Date: Fri, 29 Mar 96 13:29:43 EST
Errors-To: Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From: Computer Privacy Digest Moderator <comp-privacy@uwm.edu>
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#028
Computer Privacy Digest Fri, 29 Mar 96 Volume 8 : Issue: 028
Today's Topics: Moderator: Leonard P. Levine
Re: The Stalker's Home Page
Re: How Do Junk eMailers Get Addresses?
Re: How Do Junk eMailers Get Addresses?
Re: How Do Junk eMailers Get Addresses?
Re: Individual RTP vs. Corporate FOS
Re: Individual RTP vs. Corporate FOS
Chase Bank Credit Info
Computer Privacy
ANI blocking
Re: Privacy and Electronic Commerce
USENET Reposters: Privacy and Copyright Concerns
SSN Absurdity
Re: All Brothers May Be Watching Us
Re: 800 ANI
Info on CPD [unchanged since 11/22/95]
----------------------------------------------------------------------
From: "Michael J. McClennen" <michaelm@eecs.umich.edu>
Date: 25 Mar 1996 16:34:11 -0500
Subject: Re: The Stalker's Home Page
Organization: University of Michigan EECS Dept., Ann Arbor, MI
References: <comp-privacy8.27.2@cs.uwm.edu>
In fact, this is nothing new. The capability to find anyone anywhere
in the country has existed for at least 20 years now. Case in point:
20 years ago, my cousin fled an abusive relationship in California.
For the next four years, until she found someone able to protect her,
she was regularly visited and threatened by this man. No matter where
she moved (or how far off the beaten path) he was always able to find
her within a few months.
All this technology does is make available to the casual user the kinds
of information that were formerly available to anyone willing to track
down the right sources and pay the right fees or bribes.
--
MIchael McClennen
------------------------------
From: "Chris W. Rea [UL]" <cwrea@credit.erin.utoronto.ca>
Date: 25 Mar 1996 18:13:11 -0500
Subject: Re: How Do Junk eMailers Get Addresses?
Organization: Erindale College, University of Toronto, Canada
References: <comp-privacy8.27.9@cs.uwm.edu>
Lee <lihou@ms2.hinet.net> wrote: I'd also appreciate if someone
tell basic facts about how they get other people's email
addresses.
There are many ways that unscrupulous advertisers can get ahold of
email addresses:
1) Some sites have lists of users available through gopher, WWW, etc.
The idea is to have some kind of address book to make the lives of
people who actually want to get in touch with _you_ easier. Your system
administrators mean well, but unscrupulous advertisers can copy these
lists. This is why some sites choose not to have such a service.
2) Unscrupulous advertisers can rip out your email address from any
news that you post to Usenet.
3) If you are on any public mailing list, unscrupulous advertisers can
join these and pilfer the names of any posters to the list.
4) Using a list of sites and finger, unscrupulous advertisers can see
if your system gives a list of online users when fingered. New
addresses can then be added to their master list. Some sites only allow
fingering a specific user ID, and don't give a list of all online
users.
There are automated ways of doing the above, so it is quite easy for
somebody to get hundreds of email addresses per minute. Unscrupulous
advertisers who don't want to go to so much trouble can probably buy
such a list from somebody else.
I use a program that screens incoming mail, and directs anything from
people I don't know to a secondary folder. It also sorts mail that is
directly addressed to me differently from mail that is only CC'd to me
or that is addressed to multiple recipients.
Also, when I get such a message, I send a request to the remote site's
administrator asking them to please inform the user who sent the
unsolicited mail to please not do so again.
If the mail is coming from somebody in the same country/state/province
as you, you might have recourse if your local harassment laws are
strict enough. Of course, I don't think these would count for first
offenses. If you do ask somebody to not mail you, and they do it again
and again, you might have a legal option. But I'm not a lawyer, so I
don't know. :-)
--
[ CHRIS W. REA [UL] UofT CompSci email: cwrea@credit.erin.utoronto.ca ]
[ This message is copyright (C)1996 by the author. All rights reserved. ]
------------------------------
From: glr@ripco.com (Glen L. Roberts)
Date: 28 Mar 1996 15:56:34 GMT
Subject: Re: How Do Junk eMailers Get Addresses?
Organization: Full Disclosure
References: <comp-privacy8.27.9@cs.uwm.edu>
lihou@ms2.hinet.net (Lee) wrote: I'd also appreciate if someone
tell basic facts about how they get other people's email
addresses.
It is trivial to write a program to cull them out of newsgroup
postings, and/or web pages...
------
Links, Downloadable Programs, Catalog, Real Audio & More on Web
Full Disclosure [Live] -- Privacy, Surveillance, Technology!
(Over 153 weeks on the Air!)
The Net Connection -- Listen in Real Audio on the Web!
http://pages.ripco.com:8080/~glr/glr.html
------
------------------------------
From: branden@ecn.purdue.edu (Branden Robinson)
Date: 29 Mar 1996 05:33:39 GMT
Subject: Re: How Do Junk eMailers Get Addresses?
Organization: Purdue University
References: <comp-privacy8.27.9@cs.uwm.edu>
Lee (lihou@ms2.hinet.net) wrote: Recently I have begun receiving
more and more junk e-mail. The most I'd also appreciate if someone
tell basic facts about how they get other people's email
addresses.
http://www.dejanews.com/ illustrates the method beautifully.
Simpy get a USENET feed, select your scope, and suck out every email
address you see.
--
"There is no gravity in space." | G. Branden Robinson
"Then how could astronauts walk around on the Moon?" | Purdue University
"Because they were wearing heavy boots." | branden@ecn.purdue.edu
------------------------------
From: johnl@iecc.com (John R Levine)
Date: 25 Mar 96 22:34 EST
Subject: Re: Individual RTP vs. Corporate FOS
Organization: I.E.C.C., Trumansburg, N.Y.
If you find yourself in any sort of agreement with some of the
ideas I'm expressing in this message to Deja News, please let them
know of your concerns. I'm concerned about the individual's right
to privacy which I feel is superior to corporate freedom of speech,
since the corporation can exert a much greater damaging influence
over an individual than an individual can exert on a corporation,
practically speaking.
I'm as strong a privacy advocate as anyone, but I really don't see the
point of railing against DejaNews. After all, when you send out a
message to usenet, you're asking a cooperating network of several
hundred thousand computers to distribute it all over the world so that
any or all of several million people can read it. And having done
this, you consider your message to be private? I don't get it.
The reality is that usenet messages have been archived practically
since usenet began 15 years ago. For example, I have complete archives
of comp.compilers, which I moderate, going back to when the group began
ten years ago. The archives are available via FTP, WWW, and e-mail.
Is this because I'm a snoop? No, it's because they're interesting and
people are constantly retrieving interesting past discussions. Also,
there have long been usenet sites that get their feeds on tape, either
for security reasons or because they're in remote areas where long
phone calls are impractical. What happens to the old tapes? I expect
they're all saved somewhere.
I actually think that DejaNews is a good thing from a privacy point of
view because it levels the playing field -- regular users can now look
through usenet archives the same way that snoops at three letter
organizations have been doing all along.
Note that this is a different issue from that of usenet material being
appropriated for commercial purposes. For example, I sent a summary of
a dismaying April 1994 speech by an IRS system manager to a couple of
places on the net, and my summary showed up word-for-word in Wired
magazine later that year with no attribution. That isn't an issue of
privacy, that's theft. But DejaNews makes their database available
informally at no charge to web users, which seems to me entirely in
keeping with the way usenet articles are distributed.
--
John R. Levine, IECC, POB 640 Trumansburg NY 14886 +1 607 387 6869
johnl@iecc.com "Space aliens are stealing American jobs." - Stanford econ prof
------------------------------
From: branden@ecn.purdue.edu (Branden Robinson)
Date: 29 Mar 1996 05:53:16 GMT
Subject: Re: Individual RTP vs. Corporate FOS
Organization: Purdue University
References: <comp-privacy8.27.10@cs.uwm.edu>
Steven D. Sybesma (sybesma@netcom.com) wrote: I am posting here an
e-mail message I just sent to Deja News about their business
practices. I didn't find out about what their service consisted of
(although I had vaguely heard of them) until I read the Rocky
Mountain News article from 3/10/96 entitled "Searched, stalked on
Internet"). [...]
I'm not sure you understand how USENET works. Do you remember that
little message Pnews tells you the first time you use it? ("This
message will be distributed to machines all over the world, costing the
net hundreds, if not thousands, of dollars.")
I know of few more blatant examples of self-advertisement than posting
to USENET. If you write a letter to the editor of a national magazine
where standard practice in the letters column is to print names and
addresses, should you be all that surprised if someone uses that
information to contact you?
Want your name and address withheld? You have to ask the magazine to
do that. Likewise, on the net, you must use an anonymous account or
mail-to-news gateway.
I, too, was a little startled to see the hits my name brought up on
DejaNews. Posts I had made months ago that I had completely forgotten
about showed up before my eyes.
Did I decide DejaNews was violating my right to privacy? No. My name
and email address show up at least twice on every message I post to the
public, international fora called USENET.
All the guys at DejaNews did was set up a news server that archives
posts back for a couple of months, and stuck a search engine on it. If
you had enough disk space to archive the posts, writing a search engine
to do what they do would be a trivial task for an undergraduate in
computer science (and for many non-CS majors as well).
USENET is anything BUT a private forum. You splatter your name across
the net and you expect no one to notice? If you have something to
protect, take that into account before you post. And don't tell me I'm
not sympathetic to privacy issues -- I am *very* concerned. I support
the Fourth Amendment without hesitation (and the other nine as well).
But if you expect remarks you make to a potential audience of millions,
tagged with your name, to just tumble down a hole and be forgotten,
whether they were serious discussions or flippant remakrs, you're
fooling yourself.
USENET, regardless of its original intent, today serves as a massive
bulletin board where anyone can air their thoughts to a worldwide
audience. Your complaint is simply the result of your
non-consideration of the ramifications of that function. If you want
to restrict your audience, use email (either personal or in the form of
a mailing-list). Were anyone to develop something like DejaNews for
electronic mail, I would be all over them in the name of privacy --
justifiably -- and I would hope you would join me.
--
"A celibate clergy is an especially good idea, | G. Branden Robinson
because it tends to suppress any hereditary | Aerospace Engineering
propensity toward fanaticism." | Purdue University
-- Carl Sagan | branden@ecn.purdue.edu
------------------------------
From: centauri@crl.com (Charles Rutledge)
Date: 25 Mar 1996 19:35:20 -0800
Subject: Chase Bank Credit Info
Organization: CRL Dialup Internet Access (415) 705-6060 [Login: guest]
Chase Bank is offering a new service for charge card holders that
allows you to get your information about your account over the phone.
Enter your account number and your zip code, and you can find out the
following:
1) Account balance
2) Credit available
3) Cash advance available
4) Ammount of last payment
5) Next minimum payment
6) Date that payment is due
I called Chase and asked why this information was available with so
little security. The representative told that only "basic" information
was given out, so it was not a security risk. Of course I explained
that this is information that I were prefer not be made public and that
it really should be protected with a pin number. How hard could it be
for someone to get my account number and my zip code? She said that
she send it on as a suggestion.
Considering that the banks are always warning us to be cautious with
our account information, I find it absurd that they would protect this
kind of info with my zip code. This my be the only instance where it
would be safer by using my SSN.
--
Charles Rutledge | Liberty is a tenuous gift. Hard to win, easy
centauri@crl.com | to give away, and no will protect it for you.
------------------------------
From: quinn@direct.ca (john quinn)
Date: 26 Mar 1996 04:28:50 GMT
Subject: Computer Privacy
Organization: Internet Direct Inc.
I need some help on a legal question. Can an employer obtain
information from a computer and from disks marked "private" and use
that information to fire an employee?
Specifically, another employee found files considered inappropriate,
reported them to management, who subsequently read through all the
files and built a case against the original employee.
Can this information be used against the employee, or is it
inadmissable due to an invasion of privacy?
--
Jack Quinn
------------------------------
From: Dean Ridgway <ridgwad@PEAK.ORG>
Date: 26 Mar 1996 00:20:56 -0800
Subject: ANI blocking
Greetings everyone!
I think this discussion on ANI/CLID is getting way out of hand. ANI is
a fact of life for 800 callers, get used to it. If you don't want them
to get your number use a phone booth.
I think I have said this once before here. If I am calling a business'
800 number, more than likely I want to do business with them. Thus I
don't particularily care if they get my name, number, and credit
rating.
What I *DO* care about is them selling this information to a third
party. Most companies see this as "free" money and the only way to get
them to stop this despicable practice will be some kind of legislative
action.
With all the pro-big business types in Washington, don't hold your
breath. :-(
--
/\-/\ Dean Ridgway | Two roads diverged in a wood, and I-
( - - ) InterNet ridgwad@peak.org | I took the one less traveled by,
=\_v_/= FidoNet 1:357/1.103 | And that has made all the difference.
CIS 73225,512 | "The Road Not Taken" - Robert Frost.
http://www.peak.org/~ridgwad/ PGP mail encouraged, finger for key:
28C577F3 2A5655AFD792B0FB 9BA31E6AB4683126
------------------------------
From: collins@ait.nrl.navy.mil (Joe Collins)
Date: 26 Mar 1996 14:56:07 -0500
Subject: Re: Privacy and Electronic Commerce
Organization: Naval Research Laboratory
References: <comp-privacy8.26.12@cs.uwm.edu> <comp-privacy8.27.5@cs.uwm.edu>
peter@nmti.com (Peter da Silva) wrote: The issue isn't that
electronic commerce is incompatible with privacy, but that
electronic *credit* is. And it's not always clear whan a
transaction is based on credit (for example, rentals are basically
credit transactions but people don't think of them that way).
I find some of Peter da Silva's arguments do not consider the breadth
of what I consider electronic commerce to be. I also find the specific
examples Peter da Silva cites of privacy ensuring methods either make
overly optimistic assumptions or are in agreement with the concepts of
privacy brokerage.
First, I do not consider commerce to be restricted to simple purchase
transactions of money for goods. I would also consider extension of
credit to be part of commercial activity. There are a wide range of
commercial contractual arrangements that are not restricted to either
of these. Examples: secured mortgage agreements, real property
transactions, insurance-covered medical treatment (requires
identification), etc.
"Electronic cash" in its many variations has the features fitting the
general concept of privacy brokerage:
The issuer is the privacy broker; The cash usually utilizes
one-time keys; There must be traceability and accountability
between the user and the issuer to prevent counterfeiting or
fraud.
(It would be a mistake to believe that any electronic cash system is
invulnerable to counterfeiting). Consider also that the bank
underwriting the electronic cash will probably report a transaction
history to me. How can that happen if I am unlocatable? Finally, how
many people will store lots of electronic cash on their computer if
they are liable for its loss?
With respect to electronic banking, many laws and customs prevent
anonymous account-holding for accounts against which I might issue a
draft (to prevent counterfeiting) or from which I earn interest
(reported to tax collectors). For banking, in general the bank would
serve as a privacy broker and WILL hold information about the account
holder. How they dispense that information depends on their security
policy.
The basic problem with the arguments presented by Peter da Silva lie in
assumptions in the following statement:
... Then you wouldn't have to reveal your identity unless you had a
dispute with the electronic bank holding your deposit.
Commerce is mediated by contracts: implicit, verbal, or written. A
contract is a bilateral or multilateral arrangement requiring trust
from all parties. If any party can remain anonymous, the contract
cannot be enforced against that person, and there is no reason to trust
that person.
--
Joe Collins
------------------------------
From: andypajta@aol.com (AndyPajta)
Date: 26 Mar 1996 17:44:35 -0500
Subject: USENET Reposters: Privacy and Copyright Concerns
Organization: America Online, Inc. (1-800-827-6364)
Copyrightable Postings....
I was using the new Alta Vista newsgroup search engine (very cool,
BTW), and got to wondering...
If anything I write is copyrighted as soon as it is "fixed" and I
choose to "publish" it on a newsgroup for other SUBSCRIBERS, that
doesn't give any individual subscriber (the search engine, in this
case), the right to re-publish it (i.e., to charge advertisers for
space on their web page and allow the viewing of my composition beyond
what I originally intended).
Further, because a composition can so easily be taken out of context,
there is a risk of literally changing the meaning of a posting.
I don't see a similar problem with Web indexers because they are just
creating directories, but the newsgroup re-posters are publishing
content.
Alta Vista claims messages are posted with the author knowing they can
be read by anyone, suggesting, perhaps, they view the material as
public domain. But I think that a lot of people who post material to
share among a group of subscribers intends that material to be shared
with only that group. To put it more...legal?... I can not photocopy a
magazine article and republish it in another magazine without the
copyright owner's permission.
I think, actually, a lot of what's posted is dribble -- maybe this post
included :-) -- but I have seen fleshed-out stories and original poetry
posted here as well as other material people have expressed an interest
in selling.
Does anyone have similar observations/concerns?
:-)
andypajta@aol.com
P.S. The key here is the "publishing" and "reposting" that's going on.
I should be able to pick my audience, eh?
------------------------------
From: glr@ripco.com (Glen L. Roberts)
Date: 28 Mar 1996 15:55:50 GMT
Subject: SSN Absurdity
Organization: Full Disclosure
Someone mailed me an few pages out of the 3/20/96 Congressional Record
- Senate S2546. It has a list of "Executive Nominations received by
the Senate 3/20/96" It then lists hundreds of NAMES & SSNs!
Are these people insane? Have they no concern for privacy?
------
Links, Downloadable Programs, Catalog, Real Audio & More on Web
Full Disclosure [Live] -- Privacy, Surveillance, Technology!
(Over 153 weeks on the Air!)
The Net Connection -- Listen in Real Audio on the Web!
http://pages.ripco.com:8080/~glr/glr.html
------
------------------------------
From: glr@ripco.com (Glen L. Roberts)
Date: 28 Mar 1996 15:56:04 GMT
Subject: Re: All Brothers May Be Watching Us
Organization: Full Disclosure
References: <comp-privacy8.26.10@cs.uwm.edu>
wjanssen@cs.vu.nl (Wouter Janssen) wrote: Big Brother is watching
us? Probably, I don't know for sure, I'm just careful :) but did
you know just anybody can search a database and see what articles
you posted on which newsgroups lately? I didn't untill I found out
about DeJaNews. An on-line database on WWW where you can enter
keywords to search on some specific topic. However, usernames are
topics too! Many of you probably knew about this, but in case you
didn't be warned when you post something! (btw, the URL for
DeJaNews = http://www.dejanews.com/forms/dnq.html)
DeJaNews is getting a lot of "crap" for this.
But... no one has noticed that "Net Search" (info seek) under netscape
does the same thing!
Beyond that... what is the point of posting in a public forum, if you
do not want others to read your post?
------
Links, Downloadable Programs, Catalog, Real Audio & More on Web
Full Disclosure [Live] -- Privacy, Surveillance, Technology!
(Over 153 weeks on the Air!)
The Net Connection -- Listen in Real Audio on the Web!
http://pages.ripco.com:8080/~glr/glr.html
------
------------------------------
From: JF_Brown@pnl.gov (Jeff Brown)
Date: 28 Mar 1996 22:27:12 +0000 (GMT)
Subject: Re: 800 ANI
Organization: Battelle Pacific Northwest Labs
References: <comp-privacy8.18.10@cs.uwm.edu> <comp-privacy8.22.7@cs.uwm.edu>
johnl@iecc.com (John R Levine) writes: An important question to
start with is how much per month extra you're willing to pay to
make 800 numbers blockable. Someone has to pay, and 800 customers
certainly don't have any interest in paying for this. If, as I
suspect, the answer for most people is "nothing", that suggests
that nothing's going to change.
Another few points:
I know that I think about which 800 calls I'll make since that gives
away my phone number. I had a conversation over lunch today with some
folks who have Cellular phones, and they said they had to be careful
giving out their number since they have to pay for all calls whether
initiated by them or not. They were not aware that call blocking did
not work on 800 calls, but now that they are will take care there
also.
Bottom line: how many calls are businesses willing to NOT get because
they want to get the phone number of the caller?
--
Jeff Brown
JF_Brown@pnl.gov
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 29 Mar 1996 09:14:50 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee
The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.
This digest is a forum with information contributed via Internet
eMail. Those who understand the technology also understand the ease of
forgery in this very free medium. Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top. Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting. He will comply.
If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution. As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.
On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute. If you
do so, it is best to modify the "Subject:" line of your mailing.
Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored. They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious. Diversity is welcome, but not personal attacks. Do
not include entire previous messages in responses to them. Include
your name & legitimate Internet FROM: address, especially from
.UUCP and .BITNET folks. Anonymized mail is not accepted. All
contributions considered as personal comments; usual disclaimers
apply. All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy;
publications using CPD material should obtain permission from the
contributors.
Contributions generally are acknowledged within 24 hours of
submission. If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it
easier for the reader to follow a discussion. He will not, however,
alter or edit the text except for purely technical reasons.
A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives
are in the directory "pub/comp-privacy".
People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.
Web browsers will find it at gopher://gopher.cs.uwm.edu.
---------------------------------+-----------------------------------------
Leonard P. Levine | Moderator of: Computer Privacy Digest
Professor of Computer Science | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu
| Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu | Web: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------
------------------------------
End of Computer Privacy Digest V8 #028
******************************
.