Date:       Wed, 10 Aug 94 13:50:38 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V5#022

Computer Privacy Digest Wed, 10 Aug 94              Volume 5 : Issue: 022

Today's Topics:			       Moderator: Leonard P. Levine

                        Re: Fingerprinting Rules
                        Re: Fingerprinting Rules
                     Re: Answering Machine Features
                     Re: Answering Machine Features
                     Re: Answering Machine Features
                     Re: Answering Machine Features
                     Re: Are Web Servers Anonymous?
                   Re: SSN Required by Sprint in U.S.
                   Re: SSN Required by Sprint in U.S.
                       Re: Towards Natl ID card?
                        Re: Bank Account Numbers
                        Re: Bank Account Numbers
                     Big Brother at Checkout Stand
                         Privacy and Marketing
               Privacy Rights Clearinghouse Correction!!!
                 EPIC Seeks Release of FBI Wiretap Data

 ---------------------------------------------------------------------

   Housekeeping information is located at the end of this Digest.

----------------------------------------------------------------------

From: Mike Fischbein <msf@nyc.ov.com>
Date: 08 Aug 1994 14:42:44 -0400
Subject: Re: Fingerprinting Rules

I wouldn't mind being fingerprinted; that's pretty much only useful for
positive ID purposes.  I've had several (different jobs, different
agencies) high security clearances, and been fingerprinted for each, as
well as when I was active duty Navy.  I wouldn't have been upset at all
about fingerprinting.

On the other hand, even though I somewhat reluctantly admit of a
reasonable need for urine testing in the military (and participate,
since I'm still in the reserves), I do NOT feel it is valid before the
fact in the civilian world. I have told firms that wanted samples "no,"
and if they wanted my services they could go ahead anyway.  If they
didn't, they could go elsewhere.

If it was a one-time test and for permanent employment, I might put up
with it, but I have not done that for consulting jobs.


------------------------------

From: poivre@netcom.com (Poivre)
Date: 09 Aug 1994 22:42:43 GMT
Subject: Re: Fingerprinting Rules
Organization: NETCOM On-line Communication Services (408 261-4700 guest)

    JB Wood (JBWOOD@CHEMICAL.watstar.uwaterloo.ca) wrote:
    Fingerprinting is a lot more serious and I would NEVER submit to
    any gov't agency retaining my prints (voluntarily).  About 8 years
    ago, my mom thought it was a good idea when the police offered the
    free service one weekend at the mall.  They said it was to help
    find missing children, but in my mind they just wanted to be able
    to use future technologies to I.D. anybody by computer. I said I
    had a date that night and didn't want ink all over my fingers...
    worked like a charm.

I have always wondered about fingerprinting children against
kidnapping.  What good does fingerprinting do in recovering live,
coherent abductees?  The only use that I can think of would be if they
find the child's corpse and they fingerprint to make a positive ID, or
if somehow the child escapes from the kidnappers or if the kidnappers
let the child go, but the child is left too damaged to tell police
their name or grown too much that family don't recognize them.
Fingerprinting can't prevent crimes against children 'cause the
practical uses of fingerprints come AFTER a crime has already been
committed.  If someone could explain to me the benefits of
fingerprinting children other than what I've said above, I'd like to
hear it.  Otherwise, it's almost useless.

-- 
 .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . .
  poivre@netcom.com               :       #include <disclaimer.h>
                                  :    
 .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . .


------------------------------

From: ppxpmd@unicorn.ccc.nottingham.ac.uk (P.Debenham)
Date: 09 Aug 1994 15:13:45 +0100
Subject: Re: Answering Machine Features
Organization: Cripps Computing Centre, University of Nottingham

Of course for those with some electronic skills there is always another
option if equipment has 'remote' features you do not want,  and that is
open the thing up and modify it.  Most of these devices use fairly
simple logic circuitry which should not be too difficult to understand
and modify.

For those without electronic skills start trying to persuade the
producers that enough people care about their privacy to give a market
for equipment without the 'remote' features.  Problem is that I doubt
enough people care to produce a large enough market so you are back to
option one.  Pass the screwdriver and soldering iron..

-- 
 -------------------------------------------------------------------------------
Peter_Debenham@vme.ccc.nottingham.ac.uk (might differ from header address but
  Physics Dept., Nottingham Uni, UK      this one gets checked most often)


------------------------------

From: poivre@netcom.com (Poivre)
Date: 09 Aug 1994 23:19:10 GMT
Subject: Re: Answering Machine Features
Organization: NETCOM On-line Communication Services (408 261-4700 guest)

    David Redish (David_Redish@GS17.SP.CS.CMU.EDU) wrote: Recently we
    received (as a present) an answering machine made by AT&T.  On
    reading the manual, we discovered that not only does it have
    extensive remote facilities (such as changing your message,
    accessing messages, etc.) protected only by a limited 2 digit code
    (with some 2-digit pairs locked out, so <<99 possible passwords),
    it has a feature so that if you know the 2 digit password you can
    *listen to the room the phone is in*!

I have an answering machine made by Panasonic and it has that listening
feature too.  It also has a button that you can push (this is not a
remote feature) to record the phone conversation you are having.  I
only discovered these features upon reading the manual.  It's not listed
on the box.

    When we went to AT&T to try to exchange it, we discovered that they
    don't make phones without all of these remote features.  So we went
    looking for answering machines (of a decent quality) that don't
    have remote features.  It appears none exist.  Does anyone know of
    a quality made answering machine that does not have these highly
    suspect "bugs" (they called them features, but I know better)?

I don't know of answering machines without those things.  I am not an
answering machine hobbyist so I don't know.  However, if the remote
listening to the room bothers you, you can just unplug the machine from
the phone line whenever you are home.

-- 
 .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . .
  poivre@netcom.com               :       #include <disclaimer.h>
                                  :    
 .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . .


------------------------------

From: Rob.Aronson@fw.gs.com (Rob Aronson)
Date: 10 Aug 1994 11:07:18 +0500
Subject: Re: Answering Machine Features
Organization: Goldman, Sachs & Company -  Distributed Systems Services

David Redish discussed the remote features of his AT&T answering
machine. Well, I have one of the Panasonic all-digital models and it
operates the same way.

I don't have a problem with remote access to features, but I have a big
problem with the security code. Like the AT&T machine, the Panasonic
uses a 2-digit code which in my mind is completely unacceptable.

I think a 3-digit code would be bad enough, although it would deter
most >casual< attackers, but a 2-digit code is absurd.

All of these vendors should wake up to reality and make their machines
more difficult to get into. My guess is that they figure a lot of people
won't realize how many digits are in the code, but that's security
through obscurity and most people would realize that that doesn't
work.


------------------------------

From: glr@ripco.com (Glen Roberts)
Date: 10 Aug 1994 18:19:02 GMT
Subject: Re: Answering Machine Features
Organization: RCI, Chicago, IL

    David Redish (David_Redish@GS17.SP.CS.CMU.EDU) wrote: Recently we
    received (as a present) an answering machine made by AT&T.  On
    reading the manual, we discovered that not only does it have
    extensive remote facilities (such as changing your message,
    accessing messages, etc.) protected only by a limited 2 digit code
    (with some 2-digit pairs locked out, so <<99 possible passwords),
    it has a feature so that if you know the 2 digit password you can
    *listen to the room the phone is in*!

Some fax machines also have the listen in feature....

--
Glen L. Roberts, Editor, Full Disclosure Magazine
Host Full Disclosure Live (WWCR 5,810 khz - Sundays 7pm central)
email glr@rci.ripco.com for information on The Best of Full Disclosure,
four volumes to blow your mind. Voice/Fax on demand: (708) 356-9646
No record. No Trace calling: 1-900-STOPPER (786-7737). $1.95/min


------------------------------

From: stein-c@acsu.buffalo.edu (Craig Steinberger)
Date: 09 Aug 1994 16:56:53 GMT
Subject: Re: Are Web Servers Anonymous?
Organization: SUNY at Buffalo CFD Lab

If the person who connects to a web server is on a machine that runs
the identd daemon, the username as well as the machine is available to
the web server admin. For example, here is an excerpt from my web
logs:

cfd20.eng.buffalo.edu stein-c - [29/May/1994:13:22:55 -0400] "GET /~stein-c/craig.html HTTP/1.0" 200 2302

In fact, if your machine runs the identd daemon, all of your network
connections are traceable to you.

-- 
Craig Steinberger                               stein-c@eng.buffalo.edu
              SUNY at Buffalo, Computational Fluid Dynamics Lab
	      http://cfd20.eng.buffalo.edu/~stein-c/craig.html
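
An added example, not part of the original post: a small audit of Common Log Format entries that reports which clients disclosed a username through identd (the second field of each line). The first sample line is the one quoted in the post; the `example.edu` lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident authuser [timestamp] "request" status bytes
# The ident field is whatever the client's identd reported; "-" means none.
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<authuser>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

SAMPLE_LOG = [
    # Line quoted in the post above.
    'cfd20.eng.buffalo.edu stein-c - [29/May/1994:13:22:55 -0400] '
    '"GET /~stein-c/craig.html HTTP/1.0" 200 2302',
    # Constructed lines: one client without identd, one with, one malformed.
    'host1.example.edu - - [29/May/1994:13:25:01 -0400] '
    '"GET /index.html HTTP/1.0" 200 1024',
    'host2.example.edu jdoe - [29/May/1994:13:26:40 -0400] '
    '"GET /~stein-c/craig.html HTTP/1.0" 200 2302',
    'host2.example.edu jdoe - [29/May/1994:13:27:02 -0400] '
    '"GET /missing.html HTTP/1.0" 404 -',
    'garbage line',
]


def parse_line(line):
    """Return the named fields of one log line, or None if it is malformed."""
    m = CLF.match(line.strip())
    return m.groupdict() if m else None


def ident_exposure(lines):
    """Summarise which requests can be tied to a username.

    Returns (exposed, anonymous, unparsed):
      exposed   maps (host, ident) to the list of paths that user requested
      anonymous counts well-formed lines whose ident field is "-"
      unparsed  counts lines that do not match the log format
    """
    exposed = defaultdict(list)
    anonymous = unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["ident"] == "-":
            anonymous += 1
            continue
        parts = rec["request"].split()
        path = parts[1] if len(parts) >= 2 else rec["request"]
        exposed[(rec["host"], rec["ident"])].append(path)
    return dict(exposed), anonymous, unparsed


if __name__ == "__main__":
    exposed, anonymous, unparsed = ident_exposure(SAMPLE_LOG)
    for (host, user), paths in sorted(exposed.items()):
        print(f"{user}@{host}: {', '.join(paths)}")
    print(f"{anonymous} request(s) without ident, {unparsed} unparsed line(s)")
```
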


------------------------------

From: elvey-matthew@CS.YALE.EDU (Matthew Elvey)
Date: 09 Aug 1994 18:33:18 -0400
Subject: Re: SSN Required by Sprint in U.S.

poivre@netcom.com is a bit confused.  

Friends and Family is MCI's program, not Sprint's!  I have it and it
sucks and is a pain in the ass.  But it gives the best rates I can
find.

(I can't imagine why they don't just give you 20% off everything.  They
could probably get rid of half their staff, who do nothing but add
names and numbers to F&F lists.  Marketing!)

--
Matthew Elvey    New Haven, CT   |   My opinions represent the
elvey@gator.zoo.cs.yale.edu or   |   official policy of Yale U.,
elvey@minerva.cis.yale.edu or    |   all men and the American   
(203)772-4826                    |   Bar Association...NOT!


------------------------------

From: elvey-matthew@CS.YALE.EDU (Matthew Elvey)
Date: 09 Aug 1994 18:37:24 -0400
Subject: Re: SSN Required by Sprint in U.S.

    robert heuman <robert.heuman@rose.com> writes: I for one do NOT
    remember my SSN (SIN here in Canada, but I have BOTH) and carry it
    in my wallet...

In fact, the Social Security card _stub_ states that the card must be
carried at all times, as I recall.


------------------------------

From: kfl@access.digex.net (Keith F. Lynch)
Date: 09 Aug 1994 22:05:11 -0400
Subject: Re: Towards Natl ID card?
Organization: Express Access Public Access UNIX, Greenbelt, Maryland USA

    Mich Kabay [NCSA Sys_Op] <75300.3232@compuserve.com> wrote:
    Authentication might involve "a more secure Social Security card, a
    counterfeit-resistant driver's license and a telephone verification
    system."

What about those of us without driver's licenses?

Also, how do they propose to control the self-employed?

-- 
Keith Lynch, kfl@access.digex.com
f p=2,3:2 s q=1 x "f f=3:2 q:f*f>p!'q  s q=p#f" w:q p,?$x\8+1*8


------------------------------

From: John Palkovic <palkovic@x4u2.desy.de>
Date: 10 Aug 1994 09:30:31 GMT
Subject: Re: Bank Account Numbers

    amy young-leith <alyoung@kiwi.ucs.indiana.edu> writes: I was just
    thinking today.... "Am I the only one bothered by this new gimmick
    of "Have your payment deducted monthly from your checking
    account...." thing I'm seeing everywhere.

This is the standard method of bill payment here in Germany. The
authorization comes from the account holder. You fill out a form,
giving your account number and "Bankleitzahl" (bank number), sign it,
and mail it off. The withdrawals can be stopped by the acct. holder at
any time. Personally, I think it is great. I have had no problems with
such payments.

I don't have to worry about writing checks each month for water, gas,
etc. Notice of the withdrawal is mailed to you, and is also printed on
your account statement (I can get a statement at any time by going to
the bank and running my ATM card through a little machine). If there is
a problem with the amount, you are given a grace period to contest it.
Just like when you pay by check.

--
palkovic@desy.de  Deutsches Elektronen-Synchrotron, Relativity Engineering
"I ask each of you to be intolerant of creeping bureaucracy." - Bob Wilson
finger for PGP public key. MIME and PGP mail welcome


------------------------------

From: wayne@arrow.HIP.berkeley.edu (Wayne Christian)
Date: 10 Aug 1994 17:09:26 GMT
Subject: Re: Bank Account Numbers
Organization: University of California, Berkeley

    I have had money removed from my account by a previous employer.  I
    had set up direct deposit of my paycheck into my checking account.
    Then one time that I received a statement of my account, I noticed
    that money had been withdrawn by my employer.  As I recall, this has
    happened twice.

There are also very strict rules about electronic funds transfers (EFT)
which you will find listed in a disclosure form you get with your
account or you can request from the bank.  You have 60 days to dispute
an EFT, and a legitimate basis for dispute is that you did not authorize
the transfer.  You may legitimately dispute a transfer even if you have
authorized other transfers.  It is the responsibility of the other
party to prove that you authorized this individual EFT.

In practice banks differ in how they interpret the law and it is up to
the bank official you talk to to actually initiate a reversal.  If your
bank seems too willing to allow unauthorized transfers you can take
your business to another bank or even sue the bank.  The law on EFT is
administered by the Federal Reserve, but I have been unsuccessful in
even finding an office at the FED which will accept complaints.
Citibank seems unwilling to exercise consumer rights under the law.

My experience with EFT is that a lot of mistakes get made and companies
will often not even provide an invoice to document what they claim to
have provided.  This is also true of credit cards.  I terminated my
account with CheckFree because of their billing errors.


------------------------------

From: wmccarth@t4fsa-gw.den.mmc.com (Wil McCarthy)
Date: 09 Aug 1994 14:25:29 GMT
Subject: Big Brother at Checkout Stand
Organization: Martin Marietta Corporation

I went grocery shopping yesterday at a King Soopers in Denver, where I
bought all the usual comestibles, pet food, kitty litter, and a
six-pack of beer.  Like most people, I do this about every two weeks.
Yesterday, though, the bar code scanner stopped dead on the beer, and
the words "ID CHECK REQ'D" appeared on the little LED display.

The clerk was then forced to ask for my driver's license, and to type
in my date of birth, to prove to the computer that I was old enough to
buy beer.  I'm 28 years old and look every day of it, and there was
quite a long line behind me, and the clerk was clearly furious at
having to do this for the nth time on a busy day.

I'm concerned that the clerk is no longer permitted to exercise
judgment of any sort, and that the specter of underage drinking is _so_
terrible that every shopper must be inconvenienced to prevent it.  I'm
also concerned that the process is 50% automated at this point.  Much
simpler if you just surrender your license at the start, yes?  The
computer will give it back to you if you haven't broken any laws...

--
The ideal state provides its              Wil McCarthy (wmccarth@t4fsa-gw) 
citizens with the tools to succeed        Martin Marietta Corporation   
and the freedom to fail.                  I made this stuff up myself.  


------------------------------

From: gast@CS.UCLA.EDU (David Gast)
Date: 09 Aug 94 23:21:17 PDT
Subject: Privacy and Marketing

    Marc Thibault <marc@tanda.on.ca> writes:

	Jeremy D. Allaire <jallaire@skypoint.net> writes: ...  hence,
	the advertiser will shape the contents of your box more than
	you ...

    Although there is a privacy issue here, there are also some
    benefits (which is why we routinely give up bits of privacy).

First it appears that Mr. Thibault may be engaged in the
privacy-invading/marketing business and it would be proper for him to
state so up front, so that others can decide if he might be considered
to have a conflict of interest due to his job.

I think we usually give up privacy because we are forced to, not
because we expect some benefit unless you mean that staying alive out
of prison is a benefit as opposed to what should be normalcy.  That is,
I do not think that most people give up privacy voluntarily.

In any event, if you want to use information about someone, you should
first get the permission of that person.

    (1) If you had to pay the full cost of delivering television
    programming to your home, you would spend more time in theatres. A
    lot of people would choose to do without TV.  Advertisers pick up
    the tab and make TV cheap for us to watch.  It is appropriate that
    they get some compensation in the form of viewer attention.

I don't watch TV now.  I cannot think of a bigger waste of time or a
less informative medium.  One of the problems is that because the
advertisers pay for the full cost, the TV networks do not have to care
*directly* whether the shows are popular; the networks only care if
advertisers like the show, which depends on the message and
demographics.  That is, a show could be really popular, but it would be
canceled if there were no advertisers.  (There were some very interesting
Congressional hearings in the sixties.  The big advertisers testified
about all the types of programs, based on content, they would not
advertise on.)  A corollary is that nothing of substance or importance
can be shown on TV because the commercials have to be able to fix all
of our problems in 15 or 30 seconds.  It would detract from the happy
message of the ad if serious problems requiring more than 15 seconds to
solve or unhappy endings were common.  The so-called content is nothing
more than glue to keep the viewer vegetating between commercials, the
true content of TV.

Many people do not want to see the Internet degenerate in this way.

    (2) Smarter marketing as a result of effective use of consumer
    databases means that the time you do spend watching ads will more
    likely be useful.

But I am not interested in spending any time watching ads unless I
specifically choose to do so, and then only for the specific purpose I
have in mind.  I would not have an account with Prodigy in part because
I do not want to get the constant stream of ads.

    No advertiser is going to waste selling dollars trying to sell you
    something you don't want or need if they can help it. You'll get
    ads for stuff you are actually interested in buying. In the end,
    you do in fact shape the contents of your box; effortlessly.

Most ads are not for things that we truly "need."  One of the purposes
of advertising is to create a "need" or a desire for a product.
Further, advertising will remain demographically based.  Further, most
ads have zero content in terms of information.  The purpose in large
part is to attempt to differentiate through emotional attachment nearly
identical products so that the consumer will pay more for one product than
another.  Advertisers hope we will be stupid and pay more for brand
loyalty.

    (3) Smarter marketing will also make it cost effective to advertise
    niche products, so you won't have to dig all over the place for
    that special item - the producer will find you.

Thanks, but I don't want advertisers finding me.  Further, advertising
costs money, and that means that ceteris paribus an unadvertised
product can be sold for less money than a heavily advertised product.
Anyway, even if the producer did find me, the information he sends will
likely be happy faces, and image rather than real information.


------------------------------

From: Privacy Rights Clearinghouse <prc@teetot.acusd.edu>
Date: 09 Aug 1994 23:42:06 -0700 (PDT)
Subject: Privacy Rights Clearinghouse Correction!!!

<<The Privacy Rights Clearinghouse Information Service>> Correction!!! 

Information on the PRC gopher site is in error.  The phone number for
the California hotline was incorrectly listed on the factsheets
contained on the gopher.  The correct number for the PRC Hotline, in
California only, is 1-800-773-7748.  We are sorry for any inconvenience.

The Privacy Rights Clearinghouse (PRC), a non-profit consumer education
group, now has a gopher site. The gopher site contains State
(California) and Federal legislation relating to the issue of privacy
and informational fact sheets that are constantly being updated.  Some
of the topics include: Your Social Security number, junk mail, e-mail
in the work place and wiretapping, and many others.  Gopher to
gopher.acusd.edu.  To telnet to the PRC:  telnet teetot.acusd.edu,
login: privacy.

Once in the USD Gopher, select #4, USD Campus-Wide Information
System/, then select #8, Privacy Rights Clearinghouse.

The Privacy Rights Clearinghouse is a service for California
consumers.  It is administered by the University of San Diego's Center
for Public Interest Law. It is funded by the Telecommunications
Education Trust, a program of the California Public Utilities
Commission. It has been in operation since October 1992.  Voice
(619)298-3396.


------------------------------

From: Dave Banisar <banisar@epic.org>
Date: 09 Aug 1993 13:15:11 +0000
Subject: EPIC Seeks Release of FBI Wiretap Data

             Electronic Privacy Information Center

                          PRESS RELEASE
  _____________________________________________________________

For Release:
August 9, 1994
2:00 pm

            Group Seeks Release of FBI Wiretap Data, 
      Calls Proposed Surveillance Legislation Unnecessary

     Washington, DC:  A leading privacy rights group today sued the
Federal Bureau of Investigation to force the release of documents the
FBI claims support its campaign for new wiretap legislation.  The
documents were cited by FBI Director Louis Freeh during testimony
before Congress and in a speech to an influential legal organization
but have never been released to the public.

     The lawsuit was filed as proposed legislation which would mandate
technological changes long sought by the FBI was scheduled to be
introduced in Congress.

     The case was brought in federal district court by the Electronic
Privacy Information Center (EPIC), a public interest research
organization that has closely monitored the Bureau's efforts to mandate
the design of the nation's telecommunications infrastructure to
facilitate wiretapping.  An earlier EPIC lawsuit revealed that FBI
field offices had reported no difficulties conducting wiretaps as a
result of new digital communications technology, in apparent
contradiction of frequent Bureau claims.

     At issue are two internal FBI surveys that the FBI Director has
cited as evidence that new telephone systems interfere with law
enforcement investigations.  During Congressional testimony on March
18, Director Freeh described "a 1993 informal survey which the FBI did
with respect to state and local law enforcement authorities."
According to Freeh, the survey describes the problems such agencies had
encountered in executing court orders for electronic surveillance.  On
May 19 the FBI Director delivered a speech before the American Law
Institute in Washington, DC.  In his prepared remarks, Freeh stated
that "[w]ithin the last month, the FBI conducted an informal survey of
federal and local law enforcement regarding recent technological
problems which revealed over 180 instances where law enforcement was
precluded from implementing or fully implementing court [wiretap]
orders."

     According to David L. Sobel, EPIC's Legal Counsel, the FBI has not
yet demonstrated a need for the sweeping new legislation that it
seeks.  "The Bureau has never presented a convincing case that its
wiretapping capabilities are threatened.  Yet it seeks to redesign the
information infrastructure at an astronomical cost to the taxpayers."
The nation's telephone companies have consistently stated that there
have been no cases in which the needs of law enforcement have not been
met.

     EPIC is a project of the Fund for Constitutional Government and
Computer Professionals for Social Responsibility.

================================================================
           FBI Director Freeh's Recent Conflicting 
   Statements on the Need for Digital Telephony Legislation
_______________________________________________________________

Speech before the Executives' Club of Chicago, February 17:

   Development of technology is moving so rapidly that several hundred
   court-authorized surveillances already have been prevented by new
   technological impediments with advanced communications equipment.

	       *               *               *

Testimony before Congress on March 18:

   SEN. LEAHY: Have you had any -- for example, digital telephony, have
   you had any instances where you've had a court order for a wiretap
   that couldn't be executed because of digital telephony?

   MR. FREEH: We've had problems just short of that.  And I was going
   to continue with my statement, but I won't now because I'd actually
   rather answer questions than read. We have instances of 91 cases --
   this was based on a 1993 informal survey which the FBI did with
   respect to state and local law enforcement authorities.  I can break
   that down for you.

	       *               *               *

Newsday interview on May 16:

   We've determined about 81 different instances around the country
   where we were not able to execute a court-authorized electronic
   surveillance order because of lack of access to that particular
   system - a digital switch, a digital loop or some blocking
   technology which we didn't have to deal with four or five years
   ago.

	       *               *               *

Speech before the American Law Institute on May 19:

   Within the last month, the FBI conducted an informal survey of
   federal and local law enforcement regarding recent technological
   problems which revealed over 180 instances where law enforcement was
   precluded from implementing or fully implementing court orders [for
   electronic surveillance].

   ============================================================


------------------------------

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

Back issues are available via anonymous ftp on ftp.cs.uwm.edu
[129.89.9.18].  Login as "ftp" with password "yourid@yoursite".  The
archives are in the directory "pub/comp-privacy".

People with gopher capability can access the library at
gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Archives are also held at ftp.pica.army.mil [129.139.160.133].

End of Computer Privacy Digest V5 #022
******************************