Date: Thu, 11 Apr 96 18:33:31 EST
Errors-To: Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From: Computer Privacy Digest Moderator <comp-privacy@uwm.edu>
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#031
Computer Privacy Digest Thu, 11 Apr 96 Volume 8 : Issue: 031
Today's Topics: Moderator: Leonard P. Levine
White Pages on the Net
Re: USENET Reposters: Privacy and Copyright Concerns
Re: USENET Reposters: Privacy and Copyright Concerns
Re: USENET Reposters: Privacy and Copyright Concerns
Re: USENET Reposters: Privacy and Copyright Concerns
Caller ID in California
Re: Increasingly Intrusive Capability
Copyright of Usenet Articles
Robert Arkow vs CompuServe and CompuServe Visa
800 ANI
Re: SSN Absurdity
Social Security Info Used By Stolen Credit-Card Ring
Info on CPD [unchanged since 11/22/95]
----------------------------------------------------------------------
From: "Richard Schroeppel" <rcs@cs.arizona.edu>
Date: 07 Apr 1996 19:52:43 MST
Subject: White Pages on the Net
A nation-wide white pages has been effectively available for 40 years.
Chicago 1955: The biggest downtown department store, Marshall Fields,
maintains a bank of >20 public pay phones on the third floor. Next to
the phones is a set of phone directories for the cities of the US and
Canada. They are well used.
Santa Monica 1988: I want to locate a not-quite-an-acquaintance from
1970 by his name. I recall that he lives near Toronto. I go to the
public library, and consult several phone directories for the vicinity
of Toronto. His name is somewhat uncommon, and I find a few possible
hits. I write down the phone numbers. Later, at home, my second call
finds him.
--
Rich Schroeppel rcs@cs.arizona.edu
------------------------------
From: andypajta@aol.com (AndyPajta)
Date: 08 Apr 1996 11:32:17 -0400
Subject: Re: USENET Reposters: Privacy and Copyright Concerns
Organization: America Online, Inc. (1-800-827-6364)
References: <comp-privacy8.29.3@cs.uwm.edu>
Are you willing to sue Digital?
No. Copyright is largely an "interpretive" set of laws and unless there
are significant damages, no lawyer will even take the case (I tried
about 7 years ago for a $2000 loss).
But, while we can argue about fair use of reposting, certainly if
someone takes my thoughts and puts them on a CD and sells it, that's
some sort of infringement. Yes?
--
andypajta@aol.com
------------------------------
From: andypajta@aol.com (AndyPajta)
Date: 08 Apr 1996 11:56:27 -0400
Subject: Re: USENET Reposters: Privacy and Copyright Concerns
Organization: America Online, Inc. (1-800-827-6364)
paul@TDR.COM (Paul Robinson) writes: If you posted an article that
you are the owner, it would presume that you gave permission for
its distribution.
Yes, to a SPECIFIC site--I choose my audience and that is what *I
allowed*. Any other use was *NOT* authorized.
Your analogy of a USA Today letter further substantiates my point
because they say.. ALL LETTERS BECOME PROPERTY OF USA TODAY--it is with
that understanding that a submitter relinquishes copyright. Again, an
author must explicity give-up copyright. There is noting implied in
copyright law. Even "fair use" is highly (and typically incorrectly)
interpreted by publishers.
I think this area will, in the future, have plenty of legal battles
coming. InformationWeek recently did a cover story on copyright and Web
pages which suggested copyright may as well be throw-away because it's
so easy to pluck custom clip-art and content from various sites. But
just because there's no good way to control it doesn't make it right.
--
andypajta@aol.com
------------------------------
From: peter@nmti.com (Peter da Silva)
Date: 08 Apr 1996 15:22:36 GMT
Subject: Re: USENET Reposters: Privacy and Copyright Concerns
Organization: Network/development platform support, NMTI
References: <comp-privacy8.30.5@cs.uwm.edu>
Paul Robinson <paul@TDR.COM> wrote: If a site archived everything
on Usenet at the end of each day to CD-ROM and distributed that, I
believe it is no more infringing (and no less infringing) than
copying onto tape or delivering via wire in real-time.
For the first few years, Usenet was distributed to Australia in just
this way.
Some years later a company named Sterling Software started selling
Usenet feeds on CDROM. There was much bitching, but nobody was able to
make a convincing case that this was any different from any other feed.
What happened to them, anyway?
There is ample precedent that distribution of Usenet in ways that
retain Usenet-nature is legitimate (what's Usenet-nature? Well, if it's
organized into newsgroups and is unedited it's cretainly Usenet-like...
and AltaVista and DejaNews qualify...).
------------------------------
From: Patrick Crumhorn <patrik@io.com>
Date: 09 Apr 1996 16:49:38 -0500 (CDT)
Subject: Re: USENET Reposters: Privacy and Copyright Concerns
John C. Rivard wrote: The courts have an established precedent to
guide them on this specific example called "The Eight-Bar Rule."
Essentially, it is a legal rule of thumb which states that if more
than eight measures of a song is substantially (melodically)
identical to a pre-existing copyrighted work, the new work is
considered derivative work, and royalties must be paid to the
copyright holder of the original work. If the "identical" parts of
the song are less than eight bars, it is generally considered an
original (non-infringing) work.
Well, Allan Sherman's (admittedly humorous) attempt at copyrighting the
note "middle C" would not pass the eight-bar test, if judged as a
musical composition, true.
The problem here is that "middle C" is not a composition, but a
frequency (of 256 Hertz, if memory serves correctly). And over the
past several years, the US government has ruled that actual ownership
of specific frequencies is indeed legal, and protected by law.
There was recently some controversy over whether enormous portions of
the electromagnetic spectrum should be sold to the highest corporate
bidders, or should simply be given to them outright to do with as they
pleased. Nowhere in the superficial coverage of this issue was there
any hint that such a concept as ownership of the electromagnetic
spectrum would have been laughed at as silly fantasy as little as 10-15
years ago.
The Federal Communications Commission (FCC) was charged with
*regulating* the use of the electromagnetic spectrum within the
boundaries of the United States, and an organization called the ITU
coordinates such use on a worldwide scale. This is logical, as
coordination is needed to avoid interference between users of the
spectrum (one would not want a kid's walkie-talkie to be operating on a
frequency reserved for police or military use, for example).
But in the deregulation frenzy of the Reagan years, the idea of
allowing corporations to *own* frequencies outright (and resell or
trade this "property" amongst themselves) was adopted. One side-effect
of this is that a broadcast entity, say CBS, is outright *owning* a set
of frequencies, ostensibly for use for high-definition TV
broadcasting. But since they are now the owners of that part of the
spectrum, they are free to sell or rent it to Burger King to use in
their fast-food drive-thru 2-way communication. The resulting chaos
and negative impact on the rest of the world's communications is a
topic for another forum.
The bottom line, though, is that if Mr. Sherman were alive today, he
very well *could* get the legal rights to the frequency of 256 Hz, and
anyone attempting to modulate a signal on that frequency might very
well have to pay a license fee to Mr. Sherman. So his whimsy has bme
reality.
--
Patrick Crumhorn patrik@io.com
http://www.io.com/~patrik
"If you're not living on the edge,
you're taking up too much space." -- Bryan Estes
------------------------------
From: Beth Givens <bgivens@pwa.acusd.edu>
Date: 08 Apr 1996 11:35:15 -0700 (PDT)
Subject: Caller ID in California
FOR IMMEDIATE RELEASE Contact: Beth Givens
April 4, 1996 (619) 260-4160
CALLER ID: COMING SOON TO A PHONE NEAR YOU Privacy Rights Clearinghouse
Funded to Conduct Education Campaign
The Privacy Rights Clearinghouse joins a statewide campaign in
California to spread the word about the privacy impacts of Caller ID.
It is one of 43 consumer-related organizations to receive grant funds
from Pacific Bell and GTE as part of the massive consumer awareness
campaign required by the California Public Utilities Commission.
"Telephone privacy is precious to many Californians," said Beth Givens,
director of the Privacy Rights Clearinghouse. "Half of the households
in the state have unlisted numbers, the highest percentage of any
state."
Starting June 1 in California, telephone numbers will be transmitted
when calls are made. Those who subscribe to the Caller ID service and
who purchase a special display device will be able to see and capture
the calling party's number. Phone users who do not want their number to
be released can take advantage of blocking options, offered free. The
purpose of the consumer education campaign is to alert consumers to
those blocking options -- Complete or Selective Blocking (called Per
Line and Per Call Blocking, respectively, in other states).
"Our job, and that of the other grantees, is to reach people who might
not be aware of the announcements on TV, the radio and newspapers,"
said Givens. "The Clearinghouse is especially concerned about those who
are at risk from the release of their phone number -- victims of
domestic violence and stalking, and the shelters which serve them;
people who want to remain anonymous when calling hotlines for AIDS
counseling, suicide- prevention, and the like; and people in
professions like law enforcement, mental health counseling, and
teachers who need to shield their phone numbers when calling clients
from home."
The Clearinghouse offers an 8-page guide called "Caller ID and My
Privacy." Consumers can call (800) 773-7748 (California only, elsewhere
619-298-3396) to order. The guide provides an in-depth discussion of
the many privacy implications of Caller ID.
The Privacy Rights Clearinghouse is a grant-funded program administered
by the University of San Diego Center for Public Interest Law. In
operation for over 3 years, it has received 33,000 calls from
California consumers. It offers 19 guides on a variety of consumer
privacy issues, including privacy in cyberspace, telemarketing, credit
reporting, government records, workplace privacy and medical records.
NOTE: The fact sheet "Caller ID and My Privacy" is on the
Clearinghouse's Web site: URL:http://www.acusd.edu/~prc (Click on fact
sheets / English / number 19.)
--
Beth Givens Voice: 619-260-4160
Project Director Fax: 619-298-5681
Privacy Rights Clearinghouse Hotline (Calif. only):
Center for Public Interest Law 800-773-7748
University of San Diego 619-298-3396 (elsewhere)
5998 Alcala Park e-mail: bgivens@acusd.edu
San Diego, CA 92110 http://www.acusd.edu/~prc
------------------------------
From: huggins@tarski.eecs.umich.edu (James K. Huggins)
Date: 09 Apr 1996 12:41:06 -0400
Subject: Re: Increasingly Intrusive Capability
Organization: University of Michigan EECS Dept., Ann Arbor, MI
References: <comp-privacy8.30.9@cs.uwm.edu>
Robert Ellis Smith <0005101719@mcimail.com> writes: How can people
who work daily with computers and know their capabilities simply
shrug whenever a new application comes along that threatens
privacy? "So, what else is new?" they ask. [...] What's new is
that - even though that information has always been available - to
get it you would have had to search directories in public libraries
- or phone booths - in hundreds of cities. It was simply
impractical. Now it isn't.
I guess my main response is ... what can be done about it? If I agree
to have my name and address published in my local phone book, it
becomes public information --- and anyone can come along and give that
information to someone else without my knowledge. True, the process of
compiling huge repositories of such information is far easier than it
used to be. But there is nothing illegal about such activity. In the
case of the local phone book, I can (partially) eliminate the problem
by removing my address, or my address and phone number, from the phone
book. (Of course, this may cost me extra, but that's another debate.)
I think the issue that we're all dancing around is the notion that
"information" about an individual is now a tradeable commodity, and
that rarely does the individual described by a piece of information
have control over that information. If control exists, it is often of
an "all-or-nothing" nature, like the phone book example above. It
would be nice to see a finer-grained level of information control
introduced in many domains ... though I haven't the foggiest idea about
how such a system would work, or if it would be practical.
--
Jim Huggins, Univ. of Michigan huggins@umich.edu
(PGP key available upon request) W. Bingham Hunter
------------------------------
From: martin@kcbbs.gen.nz (Martin Kealey)
Date: 10 Apr 1996 01:48:26 +1200 (NZST)
Subject: Copyright of Usenet Articles
To quote from RFC-1036 section 2.1.5 (and RFC-850 section 2.1.7): "It
is recommended that no message ID be reused for at least two years."
To me, this means that after 2 years I can expect to publish another
article with the same message-id, and that it will circulate with out
any problem. In other words, all traces of the previous article will
have gone. I have a reasonable expectation that anything I post won't
last any longer than 731 days; if you keep it any longer than that,
you're beyond the implied licence to use my article.
Note that some groups and all mailing lists have a charter which in
some cases will provide for their own permanent archive. In that case,
you haven't a leg to stand on. In other cases, read on:
I would also like to remind everyone of one of the features of usenet
distribution that seems to have been overlooked in the hue and cry
about DejaNews: the "Expires" header. You can set the lifetime of your
message by including an "Expires" header.
This is as much a part of the implied license for distribution as the
act of posting since (it is machine readable), and any site which
retains a message for longer than the time indicated is not covered by
that implied licence. I don't know whether DejaNews abides by Expires
headers, but if they don't, someone is going to sue them one of these
days and succeed.
(In addition to the time specified by the expiry header, there is an
additional license implied by the nature of the propagation algorithm
to keep the message for a small minimum amount of time to prevent
looping: however this should be no more than 2 weeks, and should
*decrease* as network speeds increase.)
Actually, copyright legislation in some (most?) countries has provision
for "private study", which in effect means that I can keep things as
long as I like for my own edification, but can't make copies to pass
on. Handing it to a potential employer (for their own "personal use")
would be a gray area.
Aside from the legal issues, there are some technical things one can do
to ensure that articles are not retained:
* include !dejanews.com! somewhere in the "Path" header
* keep a store of 2-year-old message IDs and deliberately
reuse them (we aren't under any obligation to make indexing
easy after all)
And to give yourself some legal standing when it eventually comes to
blows:
* include an Expires header
hrick@gate.net (Rick Harrison) wrote: Personally I hope messages
posted to Usenet will be proven to be public domain material
[unless otherwise endorsed]
There is no need for articles to fall into the public domain if an
automatic licence to copy and forward the message is granted by
posting; you have all the licence you need *and no more*. All such a
suggestion would do would be to encourage people to plaster pseudo
copyright notices over their messages and take up yet more bandwidth
for no good reason.
Other rights should not be extinguished by any sort of publication,
including the right to be identified as the author.
jcr@mcs.com (John C. Rivard) said: The current copyright law states
that any item fixed is automatically copyrighted by the author,
copyright notice or not. The act specifically states that
copyrighted items do NOT fall into the public domain unless
specifically placed their by the copyright holder.
This is the general tenor of such legislation around the world,
including here; I believe this is as required by the Berne Convention.
johnl@iecc.com (John R Levine) said: Finally, remember that
copyright is a civil, not a criminal law. Unless you've registered
your copyright, which requires a paper form and $20, you can only
claim actual damages from an infringer.
This is the nub of the matter; if I write something, and then five
years down the track I write a book "my life on the net", then I can
claim real losses if someone else prints a copy of my book in
competition with me based on the messages they've stored - they are
still mine to distribute how I see fit, and by then any implied licence
to use should have expired. (See the 2-year note above.)
On the other hand, if I lose a contract because someone hands my client
a note I wrote 5 years ago, it's going to be a lot harder to prove a
material COPYRIGHT loss.
DejaNews does more than index: an index is legal; a permanent archive
isn't necessarily so.
Paul Robinson <paul@TDR.COM> said: I believe that the legal
doctrine of "fair use" and "implied license" would apply here: by
posting a message on usenet you are permitting its distribution to
other sites that carry it. [...] if a place has the disk space to
store everything, it would be permissible for it to do so.
I disagree; there is an implied maximum of two years, and provision to
set an explicit maximum.
--
Martin.
------------------------------
From: Urs Gattiker <Urs.Gattiker@uniBW-Hamburg.de>
Date: 10 Apr 96 14:15:43 -0700
Subject: Robert Arkow vs CompuServe and CompuServe Visa
Organization: University of the German Federal Armed Forces at Hamburg
I am looking for information on Robert Arkow and his lawsuit against
CompuServe and CompuServe Visa. The information I have to date is that
the lawsuit was filed, however I need to know what the outcome was or
if it is still pending. Do you have such information, and if so, could
you please let me know where I can find it?
Thank you for your help, and I look forward to hearing from you.
Sincerely,
Linda Janz
------------------------------
From: dgc@mar.del (David G. Cantor)
Date: 10 Apr 1996 15:12:30 -0700
Subject: 800 ANI
Organization: CCR
References: <comp-privacy8.29.11@cs.uwm.edu>
I have a personal 800 number. I have to pay for every call on that
number. I certainly want to know who's calling.
But how about the following:
Someone calling an 800 (or 888) number who wants privacy (no ANI) PAYS
for the call. In other words, there should be a privacy prefix, as in
Caller-ID), but use of this prefix will cause the CALLING number to be
billed.
--
dgc
David G. Cantor
CCR
San Diego, CA
dgc@ccrwest.org
------------------------------
From: wrfuse@mab.ecse.rpi.edu (Wm. Randolph U Franklin)
Date: 09 Apr 1996 23:06:05 GMT
Subject: Re: SSN Absurdity
Organization: ECSE Dept, Rensselaer Polytechnic Institute, Troy, NY, 12180 USA
References: <comp-privacy8.28.12@cs.uwm.edu>
There are other examples of peoples' SSNs being listed.
- The public tax returns (form 990) of nonprofit orgs list many of the
orgs' officials' SSNs.
- The Daily Racing Form lists SSNs of suspended jockeys.
Concerning SSNs there was a recent story about some SSA employees being
disciplined for selling personal info to be used for credit card
fraud. Does anyone remember when the SSA itself used to sell SSN info
to credit agencies?
--
Wm. Randolph Franklin, Rensselaer Polytechnic Institute.
------------------------------
From: taxhaven@ix.netcom.com (Adam Starchild )
Date: 07 Apr 1996 21:55:00 GMT
Subject: Social Security Info Used By Stolen Credit-Card Ring
Organization: Netcom
Social Security Info Used By Stolen Credit-card Ring
NEW YORK (Apr 6, 1996) -- In what computer experts say may be one of
the biggest breaches of security of personal data held by the federal
government, several employees of the Social Security Administration
passed information on more than 11,000 people to a credit-card fraud
ring, according to federal prosecutors in New York.
That information, the prosecutors said in court papers filed last week,
included Social Security numbers and mothers' maiden names, and allowed
the ring to activate cards stolen from the mail and run up huge bills
at merchants ranging from J&R Music World to Bergdorf Goodman.
The court papers do not name the Social Security employees who
prosecutors said stole the information from the agency. But the
documents refer to an unidentified female employee of the Brooklyn
office of the agency who pointed investigators to Emanuel Nwogu, a New
York City employee who was charged last week with fraud in federal
court. He was released on bond.
A spokesman for the U.S. attorney in Manhattan said that the
investigation is ongoing, and that others are likely to be charged.
The court documents link this case to one involving Tony Iohya,
arrested in Louisiana in February with what prosecutors said was also
personal information stolen from the same Social Security office.
The New York case is the first known widescale break into the vast
Social Security database, which contains personal information on
virtually every working American, said Philip A. Gambino, the director
of press affairs for the agency. The agency is "shocked and
disheartened" by the case, Gambino said, and will look for ways that
its security can be improved.
The case is also part of an increasing number nationwide in which
information is stolen from business, medical and government files.
While much attention has been paid to hackers who break into electronic
databases through high-tech back doors, experts say most computer crime
is committed by employees who are authorized to use the systems.
"The human link is the weakest link in any information security
program," said Ira Winkler, technical director for the National
Computer Security Association. "If you are a clerk making $12,000 or
$18,000 a year, and someone offers you a few hundred to a few thousand
dollars every so often to look up some specific information, it's a
tempting offer."
Such personal information is increasingly necessary to commit credit
card fraud, because antifraud measures like holograms have made it
harder to manufacture a fake card simply with an account number stolen
from a discarded receipt.
Credit card fraud is estimated to be $1.5 billion in 1995, according to
H. Spencer Nilson, publisher of the Nilson Report, a newsletter. The
fastest growing type of fraud, he said, involves stealing valid cards
out of the mail or filing a change-of- address from for existing
cardholders.
The scheme involving Social Security records was first detected in
February by Citibank, which noticed an unusual amount of fraudulent
charges on credit cards that it had mailed to customers, but that the
customers said they had not received, according to court papers.
Citibank, like many banks, now requires customers who receive new cards
to activate them by calling a special telephone number and providing
information like their mother's maiden name. But the bank discovered
that its security system had been foiled in 52 cases in which cards
were activated by someone who was not the cardholder but had access to
the cardholder's mother's maiden name.
Citibank got in touch with Social Security, which keeps files of
maternal maiden names and records the identification number of
employees who call up files. The agency determined that a female
employee at the Brooklyn Social Security office had checked the records
of at least 23 of the 52 cases and had looked at personal records for
10,000 people since January 1995. Ten other employees in the same
office had looked at the records of 1,200 to 1,400 other people.
When confronted by federal investigators, the female worker chose to
cooperate, the court papers say. According to the papers, she met
Nwogu, a case worker at the New York City Human Resources
Administration in Brooklyn, in mid-1993, and over the last two years
she has checked the records of 30 people per day for him.
The government says it has identified at least $330,000 in unauthorized
charges, and the total is "believed to be much greater," according to
the court papers.
--
Posted by Adam Starchild
Asset Protection & Becoming Judgement Proof at
http://www.catalog.com/corner/taxhaven
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 17 Mar 1996 09:14:50 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee
The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.
This digest is a forum with information contributed via Internet
eMail. Those who understand the technology also understand the ease of
forgery in this very free medium. Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top. Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting. He will comply.
If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution. As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.
On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute. If you
do so, it is best to modify the "Subject:" line of your mailing.
Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored. They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious. Diversity is welcome, but not personal attacks. Do
not include entire previous messages in responses to them. Include
your name & legitimate Internet FROM: address, especially from
.UUCP and .BITNET folks. Anonymized mail is not accepted. All
contributions considered as personal comments; usual disclaimers
apply. All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy;
publications using CPD material should obtain permission from the
contributors.
Contributions generally are acknowledged within 24 hours of
submission. If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it
easier for the reader to follow a discussion. He will not, however,
alter or edit the text except for purely technical reasons.
A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives
are in the directory "pub/comp-privacy".
People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.
Web browsers will find it at gopher://gopher.cs.uwm.edu.
---------------------------------+-----------------------------------------
Leonard P. Levine | Moderator of: Computer Privacy Digest
Professor of Computer Science | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu
| Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu | Web: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------
------------------------------
End of Computer Privacy Digest V8 #031
******************************
.