Date:       Fri, 03 Feb 95 13:43:59 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V6#014

Computer Privacy Digest Fri, 03 Feb 95              Volume 6 : Issue: 014

Today's Topics:			       Moderator: Leonard P. Levine

                            Re: Wastebaskets
                            Re: Wastebaskets
                            Re: Wastebaskets
                  Re: Requests for Home Phone Numbers
                  Re: Requests for Home Phone Numbers
                        Re: Careless News Media
                        Re: Careless News Media
                        Re: Careless News Media
                  Lifestyle info on blood donor cards
                           Re: Check Security
                       Re: Credit Card Signatures
                    Tracking of News and WWW Routes
                      Re: Radio Shack and Privacy
                      Re: Radio Shack and Privacy
                  "Protect Your Privacy" by Stallings
                        Ethics and Privacy Survey
                 Forest Service and E-mail Censorship
                 Info on CPD [unchanged since 12/29/94]

----------------------------------------------------------------------

From: leppik@uxa.cso.uiuc.edu (leppik peter)
Date: 01 Feb 1995 18:27:42 GMT
Subject: Re: Wastebaskets
Organization: University of Illinois at Urbana

    G Martin <gmartin@freenet.columbus.oh.us> writes: I think shredders
    are next to worthless because it's so easy to reassemble the
    document.  And just putting it in the trash just invites someone
    with bad intentions to pull it out and possibly misuse the
    information.  I told her the only safe way I could think of was to
    take it home and burn it.  How about all of you?

Here's what I do....I take the stuff home, shred it, and then take all
the shredded stuff and use it as mulch around my garden.

Of course, it takes a lot more mulch than what a few confidential
documents can produce to handle my garden, so I also shred junk mail,
magazine "blow-in" cards, and so forth.

This has the added advantage that, if someone really wanted to dig
through my vegetable garden and reassemble the original documents, 99%
of the effort would go into reassembling "You May Have Already Won!"
letters.  Actual confidential documents are few and far between....

(FYI, I generally have two kinds of confidential documents: personal
financial information, which I don't want people to see; and class
rosters, which often contain grade information protected by federal
law)

-- 
Peter Leppik--  p-leppi@uiuc.edu
Lost in the Information Supercollider
http://jean-luc.ncsa.uiuc.edu/People/PeterL/HOME.html


------------------------------

From: jonsg@diss.hyphen.com (Jon Green)
Date: 02 Feb 1995 09:57:18 +0000 (GMT)
Subject: Re: Wastebaskets

    In a possible past, G Martin <gmartin@freenet.columbus.oh.us> said:
    I think shredders are next to worthless because it's so easy to
    reassemble the document.  And just putting it in the trash just
    invites someone with bad intentions to pull it out and possibly
    misuse the information.  I told her the only safe way I could think
    of was to take it home and burn it.  How about all of you?

I tend to tear it into small pieces manually, making sure that
sensitive stuff gets fragmented, then distribute the portions through
several random wastebaskets, public bins and the dustbin at home.  Oh,
and I retain and _eat_ my signature, if it's a cheque I'm destroying.
(No kidding.  I have a high-fibre diet...)  'Course, it's only worth it
for single pages on an occasional basis, but it works for me, and
no-one except a most diligent and observant private investigator would
be able to get enough pieces together to make something useful.

Burning's no use, BTW - you can _read_ the contents of ash, unless you
make sure to powder it afterwards.  A number of crimes were solved by
analysing burnt sheets in the grate.


------------------------------

From: Tye McQueen <tye@metronet.com>
Date: 03 Feb 1995 12:51:48 -0600
Subject: Re: Wastebaskets

    Gary Martin (gmartin@FREENET.COLUMBUS.OH.US) writes: How careful
    are you about what you put in your wastebasket at work, or your
    trash at home?  I was recently making photocopies at a Mailbox,
    Etc.  and noticed what looked like a tax form in the waste basket
    next to the copy machine.

After seeing our post office trash can overflowing with junk mail every
day I visited the Post Master and requested that the waste be
recycled.  I was told that they can't do this because of risks to
privacy of the people who threw their mail away.  I don't recall
exactly how the US Postal Service does dispose of this waste so as to
protect privacy.  The trash certainly isn't well protected before the
bins are emptied.

--
Tye McQueen                 tye@metronet.com  ||  tye@doober.usu.edu
             Nothing is obvious unless you are overlooking something


------------------------------

From: "Dennis G. Rears" <drears@pica.army.mil>
Date: 01 Feb 1995 22:16:35 GMT
Subject: Re: Requests for Home Phone Numbers
Organization: U.S Army ARDEC, Picatinny Arsenal, NJ

    Kelly Bert Manning <bo774@freenet.carleton.ca> wrote: In his role
    as the previous moderator Mr. Rears and I have expressed differing
    opinions in the past about this issue. I'm hoping that we get
    around to some new angles and opinions this time around.

My opinions on providing SSN to merchants have appeared to be
disjointed in the past.  This is mainly because I haven't had an
original post in CPD in about 18 months, only followups. Here's my
thoughts:

1. Don't give false information.  Either leave it blank or fill it in.
Giving false information poorly reflects on one's integrity.

2. Stores should only request information they need.  

3. In some cases a credit check is necessary and you do this via SSN.
If you don't like it, they don't have to extend you credit or cash your
check.

On an issue that has nothing to do with privacy, I am a firm
believer in property rights.  Part of owning property is having the
ability to decide who you want to sell, lease, give, or otherwise
convey services or property to.  I believe a merchant should have the
right to refuse to do business with anybody.

--
dennis


------------------------------

From: djones@insight.dcss.McMaster.CA (David Jones)
Date: 01 Feb 1995 17:53:59 -0500
Subject: Re: Requests for Home Phone Numbers
Organization: McMaster University, Computational Vision Laboratory

    Kelly Bert Manning <bo774@freenet.carleton.ca> wrote: This kind of
    demand for information, backed up by a threat of denial of service
    is probably why the Quebec government made it the legal right of
    consumers not to have to provide unnecessary personal
    information.  Businesses cannot refuse a request to provide goods
    or services just because a consumer refuses to provide irrelevant
    personal information.

In practice, this statement is false.

Despite any law to the contrary, some Quebec companies regularly refuse
to provide service if personal information is not provided.  Case in
point: Videotron.  The local cable monopoly occasionally has a trial
"service" of their enhanced cable features.  It involves a set-top box
that you would normally rent, but during the special trial service,
they loan you the box for free, but you must provide personal
information like your Health Insurance Number or your Social Insurance
Number (they presumably want to run a credit check to make sure you
won't steal the box).  Even if you offer to provide a credit card
number as a kind of insurance against their concern of theft, they will
refuse to give you service.

After calling the appropriate gov't offices in Quebec and Ottawa I was
told "that's just the way it is, and there's nothing we can do about
it".  So much for this well-intentioned law.


------------------------------

From: "Dennis G. Rears" <drears@pica.army.mil>
Date: 01 Feb 1995 22:03:49 GMT
Subject: Re: Careless News Media
Organization: U.S Army ARDEC, Picatinny Arsenal, NJ

    G Martin  <gmartin@freenet.columbus.oh.us> wrote: I videotaped the
    news that day as I usually do, and replayed the tape in slow
    motion.  Sure enough, I was able to EASILY read his name, SSN, DOB,
    and various physical descriptions like hair color.  Columbus is a
    city of 500,000 people, and they had to have given that information
    to at least tens of thousands of people, some of whom are likely
    criminals.  I couldn't believe the stupidity of it.

The stupidity was on the individual who allowed the badge to be
recorded.  You never allow security badges to be photographed.  It
makes them easier to copy that way.

    I also contacted an ATF agent.  He said that the guy is at great
    risk of his SSN, etc. being used for all kinds of illegal purposes
    from buying guns, to credit cards, etc.  His advice was that the
    guy contact his office, the Secret Service (for credit card fraud),
    his local credit bureau, etc., etc., etc. and try to head off any
    potential damage before it happens.

If you speak to any professional (which by definition an ATF agent
isn't) they can tell you potential horror as it relates to their
profession.  Yes, it is possible.  Likely? no.  Anyone who is of the
mind to abuse information like that doesn't need to record the news and
slow motion it.  I think you are making a mountain out of a molehill.

What can the ATF or any government employee do?  Put out an All Points
Bulletin for a possible misused SSN.  If there is such a thing let me
know and I will publicize and hopefully load it so much it crashes.

    My next call was to the media director at the water company.  The
    media director had been standing right next to him when the cameras
    took the pictures.  She treated me like I was bothering her, and
    was very rude.  She said she'd warn the employee whose ID was
    aired, but I didn't believe her.  I called back again and asked to
    speak to her boss.  He was very understanding, and said they'd do
    what they could to help the employee out.  He also said he was
    going to make up a phoney ID card in case they ever need to show
    one again in the media.

Don't you have any better things to do with your time?  It didn't
affect you and you actually called the utility company?

    How could the media have been so careless?!?  They may have ruined
    this guy's life with their stupidity.  Other than the possible risks
    I've mentioned, what other risks might he face?  Has anyone else
    seen the media do anything like this?

This is nothing.  If you are going to complain about the media complain
about the hatchet jobs they do.  Keep in mind the employee allowed the
badge to be photographed.  Evidently the employee didn't care.

--
dennis


------------------------------

From: sean@sdg.dra.com (Sean Donelan)
Date: 02 Feb 95 02:29:10 CST
Subject: Re: Careless News Media
Organization: Data Research Associates, St. Louis MO

    G Martin <gmartin@freenet.columbus.oh.us> writes: How could the
    media have been so careless?!?  They may have ruined this guy's life
    with their stupidity.  Other than the possible risks I've
    mentioned, what other risks might he face?  Has anyone else seen
    the media do anything like this?

The problem isn't with the media.  It is with the water company.  Why
does the water company put information such as the employee's SSN on
the ID card the water meter reader is required (likely also by company
policy) to show to any customer that demands it?

-- 
Sean Donelan, Data Research Associates, Inc, St. Louis, MO
  Affiliation given for identification not representation


------------------------------

From: geoff@ficus.CS.UCLA.EDU (Geoff Kuenning)
Date: 02 Feb 1995 22:23:20 GMT
Subject: Re: Careless News Media
Organization: Ficus Research Project, UCLA Computer Science Department

    <gmartin@freenet.columbus.oh.us> writes: Sure enough, I was able to
    EASILY read his name, SSN, ...  How could the media have been so
    careless?!?

The reporter and cameraman probably forgot to consider slow-motion
videotape, thinking that the card would go by too quickly to matter.

But a much more important question is, why does the water company put
the SSN on the ID card?  That sounds totally inappropriate to me.
Every house this guy visits could do all the same bad things to him
that a TV viewer could.  Why is the WATER COMPANY so careless?!?

-- 
Geoff Kuenning	g.kuenning@ieee.org	geoff@ITcorp.com


------------------------------

From: "Virginia Matzek" <VMATZEK@alumni.berkeley.edu>
Date: 01 Feb 1995 11:49:34 PACIFIC
Subject: Lifestyle info on blood donor cards
Organization:  California Alumni Assoc.

    Additionally, are the results of these screens the property of the
    blood collection agency for further use as they see fit, or does
    the "screenee" have the right to control the use of the information
    (or somewhere in-between)?

    The development of profiles of types of individuals is becoming
    less important as HIV spreads throughout the general population.
    Further, it may be the basis of discrimination suits.  If the
    information is not collected with any specific identifiers, (SOC #
    or name) then who cares? If there are personal identifiers, then it
    seems to me to be an attempt to develop it for another purpose.

The last time I donated blood, I was given a card to fill out with
personal info on one side (name, address, DOB, SSN#, etc.) and then
some VERY personal info on the other (Have you had sex with anybody for
money or drugs since 1977?, etc.)

I left the SSN space blank, but after I had donated, I got a call from
the blood bank saying they needed to confirm my SSN or they couldn't
use my blood. Apparently this is their method of insuring that the
person who comes in and gives blood is the same person as last time. I
gave in and provided the number.

Then I started thinking about the card and all that information on it
and wondered exactly what sorts of identifiers went with it. I phoned
the blood bank and asked them to change my personal identifier from my
SSN to my Calif. driver's license # (which they did--ironically for
their "security measures"--without seeing my driver's license or
verifying my identity in any way at all).

I also asked two different people what happened to that information.  I
was given consistent reports--that only the cards that I filled out
were put in my file (i.e., no additional info, like a medical file
would have), and that the only people to see the information were the
nurses at the blood station (who check your responses for risk factors)
and the business office folks who keep the files. I was told that the
information would never be given out to anybody and was kept completely
confidential (although one wonders, when their security of identity is
so lax, what they mean by "confidential").

As to whether I had access to my file or not, I was not given a clear
answer because the business office people had never fielded that
question before. However, they seemed surprised that anyone would ask,
and told me that the only info in the file is what I filled out myself,
so why should I care?

Just FYI.

+----------------------------------------------------------------+
| Virginia Matzek                 "I love being a writer.        |
| Associate Editor                What I can't stand is the      |
| California Monthly              paperwork." -- Peter De Vries  |
|                                                                |
| vmatzek@alumni.berkeley.edu                                    |
| phone: 510/642-5781     fax: 510/642-6252                      |
+----------------------------------------------------------------+  


------------------------------

From: "Michael O'Donnell" <mod@osf.org>
Date: 01 Feb 1995 16:42:45 -0500
Subject: Re: Check Security

    jepstein@cordant.com writes: So I sent another check in, attaching
    the original with a note to show this is what happened, and writing
    in large letters VOID across the old check.  BOTH checks were
    deposited.  Luckily I had enough in my account to cover both, so I
    didn't make a fuss (and I didn't have to make a payment the next
    month).  It would have been interesting to ask the bank to explain
    their security if an apparently year-old check clearly marked VOID
    could clear the system!

The situation you described certainly ought not to have happened, but
given my casual knowledge about how checks are processed it at least
makes (some) sense.  It's probably true that one of the last humans to
touch (not necessarily look at, just touch) your check was the person
who opened your envelope at your insurance company.  They were most
likely not paying attention and simply stamped the back of your check
"for deposit to the account of..." and then jammed it into a deposit
pouch with a zillion other such checks.  From then on, the only other
person who had cause to look at your check was probably an extremely
overworked data-entry person whose only goal was to read the amount
scrawled on your check and cause that amount to be imprinted at the
bottom so that the MICR (Magnetic Ink Code Recognition) equipment could
take it from there.  I'm pretty sure that once your check gets into the
pipeline between the banks and the clearinghouse(s) the process is
entirely automated - as long as the MICR info is intact there is no
reason for a human to ever again be interested in looking at your
check.

From the above, one should conclude that the way to REALLY make a check
"void" is to trash the MICR characters at the bottom, especially the
account number.

Regards,
 ---------------------------------------------------------------
 Michael O'Donnell     (617)621-7308     mod@osf.org/mod@std.com
 ---------------------------------------------------------------


------------------------------

From: berczuk@glendower.mit.edu (Steve Berczuk)
Date: 02 Feb 1995 20:32:42 GMT
Subject: Re: Credit Card Signatures
Organization: MIT Center for Space Research

    Since June 1st, 1994 (for MasterCard) and January 1st, 1995 (for
    VISA), merchants have been instructed to refuse all unsigned
    cards.  A specific procedure has been established to deal with
    unsigned cards:

This poses an interesting problem. One of the things I like about
one of my credit cards is that it has a picture. We can argue about
what is harder to fake, a picture or a signature, but given the way
signatures change over time, and the amount of effort clerks often give
to checking signatures, I like the idea of having a picture on the
card.  As far as I know only 2 banks have photo cards, so for any other
cards I've taken to writing "ASK FOR PHOTO ID" in the signature spot.

According to the above policies, then, I imagine that I'll have to stop
using the other cards, except perhaps for mail order stuff. This
doesn't seem to make a whole lot of sense.  -steve berczuk

-- 
Steve Berczuk -berczuk@mit.edu	| MIT Center for Space Research	
	Phone: (617) 253-3840 	| NE80-6015
	Fax: (617) 253-8084 	| Cambridge MA 02139 


------------------------------

From: Kajae@aol.com
Date: 03 Feb 1995 03:16:24 -0500
Subject: Tracking of News and WWW Routes

    kirby6@psu.edu wrote: Is it possible for my school admins. to keep
    track of the sites I visit or the news servers I connect to, or
    even the groups I read? Is every connection through the campus
    gateway logged somehow or would I have to be a specific target?
    When I connect to a site does that site also record my connection?
    Do admins even have time to be concerned with this? What I'm
    wondering is just how any of this information might be used to
    "profile" me later.  Be it through sales to marketers, restriction
    of account, or whatever? Do privacy laws apply to any of this?

Yes, yes, and yes (some of them will tell you so, and that if it
bothers you, that you should log off now).  Scary, huh?

I doubt your admins have the time to be bothered with all users
individually (or you personally) unless you do something illegal or
otherwise violate the policy of either of the systems you happen to be
using at the time - in which case you'd be facing whatever disciplinary
action deemed fit by them.  It might be interesting to note (as was
brought up in this forum a while ago) that some schools do monitor
their own systems for security purposes, so not just what you do on the
web is logged, but what you do on your school's system may be being
logged as well.  And since it's their systems, it's all completely
legal.  (See Computer Privacy Digest Vols. 5 #78 thru 6 #2 "School
Monitoring" for the thread on that topic).  For any agency that can and
will do the leg work required, a more or less complete history of
everything you've done on the net (especially recently) could be
compiled...

As far as your "profile" is concerned, while admittedly this data could
be used to profile you, doing anything with that profile might be risky
on the part of the users.  Restricting accounts or credit, or denying
you a job might be hard (and certainly discriminatory) based solely on
what you like to read or don't like to read.  And doing that based on
what you say or don't say in any medium, electronic or otherwise, is
unconstitutional.  Or at least I *think* it still is, I haven't caught
the TV news for the latest Supreme Court ruling...

Marketing is another matter entirely.  It never ceases to boggle the
mind how people get hold of information about me so they can stuff my
mailbox with junkmail.  (Thank God spamming is outlawed here!)  There
are several computer marketing and distribution companies that, while
they've somehow or another found out that I own a new computer, many of
them are confused as to what kind it is (for anyone who cares it's
really a 486/DX2/66).  But I get mail for macs, amigas, companies
telling me I should use their chips to upgrade my 386 to a 486, and so
on.  In this case, do as I (and others) do:

    travis@netrix.com (Travis Low) writes: IMHO, it is better to open
    them and look for a postage-paid return envelope.  If there is one,
    just stuff it full and pop it in the mail.  That way, the mailers
    subsidize the post office, saving taxpayer dollars.  And the
    mailers will have to spend money processing the bogus envelopes,
    hopefully to their fatal detriment.

Try it.  It's great fun.

When it comes to life in Cyberspace, you have to live the Way of the
Warrior:  "If you love, love without reservation - if you fight, fight
without fear.
Live every moment as though it were your last."  If you're going to
post, post what you think.  If you ftp, ftp for what you really want.
Ride every wave on the net like you're about to max all your credit
cards on it. No regrets.

Knowledge is power, and there will always be those who will abuse that
power, and fight tooth and nail to keep it.  There are also those of us
who are fighting them with our teeth and nails, but we're another
story...


------------------------------

From: gmcgath@condes.MV.COM (Gary McGath)
Date: 03 Feb 1995 12:53:13 GMT
Subject: Re: Radio Shack and Privacy
Organization: Conceptual Design

    privacy@interramp.com wrote: Sure, Radio Shack isn't the only game
    in town. But your solution doesn't solve the problem; it ignores
    it. Convince me that other electronic merchants will treat you any
    better.  Even if you do find more privacy-sensitive merchants,
    isn't our job -- as privacy sensitive advocates -- to help others
    from being manipulated?

Well, in my experience, Radio Shack is the only retail outfit of any
kind that routinely asks for the phone numbers of people who pay cash.
It's their right to do that, and my right not to deal with such bozos.
I don't see why it's anyone's "job" to "help" people who are perfectly
satisfied with such an arrangement.

Unlike E. J. Barr, I don't boycott Radio Shack absolutely. But where
the alternatives are nearly equal, I buy elsewhere. When I do buy
there, I always decline to give any personal information. I use a
humorous rather than confrontational approach, feigning temporary total
amnesia.

-- 
Gary McGath
gmcgath@condes.mv.com
PGP Signature: 3E B3 62 C8 F8 9E E9 3A  67 E7 71 99 71 BD FA 29


------------------------------

From: privacy@interramp.com
Date: 03 Feb 95 08:43:06 PDT
Subject: Re: Radio Shack and Privacy
Organization: PSI Public Usenet Link

    privacy@interramp.com wrote: ...While returning a product purchased
    by credit card but without providing my address, I was told that I
    could not receive credit unless I  provided my name, address, and
    phone...


Not only is providing false information a "bad idea," since it is
illegal, as Mr. Resch writes; it is also a last-ditch resort that
consumers should not have to face.

It's easy to lie and give out fake names, addresses, telephone numbers,
etc.  But this is not the "way it should be." Sure, in my newsletter, I
encourage readers to use pseudonyms in certain situations. But in none
of these situations are people breaking the law or hurting others.

Instead, the best solution (as far as I am concerned) is to create laws
and grassroot efforts to stop such requests for personal information as
a condition of sale. Let's empower the consumers so that they don't
have to be placed in the unenviable position of having to lie in order
to protect their privacy.

Until we have such laws or widespread support, we should educate
consumers on how to deal with situations where personal information is
requested. The more educated and the street smart consumers are not the
ones we need to worry about. Often, they will read the "Riot Act" or
find some way of preserving their privacy. It is the shy, naive, or
less educated that we need to empower by making them aware of their
"Privacy Bill of Rights."

Do you have suggestions for a "Privacy Bill of Rights?" Please forward
them to me, as I am compiling one for future applications.

--
John Featherman
Editor
Privacy Newsletter
PO Box 8206
Philadelphia PA 19101-8206
Phone: 215-533-7373
E-mail: privacy@interramp.com


------------------------------

From: "Rob Slade, Social Convener to the Net" <roberts@mukluk.decus.ca>
Date: 02 Feb 1995 12:47:47 EST
Subject: "Protect Your Privacy" by Stallings

[It didn't start out this way, but this seems to be the start of a
"mini" series of reviews on the topic of PGP.  Garfinkel's review is
due to be sent in another two weeks, Schneier's a week after that;
Peachpit has one due out in February while Zimmermann's own, I found out
yesterday, is due out in April. - rms]

BKPRTPRV.RVW   941214
 
"Protect Your Privacy", Stallings, 1995, 0-13-185596-4, U$19.95
%A   William Stallings ws@shore.net
%C   113 Sylvan Avenue, Englewood Cliffs, NJ   07632
%D   1995
%G   0-13-185596-4
%I   Prentice Hall PTR
%O   U$19.95 (515) 284-6751 FAX (515) 284-2607 camares@mcimail.com
%P   302
%T   "Protect Your Privacy"

This is the first-released of at least three books on PGP (Pretty Good
Privacy), the encryption and authentication package by Phil Zimmermann.
It covers the concepts of encryption, public key encryption,
authentication and key management, as well as the installation and
operation of PGP on MS-DOS and Macintosh platforms.  There is also some
overview of front end shells for DOS and Windows, plus helpful
supplementary information on password/phrase choice, key servers, and
where to get PGP.  (The promise of coverage for Windows, UNIX, OS/2 and
Amiga in the promotional literature is overkill, but these interfaces
will be almost identical to those covered.)

Stallings' material is generally very clear and well written.  Many
times, however, concepts are introduced early in the book but not
explained until much later.  This is particularly true of key
management.  In most cases, I can assure the reader not to worry--all
will be made clear, eventually.  (In some few cases, the explanation
may remain confusing until you actually run the program.)

The book echoes the assertion by many that PGP has become the de facto
standard in Internet privacy and authentication.  Certainly no
commercial product has anything like the same range of use.  Full
acceptance of PGP, though, has been hampered by the version
incompatibilities and the legal difficulties caused by the US weapons
(!) export control laws.  Given the touchy nature of this subject, it
is not terribly surprising that both Stallings, and Michael Johnson in
the access document, comment only briefly on the subject.  These
passages are somewhat calming, but hardly calculated to inspire
confidence.

Solid background on the technology, if sometimes disjointed.  Terse,
but serviceable documentation on the program.  Readable and
informative.

copyright Robert M. Slade, 1994   BKPRTPRV.RVW   941214

==============
Vancouver      ROBERTS@decus.ca         | "virtual information"
Institute for  Robert_Slade@sfu.ca      |   - technical description of
Research into  rslade@cue.bc.ca         |     marketing info disguised
User           p1@CyberStore.ca         |     as technical description
Security       Canada V7K 2G6           |            - Greg Rose


------------------------------

From: Urs Gattiker <GATTIKER@CETUS.MNGT.ULETH.CA>
Date: 03 Feb 1995 10:16:18 -0700
Subject:  Ethics and Privacy Survey

About 8 months ago a survey on ETHICS AND PRIVACY ON THE INTERNET was
mailed through this NetWork to you and many others.  The data we have
gathered has been analyzed and one of the reports materialising from it
is mentioned below.  If you are interested in a complete copy, please
feel free to drop me a line and again, thanks for your cooperation and
help.

The program on ETHICS AND PRIVACY ON THE INTERNET is continuing and a
new survey assessing additional issues as well as regulation,
cryptography and cyberspace is in the final stages of the development.

Cordially

Urs E. Gattiker

                        MORALITY AND TECHNOLOGY, OR

           IS IT WRONG TO USE A SELF-MADE ENCRYPTION DEVICE, AND

                   CREATE OR LET LOOSE A COMPUTER VIRUS?

                              Urs E. Gattiker
                               Helen Kelley
                      Centre for Technology Studies, 
                   The University of Lethbridge, CANADA
                                     

                                 Abstract

Stories about computer-related actions (e.g., placing a document about
how a computer virus works on an electronic network/bulletin board)
were presented to users.  Data indicate that women end-users compared
to men have a less libertarian sense of what is right and wrong; as
well, younger respondents are more libertarian than their older
compatriots.  Data also indicate that participants are less likely to
endorse civil liberties and more concerned about the harm and
violations of social norms when the scenario describes a context-
specific situation.  How users act, feel and respond toward computer-
mediated behaviours and actions raise questions for researchers and
policy makers.  For example, how do researchers and policy makers
maintain and protect the privacy of individuals, and at the same time
ensure moral conduct by end-users who enjoy using the electronic
highway?  Suggestions are made for developing theoretical models of
moral judgment in the cyberspace domain as well as policy (e.g., U.S.
Clipper chip debate).

Published reports of some of our findings can be found in:

Gattiker, U. E., & Kelley, H.  (1994).  Techno-crime and terror
     against tomorrow's organisation:  What about cyberpunks.  E.
     Raubold and K. Brunnstein (Eds.), Proceedings of the 13th World
     Computer Congress -- IFIP Congress '94, Hamburg (pp. 233-240). 
     Amsterdam:  Elsevier Science Publishers.

Gattiker, U. E., & Kelley, H.  (1995).  Morality and Technology, or is
     it wrong to create and let loose a computer virus.  In J. F.
     Nunamaker, Jr. & R. H. Sprague (Eds.), Proceedings of the 28th
     Annual Hawaii International Conference on System Sciences 1995,
     Hamburg (pp. 563-572).  Los Alamitos, CA:  IEEE Computer Society
     Press.

Additional papers are currently being written.

       ************************************************************


------------------------------

From: James Love <love@essential.org>
Date: 02 Feb 1995 00:29:57 -0500
Subject: Forest Service and E-mail Censorship 

The following is a forwarded message from tap-resources, another one of
our lists.  Ned Daly reports on a proposal at the Forest Service to
censor Forest Service employee email critical of the agency.  jamie

Distributed to TAP-RESOURCES, a free Internet Distribution List
(subscription requests to listproc@tap.org)

TAXPAYER ASSETS PROJECT - NATURAL RESOURCES POLICY ADVISORY (please
distribute freely)

TAP-RESOURCES
February 1, 1995

The following is an excerpt from "Chainsaw Justice: The U.S. Forest
Service out of Control" which will be published soon by Voices of the
Environment (VOTE). If you would like the report or more information,
contact VOTE in Hamilton, Montana at (406)363-4225.

The Forest Service presently has a proposal under review that would
prohibit Forest Service employees from criticizing agency leadership
and policies on the agency's electronic mail system. The excerpt
reprinted below looks at the Forest Service's attempts to limit freedom
of speech. The Forest Service's proposed policy sheds light on the
agency's attempt to quell any internal criticism as well as the
administration's (lack of) commitment to privacy.

The author of "Chainsaw Justice", Steve Taylor, also wrote
"Sleeping with the Industry", a report published by the Center for
Public Integrity, and excerpts from that report were published on
TAP-RESOURCES earlier.

                              Ned Daly

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SECTION #7-ROADBLOCKS ON THE INFO HIGHWAY: CHILLING E-MAIL SPEECH by
Steve Taylor

When Jack Ward Thomas became Chief of the Forest Service on Dec.  1,
1993, many believed he would usher in a new era of openness among
agency employees and members of the press, that he would be the arbiter
of "glasnost."

In some respects, Thomas has met those expectations. He did grant an
interview for this report and has generally been accessible to the
media.

However, through the office of Thomas's underling, recently retired
Deputy of Administration, Lamar Beasley, the agency has drafted a
policy for the USFS [Forest Service] electronic mail system, Data
General (DG), that if implemented would chill free speech among the
Forest Service ranks, according to several agency employees.

Most insidious and possibly illegal, they say, are two provisions of
the draft that prohibit criticism of agency leadership and policy.

Agency brass assert that a clear policy for e-mail is needed to ensure
that "government electronic communications facilities" and "official
time" are not "misused," and to protect against the "unauthorized
disclosure" of government information, according to a document signed
by Lamar Beasley and obtained by VOTE.

Chief Thomas echoed these concerns about government employees wasting
the public's time and resources. He added that a major reason for the
policy was to prevent too many messages from jamming the DG. (For a
more thorough explanation of the Chief's opinion on this policy, see
the interview excerpts below.)

Considering that in the 1990's much of the inter-agency dialogue occurs
on the DG, the proposed policy would greatly hamper constructive
dialogue, said sources inside and outside the agency. USFS personnel
use the DG to discuss ecosystem management, environmental laws, timber
sales, fire control, and other issues relevant to the management of the
national forests.  And yes, sometimes these discussions criticize
agency positions and its leaders. But from such dialogue, innovative
ideas often emerge.

"The DG is almost the exclusive form of internal communication," Andy
Stahl, executive director of the Association of Forest Service
Employees for Environmental Ethics (AFSEEE), told VOTE.  "The message
this [policy proposal] sends is: 'We don't want to hear the bad news.
We certainly don't want to hear your opinions of where we might be
going wrong.'"

The policy draft was released during the summer of 1994 with little
fanfare. "It's been amazingly low-profile," said a Washington Office
employee, who asked to remain anonymous for fear of reprisal. "This is
a blast from the past," the source said. "If this policy is adopted it
would be very telling."

Others within the agency are more caustic. "It is a very repressive
policy," a USFS source in a western state said. "In a way, it is
reprisal in a systematic sense."

     A Dictator's Policy?

A USFS employee in the Southeast United States had this to say:  "This
attempt to muzzle free speech reminds me of a dictatorship in trouble.
It seems like a desperate move and a tacit admission that they, that
is, Beasley and Thomas, have lost control. What's next? Are they going
to confiscate our pencils and notepads so we can't write bad things
about them? This is really sick."

In a written response to the proposed policy that was submitted to the
agency, USFS computer operator Debbie Tachibana and wildlife biologist
Donald Yasuda tread more lightly in their criticism. They first
expressed concern that the Washington Office staff worked on writing
the policy without consulting those in the field or the agency's union.
"Such top-down solutions usually ensure a lack of commitment to the
product by the bulk of FS employees," they wrote. "In reading this
report, we can only assume that field level personnel are part of the
problem you are trying to solve."

Tachibana and Yasuda also note that the e-mail system levels the
playing field for employees of all ranks. "It reaches employees at all
levels of the organization and provides all of them the opportunity to
give input to the dialogue regardless of background, culture, or
position in the organization."

And, they condemn the reach of government as a thought-control
mechanism. The policy seeks "not only to restrict information sharing
but also to restrict employees' abilities to exercise independent
critical thinking."

Others in the agency worry that the policy will further rip an already
tattered agency morale. Dave Iverson, an outspoken USFS economist,
wrote in his comments on the policy, "[It] upholds a long-standing
government tradition of establishing policy that attempts to ensure
'employees don't do the wrong thing' rather than encouraging 'employees
to do the right thing.' This implicit lack of confidence in the ethical
foundation of government employees breeds dissension and reciprocal
mistrust between employees and the agencies where they work."

Another employee commented on the DG, "... the knee jerk reaction of an
organization long accustomed to controlling information flow via
organization hierarchy is to attempt to do the same thing in the
automated information environment (i.e. computer networks)."

Responding to one employee's criticism of the policy, Lamar Beasley
stated that the policy is intended as a preventive measure, to keep
employees from breaking the law, presumably privacy laws. "I only ask
you," he wrote to a respondent over the DG, "to keep in mind that we
cannot violate the law. We've had people to do that [sic] and we've
also had people that were almost fired. We have an obligation to set
policy in place that prevents our people from getting in trouble."

What Beasley may have overlooked is that the policy itself may be
illegal, particularly if it prohibits protected speech about government
behavior concerning environmental laws. Both the National Forest
Management Act (NFMA) and the National Environmental Policy Act (NEPA)
require free discussion and dissemination of new science as it evolves,
and that the government amend policies when appropriate.

"NEPA demands that policy be reexamined when there is new scientific
evidence," AFSEEE's Stahl said. "NFMA demands that forest plans be
revised when there's new information that might trigger that. You'd be
violating the law if you didn't bring those concerns forward." Stahl
added that because the DG is virtually the exclusive form of
communications it would impede constructive information exchange and
that "would short change the public."

When VOTE asked Beasley about the policy and USFS employees' concerns
that it restricts free speech, he was evasive, saying only that the
policy had not yet been finalized. "We're a long ways from issuing a
[final] policy," he said.

     Is the Chief out of the loop?

In a personal interview with Chief Thomas on Sept. 16, 1994, more than
three months after the policy draft was released, he said he had not
seen it. However, he did dismiss any notion that it was written to
restrict any criticism. Because the interview exchange on this topic
illuminates both the policy itself and his leadership, Thomas's
comments are included verbatim:

Thomas: "First there has been no decision made. It doesn't have
anything to do with criticizing leadership. It has to do with jamming
our electronic mail system. And then you begin to wonder, should
taxpayers pay people to sit there and use the government's electronic
mail system to do all this, or should they be doing it on the job. It
doesn't matter that they can't criticize."

VOTE: "I have seen the draft policy and it does say that Forest Service
employees should not use the e-mail to criticize leadership and policy.
Some would say that discussion of leadership and policy is what the
taxpayers need and even deserve, and that, in the electronic age, this
is the one way to do it."

Thomas: "First, I haven't seen the policy. I know that there is one
being prepared for my consideration...   They can write anything they
want. They have their own home computer. That is the question and I'm
not sure I know what the answer is. I don't know if I'll approve the
policy or not. I do know that the general complaints of the
administration is that their employees are using a considerable amount
of government equipment and government time on e-mail games. I'm not
concerned about criticism one way or the other. I'm concerned about
jamming and people using time to gossip."

Interestingly, when management issued the second policy draft, the
suspect provision on prohibiting criticism of leadership and policy was
nowhere to be found -- until the very last page.  Management had moved
it from up front to the bottom. But it was still there.

 --------------------------------------------------------------
TAP-RESOURCES is an Internet Distribution List provided by the
Taxpayer Assets Project (TAP).  TAP was founded by Ralph Nader to
monitor the management of government property, including
information systems and data, government funded R&D, spectrum
allocation, public lands and mineral resources, and other
government assets.  TAP-RESOURCES reports on TAP activities
relating to natural resources policy.  To obtain further
information about TAP send a note to tap@tap.org.

Subscription requests to: listproc@tap.org with the
message:  subscribe tap-resources yourfirstname yourlastname
 ---------------------------------------------------------------
Taxpayer Assets Project; P.O. Box 19367, Washington, DC  20036
v. 202/387-8030; f. 202/234-5176; internet: tap@tap.org
  


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 29 Dec 1994 10:50:22 -0600 (CST)
Subject: Info on CPD [unchanged since 12/29/94]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.  

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
 .UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions considered as personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using CPD material should obtain permission from the
contributors.  

Contributions generally are acknowledged within 24 hours
of submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the SUBJECT: line of an article in order to make it easier
for the reader to follow a discussion.  He will not, however, alter or
edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Mosaic:        gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V6 #014
******************************