Date:       Mon, 15 Jan 96 19:11:31 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V8#006

Computer Privacy Digest Mon, 15 Jan 96              Volume 8 : Issue: 006

Today's Topics:			       Moderator: Leonard P. Levine

                           Re: Breasts on AOL
                 Re: Checking Account Status is Public
                 Re: Checking Account Status is Public
                Cases on Disclosing Private Information
                  Re: Canadian Social Insurance Number
                            Re: Spy Viruses
                   Computers See ALL Your Postal Mail
          New Access Code for the French Electronic Directory
                           Caller ID Leakage?
                    News from Zimmermann's Attorney
                 Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: huggins@tarski.eecs.umich.edu (James K. Huggins)
Date: 12 Jan 1996 08:18:37 -0500
Subject: Re: Breasts on AOL
Organization: University of Michigan EECS Dept., Ann Arbor, MI
References: <comp-privacy8.4.2@cs.uwm.edu> <comp-privacy8.5.4@cs.uwm.edu>

    gmcgath@mv.mv.com (Gary McGath) writes: At the time, I thought that
    AOL figured that flamewars increased usage of the system, while
    "dirty words" might drive people away, and thus that they were
    increasing their revenue by having this policy. But banning the
    word "breast" while allowing mildly dirty synonyms doesn't even
    have this kind of twisted logic to it.

Oh, there's a logic to it.  It's the old "my right hand doesn't know
what my left hand is doing" logic, though.

My speculation is that someone (some people?) on staff with AOL got
complaints about obscenity in some areas, and thought that banning the
use of certain words like "breast" would take care of that problem.  It
probably did.  But it also created the host of other problems that they
didn't anticipate (e.g. "breast cancer" becoming a forbidden term).

One time back in my undergraduate college days, the staff in the dorm
in which I lived were trying to crack down on large parties for the
usual reasons (noise complaints, illegal alcohol consumption, etc.).
The bright idea they had was to require every "party" to be registered
with the staff, presumably to allow the staff advance notice of a bad
situation.  They defined a "party" as any gathering of 10 or more
people.

No problem, right?  Right ... except that there was a Jewish group
which met occasionally to conduct services in one of the meeting rooms,
and (forgive my goyim ignorance here) certain services require the
presence of 10 adult men in order to be conducted.  So this new "party"
requirement meant that every time this group wanted to conduct a
service, they had to register it.  This seemed to be treading on 1st
amendment territory (regulating the free exercise of religion), and so,
the whole thing was dropped.

The point of the story?  Mainly that some systems are so big that one
doesn't realize the effect that a seemingly "small" change will have
throughout the system.

-- 
Jim Huggins, Univ. of Michigan                               huggins@umich.edu
"You cannot pray to a personal computer no matter how user-friendly it is."
(PGP key available upon request)                             W. Bingham Hunter


------------------------------

From: anonymous@ixnews3.ix.netcom.com
Date: 12 Jan 1996 16:43:41 GMT
Subject: Re: Checking Account Status is Public

    wrf@ecse.rpi.edu (Wm. Randolph U Franklin) wrote: Every bank (and
    S&L etc) that I've checked with will tell you over the phone
    whether a check you're holding from one of their customers would
    clear if you deposited it.  This means that if you know someone's
    account number, perhaps because they wrote you a check in the past,
    then you can call the bank, pretend to have a check from them for
    $X, and determine whether their balance is >=X.

I worked in a bank for seven months as a teller and I always thought
that was a strange arrangement, and of course when I asked about it
everyone thought I was some complete and utter paranoid...

What I think is a bigger problem for everyone's privacy is that for the
most part the average bank customer has absolutely no patience for
those relatively few policies that can offer some privacy protection.
The number of times I had customers go ballistic on the phone when I
refused to give out their account information (and these are customers
who did not know me or me them) was shocking. Only slightly more
puzzling was the amount of times I had people flip out when I asked
them for ID when they wanted to cash a check...

All that being said I must admit that, having worked in a bank, I
shudder to think just how available and accessible all our information
is...


------------------------------

From: cnordin@vni.net (Craig Nordin)
Date: 13 Jan 1996 01:40:30 -0500
Subject: Re: Checking Account Status is Public
Organization: Virtual Networks 
References: <comp-privacy8.4.1@cs.uwm.edu> <comp-privacy8.5.5@cs.uwm.edu>

I think http://www.cashmoney.com will point you towards a Belize Trust
Account, which is much more secure.  Untraceable Credit Cards,
Accounts, and other financial mechanisms which defy this kind of
invasion of privacy.


------------------------------

From: peggy@cc.gatech.edu (Margaret P. Eisenhauer)
Date: 12 Jan 1996 12:07:49 -0500 (EST)
Subject: Cases on Disclosing Private Information

    kkirk@compumedia.com said: I am putting together an article on the
    'new' issues of Client Server database access to corporate
    databases/warehouses.  One of the major issues is security.  [snip]
    What I'm looking for is actual, published and documented cases
    where a company or organization became liable either civilly or
    criminally for releasing information that is considered private and
    protected.

There's no privacy issue in the example, as the records were public to
begin with...  either public records or publicly available.  People
consider a lot of public information to be private, but this thought
doesn't create a basis for liability.  There are cases (both civil and
criminal) based on disclosure of truly private info, breach of
confidentiality agreements, disclosure of legally-protected employment
data, etc.  To find examples, look for a (legal) basis for the case,
such as a law or an agreement.

Also, there's been a case filed in Va by a name claiming that the sale
of his name on a mailing list violates a Va privacy statute (Avrahami
v. U.S. News and World Report).  This case hasn't come to trial yet.

Hope this helps, -- Peggy


------------------------------

From: AFAULKNE@142.36.138.3 (Andrew Faulkner)
Date: 12 Jan 1996 16:24:47 -0800 (PST)
Subject: Re: Canadian Social Insurance Number
Organization: BC Systems Corporation
References: <comp-privacy8.5.6@cs.uwm.edu>

    In article <comp-privacy8.5.6@cs.uwm.edu>
    mbesosa@drake.prometric.com (Michael Besosa) writes: Can someone
    point me to a source of information on the Net about the structure,
    validation, and permitted uses of the Canadian Social Insurance
    number?

http://vanbc.wimsey.com/~faulkner/sin_fact.html

--
Andrew Faulkner Applications Analyst, BC Lands Ministry of Environment,
Lands and Parks   387-1146 Internet address:
afaulkne@bclands.crl.gov.bc.ca


------------------------------

From: daveb@iinet.net.au (Dave)
Date: 13 Jan 1996 06:16:38 GMT
Subject: Re: Spy Viruses
Organization: iiNet Technologies
References: <comp-privacy8.4.4@cs.uwm.edu> <comp-privacy8.5.3@cs.uwm.edu>

    bo774@freenet.carleton.ca (Kelly Bert Manning) wrote: According to
    a CBC  Radio "Quirks and Quarks" segment from a few weeks back a
    Vancouver company called "Absolute Software" is planning to offer a
    "PC Phone Home" product to deter or alleviate theft.  [snip] The
    claim was that whatever is added in would look for a modem port and
    dial a special 1-800- number during idle periods, in such a way
    that it wouldn't be noticed by the user of the stolen system.
    [snip] I can't imagine an individual or a company with any concern
    about data confidentiality that would seriously consider putting
    something inside their boxes that is designed to surreptitiously dial
    out without the user knowing, and which has the added bonus of
    covertly dumping data over the phone line.

 Sounds like another good reason to use an external modem. If my modem
dials out, I get to hear it do so, and see the status lights twitch, in
time to kill it if need be. I defy any software to defeat that.

--
 Dave
PGP fingerprint =  20 8F 95 22 96 D6 1C 0B  3D 4D C3 D4 50 A1 C4 34


------------------------------

From: TOM ALCIERE <73151.3051@CompuServe.COM>
Date: 14 Jan 1996 15:13:02 GMT
Subject: Computers See ALL Your Postal Mail
Organization: CompuServe, Inc. (1-800-689-0736)

You send your Aunt Matilda a letter and address it to Aunt Matilda
Smith, 123 Main St., Anytown NY 12345 and put a 32 cent stamp on it and
mail it.

The USPS machine picks up the ultra-violet reflection from the
phosphorescent tagging on the stamps, which you can't see but stamp
collectors can if they have a UV light for that purpose.

Now the computer can "face" the letter and run it past a scanner.
Unlike your telephone bill, however, this letter has a HAND-WRITTEN
address which the optical character recognition (OCR) machine cannot
read.  It is then referred to the remote bar code system (RBCS) and a
computer takes a picture of it, sending it down the telephone line to a
remote encoding center (REC) where data conversion operators (DCO's)
sit and read the address and type in the necessary keystrokes.  12345
is sufficient to send it to the Anytown post office.  Then the DCO is
prompted to key "inward" info, 123MAIS <STREET KEY> for 123 Main St.
Supervisors take random samples which include hard copies of mailpiece
images and show DCO's the ones with errors.  These sheets stay in the
DCO's file for a period of time.  All that's necessary to monitor Aunt
Matilda is to command the RBCS to generate similar copies for anything
keystroked 123MAIS12345.  Bring a letter with your return address ON
THE BACK to a post office window and ask the clerk for a stamp.  S/he
will tell you to put the return address ON FRONT!!!

-- 
Tom Alciere 73151.3051@compuserve.com


------------------------------

From: JeanBernard_Condat@email.Francenet.fr (JeanBernard Condat)
Date: 21 Dec 1995 17:14:16 GMT
Subject: New Access Code for the French Electronic Directory
Organization: FranceNet

3611: new access code for the French electronic directory

The access code for the French email directory on the videotex network
(via the Minitel terminal interface) has changed as of January 1st. The
old one was "11".  The new one will be "3611" with a new beautiful name:
"les pages zoom." France Telecom is currently beginning to unify all the
codes in preparation for the huge modification of October 16th.

The three first minutes are free at this time. To do some listing with
this file, France Telecom has developed the 3614 MARKETIS. Internet
users can access this service with the MinitelNet gateway (look at
http://www.minitel.fr, too).

To have a phone number you can dial "12" on the French phone system
(cost:  5 UT = 3.6 FF or $.67), or dial freely from a public phone
(same access number) or dial "711" on a portable phone... The user
database will be the same...  but the time of research of the
information depends on the medium used -|]

--
Jean-Bernard Condat <condat@atelier.fr>
       ___                       ((
   _.-|   |           _-~-_      ||
  {   |   |          (o o(_)___ _) )
   "-.|___|        _.( Y  ) \. `O /
    .--'-`-.     _((_ `^-'  /__<  \
  .+|______|__.-||__)`-'(((/   ((_d

"On the Internet, everybody knows that you are a dog"
[title of my next book]


------------------------------

From: Beth Givens <bgivens@pwa.acusd.edu>
Date: 6 Dec 1995 13:20:09 -0800 (PST)
Subject: Caller ID Leakage?

Starting December 1, Calling Number ID is supposedly transmitted on ALL
calls, local as well as long distance, as per a FCC ruling.  The one
exception is for calls originating in California.  (The California
Public Utilities Commission has requested a 6-month waiver, until it
has had the opportunity to accept or reject the local phone companies'
education plans for alerting California consumers to the privacy
effects of Caller ID.)

Rumor has it that some Caller ID data for California calls has somehow
"leaked" out -- both in the past and since December 1st. But we have
not been able to verify that. If you have indeed seen California
numbers on your Caller ID display devices, I'd appreciate hearing from
you -- either via this forum or directly to my email address
(bgivens@acusd.edu). If you don't mind divulging the first 6 digits of
those numbers, that data would help track down the errant phone company
switches. Thanks.

Beth Givens                             Voice: 619-260-4160
Project Director                        Fax: 619-298-5681
Privacy Rights Clearinghouse            Hotline (Calif. only):
Center for Public Interest Law             800-773-7748
University of San Diego                    619-298-3396 (elsewhere)
5998 Alcala Park                        e-mail: bgivens@acusd.edu
San Diego, CA 92110


------------------------------

From: "Declan B. McCullagh" <declan+@CMU.EDU>
Date: 13 Jan 1996 11:44:03 -0500 (EST)
Subject: News from Zimmermann's Attorney

[snip]

And attached is a note from Phil Zimmermann's attorney.

 ---------- Forwarded message begins here ----------

    From: "Philip L. Dubois" <dubois@dubois.com>
    Date: 12 Jan 1996 23:37:22 -0700
    Subject: News Release

 -----BEGIN PGP SIGNED MESSAGE-----

Yesterday morning, I received word from Assistant U.S. Attorney William 
Keane in San Jose, California, that the government's three-year 
investigation of Philip Zimmermann is over.  Here is the text of Mr. 
Keane's letter to me:

"The U.S. Attorney's Office for the Northern District of California has 
decided that your client, Philip Zimmermann, will not be prosecuted in 
connection with the posting to USENET in June 1991 of the encryption 
program Pretty Good Privacy.  The investigation is closed."

The U.S. Attorney also released this to the press:

"Michael J. Yamaguchi, United States Attorney for the Northern District 
of California, announced today that his office has declined prosecution 
of any individuals in connection with the posting to USENET in June 1991 
of the encryption program known as "Pretty Good Privacy."  The 
investigation has been closed.  No further comment will be made by the 
U.S. Attorney's Office on the reasons for declination.

Assistant U.S. Attorney William P. Keane of the U.S. Attorney's Office in 
San Jose at (408) 535-5053 oversaw the government's investigation of the 
case."

On receiving this news, Mr. Zimmermann posted this to the Cypherpunks 
list:

- -----BEGIN-----

My lead defense lawyer, Phil Dubois, received a fax this morning from
the Assistant US Attorney in Northern District of California, William
Keane.  The letter informed us that I "will not be prosecuted in 
connection with the posting to USENET in June 1991 of the encryption 
program Pretty Good Privacy.  The investigation is closed."

This brings to a close a criminal investigation that has spanned the
last three years.  I'd like to thank all the people who helped us in
this case, especially all the donors to my legal defense fund.  
Apparently, the money was well-spent.  And I'd like to thank my very 
capable defense team:  Phil Dubois, Ken Bass, Eben Moglen, Curt Karnow, 
Tom Nolan, and Bob Corn-Revere.  Most of the time they spent on the case 
was pro-bono.  I'd also like to thank Joe Burton, counsel for the co-
defendant.

There are many others I can thank, but I don't have the presence of mind
to list them all here at this moment.  The medium of email cannot express
how I feel about this turn of events.

  -Philip Zimmermann
   11 Jan 96

- -----END-----

I'd like to add a few words to those of my client.

First, I thank Mr. Keane for his professionalism in notifying us of the 
government's decision.  It has become common practice for federal 
prosecutors to refuse to tell targets of investigations that the 
government has decided not to prosecute.  I appreciate Mr. Keane's 
courtesy.

Let me add my thanks to the other members of the defense team-- Ken Bass 
in Washington D.C. (kbass@venable.com), Curt Karnow in San Francisco 
(karnow@cup.portal.com), Eben Moglen in New York (em21@columbia.edu), and 
Tom Nolan in Palo Alto (74242.2723@compuserve.com).  Bob Corn-Revere in 
D.C. (rcr@dc1.hhlaw.com) was a great help on First Amendment issues.  
These lawyers are heroes.  They donated hundreds of hours of time to this 
cause.  Each is outstanding in his field and made a contribution that 
nobody else could have made.  It has been an honor and a privilege to 
work with these gentlemen.

Mr. Zimmermann mentioned a lawyer named Joe Burton (joebur@aol.com) of 
San Francisco.  Mr. Burton deserves special mention.  He represented 
another person who was under investigation.  To have made this other 
person publicly known would have been an invasion of privacy, so we 
didn't.  We still won't, but we can finally acknowledge Mr. Burton's 
enormous contribution.  Whether we were getting paid or not, the rest of 
us at least received some public attention for representing Phil 
Zimmermann.  Mr. Burton labored quietly on behalf of his client.  He took 
the case pro bono and did an extraordinary job.  He is a lawyer who 
exemplifies the finest traditions of the Bar and the highest standard of 
integrity.  I am proud to know Joe Burton.

The warriors at the Electronic Privacy Information Center (EPIC)-- Marc 
Rotenberg, David Sobel, and David Banisar-- and at the Electronic 
Frontier Foundation (EFF), Computer Professionals for Social 
Responsibility (CPSR), and the American Civil Liberties Union (ACLU) 
provided financial, legal, and moral support and kept the public 
informed.  They continue to do so, and we all owe them thanks for it.

Those members of the press who recognized the importance of this story 
and told the world about it should be commended.  Undeterred by the 
absence of sex and violence, these reporters discussed the real issues 
and in so doing served the public well.

Many other people, lawyers and humans alike, made invaluable 
contributions.  My assistants Alicia Alpenfels, Suzanne Turnbull Paulman, 
and Denise Douglas and my investigator Eli Nixon kept us organized.  Rich 
Mintz, Tom Feegel, and Nathaniel Borenstein of First Virtual put up a Web 
site and aggressively supported the Zimmermann Legal Defense Fund.  
Another site was built by Michael Sattler of San Francisco, and he and 
Dave Del Torto (also of S.F.) let me stay in their homes.  Thanks also to 
MIT and The MIT Press:  Hal Abelson, Jeff Schiller, Brian LaMacchia, 
Derek Atkins, Jim Bruce, David Litster, Bob Prior, and Terry Ehling.  And 
there were many others.

Finally, I offer my thanks to everyone who contributed to the Zimmermann 
Legal Defense Fund.  People all over the world gave their hard-earned 
money to support not only Phil Zimmermann's defense but also the cause of 
privacy.  It is impossible to be too pessimistic about our future when 
there are so many of you.

Now, some words about the case and the future.  Nobody should conclude 
that it is now legal to export cryptographic software.  It isn't.  The 
law may change, but for now, you'll probably be prosecuted if you break 
it.  People wonder why the government declined prosecution, especially 
since the government isn't saying.  One perfectly good reason might be 
that Mr. Zimmermann did not break the law.  (This is not always a 
deterrent to indictment.  Sometimes the government isn't sure whether 
someone's conduct is illegal and so prosecutes that person to find out.)  
Another might be that the government did not want to risk a judicial 
finding that posting cryptographic software on a site in the U.S., even 
if it's an Internet site, is not an "export".  There was also the risk 
that the export-control law would be declared unconstitutional.  Perhaps 
the government did not want to get into a public argument about some 
important policy issues:  should it be illegal to export cryptographic 
software?  Should U.S. citizens have access to technology that permits 
private communication?  And ultimately, do U.S. citizens have the right 
to communicate in absolute privacy?  

There are forces at work that will, if unresisted, take from us our 
liberties.  There always will be.  But at least in the United States, our 
rights are not so much stolen from us as they are simply lost by us.  The 
price of freedom is not only vigilance but also participation.  Those 
folks I mention in this message have participated and no doubt will 
continue.  My thanks, and the thanks of Philip Zimmermann, to each of 
you.


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 11 Jan 1996 16:51:47 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.  

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
 .UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions considered as personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy;
publications using CPD material should obtain permission from the
contributors.  

Contributions generally are acknowledged within 24 hours of
submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it
easier for the reader to follow a discussion.  He will not, however,
alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Web:           gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V8 #006
******************************