Date: Fri, 22 Mar 96 10:38:21 EST
Errors-To: Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From: Computer Privacy Digest Moderator <comp-privacy@uwm.edu>
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#026
Computer Privacy Digest Fri, 22 Mar 96 Volume 8 : Issue: 026
Today's Topics: Moderator: Leonard P. Levine
Re: MS Internet Assistant Cache
Re: MS Internet Assistant Cache
Re: MS Internet Assistant Cache
Re: Netscape Problems
Re: 800 ANI
Re: 800 ANI
More on SSNs
More on SSNs
An Excellent Pro-Individual Rights Listserv
All Brothers May Be Watching Us
Privacy in Cyberspace
Privacy and Electronic Commerce
[from CUD] PGP and Human Rights [long]
Info on CPD [unchanged since 11/22/95]
----------------------------------------------------------------------
From: huggins@tarski.eecs.umich.edu (James K. Huggins)
Date: 19 Mar 1996 13:02:35 -0500
Subject: Re: MS Internet Assistant Cache
Organization: University of Michigan EECS Dept., Ann Arbor, MI
References: <comp-privacy8.25.8@cs.uwm.edu>
Shannon Wenzel <s_wenzel@ix.netcom.com> writes: I have begun
learning HTML programming. In order to place an example graphic on
an HTML page, I thought I would scan my harddisk for a suitable GIF
or JPEG image. In Win95, I lauched the FIND utility and typed
*.GIF. In seconds, a huge list of GIFS scolled across the screen.
I though this was odd so I wen to the directory.
To rephrase someone ... it's not a bug, it's a feature. Netscape
(which I use: I don't have Win95) sets aside a cache directory where it
dumps all the files that it reads. Why it's a feature: you can
configure your browser so that it doesn't necessarily need to
re-download a file if you re-access it but it hasn't changed --- which
can be quite helpful if you're running over a slow modem or you pay for
connect charges by the minute.
Netscape does allow you to change the size of the cache (even to set it
to 0), and to change how it uses the cache. I don't know if MS
Internet Assistant does so as well, but I would guess it might be
possible.
As to the "unscrupulous" uses of such: standard HTML shouldn't do
anything nasty like virus delivery. Java does have some small security
problems (which are being addressed); check out comp.lang.java for
starters.
--
Jim Huggins, Univ. of Michigan huggins@umich.edu
(PGP key available upon request) W. Bingham Hunter
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 19 Mar 1996 14:20:20 -0600 (CST)
Subject: Re: MS Internet Assistant Cache
Organization: University of Wisconsin-Milwaukee
James K. Huggins points out: Netscape does allow you to change the
size of the cache (even to set it to 0), and to change how it uses
the cache. I don't know if MS Internet Assistant does so as well,
but I would guess it might be possible.
Another side point. Copyright usually is interpreted as allowing a
download of a file for viewing and reading. It usually is interpreted
as not allowing the copying of the file for reprinting and further
publication.
This caching of a file (both images and text files are cached) for
later reloading to speed up review of an already viewed page or
picture permits (encourages?) the storage of files that might well
have been released only for viewing. The law is far from clear here.
As an example, one might look at the home page for Peter, Paul and Mary
(http://www.magick.net/%7Eppm/) where the owner of the data has a clear
copyright notice:
Portions of these pages, and all contents, are Copyright (C) 1995 by
Magick Net, Inc. or Warner Bro.
Have I violated the copyright by the simple act of viewing the home
page? Have I violated it by the automatic caching done in my little
PC? If I include the picture in my web page have I done it? If I save
and print the lovely photo on that page have I done it? Finally, what
if I sell copies?
--
Leonard P. Levine e-mail levine@cs.uwm.edu
Professor, Computer Science Office 1-414-229-5170
University of Wisconsin-Milwaukee Fax 1-414-229-2769
Box 784, Milwaukee, WI 53201
PGP Public Key: finger llevine@blatz.cs.uwm.edu
------------------------------
From: Mark.E.Anderson@att.com (Mark Anderson)
Date: 20 Mar 1996 14:03:36 -0600
Subject: Re: MS Internet Assistant Cache
Shannon Wenzel <s_wenzel@ix.netcom.com> said: Has anyone else had
experience with this? I am concerned about "virus" delivery or some
other unscrupulous use of such technology.
Call me paranoid but I wouldn't store any sensitive data (like credit
card info, home finances, ...) on any PC that can open an active TCP
session. There are so many unknown back doors and viruses out there
that would make it relatively easy for someone to snoop around your
system. Just look at how many security holes were found in operating
systems such as Unix (tm) throughout the years. I can imagine hackers
(some probably working for reputable software companies) having a field
day downloading select info from your hard drive without your
knowledge.
--
Mark Anderson
mea@ihgp.att.com
------------------------------
From: Chris Kocur <ckocur@jcpenney.com>
Date: 19 Mar 1996 18:15:55 GMT
Subject: Re: Netscape Problems
Organization: JCPenney
References: <comp-privacy8.24.1@cs.uwm.edu>
"Prof. L. P. Levine" <levine@blatz.cs.uwm.edu> wrote: A quick test
on my local machine shows that this will send a message to
nasty@secret.org with the subject gotcha and the body "hi=there".
This is insidious; it means that E-mail messages, purportedly from
me (and all traces will show they really are from me) can be sent
anywhere, without my knowledge, with contents that I do not
approve. Further, it means that I can no longer count on browsing
a site without my userid being disclosed. Unlike Java, there is no
way to disable this. [Also been submitted to Netscape.]
Well one way to disable it is to update your Netscape mail preferences
and remove or invalidate the 'Mail (SMTP) Server' entry. Not only will
the mail not send, but you'll get an error message when a message is
attempted. The downside of course is that you can't mail anything from
inside of Netscape until you reenter the mail server. Definitely an
inconvenience, more so for some than others, but at least nothing will
get mailed out without your knowledge.
--
Regards, Chris
#include <std/disclaimer.h> I can do it quick; I can do it well; I can
do it cheap -- pick any two. -- Red Adair ckocur@jcpenney.com (work),
ckocur@plano.net (home)
------------------------------
From: Bruce.Taylor@hedb.uib.no (Bruce Taylor)
Date: 20 Mar 1996 17:55:40 GMT
Subject: Re: 800 ANI
Organization: Computing Section, Faculty of Arts, University of Bergen, Norway
References: <comp-privacy8.24.11@cs.uwm.edu> <comp-privacy8.17.11@cs.uwm.edu> <comp-privacy8.18.10@cs.uwm.edu> <comp-privacy8.22.7@cs.uwm.edu> <comp-privacy8.25.5@cs.uwm.edu>
johnl@iecc.com (John R Levine) writes: Dumb but true: US companies
put ads in European magazines with the only contact number an 800
number you can't call from Europe.
Prior to about 1992 I was unable to put through a call from Norway to
an 800 number in North America. I tried again about a year ago - these
days it works. Of course I pay international rates for the call.
--
Bruce
Bruce Taylor Bruce.Taylor@hedb.uib.no
Det historisk-filosofiske fakultets edb-seksjon voice: +47.55.212348
Universitetet i Bergen, Norway fax: +47.55.231897
------------------------------
From: wrf@ecse.rpi.edu (Wm. Randolph U Franklin)
Date: 22 Mar 1996 00:31:26 GMT
Subject: Re: 800 ANI
Organization: ECSE Dept, Rensselaer Polytechnic Institute, Troy, NY, 12180 USA
References: <comp-privacy8.17.11@cs.uwm.edu> <comp-privacy8.18.10@cs.uwm.edu> <comp-privacy8.25.6@cs.uwm.edu>
wbe@psr.com (Winston Edmond) writes: The policy is that the one who
pays for the call is entitled to enough information to determine
whether or not their bill is correct. "Somebody, somewhere, but
we're not going to tell you who or where, called and you owe us $5
for the call" isn't an acceptable billing practice.
However, I've heard that this was always the billing practice in
Europe, partly driven by their concern for privacy. Each account had a
meter to record total long distance charges, The actual called numbers
were not stored. Each month, you got a very simple bill, containing
just a total amount, from the PTT.
Dunno whether that's still the case over there. Of course, they now
have the prepaid calling cards, for which, it's been reported, all the
numbers called are recorded.
My general point here is that different societies can make quite
different privacy/accountability tradeoffs.
--
Wm. Randolph Franklin
wrf@ecse.rpi.edu
ECSE Dept., 6026 JEC, Rensselaer Polytechnic Inst, Troy NY, 12180 USA
------------------------------
From: Robert Gellman <rgellman@cais.cais.com>
Date: 20 Mar 1996 13:36:54 -0500 (EST)
Subject: More on SSNs
curunir@deltanet.com wrote Two items: How did the codification
miss that particular section? I thought codification took the
public law word for word into the US Code...
Public laws and US code are not necessarily the same thing, and there
are many public laws that are uncodified. I could offer a longer
explanation, but codification policy and practice is pretty dull.
Second, my employer demands I get an airport ID at the Long Beach
Airport. In the absence of a privacy act disclosure statement, I
refused to give my SSAN. Now they're demanding it again. I think
they probably qualify under one of the exceptions (as a polic
agency), but it seems to me that they still have to give out a
disclosure notice. Showing them a copy of the law simply does not
impress them - no SSAN, no ID.
The airport authority may or may not be a governmental organization.
Assuming that it is, you are free to complain and point to the law.
You are right about the disclosure notice, as far as I know. (There
might be some anti-hijacking law that grants an exemption, but that is
rank speculation.)
The SSN provision of the privacy act has no enforcement provision. Why
not write to the general counsel for the airport and provide a copy of
the law? Odds are that they never heard of it. There have been some
successful court challenges to governmental violations, but that is a
lot of trouble and expense.
+ + + + + + + + + + + + + + + + + + + + + + + + +
+ Robert Gellman rgellman@cais.com +
+ Privacy and Information Policy Consultant +
+ 431 Fifth Street S.E. +
+ Washington, DC 20003 +
+ 202-543-7923 (phone) 202-547-8287 (fax) +
+ + + + + + + + + + + + + + + + + + + + + + + + +
------------------------------
From: kfarrell@brainiac.com (Kevin J.Farrell)
Date: 20 Mar 96 23:39:42 EST
Subject: More on SSNs
If some other form of identification is used instead of the SSN we will
still have the same problem. I heard there is talk of using a some form
of a National ID number for all Americans. Privacy is gone today.
Kevin J. Farrell
------------------------------
From: jwarren@well.com (Jim Warren)
Date: 20 Mar 1996 13:40:36 -0800
Subject: An Excellent Pro-Individual Rights Listserv
I recommend this relatively new list -- informative, provocative,
worthwhile.
--
Jim Warren, GovAccess list-owner/editor (jwarren@well.com)
Advocate & columnist, MicroTimes, Government Technology, etc.
===========================
New Mailing List Freematt's Alerts; Pro-Individual Rights Issues.
Freematt's Alerts is a private moderated list dealing with pro-individual
rights issues. Special attention is given to censorship and free speech
concerns. (Volume of 7-15 messages per week).
To subscribe send a blank message to freematt@coil.com with the words
Subscribe FA in the subject field.
List is owned by Matthew Gaylor <freematt@coil.com>. Send any questions or
comments to Matthew Gaylor <freematt@coil.com>
============================
------------------------------
From: wjanssen@cs.vu.nl (Wouter Janssen)
Date: 21 Mar 1996 09:30:52 GMT
Subject: All Brothers May Be Watching Us
Organization: Fac. Wiskunde & Informatica, VU, Amsterdam
Big Brother is watching us? Probably, I don't know for sure, I'm just
careful :) but did you know just anybody can search a database and see
what articles you posted on which newsgroups lately?
I didn't untill I found out about DeJaNews. An on-line database on WWW
where you can enter keywords to search on some specific topic.
However, usernames are topics too!
Many of you probably knew about this, but in case you didn't be warned
when you post something!
(btw, the URL for DeJaNews = http://www.dejanews.com/forms/dnq.html)
---------------------------------------------------------------------
In real life : Wouter Janssen | Just because you're paranoid
E-mail : wjanssen@cs.vu.nl | Don't mean they're not after you
Irc : Tijgertje |
URL: http://www.cs.vu.nl/~wjanssen/| (K. Cobain)
PGPkey : mail to wjanssen=pgp@cs.vu.nl
---------------------------------------------------------------------
------------------------------
From: jonl@well.sf.ca.us (Jon Lebkowsky)
Date: 21 Mar 1996 19:24:48 GMT
Subject: Privacy in Cyberspace
Organization: The Whole Earth 'Lectronic Link, Sausalito, CA
Electronic Frontiers Forum at HotWired's Club Wired
Thursday, March 21, 1996 7PM PST
PRIVACY IN CYBERSPACE
Sameer Parekh, included on Newsweek's list of the "50 people who matter
most on the Internet," is an information-age renaissance blend of
programmer, entrepreneur, and activist. His company Community
Connexion (http://www.c2.org) has implemented an infrastructure
supporting completely private internet mail, a kind of anonymity
server. Join Sameer Parekh and Jon Lebkowsky for a lively discussion of
the technological and sociopolitical issues of privacy in cyberspace.
Access to the Electronic Frontiers Forum in Club Wired at HotWired is
by telnet to chat.wired.com:2428, or you can go to
http://www.hotwired.com/club and click on "Enter Club Wired."
A login is required, but free and easy to get. Login's also required to
post to Threads, HotWired's asynchronous conferencing system. Otherwise
you can read transcripts and other pages at HotWired without logging
in.
--
Jon Lebkowsky <jonl@wired.com> http://www.well.com/~jonl
Electronic Frontiers Forum, 7PM PST Thursdays <http://www.hotwired.com/eff>
------------------------------
From: collins@ait.nrl.navy.mil (Joe Collins)
Date: 21 Mar 1996 17:46:27 -0500
Subject: Privacy and Electronic Commerce
Organization: Naval Research Laboratory
Privacy & Electronic Commerce
The Risk:
With respect to protecting privacy, the genie is certainly out of the
bottle in the failure to restrict use of social security numbers. Abuse
of SSNs, however, is not the worst we may see of this kind of problem.
In order to mediate electronic commerce, in the near future we will
have cryptographic key identifiers that, as proposed, will be
inextricably bound to personal information. The need for this binding
is essential: without the ability to identify (and locate) a legal
person, one cannot enforce contractual agreements.
The danger of the widespread use of these cryptographic keys results
from the power of the computer. The only feasible use of these keys is
electronic- i.e., there is no "air gap" as there is with the use of
SSNs. The result is that our key will be known by everyone with whom we
do electronic commerce and they will have it in their database. They
will also have a great assurance that there is no error in the key, and
consequently they will know who we are. Electronic commerce is a
convenience that is enabled by these cryptographic authentication
methods. These same methods can also create an equally inconvenient,
even dangerous threat to privacy: when an individual loses control of
personal and identifying information, his personal security is
compromised. This was less true when our local community was small but,
with computers and the internet, the local community is limited only by
the population of the earth.
There is an essential conflict between the need to protect privacy and
the need to provide identification (or authentication).
The Fix
There are many possible fixes. Probably the most likely is the
institution of private "privacy brokers". A privacy broker would act as
a broker that mediates any secure transaction an individual would like
to make. Methods would include such things as performing the
transactions in the broker's name or issuing and providing
certification for one-time cryptographic keys. The necessary
identification security features may be provided by having the broker
maintain the appropriate logs of subscriber activities or records of
the keys issued to a subscriber. Privacy is maintained by not releasing
any personal information or activity information except in limited
fashion and in accordance with an appropriate security policy.
While many might identify the cypherpunk anonymous remailers as
examples of privacy brokers, their general practice of full anonymity
does not allow for legal accountability. Public and commercial
acceptance of privacy brokers will require more moderate security
policies that both protect privacy and ensure accountability.
--
Joe Collins
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 19 Mar 1996 11:30:44 -0600 (CST)
Subject: [from CUD] PGP and Human Rights [long]
Organization: University of Wisconsin-Milwaukee
Taken from Computer underground Digest Mon Mar 18, 1996 Volume 8:Issue
21 ISSN 1004-042X
PGP and Human Rights
Date--Mon, 18 Mar 1996 12:01:37 -0700 (MST)
Subject--PGP and Human Rights
Recently, I received the following letters by email from Central
Europe. The letters provides food for thought in our public debates
over the role of cryptography in the relationship between a government
and its people. With the sender's permission, I am releasing the
letters to the public, with the sender's name deleted, and some minor
typos corrected. This material may be reposted, unmodified, to any
other Usenet newsgroups that may be interested.
-Philip Zimmermann
From--[name and email address deleted]
Date--Sat, 09 Mar 1996 19:33:00 +0000 (GMT)
Subject--Thanks from Central Europe
To--Philip Zimmermann <prz@ACM.ORG>
Dear Phil,
This is a short note to say a very big thank you for all your work with
PGP.
We are part of a network of not-for-profit agencies, working among
other things for human rights in the Balkans. Our various offices have
been raided by various police forces looking for evidence of spying or
subversive activities. Our mail has been regularly tampered with and
our office in Romania has a constant wiretap.
Last year in Zagreb, the security police raided our office and
confiscated our computers in the hope of retrieving information about
the identity of people who had complained about their activites.
In every instance PGP has allowed us to communicate and protect
our files from any attempt to gain access to our material as we PKZIP
all our files and then use PGP's conventional encryption facility to
protect all sensitive files.
Without PGP we would not be able to function and protect our client
group. Thanks to PGP I can sleep at night knowing that no amount of
prying will compromise our clients.
I have even had 13 days in prison for not revealing our PGP pass
phrases, but it was a very small price to pay for protecting our
clients.
I have always meant to write and thank you, and now I am finally doing
it. PGP has a value beyond all words and my personal gratitude to you
is immense. Your work protects the innocent and the weak, and as such
promotes peace and justice, quite frankly you deserve the biggest medal
that can be found.
Please be encouraged that PGP is a considerable benefit people in need,
and your work is appreciated.
Could you please tell us where in Europe we can find someone who can
tell us more about using PGP and upgrades etc. If you can't tell us
these details because of the export restriction thing, can you point us
at someone who could tell us something without compromising you.
Many thanks. ---
[ I sent him a response and asked him if I could disclose his
inspiring letter to the press, and also possibly use it in our
ongoing legislative debates regarding cryptography if the opportunity
arises to make arguments in front of a Congressional committee. I
also asked him to supply some real examples of how PGP is used to
protect human rights. He wrote back that I can use his letters if I
delete his organization's name "to protect the innocent". Then he
sent me the following letter. --PRZ ]
From--[name and email address deleted]
Date--Mon, 18 Mar 1996 15:32:00 +0000 (GMT)
Subject--More News from [Central Europe]
To--Philip Zimmermann <prz@ACM.ORG>
Dear Phil,
I have been thinking of specific events that might be of use to your
Congressional presentation. I am concerned that our brushes with
Governments might be double-edged in that Congress might not like the
idea of Human Rights groups avoiding Police investigation, even if such
investigations violated Human Rights.
However we have one case where you could highlight the value of PGP to
"Good" citizens, we were working with a young woman who was being
pursued by Islamic extremists. She was an ethnic Muslim from Albania
who had converted to Christianity and as a result had been attacked,
raped and threatened persistently with further attack.
We were helping to protect her from further attack by hiding her in
Hungary, and eventually we helped her travel to Holland, while in
Holland she sought asylum, which was granted after the Dutch Government
acknowledged that she was directly threatened with rape, harrassment
and even death should her whereabouts be known to her persecutors.
Two weeks before she was granted asylum, two armed men raided our
office in Hungary looking for her, they tried to bring up files on our
computers but were prevented from accessing her files by PGP. They
took copies of the files that they believed related to her, so any
simple password or ordinary encryption would eventually have been
overcome. They were prepared to take the whole computer if necessary
so the only real line of defence was PGP.
Thanks to PGP her whereabouts and her life were protected. This
incident and the young woman's circumstances are well documented.
We have also had other incidents where PGP protected files and so
protected innocent people. If the US confirms the dubious precedent of
denying privacy in a cavalier fashion by trying to deny people PGP , it
will be used as a standard by which others will then engineer the
outlawing of any privacy. Partial privacy is no privacy. Our privacy
should not be by the grace and favour of any Government. Mediums that
ensured privacy in the past have been compromised by advances in
technology, so it is only fair that they should be replaced by other
secure methods of protecting our thoughts and ideas, as well as
information.
I wish you well with your hearing.
Yours most sincerely
[name deleted]
---
[end of quoted material]
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 17 Mar 1996 09:14:50 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee
The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.
This digest is a forum with information contributed via Internet
eMail. Those who understand the technology also understand the ease of
forgery in this very free medium. Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top. Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting. He will comply.
If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution. As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.
On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute. If you
do so, it is best to modify the "Subject:" line of your mailing.
Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored. They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious. Diversity is welcome, but not personal attacks. Do
not include entire previous messages in responses to them. Include
your name & legitimate Internet FROM: address, especially from
.UUCP and .BITNET folks. Anonymized mail is not accepted. All
contributions considered as personal comments; usual disclaimers
apply. All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy;
publications using CPD material should obtain permission from the
contributors.
Contributions generally are acknowledged within 24 hours of
submission. If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it
easier for the reader to follow a discussion. He will not, however,
alter or edit the text except for purely technical reasons.
A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives
are in the directory "pub/comp-privacy".
People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.
Web browsers will find it at gopher://gopher.cs.uwm.edu.
---------------------------------+-----------------------------------------
Leonard P. Levine | Moderator of: Computer Privacy Digest
Professor of Computer Science | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu
| Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu | Web: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------
------------------------------
End of Computer Privacy Digest V8 #026
******************************
.