) wrote: What I want
    to ask is: WHEN did I give my bank authorization to allow other
    people to take money out of my account?  How can they allow these
    "deductions" with just a signature at a company (most say, "Just
    fill in your account number and sign below...."

The telemarketers have come up with a new trick. Many found it hard to
get Visa/MC accounts, because they didn't qualify... Visa/MC ensures
good customer service... if you don't like the stuff (mail/phone) it is
EASY to have the charges reversed.

So, they came up with an idea to do it with checks. Rather than asking
for your Credit Card number... they will ask for your bank account
number off the bottom of one of your checks. They will then have a
"facsimile" check made, that looks like a real check, but in the spot
for the signature, it says "no signature required." The telemarketer
(or other business) then deposits these checks.

This works great... as long as everything is on the up and up and
there are no mistakes.

What happens if a credit card charge of $100 is put in as $1000? Well, you
might be turned down on a transaction the next week.

What happens if a check of $100 is run through as $1000... your
balance is $900 less than you think, and if you write a check that
bounces, you could be arrested for a felony.

It would be much worse, of course, if someone stole your checking
account number and took money out. Unlike the credit cards that have an
easy procedure for contesting charges... have fun at the bank!

--
 --------------------------------------
Glen L. Roberts, Editor, Full Disclosure Magazine
Host Full Disclosure Live (WWCR 5,810 khz - Sundays 7pm central)
email glr@rci.ripco.com for information on The Best of Full Disclosure,
four volumes to blow your mind. Voice/Fax on demand: (708) 356-9646
 --------------------------------------


------------------------------

From: makyen@netcom.com (makyen@netcom.com)
Date: 09 Aug 1994 07:11:39 GMT
Subject: Re: Bank Account Numbers
Organization: NETCOM On-line Communication Services (408 261-4700 guest)

    sherry@meaddata.com (Sherry White) writes: I never felt that I
    should hide my bank account number because I felt the only thing
    one could do with it was deposit money into my account.  Then I was
    told that when a company direct deposits your check into the account
    they have the privilege to deduct money as well. They say it's
    in case a mistake is made and needs correction. Could someone e-mail
    me and tell me what else can be done with my bank account number.

I have had money removed from my account by a previous employer.

I had set up direct deposit of my paycheck into my checking account.
Then one time that I received a statement of my account, I noticed
that money had been withdrawn by my employer.  As I recall, this has
happened twice.

makyen


------------------------------

From: Lynne Gregg <lynne.gregg@mccaw.com>
Date: 08 Aug 94 09:50:00 PDT
Subject: Re: Internet White Pages

    jeffrey@minerva.cis.yale.edu (Jeffrey Licht) said: * Do people
    posting on Usenet know that their e-mail addresses are being
    recorded?  (I doubt it.)

PROBABLY NOT.

    * Does anyone have the right to publish this information about me,
    for personal gain, without contacting me first?  This is currently
    done all the time with (snail) mailing lists - is it appropriate
    for the Internet?

YOU BET THEY HAVE THE RIGHT:  THIS IS A PUBLIC - NOT PRIVATE - NETWORK.

    * And if this book calls itself a "White Pages", is there a
    provision to request an unlisted number?  (There may be - I didn't
    look at it long enough to find out.)

IN THAT BOOK, YOU'LL FIND THEIR EMAIL ADDRESS TO REQUEST
ADDS/DELETIONS.

MY DISCOVERY WAS SIMILAR TO YOUR OWN.   ONLY ONE OF MY EMAIL ADDRESSES
WAS LISTED.  I ASKED FOR THE OTHER TO BE INCLUDED AS WELL.

I THINK THE WHITE PAGES IS A GREAT IDEA - AND OVERDUE.


------------------------------

From: "David A. Honig" <honig@buckaroo.ics.uci.edu>
Date: 08 Aug 1994 14:13:32 -0700
Subject: Re: Internet White Pages
Organization: UC Disneyland, in the Kingdom of Bren

    jgd@dixie.com (John De Armond) writes: jeffrey@minerva.cis.yale.edu
    (Jeffrey Licht) writes: * Do people posting on Usenet know that
    their e-mail addresses are being recorded?  (I doubt it.) If a
    person speaks in public to an audience of thousands, does he know
    that someone may have written down his name for future use?  If he
    didn't, he should have.

I was shocked last year to find a classroom full of computer science
grads who hadn't realized that everything they ever posted was stored
on tape or CDROM by some TLA for use in security clearances.  John's
statement should be amended to read, "if someone communicates and
computers are involved, assume it's stored forever".  This is just a
corollary of plan for the worst.

-- 
David A. Honig,  informivore
Prof. D. Denning: fool, fascist or Faust?  Only the NSA knows for sure..
		Ayatollah:Rushdie::NSA:RSA   


------------------------------

From: flb@flb.optiplan.fi (F.Baube[tm])
Date: 08 Aug 94 19:51:44 EET
Subject: Re: Set Top Boxes

    Surely sendmail reeled when thusly spake Marc Thibault: (1) If you
    had to pay the full cost of delivering television programming to
    your home, you would spend more time in theatres. A lot of people
    would choose to do without TV.  Advertisers pick up the tab and
    make TV cheap for us to watch.  It is appropriate that they get
    some compensation in the form of viewer attention.

I'm not sure this is strictly privacy-related, but ..

There's a third possibility, TV licenses.  Call me silly, but I happen
to *like* commercial-free TV, and I'm more than willing to pay a
reasonable amount for it. (It means movies are still coherent, for one
thing.)

I'm not sure how such a policy option could translate to the case of
the set-top box.  Perhaps those opting out of commercials would pay an
extra fee that would contribute to a rebate pool for advertisers ?
Then *no* marketing data from *any* source could be used to target me.

-- 
* Fred Baube(tm)  * "Do you really want to hurt me ?
* GU/MSFS/88      *  I want your sex !
* baube@optiplan.fi  Because I'm bad, I'm bad Jammon, so
* #include        *  Stay just a little bit longer"
*  <disclaimer.h> *  -- Boy George Michael Jackson Browne


------------------------------

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

Back issues are available via anonymous ftp on ftp.cs.uwm.edu
[129.89.9.18].  Login as "ftp" with password "yourid@yoursite".  The
archives are in the directory "pub/comp-privacy".

People with gopher capability can access the library at
gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Archives are also held at ftp.pica.army.mil [129.139.160.133].

End of Computer Privacy Digest V5 #021
******************************