Date:       Tue, 22 Nov 94 08:59:42 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V5#065

Computer Privacy Digest Tue, 22 Nov 94              Volume 5 : Issue: 065

Today's Topics:			       Moderator: Leonard P. Levine

                Re: Datamation Writes on the Wiretap Act
                        Re: Mother's Maiden Name
                        Re: Mother's Maiden Name
                              Debit Cards
     Vancouver Sun reports E-mail interception within BC Government
                      Re: Must I Always Carry I.D?
                  Conferences that may be of interest
                         Forged Internet Email
             Re: Corporate Electronic Communications Policy
          Info on CPD, Contributions, Subscriptions, FTP, etc.

----------------------------------------------------------------------

From: hedlund@halcyon.halcyon.com (M. Hedlund)
Date: 19 Nov 1994 21:34:04 GMT
Subject: Re: Datamation Writes on the Wiretap Act
Organization: NWNEXUS, Inc. - Making Internet Easy

    Doug Sewell <doug@cc.ysu.edu> wrote: [from the November 15, 1994
    issue of Datamation, in Press Watch on p. 99:] Despite a last minute
    push by privacy geeks like the American Civil Liberties Union to
    block its passage, Congress has approved President Clinton's new
    data-wiretapping legislation.  [...] This shows what "professional
    DP people" think of both privacy and "us geeks".

You think?  I read that as a sarcastic take on _Congress's_ view of the
bill -- that it was something only privacy geeks cared about.

But then, I know nothing about Datamation or its biases....


------------------------------

From: sean@sdg.dra.com (Sean Donelan)
Date: 19 Nov 94 17:12:45 CDT
Subject: Re: Mother's Maiden Name
Organization: Data Research Associates, St. Louis MO

    Panopticon@oubliette.COM writes: and a wife without support. After
    all, our government, local and national, has not yet really shown
    significant enforcement of child support laws. I know that many of
    you will mention that we must preserve the privacy of every man in
    that we may secure privacy for all, and on the face of it I agree
    with this. But isn't it time we made an exception in the case of
    child support?  Given that the assets of the man belong, legally in
    part, to his children.

The exception has already been made.  The US federal government is
requiring all the states to set up a fully automated means of tracking
down people who don't pay child support.  I believe that Minnesota is
the first state to bring their system on-line.

-- 
Sean Donelan, Data Research Associates, Inc, St. Louis, MO
Domain: sean@dra.com, Voice: (Work) +1 314-432-1100


------------------------------

From: Robert Ellis Smith <0005101719@mcimail.com>
Date: 21 Nov 94 16:00 EST
Subject: Re: Mother's Maiden Name

Jim Green (Nov. 15) and others imply that because we're free to select
any "mother's maiden name" we should feel secure about our bank records
and other personal information.

As I tried to point out earlier, when you supply a mother's maiden name
(or functional equivalent), the bank is free to pass that on to a
credit bureau.  The credit bureau, in turn, is free to disclose that to
ANYBODY for a fee, including private snoopers.  CREDIT information may
be disclosed only to users with a permissible purpose under the law,
but mother's maiden name can be disclosed to anyone.

What good is a personal password that can be bought and sold in the
marketplace by strangers?  And isn't it a deception for banks and
others to imply that a mother's maiden name is some kind of secure
password?

--
Robert Ellis Smith
Publisher
Privacy Journal


------------------------------

From: robert.heuman@rose.com (robert heuman)
Date: 20 Nov 1994 20:25:40 -0500
Subject: Debit Cards
Organization: Rose Media Inc, Toronto, Ontario.

The use of debit cards has been discussed, without a clear
understanding of their purpose.  Their purpose, from a bank's
viewpoint, is to get rid of the float and credit card frauds.  From the
merchant's viewpoint, he is assured payment, because the funds are
transferred from your account to his at the time the card is run
through the equipment.  There is NO advantage to you - you do lose the
float (if your bank really gave you one) and there is no credit
attached to the card, so an overdraft is a loan, if the bank has given
you those privileges.

Do not, for one moment, believe that the debit card is to your
advantage.  When compared to a credit card, unless you have problems
handling your money, there is NO benefit to you.  The card is for the
Bank's purposes.  Eventually the banks would like to see the end of
credit cards and the exclusive use of debit cards - no float - loans
carrying high interest if you overdraw, and eliminate credit card
fraud.  Just be sure you can:

    1. select your own PIN
    2. change your PIN at any time, day or night, on YOUR demand
    
Else refuse to use the damn things - if enough users REFUSE to use 
them the bank has a marketing choice - alienate customers or continue 
to provide credit cards.

Credit cards will be around for a number of years, but expect them to 
disappear within 10-20 years unless consumers start protesting debit 
cards, en masse, NOW.

---
   RoseReader 2.52  P001886 Entered at [ROSE]
   RoseMail 2.60 : RoseNet<=>Usenet Gateway : Rose Media 416-733-2285


------------------------------

From: ua602@freenet.Victoria.BC.CA (Kelly Bert Manning)
Date: 20 Nov 1994 23:01:37 -0800
Subject: Vancouver Sun reports E-mail interception within BC Government

The Vancouver Sun published a report about this on page B1 of the
94/Oct/12 issue. The headline was "Ministry admits to e-mail tapping:
MESSAGES: Corrections official sounded alarm on tapping". Byline:
Harold Munro.

The individual whose E-mail was being monitored found out after someone
sent him a note and got an acknowledgement from a second ID that he hadn't
CCed.

I'll quote remarks attributed to Steve Howell, described as a "program
analyst with the corrections branch in Victoria."

"McKinnon was sent the e-mail of Hogg, Barr and a handful of other
civil servants on certain dates from July through September 1993".

"If current messages were monitored in May, Howell said, it might be
because computer systems officials are not accustomed to retrieving
e-mail. This might be the first time that they had ever had such a 
request."

"But, he added, the ministry does operate on the basis of a legal opinion
that e-mail is the property of the government, not the employee, as soon
as it is sent. Therefore the government believes it can read employee
e-mail at any time."


------------------------------

From: VSLARRY@weizmann.weizmann.ac.il (Larry Israel)
Date: 20 Nov 1994 19:19:15 GMT
Subject: Re: Must I Always Carry I.D?
Organization: Weizmann Institute of Science

In Israel a driver must always have his license, vehicle registration,
and compulsory insurance certificate. It used to be that if you did not
have them, you had twenty-four hours to get to the local police station
and show them (I don't know if this was the law, or what the police
allowed you out of the goodness of their hearts). A few years ago the
law (or perhaps practice) was changed, and you will be fined if caught
without them in your possession. Of course, a small fine compared to
the one levied if you really don't have a license, a registered
vehicle, or compulsory insurance.


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 21 Nov 1994 08:41:17 -0600 (CST)
Subject: Conferences that may be of interest
Organization: University of Wisconsin-Milwaukee

The CPSR sent this to its Members and Friends.  Some of them were
issues that related to privacy.  What follows is a portion of their
list:

CONFERENCE /EVENT  SCHEDULE

Free Speech and Privacy in the Information Age. Waterloo, Ontario. Nov.
26, 1994, Sponsored by University of Waterloo. 
Contact:  sfsp@graceland.uwaterloo.ca.

The Technology for Information Security Conference '94 (TISC '94), 
Galveston, TX, Dec. 5-8.  
Contact:  John D'Agostino  dagostin@killerbee.jsc.nasa.gov

"Information Espionage," Cincinnati, OH, Dec. 6.  
Contact:  thornbge@cyxsmtp.wpafb.af.mil

1995 Data Security Conference. Jan 9-11, 1995. Redwood City, CA.
Sponsored by RSA Data Security. Contact: kurt@rsa.com

Towards an Electronic Patient Record '95. Orlando, FL. Mar. 14-19,
1995. Sponsored by Medical Records Institute. Contact: 617-964-3926
(fax).

Access, Privacy, and Commercialism:  When States Gather Personal 
Information, College of William and Mary, Williamsburg, VA, March 17.
Contact:  Trotter Hardy  804 221-3826

Computers, Freedom and Privacy CFP'95, Burlingame CA, Mar 28-31
Contact: <cfp95@forsythe.stanford.edu>

1995 IEEE Symposium on Security and Privacy, Oakland, CA, May 8-10.
Contact:  sp95@itd.nrl.navy.mil

Tenth Annual Conference on Computing and Philosophy (CAP), Pittsburgh, PA, 
Aug. 10-12.  Contact:  Robert Cavalier    rc2z@andrew.cmu.edu   412 268-7643

Computers in Context:  Joining Forces in Design, Aarhus, DENMARK, Aug. 14-18.
Contributions for papers, proposals for panels, workshops, and tutorials 
(in 6 copies - not by facsimile or e-mail):  Deadline for receipt Jan 5.  
Contact:   Computers in Context, Aarhus University, Dept. of Computer Science,
Bldg. 540, Ny Munkegade 116, DK-8000 Aarhus C, DENMARK.

           --- CPSR ANNOUNCE LIST END ---

To alter or end your subscription to this mailing list,
write to listserv@cpsr.org.  For general information send the message:
	HELP
To unsubscribe, send the message:
	UNSUBSCRIBE CPSR-ANNOUNCE
You need to do this from the same machine you subscribed from.
In both cases, leave the subject blank, or at least not resembling an
error message.


------------------------------

From: mr.rogers@the_place_to_be_.nut
Date: 19 Nov 94 20:24:47 PST
Subject: Forged Internet Email

This is another example of how simple it is to forge messages.
What I really found as shocking was how just about anyone on
any kind of computer can pull it off.

--
Xxxxx Xxxxx
xxxxx@xxxxxxx.xxx

[extensive moderator comment:  The author of the above did actually
sign with a name and a reasonable looking email address.  I have
removed them since what I say below could easily be considered
offensive and there is no reason to put him or her to embarrassment if,
in fact, the name is not that of the actual forger.

I responded to this message with my usual acknowledgement and got the
message below.  Truly shocking and alarming; a user had found a way to
forge Internet email.  Earlier today I noted that a paper envelope on
my desk had a return address of "God in Heaven".  Incredible, a user
had managed to evade the power of the mighty Post Office and forge a
return address on this too.  A month ago I received a phone call from
someone claiming to be Newt Gingrich.  Some investigation traced that
call to a pay phone on the street.  Even the power of the Phone Company
quakes before these technical geniuses.  Credit cards have been forged,
copied, spoofed.  Alarm!  Alarm!!

The ultimate authority of a claim to my identity is me and my
credibility.  If I claim that a message in _any_ media is not mine then
the onus falls on the claimant to establish that the claim is valid.
Can I be seriously inconvenienced, even to the point of being
arrested?  Yes.  The problem, however, is not electronic, it is just
old fashioned criminal action.  It can and should be watched and
controlled, it can never be fixed, except at horrible cost to our life
style; a cost greater than I choose to pay.

So, bring on your forged email, you got me again.  After all the 'D'
key is right here under ... my middle finger.

Actual copy of bounce from forged email message:

    Date: 20 Nov 1994 08:34:27 -0600
    From: Mail Delivery Subsystem <MAILER-DAEMON>
    Subject: Returned mail:  Host unknown (Name server: 
                       the_place_to_be_.nut: host not found)
    To: levine
    The original message was received at Sun, 20 Nov 1994 
    08:34:26 -0600 from levine@localhost

       ----- The following addresses had delivery problems -----
    mr.rogers@the_place_to_be_.nut  (unrecoverable error)

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Mosaic:        gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------]

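The bounce above is the one clue the forged message left behind: the
domain in its From: header could not be resolved.  As an added example
(not part of the digest and not any contributor's code), the Python
script below shows two checks a receiving site can apply to an
unauthenticated From: header before acting on it: whether the domain is
even a syntactically legal hostname under RFC 1123 (underscores, as in
the_place_to_be_.nut, are not permitted in a label, so such a name can
never resolve), and whether the peer named in the Received: line stamped
by the site's own mailer has anything to do with the From: domain.  The
sample message, its Received: line, and the names relay.example.net and
pm3-12.dialup.example.org with address 192.0.2.17 are constructed for the
example.  Only the Received: header your own mailer wrote can be trusted;
the comparison against it is a heuristic, not sender authentication.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# RFC 1123 hostname label: letters, digits and hyphens, 1 to 63 characters,
# no leading or trailing hyphen. Underscores are not permitted, which is
# why "the_place_to_be_.nut" can never resolve whatever DNS is asked.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# "from <host> ..." at the start of a Received: header; the host token ends
# at whitespace, "(" or ";".
_RECEIVED_FROM = re.compile(r"^\s*from\s+([^\s(;]+)", re.IGNORECASE)


def valid_hostname(host: str) -> bool:
    """Syntactic check only: a legal name may still not exist in DNS."""
    host = host.rstrip(".")
    if not host or len(host) > 253:
        return False
    labels = host.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def in_domain(host: str, domain: str) -> bool:
    """True if host is domain itself or a name beneath it."""
    return host == domain or host.endswith("." + domain)


def from_domain(msg) -> str:
    """Domain part of the From: header, lowercased; '' if there is none."""
    _display, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def received_hops(msg) -> list:
    """Host each Received: header says it got the message from, newest
    first. MTAs prepend, so the first entry is the one our own MTA wrote."""
    hops = []
    for header in msg.get_all("Received", []):
        match = _RECEIVED_FROM.match(header)
        hops.append(match.group(1).lower() if match else "")
    return hops


def check_message(raw: str, our_domain: str) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    msg = message_from_string(raw)
    findings = []

    dom = from_domain(msg)
    if not valid_hostname(dom):
        findings.append(f"From: domain {dom!r} is not a legal hostname")

    hops = received_hops(msg)
    if not hops:
        findings.append("no Received: headers at all (injected locally?)")
        return findings

    # Only the header our own MTA stamped can be trusted, and the peer it
    # names is who really handed us the message. Every header below it was
    # written by strangers and can claim anything. If that peer is neither
    # one of our own relays nor inside the From: domain, the From: header
    # is unsupported by the delivery path.
    peer = hops[0]
    if peer and not in_domain(peer, our_domain) and dom and not in_domain(peer, dom):
        findings.append(
            f"handed to us by {peer!r}, which is neither in {our_domain!r} nor in {dom!r}"
        )
    return findings


# Constructed sample: the Received: line is what the receiving MTA (the
# assumed name relay.example.net) would stamp when a dial-up host connects
# and announces itself; the From: header is whatever the sender typed.
SAMPLE = """\
Received: from pm3-12.dialup.example.org (pm3-12.dialup.example.org [192.0.2.17])
\tby relay.example.net (8.6.9/8.6.9) with SMTP id UAA04711
\tfor <comp-privacy@example.net>; Sat, 19 Nov 1994 20:24:47 -0800
From: mr.rogers@the_place_to_be_.nut
To: comp-privacy@example.net
Subject: Forged Internet Email

This is another example of how simple it is to forge messages.
"""


if __name__ == "__main__":
    for finding in check_message(SAMPLE, "example.net"):
        print("!", finding)
```

Run directly, the script reports both problems with the sample: the
illegal From: domain and a delivering host that belongs to neither the
receiving site nor the claimed domain.  Change the From: address to one
inside dialup.example.org and check_message returns an empty list, which
is exactly the limit of the check: it catches a clumsy forgery, not a
careful one.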

------------------------------

From: bernie@fantasyfarm.com (Bernie Cosell)
Date: 20 Nov 1994 15:15:39 GMT
Subject: Re: Corporate Electronic Communications Policy
Organization: Fantasy Farm, Pearisburg, VA

    Dick Mills writes: Bernie Cosell [bernie@fantasyfarm.com
    Computer-Privacy-Digest:V5,062,12] apparently does not share my
    paranoia about the proposed policy.

I guess not...

    In the original posting I didn't cite my actual fears so as not to
    contaminate the comments.  I'll state them now.

I have to confess that I still find your position on this unclear.
First, you mix together policy with how the policy might be
implemented.  To my view those are *separate* matters and should be
discussed separately (and, indeed, specified by the company
separately!).  We can chat about the _policy_ and whether it is
appropriate, makes sense, etc.  Apart from that we can chat about
whether the particular way a company happens to be implementing the
policy is appropriate, makes sense, etc.  The company can change how it
implements a policy without changing the policy [in fact, this would
almost always be the case, as changing conditions and feedback both
from the employees and the operational groups (and perhaps new laws,
court decisions, EEOC rules, etc) dictate improvements and refinements
in the machinery].

Second, not all of your concerns are *privacy* ones, which I would
think are the only ones really appropriate for this forum.  Questions
of employee morale, cost-effectiveness, and such, are surely better
discussed elsewhere [misc.jobs perhaps].

One question about your paranoia is whether it is with the policy, per
se, or over speculations about how the policy _might_ be implemented.
On the last, I'm not sure I can envision a policy on just about
anything that is so benign and airtight that it could not possibly be
badly misimplemented.

	The policy states: [Company] reserves the right to review all
	electronic records and communications, although it is not the
	intent to do so except for legitimate business reasons.

    This implies that the company may tap phones, and bug rooms, even
    though it is not their intention to do so. I fear this will cause
    unnecessary fear and suspicion among employees.  Suppose an
    employee sent a letter to his employer stating, "I reserve the
    right to criticize company management publicly in the press,
    although it is not my intention to do so."  What is the gain to
    offset the suspicion caused by such a letter?

I agree..   this was a foolish thing to put in the policy.  The
sentence should have ended just after "communications".

As for your fear, since you offered not even a hint as to why you
believe that, it is difficult to say much.  I've worked at
high-security sites, where every square inch of the workplace is
covered by surveillance cameras, where every phone is recorded.
Employees aren't told when they're being watched/listened to or what
happens with the tapes.  Your 'fear' certainly wasn't rampant there, so
it is at least not totally necessary that a policy mandating tight
security controls necessarily causes problems.

Now, I agree that that workplace certainly didn't have the feel of a
college lunchroom, and it surely wasn't going to be everyone's cup of
tea, but overall the security policy just wasn't a problem.  I grant
you that there is a spectrum here, and a company might well foolishly
choose a level of oversight that is inconsistent with the 'social
climate' of their workplace.

But on the other hand, that might mean that the social climate, rather
than the security policy, is what needs tuning.  I've argued in the
past that I think that most workplaces I've encountered would be
_improved_ by more company watchfulness and controls.  Most places I
see are amazingly unprofessional about keeping their work-business
disentangled from their personal-business.  [for example, look at all
of the postings to rec.pets from company machines with timestamps
clearly marked as being during business hours].

	The policy states: The message originator's department manager
	and corporate officers are the only individuals authorized to
	review...

	Bernie Cosell comments: I wouldn't even have been inclined to
	put in all the disclaimers --- I'd have ended the paragraph
	after the first sentence.

    Without the disclaimers all employees, as agents of the company,
    would be authorized to review any communications of anyone else in
    the company.  Limitations of authorization must be explicitly
    stated.

Well, this isn't a privacy issue, but are you making that statement as
a lawyer?  As far as I know [from every company I've worked for or
consulted for], the employees aren't free to act as "agents of the
company" and cannot on their own just do whatever "company" actions
they please in the company's name[*].  Rather, I think it is all only
by explicit authorization: you can't purchase things in the company's
name unless something authorizes you to do so; as opposed to its being
OK for you to do so unless there is an explicit rule preventing it.

  [*] In fact, I would go farther: as I understand it, only a VERY few
  folk actually have the legal authority to act as agents of
  the company, period.  As a rule, you generally have to be a corporate
  officer.  You can _pretend_ to be an agent of the company, but they
  can take criminal action against you if you do so without
  authorization.

	The policy states: Improper use of [company] electronic
	communications may result in disciplinary action up to and
	including discharge from employment.

    Email, more so than nearly any other kind of communication, is
    subject to forgery. There have been lots of discussion in
    computer-privacy about the vulnerabilities.  It would be too easy
    for another employee, or even an outsider, to sabotage someone's
    employment by sending forged email.

How can you say "it would be too easy"?  As far as I recall, the policy
you presented [quite properly IMO!] said nothing about its
evidence-gathering procedures, its review and hearing procedures,
appeal procedures.

Again, I think the policy is exactly right as stated, and it is correct
to leave out the *procedure* by which such "improper use" is
determined.  Whether that procedure is fair or not, whether it includes
review/appeal/hearing provisions and a dozen other *procedural*
questions all should be dealt with someplace else, but that is a
_separate_ set of issues and ones that could actually be dealt with
wholly outside of the policy statement.

    Also, non-electronic forms of communication become conspicuous by
    their absence from the policy.

Perhaps --- what was the purpose of the policy?  Surely there must be
other company policies having to do with things like use of the FAX
equipment, use of the company name [e.g., writing for info about a new
litterbox for your cat using company letterhead stationery], talking to
the press, handling of private and proprietary information,
administration of nondisclosure agreements, use of the telephones, etc,
etc, etc.  Was this to be the *ONLY* company policy addressing employee
communications?  If so, then I agree 100%: they left out a *ton* of
stuff that has to be addressed.

-- 
Bernie Cosell                               bernie@fantasyfarm.com
Fantasy Farm Fibers, Pearisburg, VA         (703) 921-2358
    --->>>    Too many people; too few sheep    <<<---


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 26 Sep 1994 12:45:51 -0500 (CDT)
Subject: Info on CPD, Contributions, Subscriptions, FTP, etc.
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions generally are acknowledged within 24 hours of
submission.  An article is printed if it is relevant to the charter of
the digest.  If selected, it is printed within two or three days.  The
moderator reserves the right to delete extraneous quoted material.  He
may change the subject line of an article in order to make it easier
for the reader to follow a discussion.  He will not, however, alter or
edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Mosaic:        gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V5 #065
******************************