Date: Tue, 21 Mar 95 19:43:31 EST
Errors-To: Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From: Computer Privacy Digest Moderator <comp-privacy@uwm.edu>
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V6#028
Computer Privacy Digest Tue, 21 Mar 95 Volume 6 : Issue: 028
Today's Topics: Moderator: Leonard P. Levine
Re: Can My Neighbor Peruse My Medical Records?
Re: Can My Neighbor Peruse My Medical Records?
Re: Can My Neighbor Peruse My Medical Records?
Re: Can My Neighbor Peruse My Medical Records?
Is Caller ID to be mandantory nationally, April 1995?
Is Caller ID to be mandantory nationally, April 1995?
Is Caller ID to be mandantory nationally, April 1995?
Re: Sprint Privacy Issue on 10 Cents-a-minute
Re: Proving your Citizenship
Abolishing the IRS
First Bank of Internet Opens
FTC Legislative Alert
FTC Alert (continued)
The Manchurian Printer
Info on CPD [unchanged since 12/29/94]
----------------------------------------------------------------------
From: Maryjo Bruce <sunshine@netcom.com>
Date: 17 Mar 1995 20:06:02 -0800 (PST)
Subject: Re: Can My Neighbor Peruse My Medical Records?
There is an article - "Is your health history anyone's business" in
McCalls magazine. David Linowes, who chaired the U.S. Pravacy
Protection Commission under presidents Ford and Carter and wrote
PRIVACY IN AMERICA; IS YOUR PRIVATE LIFE IN THE PUBLIC EYE? "conducted
a survey of Fortune 500 companies and found that half of them had used
medical records to make hiring decisions, often without informing the
potential employee." Reason: cost of health care. "Linowes expects
that a follow up survey this year will reveal that even more companies
now engage in the practice."
"A study at the University of Illinois found that 40 percent of
insurance companies disclose medical information to others, such as
lenders, employers and marketers of medical devices and drugs, without
customer permission."
"It is estimated that half of all Rx written in the U.S. are recorded
in db that are accessible...." and so forth.
The article, written by Joe Levine, is on p 54 in the April issue of
McCalls.
--
Sunny Bruce, M.L.S.
------------------------------
From: Robert Gellman <rgellman@cais.cais.com>
Date: 18 Mar 1995 21:24:07 -0500 (EST)
Subject: Re: Can My Neighbor Peruse My Medical Records?
This is a response to a question posed by Harry Kingmill about a nosey
neighbor employed in a hospital. This problem illustrates a little
appreciated characteristic of modern personal recordkeeping. The
biggest threats to privacy come from insiders. Those who have a
legitimate ability to use records inside a hospital are much more
likely to abuse that ability and pose a threat to others than are
outside "hackers". This is not to say that there is no problem from
outsiders, but the threat from the outside tend to get all of the
attention while the real problem is frequently unaddressed.
What to do about the possibility of a nosey insider? You might bring
the problem to the attention of the administrator of the hospital. The
possibility of a lawsuit should be readily apparent to the
administrator. But you have to be careful. If you bring specific
charges against an identifiable person, you run the risk of being sued
by that person for defamation. If you name a person, you had better
have your facts straight and provable.
If you think that you are right but are still nervous, you can always
try to make an anonymous complaint. If the person has access to
psychiatric records, you might also address the complaint to the head
of psychiatry. They tend to be VERY concerned about confidentiality.
Depending on the law of the state where you live, the spreading of
gossip by hospital workers may be illegal. If the facility is covered
by federal alcohol or drug abuse rules, there may be a federal
violation. Similarly, if the facility is federally operated, the
federal Privacy Act of 1974 may impose statutory limits. Proving a
case -- either civilly or criminally -- is very difficult.
I hope that this helps.
--
Bob Gellman
------------------------------
From: chi@netcom.com (Curt Hagenlocher)
Date: 19 Mar 1995 17:05:24 GMT
Subject: Re: Can My Neighbor Peruse My Medical Records?
Organization: NETCOM On-line Communication Services (408 261-4700 guest)
Harry Kingsmill <kingsmill@esdsdf.dnet.ge.com> writes: During the
past year, this person has taken a part time job in the admissions
department of our community hospital. Since then, other neighbors
tell us that she has all of the "dirt" on anyone she knows who
checks in to the hospital for any reason. She was apparently very
proud of herself to report that the nephew of one of the neighbors
had to spend time in the psychiatric ward after attempting
suicide. I'm sure there's much that she's reported on that I don't
know about (thankfully). My questions are: 1) With my insurance
info on file at that hospital, how safe are my family's medical
records from this woman? 2) How can she be stopped from wreaking
further damage to the community?
My girlfriend works at the UCLA Medical Center Blood Bank. If your
records are on file at the MC, then she can access them. Ideally, she
would only access your records if say, you needed a transfusion and she
needed to supply something appropriate. However, there is nothing that
prevents her from simply "browsing" at will. I'm not even sure if the
computer records her access to the records.
You haven't really provided that much information about what this woman
does in admissions. She may not have direct access to any records. If
you can provide some proof that she is misusing her position, I'm sure
that the hospital will fire her. Hospitals, like most companies, are
usually worried about the "L-word" (lawsuits).
>From what I can see, most medical professionals take their job very
seriously.
--
Curt Hagenlocher
chi@earthlink.net
chi@netcom.com
------------------------------
From: horowitz@nosc.mil (Alan M. Horowitz)
Date: 21 Mar 1995 04:46:47 GMT
Subject: Re: Can My Neighbor Peruse My Medical Records?
Organization: NCCOSC RDT&E Division, San Diego, CA
If you are willing to swear to these facts under oath (with attendant
penalty for perjury), swear out an affidavit, and ask your neighbors to
do likewise.
Transmit one copy of each affidavit to the adinistrator of the
hospital, another to the administrator of your State's hospital
regulating bureaucracy, and a third to the foreman of your local Grand
Jury. The sheriff's deputy on duty in the courthouse will assist with
that once he understands you are not seeking to learn the identity of
the Grand Jurors.
------------------------------
From: Maryjo Bruce <sunshine@netcom.com>
Date: 17 Mar 1995 19:27:13 -0800 (PST)
Subject: Is Caller ID to be mandantory nationally, April 1995?
We have just gotten caller id (Dallas). As soon as the service was
available, ads began to appear pointing out the benefits of the service
for businesses.
One of them said that "basic demographics" (whatever that means) about
the caller could appear on a computer screen automatically, by the time
the phone was answered, along with credit info, and all info the co
might have in its computer about the caller - order info, type of
products purchased, amount of money spent, whatever.
The ad went on to say that in the future, various national databases
will be accessible immediately, as the calls come in, and those
databases will be selected by the company, tailored to their needs.
------------------------------
From: jwarren@well.sf.ca.us (Jim Warren)
Date: 19 Mar 1995 09:45:32 +0800
Subject: Is Caller ID to be mandantory nationally, April 1995?
Would you like to know who's electronically knocking on your bedroom
door in the middle of the night?
Would you like to remain entirely undisturbed by anyone who's unwilling
to identify themselves to you when they try to contact you or
electronically enter your home?
Would you like for the computer system you call to be able to verify
that the call is coming actually from your phone number - rather than
from some vile computer cracker who's somehow obtained your user-id and
password?
Would you like computer systems to selectively allow access to
"sensitive" or "adult(?)" material via a call coming from your phone,
identified as a mature(?) adult, while blocking access requests via
your young teen-ager's phone that might be identified as such?
And would you like to selectively keep some people whom you decide to
visit electronically, no matter the time nor location at which you
decide to contact them, from knowing who you are - for personal privacy
or for nefarious purposes (or both)?
Okay. I just received a Spring, 1995, junkmail catalog from Hello
Direct, a telephone add-ons company. For some reason that's probably
fantesy, I had the impression they were somehow associated with Pacific
Bell, though I found no mention of it in this edition of their
catalog. (800-444-3556; now you know everything I know about 'em.)
An ad for a Caller ID blocking device on page 45 stated:
"Mark your calendar. In April, 1995, Caller ID will be a 'done deal,'
nationwide. You may or may not have Caller ID service from the phone
company today. But in April, every telephone company coast-to-coast
will be required to offer it, by law.
"Your number can be legally displayed, for anyone you call who has
Caller ID service and a phone with Caller ID functionality. ... While
you could get a call-blocking service from the phone company, you'd
have to keep paying for it every month. For a tidy fifty bucks, this
clever little device does the trick just as well - no monthly service
needed."
(Unsurprisingly, the catalog also offered ID receiving units, as well as
this ID transmission blocker. :-)
I don't know whether this is true, partly-true (e.g., for interstate
calls) or only sometimes true depending on which state you're in, as is
now the case.
Can anyone cite a federal statute or regulation - probably from the FCC
- mandating such national service? Would love to have the exact
citation and text of any such mandate.
--
Jim Warren, GovAccess moderator; columnist, MicroTimes/Govt.Tech/BoardWatch
jwarren@well.com (well.com = well.sf.ca.us; also at jwarren@autodesk.com)
345 Swett Rd., Woodside CA 94062; voice/415-851-7075; fax/<# upon request>
[puffery: James Madison Freedom-of-Information Award, Soc. of Professional
Journalists - Nor.Calif.(1994); Hugh Hefner First-Amendment Award, Playboy
Foundation (1994); Pioneer Award, Electronic Frontier Foundation (its first
year, 1992); founded Computers, Freedom & Privacy confs, InfoWorld, etc.]
------------------------------
From: PRIVACY Forum <privacy@vortex.com>
Date: 19 Mar 95 10:54:07 PST
Subject: Is Caller ID to be mandantory nationally, April 1995?
It's untrue. What the FCC mandated is that CNID data be passed between
local telcos and IXCs on interstate calls starting that date. They
also mandated that before that be done local telcos must provide free
per-call blocking (i.e. *67) for their subscribers, regardless of
whether or not CNID display services were being offered to subscribers
in that area. They also mandated that the privacy indication triggered
by the use of per-call CNID blocking must be honored by all receiving
local telcos.
Note that:
1) This says nothing about the actual providing of CNID to
subscribers. If the local telco decides they don't want to provide the
ability for their subscribers to receive CNID, that's OK.
2) It says nothing about intrastate calls, which may still be under
tighter controls (potentially with per-line CNID blocking still
available). There are some technical issues revolving around the
question of providing per-line blocking for intrastate calls and only
per-call blocking for interstate calls.
3) It says nothing about calls to 800 or 900 numbers, which use ANI for
caller (line) identification and are not affected by CNID
restrictions. The issue of 800 numbers in particular is a thorny one,
since the party paying for the call does need some way to track abusive
and other usage.
4) Many state PUCs (and other entities) have apparently filed suits
against the FCC regarding their ruling, particularly where the ruling
would preempt the states' own rules for providing of per-line CNID
blocking (at least as far as interstate calls are concerned).
5) Many local telcos seem quite confused about what's going on, and I
*suspect* the April implementation date will not be fully met,
especially since many local telcos, nor most IXCs, have said anything
to their subscribers about use of *67 in those areas where CNID
services are not being offered.
I also saw that writeup in the "Hello Direct" catalog. By the way, one
of the Caller ID boxes in their catalog, showing a name display, is
displaying the name "Will Robinson". Guess they really might be Lost
in Space.
--
Lauren
------------------------------
From: ramole@aol.com (RAMole)
Date: 18 Mar 1995 02:35:13 -0500
Subject: Re: Sprint Privacy Issue on 10 Cents-a-minute
Organization: America Online, Inc. (1-800-827-6364)
MCI didn't ask me all those questions -- nor anything irrelevant that I
recall. They have a "Friends & Family II" plan where calls to those on
your list are 10cents/min from 5pm to 8am&weekends and 20 or 25% more
off if the person on your list is also their customer. All these plans
are confusing, but MCI seems better than Sprint to me. Also, MCI will
give you 5 frequent flyer miles on American for each $ you spend, and
you can get an AAL visa card that gives you 1 mile per $ spent. All of
which has nothing to do with privacy, but may get you a free roundtrip
ticket every year or two at no added expense. I could be slightly off
on some of the rates, but I *think* this is right. Good luck. Alan
Mole ramole@aol.com
------------------------------
From: dpbsmith@world.std.com (Daniel P. B. Smith)
Date: 18 Mar 1995 15:37:37 GMT
Subject: Re: Proving your Citizenship
Organization: The World Public Access UNIX, Brookline, MA
The concept that I have to "prove my citizenship" disturbs me greatly.
The current situation is that I don't think I have any difficulty
"proving my citizenship," but that's only because nobody is seriously
interested in challenging it.
My basic idea is that I'm a citizen of a free republic and I don't have
to carry no steenking ID cards. Let the person who thinks I'm not Dan
Smith prove it. Unfortunately this is probably not in tune with the
nineties, because I'm sure we all realize we have to have our freedoms
temporarily restricted just a bit to counter the terrible threat of
(cue menacing music) _illegal aliens_ <shudder>
The basic question I have is: I have a "birth certificate," but how do
I "prove" that that birth certificate is actually _my_ birth
certificate if anybody decides to challenge it?
The piece of paper I currently present as my birth certificate was
obtained by placing an order over the telephone with the City of New
York's Bureau of Vital Records. It is a dot-matrix printout on a piece
of paper with some mottley money-colored background, some fancy-looking
scrollwork decoration, and a raised seal. It contains: my date of
birth, a certificate number, the borough (Manhattan), the date filed (a
couple of days after my birth), the issued, my name, my sex, my
mother's maiden name, and my father's maiden name. How on earth does
this "prove" anything at all? All it proves is that _somebody_
telephoned the City of New York and ordered a copy of Dan Smith's birth
certificate. What could I ever do if anyone ever questioned it?
Related questions. For years, I _had_ what my mother told me was the
official copy of my birth certificate, and used it for decades to get
driver's license, passports, etc. Suddenly, about ten years ago,
clerks started complaining about it on the grounds that it "didn't have
a raised seal." What I think must have happened is that at some point
in time, health departments must have started using raised seals and
clerks must have started requiring them. No problem, I called up New
York and ordered a new certificate. But
a) How can I be sure I can "prove" my citizenship if the standards for
what is considered "proof" keep changing? What happens if at some
later time some clerk says "Sorry, I can't accept this (issued-in-1991)
certificate because it doesn't have the microchip in it? And what if
b) I call the friendly New York Bureau of Vital Statistics and say
"Please send me Dan Smith's birth certificate again, because now I need
one with the translucent ultraviolet watermark in it" and they say
"What was that certificate number again?" And I say "012345" and they
say (cold pause) I'm sorry, our computer has no record of that
certificate?"
--
Daniel P. B. Smith
dpbsmith@world.std.com
------------------------------
From: GOODWYN@delphi.com
Date: 19 Mar 1995 00:06:59 -0500 (EST)
Subject: Abolishing the IRS
Regarding the various problems with the IRS snooping into people's
private, does anyone know anything about a proposal in Congress to
abolish income tax and the IRS? I think I saw something about this
recently, and would like to know more. The idea was to replace income
tax with a national sales tax, and the express purpose, if I remember
correctly, was to get the IRS out of people's private lives by
abolishing it.
Frank Goowyn 606-573-4607
107 1/2 Mound Street GOODWYN@delphi.com
Harlan, KY 40831
------------------------------
From: fboi@netcom.com (Vinn Beigh)
Date: 19 Mar 1995 23:03:45 -0800
Subject: First Bank of Internet Opens
___/\___
_|_()_|_ A N N O U C E M E N T
For immediate release: Contact: fboi@netcom.com
Monday, March 20, 1995 Subject of 'info' for details
Direct questions to Vinn K. Beigh
The First Bank of Internet, FBOI, is announcing the initiation of
transaction processing services for Internet electronic commerce.
Purchases over the Internet can now be made without exposing personal
credit card information. Vendors can now sell products on the Internet
without the restrictions imposed by credit card use.
Other Internet purchase procedures require personal credit card
information. Those proceedings will be monitored by thousands of
people all over the world. Some will attempt to either decode the
credit card information or impersonate the customer in future
transactions.
The alternative to personal credit cards for electronic commerce is
based on an FBOI procured Visa (tm) Automated Teller Machine (ATM)
card. The card is prepaid, PIN protected, replaceable, disposable, and
good at over 200,000 Visa/PLUS (tm) ATMs in 83 countries.
The safety of FBOI is ensured because access to ATM funds without
possession of both the ATM card and the Personal Identification Number
(PIN) is not possible. ATM cards are also better than credit cards
because their purchase does not require the personal, financial, and
employment background of the consumer.
The Visa ATM card is not a credit card. It is cash. The ATM card will
be used as a checking account. Using an ATM card allows consumers to
set aside dedicated funds for Internet data purchases. It provides a
safe, secure way to transfer cash from consumers to producers. In
addition, consumers can reclaim their funds at any time using an ATM.
A check/invoice procedure is used that consumers will find familiar.
The consumer first places an order with a vendor. The consumer then
sends to the vendor or FBOI an e-mail 'check' for the purchase of the
program/file/data product. The vendor sends FBOI an e-mail 'invoice'.
FBOI will reconcile the transaction and send e-mail transaction
receipts to both the vendor and customer. Cash will be taken from the
customer ATM account and credited to the vendor for later payment.
FBOI charges a 5% vendor commission per transaction.
Producers of software, information collections, newsletters, graphics,
and other data products can use FBOI services for the sale of their
products. These vendors can sell their products for prices that would
be too low for credit card transactions. Subscription services that
charge an up-front fee for one time access to data depositories and
services also can participate.
Vendors will benefit from a very large consumer base because this
global solution works just as well outside the U.S. as within the
U.S.. The Visa ATM network is worldwide. Consumers will benefit from
a very large vendor base because software produced in non-North
American countries can be offered for sale much easier than now.
The worldwide producers on the Internet can use FBOI services without
the expense of owning or renting a dedicated Internet server or a
World-Wide Web site. E-mail is the cheapest and simplest of all
Internet services. Large Internet commercial services will soon be
starting that provide only for the on-line purchase of catalog
products. It will not be possible for the individual producer to sell
a data product using those services. Those services will collect the
consumers credit card information in advance because of Internet
security problems.
FBOI transmits no sensitive information over the Internet and prevents
forgery and impersonation by using Pretty Good Privacy, PGP (tm),
software for all transactions. This freeware provides excellent
authentication and anti-alteration security.
In addition to the unsecured nature of the Internet, consumers should
be hesitant giving out their credit card information to vendors of
unknown credibility. Tracking is much harder on the Internet than
magazine direct marketing. Also, it is not the same as mail order
merchandise since U.S. Postal Service and Federal Trade Commission mail
order laws do not apply to the Internet.
For high volume, low cost, transactions directly between producers and
consumers on the Internet contact FBOI.
Further information can be obtained from The First Bank of Internet by
sending an e-mail message with the subject "info" to
<fboi@netcom.com>.
Visa is a trademark of Visa International Service Association.
PLUS is a trademark of Plus System, Inc.
PGP and Pretty Good Privacy are trademarks of Philip Zimmermann.
The First Bank of Internet (tm) is not a lending institution.
The First Bank of Internet (tm) is not a chartered.
------------------------------
From: Druff <71553.1102@CompuServe.COM>
Date: 20 Mar 1995 17:46:45 GMT
Subject: FTC Legislative Alert
Organization: via CompuServe Information Service
Legislative Alert!
New proposed Federal Trade Commission Rules on Telemarketing pose a
great threat
to businesses, sysops, list brokers, copywriters, printers, desktop
publishers, etc., and to freedom of speech!
Your Immediate Attention Is Called To 16 CFR Part 310
Telemarketing Sales Rules
Note: Section 310. Definitions...includes...the use of facsimile
machines...computer modems, or any telephonic medium.
Your attention is called to "Assisting and Facilitating" Section
310.3[b] [1] {page 11} of the proposed rule sets forth a general
prohibition against assisting or facilitating deceptive telemarketing
acts or practices. Assistors who engage in these activities will
violate the rule if they know, or should know, that the person they are
assisting is engaged in an act or practice that violates the rule.
The five types of assisting and facilitating activities listed in the
proposed rule are as follows: first, providing lists of customer
contacts to a seller or telemarketer [e.g., serving as a list
broker]...and fifth, providing any script, advertising, brochure,
promotional material, or direct marketing piece to be used in
telemarketing.
Section 310.4[b] [pages 14 & 15] ...it is an abusive act or practice
and a violation of the rule to call a person's residence to offer,
offer for sale, or sell, on behalf of the same seller, the same or
similar goods or services more than once within any three month
period...
Page 25 - #7 - The proposed rule states that the term "telemarketing"
includes the use of a facsimile machine, computer modem, or any other
telephonic medium, as well as calls initiated by persons in response to
postcards, brochures, advertisements, or any other printed, audio,
video, cinematic or electronic communications by or on behalf of the
seller...
Page 25 - #8 - The proposed definition of "telemarketing" includes
within the rule's coverage On-Line information services which a person
accesses by computer modem.
Section 310.3 [a] [4] {page 11} would prohibit consumers from paying by
check over the phone without prior written authorization while allowing
credit card holders to do so without prior written authorization. This
would discriminate against the 75 million consumers who do not have a
credit card, the millions of consumers who have no usable credit on
their credit card and the businesses, most of them small or new, who
cannot obtain credit card merchant status to accept credit cards. It
would also further the monopoly of Visa and MasterCard and the up to 21
percent interest they charge credit card users.
Please read the proposed rules in their entirety to ascertain their
possible effect on your business, the telemarketing industry and the
growth of the Information Super Highway.
Since most businesses and individuals are totally unaware of these
proposed rules, it is important that this information is distributed
through every means possible so that interested parties have the
opportunity to comment and protect their interests.
Written comments must be submitted on or before March 31, 1995. A
public workshop-conference will be held at the Chicago Hilton on April
18th through April 20th from 9am to 5pm.
Five paper copies of each written comment should be submitted to the
Office of the Secretary, Room 159, Federal Trade Commission, Washington
DC 20580.
To encourage prompt and efficient review and dissemination of the
comments to the public, all comments should be submitted, if possible,
in electronic form, on either a 5< or 3= inch computer disk, with a
label on the disk stating the name of the commenter and the name and
version of the word processing program used to create the document.
Submissions should be captioned: "Proposed Telemarketing Sales Rule"
FTC File NO. R411001.
The full 50 pages of the proposed rules can be downloaded from the
NYACC Bulletin Board, file name "FTC" - phone 718-539-3338.
I would appreciate your feedback and a copy of any comments that
you intend to submit and I suggest that you disseminate this
information as widely as possible.
Ronald A. Stewart
126 13th Street
Brooklyn, NY 11215
Phone 718-768-6803
Fax 718-965-3400
------------------------------
From: Druff <71553.1102@CompuServe.COM>
Date: 20 Mar 1995 17:47:22 GMT
Subject: FTC Alert (continued)
Organization: via CompuServe Information Service
File Name "FTcanswr.asc"
Proposed comments to FTC about written authorization required for
checks by phone
Under Section 310.3 [a] [4] of the proposed rule, it is a prohibited
deceptive telemarketing act or practice for a seller or telemarketer to
obtain or submit for payment from a person's checking, savings, share,
or similar account, a check, draft, or other form of negotiable paper
without that person's express written authorization. For example, a
telemarketer cannot submit an unsigned draft on a consumer's bank
account without that consumer's prior written authorization. This
Section of the proposed rule would discriminate against the 75 million
Americans who do not have a credit card [1990 census] and the millions
of credit card holders who want to make a purchase by phone, fax,
computer, computer bulletin board, etc., but who have no usable credit
on their card.
Would discriminate against the thousands of new and small businesses
who cannot obtain Credit Card Merchant Status to accept major credit
cards and reduce their sales by not being able to accept a customer's
check over the phone.
The rules would allow credit card payments over the phone, increasing
the monopoly of MasterCard and Visa with their up to 21 percent charges
to consumers.
Would effectively kill the rapidly growing "checks by phone" industry,
putting over 20 companies (and their employees) out of business and
costing countless less sales to the thousands of clients these
businesses are now servicing.
Fraud associated with checks by phone is less than with credit cards.
Any consumer can take a check to his or her bank and, since consumer's
signature is not on check, have the check kicked back to the bank it
was originally deposited in and have their account credited. As with
credit card sales over the phone, it is the merchant that is at risk,
not the consumer.
The FTC must demonstrate why checks over the phone must require prior
written authorization from consumers [which would effectively negate
its usefulness] while allowing credit card purchases by phone without
prior written authorization.
In order for the Information Super Highway to continue to grow, checks
by phone will play a positive important role. People will be shopping
from their personal computers, from their TV sets using their
interactive remote control device...on computer bulletin boards and on
the Internet and by fax machine. Consumers will need ways to transmit
money over the phone and fax lines and businesses will need ways to
receive money by phone line and fax and by computer. 75 million
Americans do not have a credit card and thousands of legitimate
businesses cannot qualify for credit card merchant account status to
accept major credit cards. To preclude checks by phone will cause
great economic loss to the American economy.
If banks received numerous complaints about checks by phone they would
stop paying them [checks without account holders signature].
Handicapped, the elderly, shut-ins, etc., would be further penalized by
being forced to address envelopes, purchase postage stamps, and going
to a mail box instead of being able to conveniently give a check over
the phone.
If future information and statistics demonstrate that checks by phone
produces more fraud and complaints than credit card fraud, the FTC can
revisit this issue in future rules. No anecdotal evidence presently
exists that this is currently the case.
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 18 Mar 1995 11:03:49 -0600 (CST)
Subject: The Manchurian Printer
Organization: University of Wisconsin-Milwaukee
Taken from RISKS-LIST: RISKS-FORUM Digest Thursday 16 March 1995
Volume 16 : Issue 92 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND
RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public
Policy, Peter G. Neumann, moderator
From: simsong@pleasant.cambridge.ma.us (Simson L. Garfinkel)
Date: 15 Mar 1995 21:28:37 -0500
Subject: The Manchurian Printer
The Manchurian Printer, (C) 1995, Simson L. Garfinkel
[The Boston Sunday Globe, March 5, 1995, Focus Section, Page 83]
Simson L. Garfinkel
Early this month, Hewlett-Packard announced a recall of 10,000 HP OfficeJet
printer fax copiers. The printer's power supplies may have a manufacturing
defect that could pose an electrical shock hazard. HP says that it
discovered the problem with its printers during routine testing; HP was
lucky: printers can be very dangerous devices. A typical laser printer, for
example, can draw hundreds of watts of power, generate internal temperatures
high enough to burn a wayward human hand, and even, under the right
circumstances, start a fire.
Most manufacturers, of course, try to design their printers to minimize such
risks. Increasingly, however, there is a chance that companies might
intentionally design life-threatening flaws into their products so that the
flaws can be exploited at a later time. These fatal flaws might be
intentionally built into equipment manufactured overseas, as a kind of
"insurance policy" in the event of a war between that foreign country and
the United States. The flaws might form the basis for a new kind of
corporate warfare. Or the flaws might be hidden by disgruntled employees
contemplating extortion or revenge.
Indeed, U.S. military planners are increasingly worried about this sort of
possibility, they place under a heading "Information Warfare." Nevertheless,
although the threat of Information Warfare is very real, an even bigger
danger is that the Department of Defense will use this threat to convince
the new Congress to repeal the Computer Security Act of 1987. This would
effectively allow the National Security Agency to declare martial law in
cyberspace, and could place the civilian computer industry into a tailspin.
To understand what the military is afraid of, imagine the Manchurian
Printer: a low-cost, high-quality laser printer, manufactured overseas, with
built-in secret self-destruct sequence. For years these printers could lay
dormant. But send them a special coded message---perhaps a long sequence of
words that would never normally be printed together---and the printer would
lock its motors, overheat, and quickly burst into flames. Such an attack
might be the first salvo in an out-and-out war between the two countries.
Alternatively, an enemy company might simply use printers to start selective
fires, damage economic competitors, take out key personnel, and cause
mischief.
Unlike the movie the Manchurian Candidate, the technology behind the
Manchurian Printer isn't science fiction. Last October, Adobe accidentally
shipped a "time bomb" in Photoshop version 3.0 for the Macintosh. A time
bomb is a little piece of code buried inside a computer program that makes
the software stop running after a particular date. Adobe put two time bombs
into its Photoshop 3.0 program while the application was under development.
The purpose behind the time bombs was to force anybody who got an advance,
pre-release copy of the program to upgrade to the final shipping version.
But when it came time to ship the final version of Photoshop 3.0, Adobe's
engineers made a mistake: they only took out one of the bombs.
An engineer inside Adobe learned about the problem soon after the product
was shipped, and the company quickly issued a recall and a press release.
Adobe called the time bomb a "security code time constraint" and said that
"although this is an inconvenience to users, the security constraint neither
damages the program or hard drive, nor does it destroy any files."
It only takes a touch of creativity and a bit of paranoia to think up some
truly malicious variants on this theme. Imagine that a company wants to make
a hit with its new wordprocessor: instead of selling the program, the
company gives away free evaluation copies that are good for one month.
What's unknown to the users of this program is that while they are typing in
their letters, the program is simultaneously sniffing out and booby-trapping
every copy of Microsoft Word and WordPerfect that it finds on your system.
At the end of the month, all of your wordprocessors stop working: Instead of
letting you edit your memos, they print out ransom notes.
Any device that is equipped with a microprocessor can be equipped with such
a booby-trap. Radios, cellular telephones, and computers that are connected
to networks are particularly vulnerable, since an attacker can send them
messages without the knowledge or consent of their owners. Some booby- traps
aren't even intentional. What makes them particularly insidious is that it
is almost impossible to look at a device and figure out if one is present or
not. And there is no practical way to test for them, either. Even if you
could try a million different combinations a second, it would take more than
200 years to find a sequence that was just 8 characters long.
* * *
Information Warfare isn't limited just to things that break or go boom. The
Department of Defense is also worried about security holes that allow
attackers to break into commercial computers sitting on the Internet or take
over the telephone system.
"This nation is under IW attack today by a spectrum of adversaries ranging
from the teenage hacker to sophisticated, wide-ranging illegal entries into
telecommunications networks and computer systems," says a report of the
Defense Science Board Summer Study Task Force on Information Architecture
for the Battlefield, and issued last October by the Office of the Secretary
of Defense.
"Information Warfare could pervade throughout the spectrum of conflict to
create unprecedented effects. Further, with the dependence of modern
commerce and the military on computer controlled telecommunication
networks, data bases, enabling software and computers, the U.S. must
protect these assets relating to their vulnerabilities," the report warns.
Information warfare changes the rules of war fighting, the report warns. A
single soldier can wreak havoc on an enemy by reprogramming the opposing
side's computers. Modern networks can spread computer viruses faster than
missiles carrying biological warfare agents, and conceivably do more damage.
Worst of all, the tools of the information warrior are readily available to
civilians, terrorists and uniformed soldiers alike, and we are all potential
targets.
Not surprisingly, the unclassified version of the Pentagon's report barely
mentions the offensive possibilities of Information Warfare---capabilities
that the Pentagon currently has under development. Nevertheless, these
capabilities are alluded to in several of the diagrams, which show a keen
interest by the military in OOTW---Operations Other Than War.
"They have things like information influence, perception management, and
PSYOPS---psychological operations," says Wayne Madsen, a lead scientist at
the Computer Sciences Corporation in northern Virginia, who has studied
the summer study report. "Basically, I think that what they are talking about
is having the capability to censor and put out propaganda on the networks.
That includes global news networks like CNN and BBC, your information
services, like CompServe and Prodigy," and communications satellite
networks. "When they talk about 'technology blockade,' they want to be able
to block data going into or out of a certain region of the world that they may
be attacking."
The report also hints at the possibility of lethal information warfare.
"That is screwing up navigation systems so airplanes crash and ships runs
aground. Pretty dangerous stuff. We could have a lot of Iranian Airbuses
crashing if they start screwing that up," Madsen says. Indeed, says Madsen,
the army's Signal Warfare center in Warrenton, Virginia, has already invited
companies to develop computer viruses for battlefield operations.
Our best defense against Information Warfare is designing computers and
communications systems that are fundamentally more secure. Currently, the
federal organization with the most experience in the field of computer
security is the National Security Agency, the world's foremost spy
organization. But right now, NSA's actions are restricted by the 1987
Computer Security Act, which forbids the agency from playing a role in the
design of civilian computer systems. As a result, one of the implicit
conclusions of the Pentagon's report is to repeal the 1987 law, and untie
the NSA's hands. Indeed, the Pentagon is now embarking on a high-level
campaign to convince lawmakers that such a repeal would be in the nation's
best interests.
This argument confuses security with secrecy. It also ignores the real
reasons why the Computer Security Act was passed in the first place.
In the years before the 1987 law was passed, the NSA was on a campaign to
expand its power throughout American society by using its expertise in the
field of computer security as a lever. NSA tried to create a new category of
restricted technical information called "national security related
information." They asked Meade Data Corporation and other literature search
systems for lists of their users with foreign-sounding names. And, says
David Banisar, a policy analyst with the Washington-based Electronic Privacy
Information Center, "they investigated the computers that were used for the
tallying of the 1984 presidential election. Just the fact that the military is
looking in on how an election is being done is a very chilling thought. After
all, that is the hallmark of a banana republic."
The Computer Security Act was designed to nip this in the bud. It said that
standards for computer systems should be set in the open by the National
Institute of Standards and Technology.
Unfortunately, the Clinton Administration has found a way to get around the
Computer Security Act. It's placed an "NSA Liaison Officer" four doors down
from the NIST director's office. The two most important civilian computer
standards to be designed in recent years---the nation's new Escrowed
Encryption Standard (the "Clipper" chip) and the Digital Signature Standard
were both designed in secret by the NSA. The NSA has also been an unseen
hand behind the efforts on the part of the Clinton Administration to make
the nation's telephone system "wiretap friendly."
Many computer scientists have said that the NSA is designing weak standards
that it can circumvent, so that the nation's information warfare defenses do
not get in the way of the NSA's offensive capability. Unfortunately,
there's no way to tell for sure. That's the real problem with designing
security standards in secret: there is simply no public accountability.
In this age of exploding laser printers, computer viruses, and information
warfare, we will increasingly rely on strong computer security to protect our
way of life. And just as importantly, these standards must be accountable to
the public. We simply can't take our digital locks and keys from a Pentagon
agency that's saying "trust me."
But the biggest danger of all would be for Congress to simply trust the
administration's information warriors and grant their wishes without any
public debate. That's what happened last October, when Congress passed the
FBI's "Communications Assistance for Law Enforcement Act" on an unrecorded
voice vote. The law turned the nation's telephone system into a surveillance
network for law enforcement agencies, at a cost to the U.S. taxpayer of $500
million.
=========WHAT FOLLOWS ARE CAPTIONS FOR THE ART===========
Photo: Box of Microsoft Word 6.0
Even though it's illegal, a lot of people like to "try out" software by
making a copy from a friend before they plunk down hundreds of dollars for
their own legal copy. Computer companies say that this is a form of software
piracy: many who try never buy. More than 2 billion dollars of software is
pirated annually, according to the Business Software Alliance.
One way that companies like Microsoft and Novel could fight back is by
booby-trapping their software. Sure, customers wouldn't like it if that stolen
copy of Microsoft Word suddenly decided to erase every letter or memo that
they've written in the past month, but what legal recourse would they have?
=====================
Photo: Cellular Telephone
Is your cellular phone turned on? Then your phone is broadcasting your
position every time it sends out its electronic "heartbeat." Some law
enforcement agencies now have equipment that lets them home in on any
cellular telephone they wish (similar technology was used recently to catch
infamous computer criminal Kevin Mitnick). Perhaps that's the reason that
the Israeli government recently ordered its soldiers along the boarder to stop
using their cellular telephones to order late night pizzas: the telephone's
radio signal could be a become a homing beacon for terrorist's missiles.
===================
Photo: Floppy Disk
Beware of disks bearing gifts. In 1989, nearly 7000 subscribers of the British
magazine PC Business World and 3500 people from the World Health
Organization's database received a disk in the mail labeled "AIDS
Information Introductory Diskette Version 2.0". People who inserted the
disks into their computers and ran the programs soon found out otherwise:
the disks actually contained a so-called trojan horse that disabled the
victims' computers and demanded a ransom.
==================
Photo: A computer with a screen from America Online, and a modem
Several years ago, users of Prodigy were shocked to find that copies of
documents on their computers had been copied into special "buffers" used by
Prodigy's DOS software. Prodigy insisted that the copied data was the result
of a software bug, and it wasn't spying on its customers. But fundamentally,
if you use a modem to access America Online, Prodigy or Compuserve, there
is no way to be sure that your computer isn't spying on you while you surf
the information highway.
==================
HP's recall affects only OfficeJet printers with serial numbers that begin
US4B1-US4B9, US4C1-US4C9, US4BA-US4BU, or US4CA-US4CK. Worried
about your OfficeJet? Call HP at (800) 233-8999.
===============
Simson L. Garfinkel writes about computers and technology from his home in
Cambridge, Massachusetts.
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 29 Dec 1994 10:50:22 -0600 (CST)
Subject: Info on CPD [unchanged since 12/29/94]
Organization: University of Wisconsin-Milwaukee
The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.
This digest is a forum with information contributed via Internet
eMail. Those who understand the technology also understand the ease of
forgery in this very free medium. Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top. Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting. He will comply.
If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution. As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.
On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute. If you
do so, it is best to modify the "Subject:" line of your mailing.
Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored. They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious. Diversity is welcome, but not personal attacks. Do
not include entire previous messages in responses to them. Include
your name & legitimate Internet FROM: address, especially from
.UUCP and .BITNET folks. Anonymized mail is not accepted. All
contributions considered as personal comments; usual disclaimers
apply. All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy;
publications using CPD material should obtain permission from the
contributors.
Contributions generally are acknowledged within 24 hours
of submission. If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the SUBJECT: line of an article in order to make it easier
for the reader to follow a discussion. He will not, however, alter or
edit or append to the text except for purely technical reasons.
A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives
are in the directory "pub/comp-privacy".
People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.
Mosaic users will find it at gopher://gopher.cs.uwm.edu.
Older archives are also held at ftp.pica.army.mil [129.139.160.133].
---------------------------------+-----------------------------------------
Leonard P. Levine | Moderator of: Computer Privacy Digest
Professor of Computer Science | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu
| Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------
------------------------------
End of Computer Privacy Digest V6 #028
******************************
.