Date:       Wed, 08 Feb 95 15:41:27 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V6#016

Computer Privacy Digest Wed, 08 Feb 95              Volume 6 : Issue: 016

Today's Topics:			       Moderator: Leonard P. Levine

                            Re: Wastebaskets
                            Re: Wastebaskets
          Research Help on Database Administrators' Liability
                    Inaccurate Personal Information
                   Re: Who is Looking at Your Files?
                   Re: Who is Looking at Your Files?
                      Re: Phone Users Slam Dunked
                   Re: Privacy in Telecommunications
                   Re: Requests for Home Phone Numbers
                         Internet Access Policy
                          The Cybercop Impetus
                 Info on CPD [unchanged since 12/29/94]

----------------------------------------------------------------------

From: wb8foz@netcom.com (David Lesher)
Date: 06 Feb 1995 20:49:28 GMT
Subject: Re: Wastebaskets
Organization: NRK Clinic for habitual NetNews Abusers - Beltway Annex

    "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> writes: For
    high-security requirements, you can use "cross-cut" shredders which
    use offset knives to slice paper into small diamond-shaped
    fragments instead of long parallel ribbons.

Such crosscut shredders (typically the Intimus 007) have been required
by USG for any classified for 15 years. They learned this in Tehran.

The alternative is a SEM, Inc. disintegrator. This is a 10-20 hp. motor
with three rotating knives, sort of like a reel-type lawn mower.
Unlike a 007, it will eat anything short of a handgun....


------------------------------

From: sasdvp@unx.sas.com (David Phillips)
Date: 07 Feb 1995 13:58:52 GMT
Subject: Re: Wastebaskets
Organization: SAS Institute Inc.

    G Martin <gmartin@freenet.columbus.oh.us> writes: How careful are
    you about what you put in your wastebasket at work, or your trash
    at home?  [chomp] Which leads me to a question I'd like to ask all
    of you.  How do you dispose of documents, diskettes or backup tapes
    that have sensitive info on them? I think shredders are next to
    worthless because it's so easy to reassemble the document.

It really depends upon the shredder.  While in the Navy, one of my
responsibilities was the destruction of our communications security
materials (ie, code cards, etc.)  We ran this through a shredder that
left pieces that were 1/16" by 3/16" (I know, cause I had to measure a
sample of them periodically to ensure destruction met specifications)

I doubt that it would be easy, or even possible, to reassemble such a
document.

--
David Phillips  sasdvp@unx.sas.com  SAS Institute, Inc., Cary, NC
If you're not living on the edge, you're taking up too much room.
Don't Tread on Me            DVC


------------------------------

From: "James E. Kelley" <jkelley@creighton.edu>
Date: 06 Feb 1995 14:05:20 -0600 (CST)
Subject: Research Help on Database Administrators' Liability

I have been monitoring the group for the last couple of weeks in the
hope of running across some information or discussion that would be of
help to me in my research.  I am a graduating law student who wishes to
inquire into the potential liability of database administrators who
fail to adequately protect information contained within the database.

I feel that this is primarily a privacy concern that will stem from
tort law.  However, I have not failed to see the potential of liability
for the dissemination of corrupted (changed) data.

I ask for any and all suggestions that would give me avenues to
research.  To date, I have read numerous articles and papers.
Unfortunately, I have not found much information directly on point.  I
hope that this is something that either has been discussed before or is
a new topic you would be willing to explore with me.

I hope we can be of help to one another.  I have appreciated the fact
that most of what I have read in this group is both well thought out
and well spoken.

Hope to hear from you.

--
James E. Kelley
Creighton University School of Law
Omaha, NE


------------------------------

From: "Richard Schroeppel" <rcs@cs.arizona.edu>
Date: 06 Feb 1995 18:13:42 MST
Subject: Inaccurate Personal Information

A couple of people have suggested that, whenever a credit bureau mails
out a report, they should cc the reportee; the requester pays for the
extra copy.

This seems fair, and it may be a good idea.  There are two downsides to
be aware of.  I don't know how they balance out.

(1) If I'm snooping through your mailbox, I might find a credit
report.  You'll never know it's missing, since you were unaware that
XYZ corp.  was thinking of sending you an unsolicited credit card.  I
swipe the credit report and use the information therein to cause you
misery.

(2) There's a more general problem about privacy here:  The typical
complaint begins "the XYZ corp. refused my loan and won't say why", and
evolves to "XYZ corp. used wrong information from ABC credit".  The
victim decides that he at least wants the damned data to be accurate.
But this ignores another problem:  The data often shouldn't have been
collected in the first place.  If there are procedures in place for
correcting externally held personal information, and they aren't too
onerous, we will drift into the situation that the subject of the
information is *responsible* for correcting the information.  The
credit scum mails you a report and says "Is this correct?  Use the
attached postcard to mail corrections." and then it's up to *you* to
fix it, and if you don't you've (a) accepted any resulting credit
denial, and (b) acquiesced in a felony if the report seriously
overstates your income or omits that phone bill you skipped out on in
college.

Is it worse to have the credit scum collecting personal information
that's full of errors, or to have the same scum, with the same
information, but also the assurance that the information is correct?
The IRS has announced a goal of collecting enough information about us
to form a "personal profile", to see if we're living too high for the
income we report.  They aren't planning to let the public see the
files, so they don't plan procedures for correcting them.  But suppose
they sent you the file, and demanded by law that you correct it?  It's
one thing to be in Who's Who when you want to, but quite another to be
required to report the information and swear to it.

--
Rich Schroeppel   rcs@cs.arizona.edu


------------------------------

From: otto@vaxb.acs.unt.edu (M. Otto)
Date: 07 Feb 1995 16:18:32 GMT
Subject: Re: Who is Looking at Your Files?
Organization: Zetetic Institute

This post may be included, in whole or in part, in followups or private
email. It may also be included in any archive site which archives all
posts to a group. Proper attribution must be maintained. It may not be
included in any edited compilation, distributed electronically or
otherwise, for profit or not, without the permission of the author.

    rj.mills@pti-us.com (Dick Mills) wrote: That leads me to wonder if
    we couldn't form privacy rights legislation on the same principle.
    Instead of attempting to stop digitized signatures, sales records,
    video rental info, and the thousands of other data gathering
    activities, we could require that the individual be cc'd whenever
    this information was transmitted to third parties.

I like this idea too.  It's much too sensible, so of course the U.S.
Government will hate it.  :)

Seriously, though, I think there would be at least one really big
obstacle to overcome in getting this bill passed:  The junkmailer's
lobby.  The junkmailers will be among the ones expected to pay for all
of these notifications, and they won't like this one bit.  Expect
resistance.  Expect resistance from people with deep pockets.

--
M. Otto   otto@vaxb.acs.unt.edu  "A virtual prisoner of UNT's VAX"


------------------------------

From: BSD Now! <attila@PrimeNet.Com>
Date: 08 Feb 1995 07:26:10 +0000 (GMT)
Subject: Re: Who is Looking at Your Files?
Organization: home.for.retired.hackers

    d) Police Abuse of Personal Records [comp.society.privacy V6#004]:
    If the citizens were getting copies when police request information
    on them from a national center, then abuse would be harder to
    spot.  More important, knowledge that they could not do it secretly
    would deter police from abusing the data in the first place.  Why
    isn't there more enthusiasm from comp.society.privacy readers?  Is
    it not explained well?

OK, I'll bite on your question as to why no enthusiasm...

as you point out, there are hundreds of supposedly legitimate credit
reporting groups --I know some that are one man bands that specialize
in more detailed searches.

banks are interested in 'clear' assets they can lien;

car dealers are interested in how you made your car payments; if you
have good car payment records and your baseline is not too bad, you'll
get the paper, maybe not at the rate you would like, but you'll get the
paper.

third mortgage lenders are total bandits --they are often looking to
make loans to people with sufficient equity who probably will _not_ be
able to meet the loan payback - they _want_ to foreclose.

the real problem will be enforcement --the big 3: trw, equifax, and ???
will comply; major regionals will comply. some locals will comply --but
I'd take any amount in bets on the rest.

for instance, --just check the boxes on 50 categories: real estate,
litigation, criminal, driving, marital, you name it --specify the
geographic areas for a head start (or just start with a name and
address or an SSN).  give me $200 plus $50 a check box --you're about to
get in bed with this dude you think you know for $10 million --is it
worth tossing me $1,000, or even $10,000 to get _everything_ that
exists on this guy --it is, and computers make it impossible to
regulate this; too much is public record; the rest is obtained by
someone, and is available.

if you want to make the concept of credit access disclosure stick (and
I am all in favour), it will be necessary to make it at least a
misdemeanor to _RECEIVE_ the subrosa information, or information which
has not been 'vetted' by the "victim."  Now, enforcing this in the
computer age is going to be more of a nightmare than prosecuting the
prostitute's johns.

I am sure we can all agree that we would like to believe everyone would
obey a set of legislative ethic limitations --but I don't. do you?

--
Dick Mills                    rj


------------------------------

From: bo774@freenet.carleton.ca (Kelly Bert Manning)
Date: 08 Feb 1995 05:38:25 GMT
Subject: Re: Phone Users Slam Dunked
Organization: The National Capital FreeNet, Ottawa, Ontario, Canada

The so called "Smart Talk Network" is getting a lot of bad press here
about people being slammed over to it. STN contracted out the marketing
and are trying to lay the blame on their indirect commission
salespeople.

Hm, bribing telco staff to give lists of long distance numbers called
is a favourite tactic of private dicks trying to track down women
trying to avoid abusive former husbands/boyfriends/etc. They usually
try to find someone they think knows where the woman is hiding and
throw a scare into them so that they make a long distance call and
report "someone has been around looking for you". The phone number
tightens the net of public and utility records to search and makes
locating the target much easier.

With the feeble/nonexistent validation shown by slamming it seems that
it might not be that difficult for a private dick to set up a small
scale long distance operation for the express purpose of getting access
to people's long distance records. They could even send some sort of
obnoxious "salesman" around to give them the out that it was all a
misunderstanding.


------------------------------

From: "Ronald A. Smit" <RAS@rhn.ow.nl>
Date: 08 Feb 1995 10:07:16 MET1DST
Subject: Re: Privacy in Telecommunications

You can find lots of information in Telecommunications Policy. E.g. 
in Telecommunications Policy dated December 88 (pp 353-368) you can 
find an article US Telecommunications Privacy Policy.

--
Ronald A. Smit


------------------------------

From: "Dennis G. Rears" <drears@Pica.Army.Mil>
Date: 08 Feb 95 8:58:21 EST
Subject:  Re: Requests for Home Phone Numbers

    "Dennis G. Rears" (drears@pica.army.mil) writes: My opinions on
    providing SSN to merchants have appeared to be disjointed in the
    past.  This is mainly because I haven't had an original post in CPD
    in about 18 months, only followups. Here's my thoughts: 1. Don't
    give false information.  Either leave it blank or fill it in.
    Giving false information poorly reflects on one's integrity.

    Kelly Bert Manning writes: This may be a cultural difference.
    There is also a nuance of difference between alias and false name.
    An alias is a name that you choose to use for a particular purpose,
    as opposed to a false name made to disassociate yourself from
    something.

I have no problem with an alias.  I am referring to when a person is
asked for a SSN or credit card number and that person gives a number
that is false.

    On an issue not that has nothing to do with privacy, I am a firm
    believer in property rights.  Part of owning property is having the
    ability to decide who you want to sell, lease, give, or otherwise
    convey services or property to.  I believe a merchant should have
    the right to refuse to do business with anybody.

Let me extend this belief.  On this I am referring to a person only, not
a corporation.  A corporation owes its existence to the government as
such it could be forced to sell to anybody.

    How far does that belief extend? Can a healthcare
    merchant(hospital) refuse to provide life saving care to someone
    who can pay the going rate but happens to have a skin color the
    hospital doesn't like to see?

In this case no because the hospital is typically a corporation.

    Can the owner of a busline refuse to carry blacks unless they
    consent to ride in the back and give up their seats to whites if
    the bus fills up?

A busline is typically operated by a governmental agency or
corporation.

    Can someone who owns a restaurant refuse to sell the food they own
    to people of a particular ethnic or racial background?

Absolutely.  They should be able to decide who and who not they want as
customers.

    Allowing merchants to be arbitrary rather than equitable in their
    choice of clients opens up a wide range of possibilities for them to
    be discriminatory. If they are in business they should be prepared
    to treat anyone with sufficient cash to pay in the same manner as
    anyone else who can pay.

Why?  In most cases market pressure will bear on the store to develop
reasonable policies.

--
dennis


------------------------------

From: jhoogerd@bacon.norcen.com (John Hoogerdijk)
Date: 08 Feb 1995 11:47:38 -0700
Subject: Internet Access Policy
Organization: Norcen

Hello folks,

I am drafting a usage policy for our company regarding access to the
Internet.  I am posting to this group because privacy, security and
policy items are somewhat related.

I would like feedback on the following areas from people who have
developed similar policies for their respective corporations.

1. Do you take measures to ensure that abuses do not occur - ie: users
spending excessive time on the WWW, reading Network News, etc.

2. Do you filter and accept only news groups relevant to your
business?

3. Do you have any statistics of "abuses" of the Internet, where abuse
is in the context of activities not related to business objectives of
the company?

4. Do you audit your user activities on the Internet?

5. Have you researched and considered any liabilities a corporation may
face as a result of Internet access? This, of course, is relevant to
local/national law - Norcen is a Canadian company, so Canadian
experiences would be more relevant, although others would be
interesting.

I recognize that there is a diverse and potentially contentious set of
opinions related to these issues, and although I don't wish to enter a
discussion on the broader issues of censorship, I do wish to consider a
wide range of views on these matters.

-- 
John Hoogerdijk
jhoogerd@norcen.com


------------------------------

From: Kajae@aol.com
Date: 08 Feb 1995 15:35:52 -0500
Subject: The Cybercop Impetus

Hmm...

When I started the thread on the cybercops it was with the notion that
those of us here who actually *care* one way or the other about
possible future censorship, privacy invasions, and personal information
abuses would do something about this situation other than make our
opinions known to others besides _just_ those of us on the Net, whom,
if they aren't like minded will at least be in a similar situation if
this comes to pass.

I suppose what I didn't realize at the time was that:

     1)  Anything that we did would have to be done by a large (or at
     least significant) number of us in order for it to be effective

     2)  Those of us who _did_ do something would have to, at some
     point and in some way agree on what to do and how to do it.

     3)  That I strongly suggest that everyone who wanted to actively
     participate the thread read the January 23rd article in U.S. News
     & World Report so you'd have a decent idea of what the heck I was
     talking about.

What I ultimately hoped to accomplish is for us to formulate a series
of actions (and perhaps even a philosophy or two along the way) that
would in some way negate the rather chilling vision of the future I had
after reading that article.  Let me share it with you...

The year is 2005.  At least 75% of all homes in America have computers,
tied in via modem (or whatever really cool tech we'll be using by then)
to every information exchange and service we require or desire, and the
U.S.'s population of couch potatoes has been all but converted into
netsurfers.  But the Net isn't what it was back in the roaring '90's.
Oh, no.  All (yes all) newsgroups and online services are monitored for
content by expert systems deployed by various "politically correct"
agencies of the Federal government to "regulate content for the purpose
of insuring domestic tranquillity".
It's illegal to own and/or operate a BBS without a Federal license,
and all sysops must adhere to specific federal guidelines.

Netsurfers aren't the only ones to enjoy the ever present influence of
our beloved government.  Since the passing of the Clipper Amendment,
all forms of communication hardware from cellulars to fax machines to
phone trunks and satellite dishes have nice tidy little slots in them,
anxiously awaiting the insertion of a chip that would give anyone who
had said chip the ability to see and hear everything each of us does.
And you can't use private encryption software, since *technically*, in
the wrong hands it could be used as a weapon.  But don't worry.  To
offset this, we, the Federal Government (NSA), will provide free of
charge, encryption software for the public - like a nationally
sponsored health care package for communications.  Is it good?  Sure!
Would anyone from the government be able to break into your encrypted
communications at will?  Nah, not without Clipper, and we'd _only_ use
_that_ for strictly _legal_ purposes.  You can trust us, we're the
government!

On top of all that, no citizen truly owns their own identity.
Information about everything one has, has done, and is doing is in the
hands of several agencies, both commercial and federal, who are by no
means accountable to mere individuals, American citizens or not.
Consumer buying power is not what it once was, as all goods and service
providers basically offer the same thing, but just a different way -
and treat all customers with the same lack of respect for their
individual privacy.  Cyberthieves, hackers with reverse-engineered
Clippers buy and sell legitimate credit ratings, as well as any
information, great or small, to anyone with the money or power, for
money or power.  Or maybe even just for fun.  In the '90's, people were
prisoners in their own homes because of the threat of crime.  In the
new millennium, people are prisoners of their own technologically
integrated, socially irresponsible society - unable to act, interact,
or even possibly *think* freely for fear of social, financial, or legal
reprisal.  (Didn't some dude named Orwell write something about that a
while ago?)

Now aside from the fact that I need to lay off the peanut
butter/tuna/cream cheese sandwiches before I go to bed, I also need to
point out that _I_ don't endorse complete lawlessness on the Net, in
cyberspace in general, or anywhere else.  In fact, several law
enforcement agencies have *already* used the Net to break child
pornography rings, credit card scams, and a host of other socially
productive things (read the aforementioned article).  What I oppose is
the notion that said agencies have in that they believe that they
should have the potential to constantly (and I do mean constantly)
invade my privacy at will, in any and every way, especially when I as a
private citizen have not given them any legal (or any other) cause to
do so - using law enforcement as an excuse when they don't consistently
enforce existing laws that would help them accomplish their goals just
as well.  Circumstances are already close enough to that as it is.

Do each of us as individuals have the right to make choices about where
and how we spend our money?  Yes (for now).  Do we have an obligation
to spend it in such a way that it is a help to others who may not have
the same choices? Yes, but by definition it's not a binding one, since
that's a *free choice* that we all make, and it isn't always clear
cut.  Forget Radio Shack.  How many of you use AT&T?  Do you know that
AT&T is already in the process of integrating Clipper into their
hardware?  How many of you are ready and willing to switch to MCI or
Sprint based solely on that fact?  What about the time when MCI and
Sprint will be forced by federal law to integrate Clipper into their
services?  Who will you switch to then?  What about the AT&T customers
who oppose Clipper, but AT&T provides them with the best and/or most
affordable service?  Do we just leave them to hang, when a united front
from a majority of AT&T customers could change their policy?  And maybe
even that of Congress?  Does anyone besides me see where this is
going?

Should we ban police from the Net?  Problematic, since you can't tell
who on the Net is a cop just by looking - you can't see a badge in
cyberspace.  And there is the rather significant point that they do
accomplish *some* good here, which is why we have them in the first
place.  If the law enforcement agencies of the US and the world want to
stake a better claim to the Net, let them have Usenet groups and online
services where the average person can *interact* with them, like a
police station on-line.  Let them develop their own services,
applications, and encryption breakers, but do it in such a way that it
wouldn't be cost effective to have every individual either world- or
nationwide under some form of constant surveillance.  The government
and military already have their own domains, let them expand on those.

So long as humans have imagination and ingenuity, all technology will
be either compromised or obsolete the day it's created.  This applies
to Clipper just as much as it does typewriters.  And no technology
remains intrinsically unique forever.  Just ask IBM.  The NSA is *NOT*
God almighty with a supremely omnipotent ability to touch and not be
touched, no matter what they would have us and their trainees think.
As a wing of a democratic government, they should be made responsive to
the will of the people, not the other way around.  Legislation
reflecting this philosophy should definitely be put into place that
would apply to private sector agencies as well.

What's more dangerous than a person with a loaded gun?  A person with a
loaded gun who has no real idea of how to properly use it.  What's more
dangerous than a government with power?  A government with power and no
understanding of why it was given that power in the first place - for
consideration and welfare of the people in its sovereignty.  Same
principle, different scope.

Think about it. I have.  Now it's your turn.

--
Karl Jackson               Kajae@aol.com


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 29 Dec 1994 10:50:22 -0600 (CST)
Subject: Info on CPD [unchanged since 12/29/94]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.  

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
 .UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions considered as personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy;
publications using CPD material should obtain permission from the
contributors.  

Contributions generally are acknowledged within 24 hours
of submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the SUBJECT: line of an article in order to make it easier
for the reader to follow a discussion.  He will not, however, alter or
edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Mosaic:        gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V6 #016
******************************