Date:       Tue, 23 Jan 96 14:07:16 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V8#008

Computer Privacy Digest Tue, 23 Jan 96              Volume 8 : Issue: 008

Today's Topics:			       Moderator: Leonard P. Levine

                     One Person's War on Junk Mail
                   Re: Unsolicited email Advertising
                        Medical Confidentiality
                           Keyboard Monitors
                 US Customs and Social Security Numbers
                          Password Protection
                    Scientology wins Copyright Case
                            Re: Spy Viruses
                           Lotus [IBM] Blinks
                          Conferences / Events
                 Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: Beth Givens <bgivens@pwa.acusd.edu>
Date: 18 Jan 1996 13:18:21 -0800 (PST)
Subject: One Person's War on Junk Mail

A San Diego man, Bob Beken, recently won an interesting suit in Small
Claims Court against Computer City involving unwanted mail
solicitations. He purchased some items at Computer City (owned by
Tandy, which also owns Radio Shack and Incredible Universe) and paid by
check. When he noticed the clerk keying his name and address into the
computer at the checkstand, he asked if he was going to get any junk
mail as a result. He was told 'no.'

As a precaution, Beken took the check back and wrote a short contract
on the back: "Computer City agrees NOT to place Robert Beken on any
mailing list or send him any advertisements or mailings. Computer City
agrees that a breach of this agreement by Computer City will damage
Robert Beken and that these damages may be pursued in court. Further,
that these damages for the first breach are $1,000. The deposit of this
check for payment is agreement with these terms and conditions."

After some discussion with another clerk, Computer City accepted the
check. In the ensuing months, Beken received four mail solicitations
from Computer City. He wrote two letters in protest but received no
reply.

Beken then took his case to Small Claims court. The judge agreed that a
contract had been broken and awarded Beken $1,000 plus court costs of
$21. Beken has since written a book (self-published) about his winning
method.

Is this a significant victory? I think so. A court has agreed that a
consumer has a right to say "no" to junk mail and to have the request
honored. Perhaps this case, along with the Avrahami case, will serve as
wake up calls to the direct marketing industry.  Consumers want and
deserve to be able to control what enters their mailboxes. Your
thoughts??

--
Beth Givens				Voice: 619-260-4160
Project Director			Fax: 619-298-5681
Privacy Rights Clearinghouse		Hotline (Calif. only):
Center for Public Interest Law		   800-773-7748
University of San Diego			   619-298-3396 (elsewhere)
5998 Alcala Park			e-mail: bgivens@acusd.edu
San Diego, CA 92110


------------------------------

From: rj.mills@pti-us.com (Dick Mills)
Date: 19 Jan 1996 14:14:07 -0500
Subject: Re: Unsolicited email Advertising

    donna@mildred.houston.tx.us (hyper-creatrix) wrote: can i add
    america online for allowing their clueless lot to do such things?
    i got a post recently from someone on aol whose screen name i
    didn't recognise, and i also didn't recognise any of the 30+
    addresses/screen names in the remainder of the to: field. the
    sender, an aol looney, was asking me and the other recipients to
    effectively mailbomb a third party whose screen name i also didn't
    recognise. i complained to the postmaster and abuse daemons at aol.
    haven't heard anything since, but also the bozo hasn't sent any
    more junk mail to me.  ...<snip>...  that's a great solution; i'll
    add that to my retaliation! :) thanks for the tips!

Aren't we getting a little oversensitive folks?  Donna's complaint goes
far beyond commercial spamming or Advertising.  She doesn't make any
allowance for the sender simply getting the screen name wrong.

AOL allows up to 5 screen names per user, and they have lots of
subscribers.  Take any valid screen name and mis-type it somehow.
Because names are anything but randomly distributed, you may have a
very high probability of hitting some third party's screen name by
accident.  It's annoying, just like wrong numbers on the phone, but it
is not worthy of such anger or retaliation.

Even if the looney chose her name deliberately what's the big deal?  I
get snail mail and email from political movements I oppose.  What would
we become if everyone decided to retaliate against the Democrats or
Republicans because they sent you unwanted political material?  The
line of burglar wannabes outside the Watergate offices would be very
long.

I can't imagine anyone reacting so strongly to a wrong telephone
number, or to a misaddressed post card.  Let's just apply the same
standard of civility and tolerance in cyberspace.

--
Dick Mills                               +1(518)395-5154
AKA dmills@albany.net      http://www.albany.net/~dmills 


------------------------------

From: Robert Ellis Smith <0005101719@mcimail.com>
Date: 19 Jan 96 13:57 EST
Subject: Medical Confidentiality

If the current "medical confidentiality" proposal in Congress is
enacted as is, a patient would be powerless to sue if an insider at a
hospital browsed through medical files without a need to know, if a
hospital released patient information to an information company it uses
that had been cited for violations of federal laws on the management of
personal information, if a hospital employee disclosed information to
an authorized recipient in a format that could be easily intercepted
(fax, e-mail, word-of-mouth, unsealed envelope), or if a doctor's
assistant used patient information to harass a patient (perhaps by
calling the patient's home).

The "immunity" provision of S. 1360 sponsored by Senator Bennett of
Utah is one of the most troublesome parts of the bill.  Deleting it
would improve the bill tremendously in the interests of medical
patients.

Computer Privacy Digest subscribers should express their concerns to
their Members of Congress and to Sen. Bennett.

--
Robert Ellis Smith
Publisher, Privacy Journal
Providence RI   0005101719@mcimail.com


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 19 Jan 1996 14:01:46 -0600 (CST)
Subject: Keyboard Monitors
Organization: University of Wisconsin-Milwaukee

What follows is a spam, but for a product that we should be aware of
and warned about.

SUBJECT:***KEYBOARD RECORDERS********

ALSO KNOWN AS:Keyboard Grabber, Keyboard Key Logger, Keyboard Monitor,
              Keyboard Recorder. 

PURPOSE: Captures keystrokes and sends & saves them to a hidden file.
         Now you can keep a record of any keyboard activity on your  
         computer. Monitor your computer at home or office. 
         
 My private collection of keyboard recorders is yours for only $9.95.

You will receive 18 different programs on a 3 1/2 disk.
You'll get:KEYCOPY,KEYFAKE,KEYREAD,KEYTRAP,KEYREC,KEYLOGWN(Windows),
           HACKKEY,BAGKEYS,GETIT,PLAYBACK,ROBOKEY,RECORD,ENCORE,
           KCAP10,PTM229N,QWERTMAN,GKG,DEPL.

Just send $9.95 plus $1.00 for shipping and handling to:
     
[moderator: sorry I seem to have lost the mailing address.]


------------------------------

From: "anonymous" <levine@blatz.cs.uwm.edu>
Date: 19 Jan 1996 14:01:46 -0600 (CST)
Subject: US Customs and Social Security Numbers

[To Moderator:  to protect the privacy of the business I work for, and
 that of their customers, please remove my name and e-mail address if
 you decide to post this message.  ]  [moderator:  done.]

Over the past few weeks, there has been a lot of discussions on the use
of SSN by businesses, employers and insurance companies.  I perform
import and export for a Canadian company.  The US Customs Proforma
Invoices I have to fill out have a field for the consignees' IRS or
Social Security #.  I was told that the field has to be filled out -
sometimes, goods get imported with no problem, but if US Customs feels
like it, they can demand the information before releasing the goods,
therefore causing delays.

Consignees which are businesses will have to provide their Employer ID
to me; if they are individuals, their SSN must be used.  I do not
know what the implications are of releasing a business' Employer ID.
But in any case, I find it rather intrusive for US Customs to ask for
such info, since I am the one to obtain this info from the
consignees.

Canadian Customs also requires businesses to provide their ID for
customs clearance.  But with the current system, Canadian businesses'
ID are the same as their GST registration number, which, by law, must
appear on all invoices and receipts anyways - so there is no big deal.
I have purchased many products from overseas personally, and I have
never been asked for my Social Insurance Number for customs clearance.

Something to ponder ...


------------------------------

From: "anonymous" <levine@blatz.cs.uwm.edu>
Date: 20 Jan 1996 22:19:17 CST
Subject: Password Protection

[moderator: the poster requested anonymity.]

I work for a company that handles support for an online service.
Previously, passwords were not available to anyone here -- we had to
submit a request to the service's headquarters to have someone's
password mailed to him.  I recently found out that they now will be
available to anyone here -- this includes ours (employees).  Supposedly
the software in which contacts are recorded will record the ID of
anyone who pulls up a member's password, but only if the contact is
closed!  The software won't let you exit without closing the contact,
but this is so easy to circumvent that it's ridiculous.  Simply turning
off the PC or using someone else's PC while he's away is all that's
necessary.

My concerns are twofold:

1) primarily, the ability of anyone at work to get my password and read
my e-mail.  This is the one that really freaks me...

2) the possibility that an employee could be wrongfully terminated when
someone else pulled a password.

It seems like both companies are setting themselves up for lawsuits,
and I wouldn't mind being the first if it means putting an end to
this.  I'd appreciate comments from any attorneys/ACLU folks/anyone
familiar with privacy laws.
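
The logging gap described in the post above, as an added example that is not part of the original post or of the service's software: an audit trail written only at close loses the record when the session is never closed, while writing and syncing the record before returning the secret does not. All class names, identifiers and sample data are constructed for illustration.

```python
import json
import os
import tempfile

# Constructed sample data: one member account with a retrievable password.
MEMBER_PASSWORDS = {"member-1001": "constructed-secret"}


def read_audit_log(path):
    """Return the audit records on disk (one JSON object per line)."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


class DeferredAuditSession:
    """Design described in the post: lookups are recorded only at close."""

    def __init__(self, audit_path, employee_id):
        self.audit_path = audit_path
        self.employee_id = employee_id
        self.pending = []  # held in memory until close() runs

    def view_password(self, member_id):
        self.pending.append({"employee": self.employee_id, "member": member_id})
        return MEMBER_PASSWORDS[member_id]

    def close(self):
        with open(self.audit_path, "a", encoding="utf-8") as fh:
            for record in self.pending:
                fh.write(json.dumps(record) + "\n")
        self.pending = []


class WriteAheadAuditSession:
    """Hardened variant: the record is on disk before the secret is returned."""

    def __init__(self, audit_path, employee_id):
        self.audit_path = audit_path
        self.employee_id = employee_id

    def view_password(self, member_id):
        record = {"employee": self.employee_id, "member": member_id}
        # A failed write raises OSError here, so nothing is disclosed unlogged.
        with open(self.audit_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(record) + "\n")
            fh.flush()
            os.fsync(fh.fileno())
        return MEMBER_PASSWORDS[member_id]


def simulate_power_off(session_cls):
    """Look up one password, then abandon the session without close()."""
    with tempfile.TemporaryDirectory() as tmp:
        audit_path = os.path.join(tmp, "audit.log")
        session = session_cls(audit_path, "employee-7")
        session.view_password("member-1001")
        del session  # PC switched off: close() never runs
        return read_audit_log(audit_path)


if __name__ == "__main__":
    print("deferred:", simulate_power_off(DeferredAuditSession))
    print("write-ahead:", simulate_power_off(WriteAheadAuditSession))
```

The write-ahead variant addresses only the lost-record case; a lookup made from a colleague's unattended PC is still attributed to that colleague.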


------------------------------

From: Declan McCullagh <declan@eff.org>
Date: 20 Jan 1996 09:41:01 -0800 (PST)
Subject: Scientology wins Copyright Case

{The New York Times' web site is now online. It's a must-read. Check
out: http://www.nytimes.com/}

The Scientologists won a battle, finally, and Helena Kobrin is crowing,
predictably. Read the full article on the NYT web site; registration is
free. 
  
// declan@eff.org // My opinions are not in any way those of the EFF //

the following is a copy from
http://www.nytimes.com/library/cyber/week/0120online.html

January 20, 1996          

Placing Documents on Internet Violated
Scientology's Copyrights, Judge Rules

By PETER H. LEWIS

A Federal judge ruled on Friday that a Virginia man had violated the
copyrights of the Church of Scientology by posting confidential Church
documents on the Internet, even though the material had been obtained
from public court records. [...]

In making her ruling, Judge Leonie M. Brinkema of United States
District Court in Alexandria, Va., affirmed that the church holds a
copyright on the documents and that Mr. Lerma infringed on the
copyright by posting church documents without comment, criticism or
other significant changes that would have constituted fair use.  She
said the church was entitled to statutory damages and legal fees, which
will be determined later.


------------------------------

From: morris@grian.cps.altadena.ca.us (Mike Morris)
Date: 22 Jan 1996 09:15:38 GMT
Subject: Re: Spy Viruses
Organization: College Park Software, Altadena, CA
References: <comp-privacy8.4.4@cs.uwm.edu> <comp-privacy8.5.3@cs.uwm.edu> <comp-privacy8.6.6@cs.uwm.edu>


    bo774@freenet.carleton.ca (Kelly Bert Manning) wrote: According to
    a CBC  Radio "Quirks and Quarks" segment from a few weeks back a
    Vancouver company called "Absolute Software" is planning to offer a
    "PC Phone Home" product to deter or alleviate theft.  [snip] The
    claim was that whatever is added in would look for a modem port and
    dial a special 1-800- number during idle periods, in such a way
    that it wouldn't be noticed by the user of the stolen system.
    [snip] I can't imagine an individual or a company with any concern
    about data confidentiality that would seriously consider putting
    something inside their boxes that is designed to surreptitiously dial
    out without the user knowing, and which has the added bonus of
    covertly dumping data over the phone line.

    daveb@iinet.net.au (Dave) writes: Sounds like another good reason
    to use an external modem. If my modem dials out, I get to hear it
    do so, and see the status lights twitch, in time to kill it if need
    be. I defy any software to defeat that.

Many modems will accept the command ATL0 and shut off the speaker.
ATL0=off, ATL1=soft, ATL2=normal, ATL3=loud on my old modem.  Some
ignore the ATL command set and reply OK to it whatever you send.  I
can conceive of s/w that could determine a usage profile, then dial out
in a projected "safe" period after turning the speaker off...  (I am
picturing a system that is left running 24hrs a day). That would allow
a tattle-tale program to work....

I have my entire system on a Tripp-Lite Isobar 8-outlet strip,
including the sound card speakers, external modem, printer(s), etc.
When I am finished with the system, it is powered off totally.

-- 
Mike Morris  morris@grian.cps.altadena.ca.us
#include <disclaimer.std.h> I have others, but this works the best.  
This message assembled from 100% recycled electrons (and pixels).


------------------------------

From: Monty Solomon <monty@roscom.COM>
Date: 23 Jan 1996 00:20:53 -0500
Subject: Lotus [IBM] Blinks

Excerpt from BillWatch #33

LOTUS BLINKS IN INDUSTRY/NSA CRYPT STANDOFF

It's not clear why this hasn't made a larger impression on the net yet,
because we think it's of crucial importance in the ongoing debate about
cryptography.

For years since the original introduction of the Clipper Chip, the
debate over cryptography has continued to gain momentum.  Recently, the
Administration, embarrassed by its defeat over the Clipper Chip
proposal, put forth its Commercial Key Escrow proposal.  What is all
the fuss about?

It's about cryptography, and who has the right to encrypt information
and who has the right to keep the key.  Right now, you do, but that
could all change.

Think of cryptography as a really good front door on your house or
apartment.  The door key is yours to hold, isn't it?  It's your right
to give a copy to someone you trust, or if you choose, nobody at all.

The Administration contends that this is not so.  With their
"commercial key escrow" scheme, they contend that you shouldn't be able
to build a door they cannot break down, but they also contend that they
should be able to order you to give a copy of the key to a
government-approved individual, so that they can come enter your house
(with a warrant, of course) when they wish.

Industry, of course, panned this plan when it was proposed in late 1995, and
continues to object to it.  All the while, a standoff continues:  the
Administration refuses to allow cryptographic software with keys longer
than 40 bits to be exported, and industry refuses to build Big Brother
into their products.

And this is where the standoff stayed until last Wednesday, when Lotus
blinked.

On Wed, Jan. 17th, 1996, Lotus announced that it had increased the key
length of its International version of the Lotus Notes product to 64
bits.  They did this by building in a back door for the Administration
to use to decrypt any international traffic that it might desire to
read.

Although there are a lot of reasons why we think this is a terrible
idea, the first one that springs to mind is the fact that the one
public key that Lotus has embedded in all their software is a single
point of failure for every International Lotus user throughout the
world.  Sure, this key is held with a high security clearance by the
government, but then Aldrich Ames also had some of the most sensitive
information available to him, and he proved untrustworthy.

After all, if $1.5 million can buy a CIA counter-intelligence agent, I
wonder how much a Lotus Notes key escrow holder goes for these days?

You can find a copy of the Lotus press releases at http://www.lotus.com


------------------------------

From: cpsr-global@Sunnyside.COM
Date: 20 Jan 1996 01:19:08 -0800
Subject: Conferences / Events

Taken from CPSR-GLOBAL Digest 309 [CPD moderator: items have been
removed.]

    From: marsha-w@uiuc.edu (Marsha Woodbury)
    Date: 19 Jan 1996 17:38:52 -0700
    Subject: Conferences / Events (@)

CONFERENCE /EVENT  SCHEDULE of interest to cpsr-global

Security, Privacy and Intellectual Property Protection in the Global
Information Infrastructure, Canberra, AUSTRALIA, Feb. 7-8.  Contact:
http://www.nla.gov.au/gii/oecdconf.html

Computers, Freedom, and Privacy, M.I.T., Cambridge, MA, March 27-30,
1996.  Contact:  web.mit.edu/cfp96     cfp96-info@mit.edu

ACM's Special Interest Group on Computer-Human Interaction, Vancouver,
BC, CANADA, April 14-18, 1996.    Contact:
http://www.acm.org/sigchi/chi96/ chi96-office@acm.org 
410 263-5382 410 267-0332 (fax)

Visions of Privacy for the 21st Century:  A Search for Solutions,
Victoria, BC, CANADA, May 9-11, 1996.  Contact:
http://www.cafe.net./gvc.foi

Society and the Future of Computing (SFC'96), Snowbird, UT, June 16-20.
Contact:  rxl@lanl.gov            http://www.lanl.gov/SFC

International Symposium on Technology and Society 1996 (ISTAS '96),
Princeton University, Princeton, NJ, June 21-22, 1996
Contact:  istas@wws.princeton.edu   609 258-1985 (fax)

Australasian Conference on Information Security and Privacy, New South
Wales, AUSTRALIA, June 24-26.  Contact:  jennie@cs.uow.edu.au

The Privacy Laws & Business, Cambridge, ENGLAND, July 1-3.  Contact:
44 181 423 1300      44 181 423 4536 (fax)

Advanced Surveillance Technologies II.  Ottawa, ON, CANADA, Sept. 17.
Contact:  pi@privacy.org

Data Protection and Privacy Commissioners, Ottawa, ON, CANADA, Sept.
18-20.  Contact:


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 15 Jan 1996 18:40:39 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.  

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
 .UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions considered as personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using CPD material should obtain permission from the
contributors.  

Contributions generally are acknowledged within 24 hours of
submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it
easier for the reader to follow a discussion.  He will not, however,
alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Web:           gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V8 #008
******************************