Date:       Mon, 26 Feb 96 06:59:52 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V8#018

Computer Privacy Digest Mon, 26 Feb 96              Volume 8 : Issue: 018

Today's Topics:			       Moderator: Leonard P. Levine

          Re: Anonymous Remailers are a Virus Spreading Online
          Re: Anonymous Remailers are a Virus Spreading Online
          Re: Anonymous Remailers are a Virus Spreading Online
          Re: Anonymous Remailers are a Virus Spreading Online
                     Re: Strange Telemarketing Call
                     Re: Strange Telemarketing Call
                    Re: Caller ID:  Ameritech -> MCI
                    Re: Caller ID:  Ameritech -> MCI
                    Re: Caller ID:  Ameritech -> MCI
                    Re: Caller ID:  Ameritech -> MCI
                    Re: Caller ID:  Ameritech -> MCI
                  Re: Europe Data Protection Directive
                   Re: Your Computer Is Watching You
           Re: Access to DMV Records by Rental Car Companies
                     Email Privacy in Colorado, USA
         "Privacy Piracy" on KING TV Monday 17:00 Pacific Time
                       It Could Never Happen Here
                 Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: brown@krl.caltech.edu
Date: 25 Feb 1996 14:17:49 -0800
Subject: Re: Anonymous Remailers are a Virus Spreading Online
Organization: Avida Artificial Life group
References: <comp-privacy8.15.6@cs.uwm.edu> <comp-privacy8.16.6@cs.uwm.edu>

    This .sig is a fucking protest.  Don't let the assholes in Congress
    get away with this abortion of Justice.  Feel free to duplicate,
    modify and redistribute this .sig, under the condition that the
    content remains "indecent".  http://www.vtw.org

    [moderator:  I will leave this signature file in this time, but
    intend to censor gratuitous indecent material in the future.  Not
    that I fear the government but it offends my personal taste.]

I think that it would be more in line with the "moderator" aspect of
things to simply deny the post on these grounds, rather than removing
the .sig.

Just my $.02...

-- 
Titus Brown, brown@krl.caltech.edu.

[moderator:  Titus is right, in future I will not censor user postings
but will reject those with gratuitous indecent material.]


------------------------------

From: JF_Brown@pnl.gov (Jeff Brown)
Date: 23 Feb 1996 23:29:38 +0000 (GMT)
Subject: Re: Anonymous Remailers are a Virus Spreading Online
Organization: Battelle Pacific Northwest Labs
References: <comp-privacy8.15.6@cs.uwm.edu> <comp-privacy8.16.6@cs.uwm.edu>

    "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu> wrote: My most
    serious question about anonymous remailers is this:  How can we be
    sure that the operator of such a remailer is not a federal or other
    governmental agent?  That person is trusted with our privacy and
    has all the data needed to identify a user.

    In article <comp-privacy8.16.6@cs.uwm.edu>, daveb@iinet.net.au
    says...  One (too?) obvious defence is to use a remailer in another
    country. I greatly doubt if the US Govt. has subverted a remailer
    in, say, Finland. The Finnish Govt. might have something to say
    about that.

This may be naive, but:

-	aren't network locations traceable to being overseas just
	by convention.  That is, couldn't one really be in the
	U.S. but have "daveb@iinet.net.au" as their address?

-	couldn't a particular address be set up overseas, but
	tapped in between?  My overseas mail appeared to go through
	particular routers.

-	couldn't a U.S. "spy" set up a remailer overseas?

--
Jeff Brown
JF_Brown@pnl.gov


------------------------------

From: JF_Brown@pnl.gov (Jeff Brown)
Date: 23 Feb 1996 23:34:15 +0000 (GMT)
Subject: Re: Anonymous Remailers are a Virus Spreading Online
Organization: Battelle Pacific Northwest Labs
References: <comp-privacy8.16.3@cs.uwm.edu>

    fyoung@oxford.net says...  ... snip prior article ...  I remember
    reading this on an anonymous remailer FAQ.  Chaining at least three
    remailers and using PGP to encrypt the message would greatly
    reduce the chance of being "exposed."  If one of the three
    remailers was a government sting, then the worst it could get is
    big brother would discover the origin of a message (going to another
    remailer) or the destination of a message (from another remailer).

I think it is probably worse than that.  If the first of the three
remailers were the sting, then wouldn't the message be compromised?
Or, if encrypted, then the sender would be flagged as someone to watch
more closely?

If it were not the first, then any remailer in the chain that was a
front could track where messages came from and where they go to, and
thereby gain an idea of where additional remailers would be.  Could
these sites then be monitored to track flows more closely, and perhaps
track individual addresses (an "anonymous" one, but still "unique" and
therefore traceable)?

Jeff Brown
JF_Brown@Pnl.gov


------------------------------

From: martin@kurahaupo.gen.nz (Martin Kealey)
Date: 24 Feb 1996 17:03:45 +1200 (NZST)
Subject: Re: Anonymous Remailers are a Virus Spreading Online

    Roy M. Silvernail (roy@sendai.cybrspc.mn.org) wrote: That's the
    reason behind chaining your message through several remailers.  The
    first remailer in the chain knows your address, but not the
    ultimate destination of the traffic.  A single uncompromised
    remailer in the chain will break the traceability of your message.

    [assuming encrypted message] Unfortunately that is untrue. If the
    first and the last remailer cooperate

Well, there you have it - if you already know the routing of the
message, then of course you can trace it - the hard part's already been
done!

The point with an encrypted chain is that only the sender and recipient
know the total chain - the other members only know the link either
side, and can't see end-to-end (as long as you have at least 3
remailers in the chain).
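
Added example, not part of the original digest or of any contributor's post: a Python sketch of the encrypted remailer chain discussed in the two posts above, showing what each remailer can read from the packet it handles. The addresses and keys are constructed, and a toy SHA-256 keystream cipher stands in for PGP; traffic timing and message size are not modelled.

```python
import hashlib
import json

# Constructed sample data (assumptions, not taken from the digest).
SENDER = "alice@example.org"
RECIPIENT = "bob@example.net"
CHAIN = ["remailer-a.example", "remailer-b.example", "remailer-c.example"]
REMAILER_KEYS = {name: hashlib.sha256(name.encode()).digest() for name in CHAIN}
RECIPIENT_KEY = hashlib.sha256(b"bob").digest()
BODY = b"meet at noon"


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Toy stand-in for PGP: the same
    call encrypts and decrypts. Not for real use (no nonce, no integrity)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def build_layers(chain, remailer_keys, recipient, recipient_key, body):
    """Sender side: encrypt the body to the recipient, then wrap one layer
    per remailer, innermost (last hop) first."""
    payload = toy_cipher(recipient_key, body)
    next_addr = recipient
    for hop in reversed(chain):
        layer = json.dumps({"next": next_addr, "payload": payload.hex()})
        payload = toy_cipher(remailer_keys[hop], layer.encode())
        next_addr = hop
    return payload  # handed to chain[0]


def relay(packet, sender, first_hop, remailer_keys):
    """Pass the packet from hop to hop; record what each remailer can read:
    who handed it the packet, where it must forward, and the opaque blob."""
    views = {}
    came_from, hop = sender, first_hop
    while hop in remailer_keys:
        layer = json.loads(toy_cipher(remailer_keys[hop], packet))
        packet = bytes.fromhex(layer["payload"])
        views[hop] = {"from": came_from, "to": layer["next"], "forwards": packet}
        came_from, hop = hop, layer["next"]
    return views, hop, packet  # hop is now the final delivery address


def demo():
    packet = build_layers(CHAIN, REMAILER_KEYS, RECIPIENT, RECIPIENT_KEY, BODY)
    return relay(packet, SENDER, CHAIN[0], REMAILER_KEYS)


if __name__ == "__main__":
    views, delivered_to, final = demo()
    for hop, view in views.items():
        print(f"{hop}: sees {view['from']} -> {view['to']}")
    print(f"{delivered_to} decrypts: {toy_cipher(RECIPIENT_KEY, final)!r}")
```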


------------------------------

From: Chris Kocur <ckocur@jcpenney.com>
Date: 24 Feb 1996 00:17:53 GMT
Subject: Re: Strange Telemarketing Call
Organization: JCPenney
References: <comp-privacy8.17.9@cs.uwm.edu>

    Mark.E.Anderson@att.com (Mark Anderson) wrote: [snip] Has anyone
    else heard of a market research survey that had to be recorded?
    I've done telephone recordings for insurance depositions before but
    it seems odd to cold call someone and demand of them to be
    recorded.

In the last year or so I have had that happen when I've agreed over the
phone to subscribe to a service or something, but never for a survey.
So far it has only been after the sales pitch and I've already agreed
to the purchase. They read a prepared statement (which I believe is
also recorded) and record my response. I should probably respond with a
specific answer such as 'I agree to purchase xxxx', but usually I just
say 'yes'.

(I know, I shouldn't encourage them, but sometimes it's something I want
and they're lucky enough to catch me in a generous mood).

-- 
Regards, Chris

#include <std/disclaimer.h>
I can do it quick; I can do it well; I can do it cheap -- pick any two.
-- Red Adair
ckocur@jcpenney.com (work), ckocur@plano.net (home)


------------------------------

From: prvtctzn@aol.com (Prvt Ctzn)
Date: 25 Feb 1996 11:20:33 -0500
Subject: Re: Strange Telemarketing Call
Organization: America Online, Inc. (1-800-827-6364)
References: <comp-privacy8.17.9@cs.uwm.edu>

Here's a suggestion!

If you think you're up against a `peculiar' survey caller...

1) Allow the interview to start 
2) give them information (it does not have to be correct) 
3) after about the fourth question say something like:
 "Hey, I'm giving you my private info but I don't know anything about your
firm."  
4) ask them for their firm's name, then address, 
5) tell them that, in order to confirm their ID, you will call them back.
Then get their phone number. 

The key to this process is to give them enough survey information for them
to feel invested in you. Thus they will want to be able to complete the
survey, rather than waste the time they already spent wasting your time. 
It's kinda like fishing... You are the fish... but you have a hook to pull
them into the water. 

                 Robert Bulmash
Private Citizen, Inc.  1/800-CUT-JUNK


------------------------------

From: johnl@iecc.com (John R Levine)
Date: 23 Feb 96 23:52 EST
Subject: Re: Caller ID:  Ameritech -> MCI
Organization: I.E.C.C., Trumansburg, N.Y.

    Just another data point for those interested in Caller ID
    interoperability.  I phoned an 800 number from my private residence
    [and the callee received my phone number]

This has nothing to do with CLID.  When you call an 800 number, the
people you call always get a record of the caller's number.  Why?  It's
itemized billing.  The number is delivered via a technology known as
ANI, which has been around for many decades, ever since the operator
stopped asking "what number are you calling from?" on toll calls.  I
have cheapo $5/mo 800 service, so I get my monthly bills with the 800
calls itemized by number, just like the outgoing calls.  If I had
fancier 800 service, I could get the caller's number at the time the
call arrives.

The theory, which I think is reasonable, is that since I'm paying for
the calls, I have a reasonable right to get an itemized bill, just like
for all the rest of my phone calls.  Anyone who wants to call me
without giving me their phone number is entirely welcome to do so, just
not on my nickel.  (Unlike some 800 numbers, mine all have published
normal equivalents.)

900 and other pay-per-call numbers also get the calling number, for a
very similar reason -- they need to know who to bill.

-- 
John R. Levine, IECC, POB 640 Trumansburg NY 14886 +1 607 387 6869
johnl@iecc.com "Space aliens are stealing American jobs." - Stanford econ prof


------------------------------

From: Aaron Zaugg <relief@indirect.com>
Date: 24 Feb 1996 15:43:15 -0700 (MST)
Subject: Re: Caller ID:  Ameritech -> MCI

Anytime anyone calls an 800 number the possibility is there for your
phone number to be sent along with it.  It's not Caller ID but instead
ANI.  Automatic Number Identification can be used for many different
reasons.  Most long distance code dialup numbers use it for security
purposes so someone can not just call trying codes with no threat of
recourse.  The justification for ANI on 800 numbers (besides the
answering operator having all your personal info pop up on the screen
before the call is answered) is that the company you are calling is
paying for the toll.  Therefore for billing purposes, they have the
right to know who is calling.

Just a warning to others.  The same applies if anyone makes a collect
call from your own phone.  The receiver of the call will have your
phone number on their long distance bill.  This will happen whether
your number is unlisted or not.


------------------------------

From: jlkolb@sd.cts.com (John Kolb)
Date: 25 Feb 1996 03:03:24 GMT
Subject: Re: Caller ID:  Ameritech -> MCI
Organization: CTS Network Services (CTSNET), San Diego, CA
References: <comp-privacy8.17.11@cs.uwm.edu>

    Christopher L. Barnard (cbarnard@cs.uchicago.edu) wrote: Just
    another data point for those interested in Caller ID
    interoperability.  I phoned an 800 number from my private residence
    line (Ameritech) and preceded the call with *67.  The 800 number
    was able to determine my phone number (this was an automated system
    I was calling).  I phoned Ameritech, who identified the 1-800
    number as

800 and 900 numbers ALWAYS, to the best of my knowledge, receive the
phone numbers of those who call them. After all, they are the ones
paying for the call.

Guess we need to insist that anyone we call provide a non-800 # also.


------------------------------

From: dan@fch.wimsey.bc.ca (Dan Fandrich)
Date: 25 Feb 96 01:51:50 GMT
Subject: Re: Caller ID:  Ameritech -> MCI
Organization: Fandrich Cone Harvesters Ltd.
References: <comp-privacy8.17.11@cs.uwm.edu>

    cbarnard@cs.uchicago.edu writes: Just another data point for those
    interested in Caller ID interoperability.  I phoned an 800 number
    from my private residence line (Ameritech) and preceded the call
    with *67.  The 800 number was able to determine my phone number
    (this was an automated system I was calling).  [...] Yet another
    reason to never assume that caller ID blocking will actually block
    anything...

When an 800/888/900 number owner receives the number of the person
calling, he receives the caller's ANI (Automatic Number
Identification), NOT his directory number sent by Caller*ID.  In most
cases, the ANI and Caller*ID are the same but since ANI is designed for
billing purposes, they can be different.  ANI uses a completely
different mechanism from Caller*ID and *can not* be blocked by the
caller, period.  The reasoning is that the 800 number owner is paying
for the call so is entitled to know who is racking up his bill.

>>> Dan
-- 
dan@fch.wimsey.bc.ca / MIME email ok / 
finger danf@vanbc.wimsey.com for pgp key


------------------------------

From: peter@nmti.com (Peter da Silva)
Date: 25 Feb 1996 22:59:47 GMT
Subject: Re: Caller ID:  Ameritech -> MCI
Organization: Network/development platform support, NMTI
References: <comp-privacy8.17.11@cs.uwm.edu>

    Christopher L. Barnard <cbarnard@cs.uchicago.edu> wrote: Just
    another data point for those interested in Caller ID
    interoperability.  I phoned an 800 number

800 numbers will always get your ID, since they're paying for the phone
call... it's billing information they're entitled to. This predates
"Caller ID", and has nothing to do with it. I'm boggled that none of
the operators knew this, though.

-- 
Peter da Silva    (NIC: PJD2)      `-_-'             1601 Industrial Boulevard
Bailey Network Management           'U`             Sugar Land, TX  77487-5013
+1 713 274 5180         "Har du kramat din varg idag?"                     USA
Bailey pays for my technical expertise.        My opinions probably scare them


------------------------------

From: banisar@epic.org (Dave Banisar)
Date: 24 Feb 1996 13:58:08 GMT
Subject: Re: Europe Data Protection Directive
Organization: Electronic Privacy Information Center
References: <comp-privacy8.17.5@cs.uwm.edu>

    Jacques Lemieux <72470.1055@CompuServe.COM> wrote: I am looking for
    any comment on the European Data Protection Directive.  Any hints
    for me?

The EC Directive is available at Privacy International's web page at
www.privacy.org/pi/

--
Dave Banisar
EPIC/PI Washington Office


------------------------------

From: gordon@sneaky.lerctr.org (Gordon Burditt)
Date: 24 Feb 1996 09:03:31 -0600 (CST)
Subject: Re: Your Computer Is Watching You

    But many PC users may take a dim view of Netscape's failure to draw
    their attention to the fact that their behaviour may be tracked in
    this way.  Moreover, there appears to be only one way to disable
    the facility: by manually amending or deleting the COOKIE.TXT file
    containing all the cookies.

Why does anyone think that this disables the facility?

Deleting the cookies file will prevent the cookies from persisting over
sessions (I hope), but it is not at all obvious to me that you won't be
"re-infected" with cookies each time you visit a site that uses them
(especially if Netscape is still set to show one of Netscape's pages on
startup - I recommend changing this).  I expect that the cookies file
is cached in memory and that updates use the memory copy (no, I didn't
trace the code to prove this).  This will allow Netscape to track your
travels in their pages in any one session, but it won't allow
correlations between sessions (except by IP address, which might be
dynamic or correspond to several different users) if you keep deleting
or prevent creation of the cookie file.

					Gordon L. Burditt
					sneaky.lerctr.org!gordon


------------------------------

From: "Milton C. Hubbard" <mchubb01@starbase.spd.louisville.edu>
Date: 24 Feb 1996 19:50:06 -0500
Subject: Re: Access to DMV Records by Rental Car Companies
Organization: University of Louisville
References: <comp-privacy8.14.7@cs.uwm.edu> <comp-privacy8.17.8@cs.uwm.edu>

    Philip H. Smith III, (703) 506-0500 wrote: [cut] Moral: never,
    never, never, never rent off-airport unless you (a) can't afford a
    real car rental agency (b) have lots of time and (c) have proof of
    lots of insurance.

Philip,

Did you offer to use a Gold VISA, MC or AMEX as security? They offer
complete car insurance automatically even when the renter has no
comprehensive coverage on his own policy. I don't see how the rental
agency could lose in this situation.  Comments anybody?

--
Milton Hubbard


------------------------------

From: lrose@mercury.cair.du.edu (Lucas Rose)
Date: 24 Feb 1996 23:33:43 -0700
Subject: Email Privacy in Colorado, USA
Organization: Would you give the 30 pieces of silver back?

Rep. Ron Tupa's (D-Boulder) email privacy bill has been sent to the
Appropriations committee.

This bill tried to guarantee that an employee's email was secure from
the inspection of the employer without the employee's consent. It also
tried to make inter- and intra-office governmental email memos not
subject to the Open Records Law, and insure the same employee email
privacy for public employees. Additionally, it updated Colorado's
wiretapping laws to the same protection afforded by Federal Law.

It has been amended down to only the governmental privacy policy
mandate and the updating the wiretapping laws, but it still needs
support to escape Appropriations.

Please call the Representatives who sit on the Appropriations committee
and encourage them to support the bill so that Colorado can begin to
treat email like all other forms of communication.

Ask them to support HB1199, regarding email privacy.

Appropriations Committee (all area codes are 303):

Tony Grampsas: 866-2957
David Owen: 866-2943
Jeanne Adkins: 866-2936
Vickie Agler: 866-2939
Nolbert Chavez: 866-2925
Bill Jerke: 866-2907
Bill Martin: 866-2965
Phil Pankey: 866-2953
Gilbert Romero: 866-2968
Todd Saliman: 866-5524
Carol Snyder: 866-4667

Colorado is a national leader in the telecommunication field, and we
should be a leader in protecting electronic communication. Help support
HB1199, and help support privacy in telecommunications.

If you have additional questions, please call Rep. Ron Tupa
(303-866-2915).

Please forward this message to all interested parties.

--
lrose@mercury.cair.du.edu "A thing is not necessarily true because a
man dies for it." -- Oscar Wilde


------------------------------

From: bo774@freenet.carleton.ca (Kelly Bert Manning)
Date: 25 Feb 1996 23:27:13 GMT
Subject: "Privacy Piracy" on KING TV Monday 17:00 Pacific Time
Organization: The National Capital FreeNet, Ottawa, Ontario, Canada

This is a Seattle area NBC station, but I have the impression that it
is also distributed by satellite, so it may be widely available across
the continent. This is their normal 5:00 am news slot, so it probably
won't take up the whole hour.

I have a recollection of seeing a story on a Seattle station about 8
years ago that started out with writing down a licence number of a
randomly selected car parked near the station and recounting all that
could be discovered about the registered owner using public records,
which included a few years of tax returns because they had been filed
as part of a divorce case. I can't recall if that was KING or another
Seattle area station.

My recollection is that the story said that the owner was advised of
them retrieving the registration details because it was Washington
state policy to use part of the statutory access charge fee to send
notice of disclosure to the registered owner whenever vehicle
registration data was released to a third party.

--
notice: by sending advertising/solicitations to this account you will be 
indicating your consent to paying me $70/hour for a minimum of 2 hours for
my time spent dealing with it


------------------------------

From: jwarren@well.com (Jim Warren)
Date: 24 Feb 1996 12:41:34 -0800
Subject: It Could Never Happen Here

For reasons that will become obvious, I've blanked the user id info in
this forward -- though the *currently operational* thought police
probably already have a copy if the author transmitted from their
current location.

Notice how nicely the 1994 Democrats' half-billion-dollar national
wiretap system facilitates the 1995 Republicans' zealous "decency"
mandate.

--jim
Jim Warren, GovAccess list-owner/editor (jwarren@well.com)
Advocate & columnist, MicroTimes, Government Technology, BoardWatch, etc.

From: xxx@xxx.com
Date: 15 Feb 1996 05:09:32 -0500
To: jwarren@well.com

Jim,

This is delayed in getting back to you, but I just wanted to tell you
that your discussion of making all U.S. phone lines wire-tap ready
reminds me of my present life. I live in Riyadh, Saudi Arabia.
Everything is tapped here and most people know it. Faxes are also
"grabbed" and if they find a reason to suspect immoral activity, they
can then go back and actually open up every transmitted fax from a
certain line.

The government acquiesces to the religious police and allows the
tapping (besides the obvious reasons of snooping around for subversion)
to be done for the purpose of routing our expatriates' prohibited
activities (church, parties with men & women mixed, music and
theatrical performances, etc).

There is a list of "key words" plugged into the tapping computers (for
instance, the choral society I am in makes everyone avoid "choir,
chorus, rehearsal, conductor, concert" and we're not making this up --
we have a manager (expat, of course) from the Ministry of Postal,
Telegraph and Telephone in our bass section that provides us with the
hot list every few months or so.

As pertains to church, it's really a mess. My spouse and I worship in
the Diplomatic Quarter with an Anglican community, but we live in a
U.S. Army facility (the one that had the terrorist bombing on Nov. 13
that killed 7 -- my spouse was in the building and got bad glass cuts)
that houses worship services on Fridays.

We learned that the General did not know about the phone tapping, but
certain civilian staff were briefing everyone new upon arrival about
avoiding "sunday school, preacher, etc") on the phone so as to not
endanger our services. After the bombing, dear friends and family would
sometimes want to pray with our families over the phone, or offer
scripture for comfort, and we had to tell them "you can't do that", so
we asked the General if our phones were STILL being tapped at a public
meeting and he told everyone that he'd never heard of that before (I
heard his secretary tell him it was a "story" that did surface every
few months or so) and that it was ridiculous -- the Ambassador would
love to see the Muttawa (religious police) try and get us thrown out of
the kingdom for holding religious services.

Anyhow, I just thought you'd be interested to see a slice of official
U.S.  military life, residing here on Diplomatic Passports, outside the
confines of the American border.

Best wishes,

xxx, Information Systems Mgmt.
xxx, European Division


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 30 Jan 1996 18:45:30 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.  

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
 .UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions considered as personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy;
publications using CPD material should obtain permission from the
contributors.  

Contributions generally are acknowledged within 24 hours of
submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it
easier for the reader to follow a discussion.  He will not, however,
alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Web:           gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V8 #018
******************************