Date:       Sat, 19 Aug 95 16:43:35 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V7#014

Computer Privacy Digest Sat, 19 Aug 95              Volume 7 : Issue: 014

Today's Topics:			       Moderator: Leonard P. Levine

             Re: Credit Reports and Identifying Information
                    Re: Watch them Vacation Programs
                    Re: Web Access and Mailing Lists
                           Netscape Security
        Privacy Commissioner of Canada -- Annual Report 1994/95
                        News about Secure-A-File
                           Re: Caller ID/ANI
                            A Netscape Story
              Re: An Abuse of Individual Right to Privacy?
                   Final Program - AST 9/4/95 [long]
                 Info on CPD [unchanged since 08/01/95]

----------------------------------------------------------------------

From: harris.jarnold@ic1d.harris.com (Jon Arnold)
Date: 15 Aug 1995 17:27:16 GMT
Subject: Re: Credit Reports and Identifying Information
Organization: Harris Corp - ATCSD

    berczuk@space.mit.edu (Steve Berczuk) writes:

    1) Does this mean that if a "TRW Subscriber" makes a mistake reporting
    identifying info it stays there? (On a related note, they also had a
    "previous address" misspelled. When we pointed that out we got the same
    answer: "we only print what was reported".)

Having dealt specifically with TRW many times in the past for similar
errors in their report, this is true.  They take the stand that they
will store *whatever* information their subscribers send them about a
person; right, wrong, misspelled, or inaccurate is not their concern,
they merely report the news.  All of the big 3 credit bureaus are like
this, but TRW seems to take it quite literally as a matter of policy.

If I wanted to pay to be a bona fide TRW subscriber, I could report
delinquent debts on anybody I didn't like, and TRW would post the
delinquency to their credit reports in a flash.  No exaggeration here;
I posed this question to a TRW manager, who verified that that's
exactly how it would work if I were a subscriber.

    2) Can we figure out who reported the AKA to get THEM to correct
    it? How?

They apparently know who reports every scrap of information to them,
but they are normally unwilling to give out that information to you.
For me, it took a *lot* of persistence to get similar information from
various pieces of erroneous information on my own report.

    3) Aside from esthetic considerations, how important is information
    like "previous addresses" and "also known as" (or, relatedly, spouse's
    first name -- credit bureaus seem not to be able to handle "spouse's
    first & last name")?

Don't know on this one, but I figure if this is something that's going
to be used for things like mortgage applications, car loans, etc, I
would feel better if the information there was accurate, imho.

--
harris.jarnold@ic1d.harris.com
 ----------------------------------------------------------------------------
Jon Arnold        "If you ain't the lead dog, the view never changes."

Disclaimer: The views & opinions expressed here are my own, and have no
necessary relevancy to the views & opinions of my employer.
 ----------------------------------------------------------------------------


------------------------------

From: "Peter M. Weiss +1 814 863 1843" <PMW1@PSUVM.PSU.EDU>
Date: 15 Aug 95 14:07 EDT
Subject: Re: Watch them Vacation Programs

Furthermore, they are an invitation to a hacker to "try" the
vacationer's account.

--
Pete Weiss,
Penn State


------------------------------

From: Robert Bulmash <75754.2763@CompuServe.COM>
Date: 15 Aug 1995 20:19:22 GMT
Subject: Re: Web Access and Mailing Lists
Organization: Private Citizen, Inc.

It is unlawful for anyone in the USA to send unsolicited junk E-Mail
over regular telephone lines to any modem-computer that has a printer
attached to it.

The law allows the plaintiff to sue the sender for $500 (in state small
claims court) for each transmission of such.  I will be filing such a
suit here in DuPage County (just west of Chicago) later this week or
early next.

If you want more information call Private Citizen, Inc. at
1/800-CUT-JUNK


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 19 Aug 1995 11:23:48 -0500 (CDT)
Subject: Netscape Security
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: Risks-Forum Digest, Friday 18 August 1995,
Volume 17 : Issue 27.  FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND
RELATED SYSTEMS (comp.risks), ACM Committee on Computers and Public
Policy, Peter G. Neumann, moderator.

    From: shank@netscape.com (Peter Shank)
    Date: 17 Aug 1995 08:44:45 -0700
    Subject: Netscape security

Late Tuesday evening a person from France posted a news article to the
hacker community claiming success at decrypting a single encrypted message
that had been posted as a challenge on the Internet sometime on or before
July 14, 1994. His response to the challenge is described in an email that
has been forwarded widely across the Internet.

What this person did is decrypt one encrypted message that used RC4-40 for
encryption. He used 120 workstations and two parallel supercomputers for 8
days to do so. As many have documented, a single RC4-40 encrypted message
takes 64 MIPS-years of processing power to break, and this roughly
corresponds to the amount of computing power that was used to decrypt the
message.

Important points to understand:

  1. He broke a single encrypted message. For him to break another message
     (even from the same client to the same server seconds later) would
     require *another* 8 days of 120 workstations and a few parallel
     supercomputers. The work that goes into breaking a single message
     can't be leveraged against other messages encrypted with other
     encryption keys.

  2. The standard way to determine the level of security of any encryption
     scheme is to compare the cost of breaking it versus the value of the
     information that can be gained. In this case he had to use roughly
     $10,000 worth of computing power (ballpark figure for having access to
     120 workstations and a few parallel supercomputers for 8 days) to break
     a single message. Assuming the message is protecting something of less
     value than $10,000, then this information can be protected with only
     RC4-40 security. For information of greater value, currently available
     RC4-128 security should be used.

  3. Inside the US, software can support a range of stronger encryption
     options, including RC4-128, which is 2^88 times harder to break.
     Meaning that the compute power required to decrypt such a message
     would be more than 1,000,000,000,000 (trillion) times greater than
     that which was used to decrypt the RC4-40 message. This means that
     with foreseeable computer technology this is practically impossible.

So in conclusion, we think RC4-40 is strong enough to protect
consumer-level credit-card transactions -- since the cost of breaking the
message is sufficiently high to make it not worth the computer time
required to do so -- and that our customers should use higher levels of
security, particularly RC4-128, whenever possible. This level of security
has been available in the U.S. versions of our products since last April.
Because of export controls it has not been available outside the U.S. We
would appreciate your support in lobbying the U.S. government to lift the
export controls on encryption. If you'd like to help us lobby the
government send email to export@netscape.com.

Finally, we'd like to reiterate that all this person has done is decrypt
one single RC4-40 message. RC4 the algorithm and products which use the
algorithm remain as secure as always.

[moderator, this was also noted by:

Timothy P. Donahue    Cisco Systems
                      ATM Business Unit             +1-508-262-1141
                      1100 Technology Park Drive    +1-508-262-1141 FAX
                      Billerica MA USA  01821        tdonahue@cisco.com
]
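The exhaustive-search arithmetic behind points 2 and 3 of the Netscape statement, as an added illustration that is not part of the digest or of Netscape's text. It takes only the figures given in the post (a 40-bit key, a 128-bit key, 8 days of work and roughly $10,000 of computing for one 40-bit break) and adds one assumption of its own: that hardware cost per unit of work halves every 18 months, a Moore's-law style rule of thumb that is not a figure from the post. It shows that 2^88 is about 3.1 x 10^26 (a great deal more than a trillion), how the post's "cost of breaking versus value of the information" rule turns into a minimum key length, and, going beyond the post, how that minimum creeps upward once a time horizon is put on a fixed dollar figure.

```python
"""Work-factor arithmetic for exhaustive key search, RC4-40 versus RC4-128.

Added illustration; not code from the digest or from Netscape.  Figures taken
from the post: 40-bit and 128-bit keys, 8 days of work and roughly $10,000 of
computing for one 40-bit break.  The 18-month cost-halving period used for the
time-horizon estimate is an assumption (a Moore's-law style rule of thumb).
"""
from math import ceil, log2
from typing import Tuple

DAYS_PER_YEAR = 365.25


def keyspace(bits: int) -> int:
    """Number of candidate keys an exhaustive search may have to try."""
    return 1 << bits


def work_ratio(bits_small: int, bits_large: int) -> int:
    """How many times more work the larger key costs: 2^(difference).

    Exhaustive search scales linearly with the keyspace, so every extra key
    bit doubles the expected work, and nothing learned while searching for
    one key helps with the next one (the post's point 1).
    """
    if bits_large < bits_small:
        raise ValueError("bits_large must not be smaller than bits_small")
    return 1 << (bits_large - bits_small)


def scaled_days(bits: int, baseline_bits: int, baseline_days: float) -> float:
    """Days to exhaust a `bits` key on hardware that needed `baseline_days`
    for a `baseline_bits` key."""
    return baseline_days * work_ratio(baseline_bits, bits)


def scaled_years(bits: int, baseline_bits: int, baseline_days: float) -> float:
    """Same as scaled_days, expressed in years."""
    return scaled_days(bits, baseline_bits, baseline_days) / DAYS_PER_YEAR


def bits_needed(value_dollars: float, cost_point: Tuple[int, float]) -> int:
    """Smallest key length whose break cost is at least `value_dollars`,
    given one measured (bits, dollars) cost point.  Each extra bit doubles
    the attacker's cost, so the answer grows with log2 of the value/cost ratio.
    """
    bits, cost = cost_point
    if value_dollars <= cost:
        return bits
    return bits + ceil(log2(value_dollars / cost))


def cost_after_years(cost_now: float, years: float, halving_years: float = 1.5) -> float:
    """Cost of the same computation after `years`, if cost per unit of work
    halves every `halving_years`.  The halving period is an assumption."""
    return cost_now / 2 ** (years / halving_years)


def bits_needed_over_horizon(value_dollars: float, cost_point: Tuple[int, float],
                             years: float, halving_years: float = 1.5) -> int:
    """Key length that still covers `value_dollars` at the end of a horizon,
    i.e. bits_needed evaluated against the cheaper future break cost."""
    bits, cost = cost_point
    future_cost = cost_after_years(cost, years, halving_years)
    return bits_needed(value_dollars, (bits, future_cost))


if __name__ == "__main__":
    ratio = work_ratio(40, 128)
    print(f"2^88 = {ratio:.3e}  (about {ratio / 1e12:.1e} trillion)")
    print(f"128-bit search on the fleet that did 40 bits in 8 days: "
          f"{scaled_years(128, 40, 8):.2e} years")
    for value in (5_000, 10_000, 80_000, 1_000_000):
        print(f"${value:>9,}: {bits_needed(value, (40, 10_000))} bits now, "
              f"{bits_needed_over_horizon(value, (40, 10_000), years=5)} bits "
              f"if the data must stay protected for 5 years")
```

The horizon function is the practitioner's caveat to point 2: a break cost is a snapshot, and a key length chosen to protect a message worth slightly less than the current break cost is under-sized for any data that must stay confidential for longer than a hardware generation.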


------------------------------

From: jroy@fox.nstn.ca (Jocelyn Roy)
Date: 17 Aug 1995 19:24:12 GMT
Subject: Privacy Commissioner of Canada -- Annual Report 1994/95
Organization: NSTN Inc. ICS/Windows Dialup User

The Privacy Commissioner of Canada released his 1994/95 annual report
today.  It can be found at the following Web site:

http://info.ic.gc.ca/opengov/opc/pubs.html

Among the topics discussed:

* privacy and security on the information highway
* a model privacy code for the private sector
* biomedical privacy (drug testing and genetic testing, including 
  Canada's new forensic DNA testing law)
* the inadequacy of Canada's current patchwork of privacy laws
* court decisions on privacy issues.


------------------------------

From: ppease@netcom.com (Paul Pease)
Date: 17 Aug 1995 22:13:59 GMT
Subject: News about Secure-A-File
Organization: NETCOM On-line Communication Services (408 261-4700 guest)

Ilex Systems has just announced a new software package for Windows, 
called Secure-A-File. It uses RSA-licensed security, with 1024-character 
words to make it unbreakable. Costs $99 per end. E-mail me if you would 
like more information.

-- 
Paul Pease, Writer/Consultant in Beautiful Downtown Palo Alto.
Call me at 415 322-2072; fax 415 322-7940. ppease@netcom.com

[moderator:  This is very close to an advertisement, but I have
decided that a single announcement like this makes sense here.]


------------------------------

From: Terry Crabb <TCRABB@Gems.VCU.EDU>
Date: 18 Aug 1995 08:51:35 -0400 (EDT)
Subject: Re: Caller ID/ANI

I have cause to regularly send packages via Fed Ex, and was initially
surprised to discover that they knew who I was, and where I was, before
I told them anything.

The process to get a courier to call involves dialling 1-800-.... If
you ignore the "press 1 for this, press 2 for that", and roll over to a
human, they appear to be reading your information from a terminal.

An earlier post suggested calling 1-800-CALL-ATT prior to placing a 
call to another 800 number, in order to defeat ANI. Well, I tried that, 
and they _still_ knew who I was!

--
     Terry Crabb                                tcrabb@gems.vcu.edu
     Systems Programming Dept.,
     MCV Associated Physicians,
     Richmond, VA

     Finger tcrabb@opal.vcu.edu for PGP Public Key


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 18 Aug 1995 08:39:54 -0500 (CDT)
Subject: A Netscape Story
Organization: University of Wisconsin-Milwaukee

If you are running Netscape on your IBM type PC and you type
CTRL-ALT-F you suddenly find yourself looking at "The Amazing Fish
Cam" which connects to a netscape server and does something cool, I
suppose.

I saw this noted on page 18 of the 8/14/95 "Interactive Age" and tried
it today.

What are the privacy implications?

The geniuses at Netscape have put into their excellent software this
undocumented (or poorly documented) feature to amuse me.  I must ask
why else they would have done it.

Have they not learned from the experience of Prodigy or Microsoft that
communications software that runs in ways that the user is not warned
about can easily lead the user to wonder what else is automatically
installed?  That undocumented stuff might well be very intrusive.

Most of us recall the near disaster that faced Prodigy some years ago
when a swap file they installed on the user's PC seemed to have
material to be uploaded from the user's work space.  The facts were
finally shown to be much more benign, but the damage still echoes around
the net.

Currently we are watching the introduction of Windows 95.  Windows 95
might or might not have software that automatically reports to
Microsoft just what software you are running.  I suspect it does not,
but we shall see.

I truly wonder just what else Netscape does that they have not told
me/us about.  I hope that there are those privacy nuts out there who
are watching as packets are thrown around the net.  I hope that they
are looking for stuff that the user did not intend to send to the
author of the package.  I hope that the CTRL-ALT-F is the only
unadvertised special feature.

--
Leonard P. Levine               e-mail levine@cs.uwm.edu
Professor, Computer Science        Office 1-414-229-5170
University of Wisconsin-Milwaukee  Fax    1-414-229-6958
Box 784, Milwaukee, WI 53201     
         PGP Public Key: finger llevine@blatz.cs.uwm.edu


------------------------------

From: shorten@nic.wat.hookup.net (Robert Shorten)
Date: 19 Aug 1995 02:37:24 GMT
Subject: Re: An Abuse of Individual Right to Privacy?
Organization: HookUp Communication Corporation, Waterloo, Ontario, CANADA

Well, wouldn't such a thing be like the phone book? The phone company lists
names and addresses of people and doesn't ask them first whether they want
to be listed (such people have to contact the phone company.) As long as they
(the directory people) give clear information in their directory as to how 
one can be unlisted, I don't think it's an invasion of privacy. There are
already paper directories that list names, addresses, phone numbers, and 
even places of work.

Jay Shorten
shorten@nic.wat.hookup.net


------------------------------

From: "Dave Banisar" <banisar@epic.org>
Date: 16 Aug 1995 07:51:10 U
Subject: Final Program - AST 9/4/95 [long]

                 ANNOUNCEMENT OF FINAL PROGRAM

                Advanced Surveillance Technologies

                   A one day public conference
                           sponsored by

                    Privacy International and
               Electronic Privacy Information Center

                        4  September 1995

                 Grand Hotel Copenhagen,  Denmark

Overview

Recent developments in information technology are leading to the
creation of surveillance societies throughout the world. Advanced
information systems offer an unprecedented ability to identify,
monitor, track and analyse a virtually limitless number of
individuals. The factors of cost, scale, size, location and distance
are becoming less significant.

The pursuit of perfect identity has created a rush to develop systems
which create an intimacy between people and technology. Advanced
biometric identification and ID card systems combine with real-time
geographic tracking to create the potential to pinpoint the location
of any individual. The use of distributed databases and data matching
programs makes such activities economically feasible on a large
scale.

Extraordinary advances have recently been made in the field of visual
surveillance. Closed Circuit Television (CCTV) systems can digitally
scan, record, reconfigure and identify human faces, even in very poor
light conditions. Remote sensing through advanced satellite systems
can combine with ground databases and geodemographic systems to
create mass surveillance of human activity.

Law is unlikely to offer protection against these events. The
globalisation of information systems will take data once and for all
away from the jurisdiction of national boundaries. The development of
data havens and rogue data states is allowing highly sensitive
personal information to be processed without any legal protection.

These and other developments are changing the nature and meaning of
surveillance. Law has scarcely had time to address even the most
visible of these changes. Public policy lags behind the technology by
many years. The repercussions for privacy and for numerous other
aspects of law and human rights need to be considered immediately.

Advanced Surveillance Technologies will present an overview of these
leading-edge technologies, and will assess the impact that they are
likely to have in the immediate future. Technology specialists will
discuss the nature and application of the new technologies, and the
public policy that should be developed to cope with their use.

The conference will also bring together a number of Data Protection
Commissioners and legal experts to assess the impact of the new
European data protection directive. We assess whether the new rules
will have the unintended result of creating mass surveillance of the
Internet.

The conference will be held in Copenhagen, and is timed to coincide
with the annual international meeting of privacy and data protection
commissioners.

PROGRAM

10:00 - Introduction and Welcome

10:10  Keynotes

Simon Davies, Director General, Privacy International and Visiting
Law Fellow, University of Essex, UK,

"Fusing Flesh and Machine"

This lively introduction will provide an overview of recent trends in
technology, culture and politics that are bringing about an era of
universal surveillance. The paper concentrates on the theme of
fusion, in which data and data subjects are being brought into more
intimate contact. The creation of an informational imperative
throughout society is leading to the degradation of privacy as a
fundamental right. As a result, there are few remaining boundaries to
protect the individual from surveillance.

Steve Wright, Director, Omega Foundation, UK

"New Surveillance Technologies & Sub-state Conflict Control"

This talk will cover the role and function of new surveillance
technologies; an overview of the state of the art and some of the
consequences, e.g. the policing revolution, with a move away from
fire-brigade policing towards prophylactic or pre-emptive policing
where each stop and search is preceded by a data check; the emergence
of new definitions of subversion to justify new data-gathering
activities; and an increasing internal role for the intelligence
agencies now that the cold war has ended. It will show how
different surveillance and computer technologies are being integrated
and how such information and intelligence gathering is linked into
more coercive forms of public order policing when tension indicators
rise during a crisis.
 
11:15 - 11:30 Break

11:30 - 12:45  Regulation versus freedom

The European Data protection Directive will establish a common
privacy position throughout Europe.  Its intention is to safeguard
personal privacy throughout the Union, yet already there are glaring
conflicts with the freedom of information flows on the net. This
section discusses the threat of universal surveillance of the net
caused by the new laws.

Frank Koch, Rechtsanwalt, Munchen, Germany

European Data Protection : Against the Internet ?

Data Protection, according to the Common Position (CP) of the
European Union, requires control over the medium used for transfers
of personal data, the recipients of these data, and the way these
data are used. The open structure of the Internet seems to be quite
incompatible with these requirements. The member States and the
controllers within them are required to take all steps to ensure that
personal data are not transferred  into communication nets that do
not conform to the CP. This paper will discuss why personal data will
be prevented from being freely transferred throughout the internet,
and how this will affect users of the net.

Malcolm Norris, Data Protection Registrar, Isle of Man

Enforcing privacy through surveillance?

The need for a Europe-wide privacy directive is pressing. Greater
amounts of personal data are flowing to a growing number of sites.
Yet, without care, there is a risk that such laws could have the
unintended consequence of causing widespread surveillance of
activities of net users. The fact that unprotected personal data
should not be flowing on the net might at some point provoke
authorities to routinely surveil net data. This paper discusses these
dilemmas, and suggests measures that might avoid the threat of
universal surveillance.

12:30 - 1:45  Lunch Break

1:45 - 3:15  Perfect surveillance

In many countries, the era of the private person is at an end.
Information surveillance, automatic visual recognition and geographic
tracking are at an advanced stage, and are set to imperil privacy.
This panel will discuss developments in surveillance, including
advanced Closed Circuit TV, satellite remote sensing, Intelligent
Vehicle Highway Systems, and forward looking infrared radar.

Phil Agre, University of California, Advanced tracking technologies

Ambitious plans for advanced transport informatics have brought
serious privacy concerns.  Computerized tracking of both industrial
and private vehicles may not be consciously intended to reproduce the
erstwhile internal passport systems of the Soviet Union and South
Africa, but deeply ingrained technical methodologies may produce the
same result nonetheless.  This presentation surveys some of the
purposes behind ongoing transport informatics programs, including
integrated logistics systems and regulatory automation. It offers a
conceptual analysis of "tracking" in technical practice. The most
serious dangers to individual liberty and civic participation can be
greatly alleviated, though, through the systematic use of digital
cash and other technologies of anonymity.  At the moment, this
prospect seems much more likely in Europe than in the United States.

Simon Davies, Privacy International,  Closed Circuit Television and
the policing of public morals

The use of Closed Circuit Television (CCTV) camera systems has become
a key plank in the law and order strategy of the British government.
Most cities in Britain are constructing powerful, integrated CCTV
systems to surveil shopping areas, housing estates and other public
areas. Although there is some evidence that this extraordinary
strategy is having an effect on crime figures, it is also becoming
apparent that the cameras are increasingly used to enforce public
morals and public order. The use of new visual information processing
technologies is leading to numerous unintended purposes for the
cameras, including automated crowd control and automated face
recognition.

Detlef Nogala, University of Hamburg, Germany, Techno-policing

Technology has been used for many years for surveillance purposes,
and the last decades have seen a rapid proliferation of different
surveillance technologies into the civilian realm. Today there is a
whole industry which is trying to direct the momentum of military
surveillance technologies into the civilian security market. But
there is a difference between some spectacular applications (like the
gunshot-locator system derived from submarine sonar-technology) and
common applications on a mass basis (like smart cards with digitally
stored fingerprints). Among the "counterforces" like data-protection
laws, political opposition or consumer politics a deficit in
financial resources is not the least one. It is clear that most
surveillance agencies are trapped in the contradiction between
maximum performance and economy. This paper discusses the various
forces and influences that bear upon a decision to implement
particular technologies of surveillance.

3:00 - 3:15 Break

3:15 - 4:30 Solutions

This session will discuss a range of responses to the new era of
surveillance.  These include regulation, consumer action, and the
development of privacy friendly technologies.

Dave Banisar, Electronic Privacy Information Center, Washington DC

Encryption and the threat of universal surveillance of the net

Encryption is one technological solution to the problem of privacy
invasion and surveillance, yet encryption also provides an excuse for
governments to undertake surveillance of citizens. Documents recently
secured by EPIC indicate that US law enforcement and intelligence agencies
had planned to implement a two stage strategy for their Clipper Chip 
encryption policy, resulting in non-official encryption being made 
illegal, and thus providing an opportunity for law enforcement 
authorities to engage in limitless surveillance of communications.  
This talk discusses the dilemma facing supporters of encryption.

Bruce Slane, Privacy Commissioner, New Zealand.

Some positive aspects of privacy law

In this talk, New Zealand Privacy Commissioner Bruce Slane presents a
number of positive aspects of legal regulation of information flows.
He describes areas where law is being successfully used to enforce
responsible information practices.

4:30 - 5:00 Conclusion and Wrap-up

Number of participants :  approximately sixty

Costs:      US  $75 - Individuals/non-profit organizations
               $175 - Commercial organizations
         		
Venue : Grand Hotel, Vesterbrogade 9.
DK -1620,  Copenhagen V,  Denmark

For further Information and registration please contact :

 	Dave Banisar
	Privacy International Washington Office
	666 Pennsylvania Ave, SE, Suite 301
	Washington, DC 20003 USA
	1-202-544-9240 (phone)
	1-202-547-5482 (fax)
	email :  pi@privacy.org

Web address: privacy.org/pi/conference/

_________________________________________________________________________
David Banisar (Banisar@privacy.org)     *  202-544-9240 (tel)
Privacy International Washington Office *  202-547-5482 (fax)
666 Pennsylvania Ave, SE, Suite 301     *  HTTP://www.privacy.org
Washington, DC 20003                   


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 11 Aug 1995 09:39:43 -0500 (CDT)
Subject: Info on CPD [unchanged since 08/01/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.  

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
.UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions are considered personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices and should cite the sources explicitly; as a courtesy,
publications using CPD material should obtain permission from the
contributors.

Contributions generally are acknowledged within 24 hours of
submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the SUBJECT: line of an article in order to make it
easier for the reader to follow a discussion.  He will not, however,
alter or edit or append to the text except for purely technical
reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Mosaic:        gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V7 #014
******************************