Date: Tue, 14 May 96 06:49:44 EST
Errors-To: Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From: Computer Privacy Digest Moderator <comp-privacy@uwm.edu>
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#038
Computer Privacy Digest Tue, 14 May 96 Volume 8 : Issue: 038
Today's Topics: Moderator: Leonard P. Levine
Re: Privacy Phone Guard
Re: Privacy Phone Guard
Re: Privacy Phone Guard
Re: Automated Toll Collection
Re: Automated Toll Collection
Re: Automated Toll Collection
New Internet Journal
Privacy "Management" Companies
CLUB WIRED: Sameer Parekh, 16 May, 7 pm PDT
Biometric Encryption
Re: Medical Privacy on Nightline
Info on CPD [unchanged since 11/22/95]
----------------------------------------------------------------------
From: Wotan <wotan@netcom.com>
Date: 08 May 1996 23:01:45 -0400 (EDT)
Subject: Re: Privacy Phone Guard
Do you worry that your phone number is available to anyone whom you
call with a caller id box? [...] For a very simple phone guard that
you can implement right now with little or no equipment and little
or no cost send 4.95$ to:
Sounds a lot like Caller Id Blocking, which your local phone company is
supposed to provide info on for free if they support Caller ID.
------------------------------
From: chazl <chazl@leonardo.lmt.com>
Date: 09 May 96 10:26:30 -0500
Subject: Re: Privacy Phone Guard
Do you worry that your phone number is available to anyone whom you
call with a caller id box?
Do you worry that your phone number is very likely available to anyone
who knows your name and has access to a phone book, regardless of
whether or not you EVER CALL THEM?
I really do not understand all the hullabaloo about how CallerID
allegedly violates one's privacy. Here's the way I view it:
If you walked up to my door and rang the doorbell with a bag over your
head, would you be surprised that I would be unlikely to let you in?
Is it be a violation of your privacy for me to request that you
identify yourself before I decide whether to open the door?
Why should my phone [which is another means into my home and life] be
any different? Someone calls me and wants to talk to me. Why
shouldn't I have the right to know who that individual is before I
decide whether or not to grant that request?
For a very simple phone guard that you can implement right now with
little or no equipment and little or no cost send 4.95$ to:
I worry far more about those who would sell a sheet of instructions on
how to dial *67 before you place a call.
Uh-oh, did I let the cat out of the bag?
Oh, while I have your ear:
Do you worry that your computer is susceptible to power surges and
lightning strikes?
I DO!
For a very simple surge protection system that you can implement right
now with little or no equipment and little or no cost, please send me
$4.95.
This is a simple and elegant system which involves placing a barrier of
an easily obtainable gas between your computer's power cord and the
electrical outlet, and will render your computer immune to power surges
and lightning strikes.
--
Chaz Larson - chaz@visi.com - http://www.visi.com/~chaz
Once you take away my right to speak, everybody in the world's up shit
creek. - Ice-T, 'Freedom of Speech'
------------------------------
From: PatrickK@Mail.Reinhardt.Edu (NYOB)
Date: 09 May 1996 22:17:31 GMT
Subject: Re: Privacy Phone Guard
Organization: University System of Georgia (PeachNet)
References: <comp-privacy8.37.1@cs.uwm.edu>
Do you worry that your phone number is available to anyone whom you
call with a caller id box?
You might also simply want to try the *67 feature. Many bell services
offer this as an effective means of blocking caller id. Anytime you
dial *67 before dialing a number it will circumvent the caller id on
the recieving line.
------------------------------
From: Wotan <wotan@netcom.com>
Date: 08 May 1996 23:06:40 -0400 (EDT)
Subject: Re: Automated Toll Collection
The State of Virginia is encouraging drivers on the Dulles Tollway
to sign up for a program that automates toll collection. A sensor
at the toll station identifies your car and debits an account you
set up. You can opt for automatic transfer against a credit card
when the account [...]
Well, the option to just toss some change into the bucket or pay the a
real person is still open.
If i understand the purpose of this thing correctly, it is supposed to
help commuters save time by not needing to wait in line behind people
paying the toll - your supposed to just drive on thru. Is it more
conveinant to save the time than protect privacy on your driving
habits?
------------------------------
From: dan@dvl.co.nz (Dan Langille)
Date: 12 May 1996 20:24:03 GMT
Subject: Re: Automated Toll Collection
Organization: DVL Software Limited
References: <comp-privacy8.37.2@cs.uwm.edu>
The State of Virginia is encouraging drivers on the Dulles Tollway
to sign up for a program that automates toll collection. A sensor
[...]
As the program is voluntary, I don't see this as an invasion of
privacy. If it was compulsory, that would be quite different. But I
don't think any such program could be made compulsory as it would
prevent non-locals from using the Tollway.
It's really no different to a VISA bill; they know where you have
been. But so what?
--
Dan Langille
DVL Software Limited - Wellington, New Zealand
------------------------------
From: ipcab@planet.eon.net
Date: 13 May 1996 19:02:38 GMT
Subject: Re: Automated Toll Collection
Organization: Public Live Access Network (PLAnet)
References: <comp-privacy8.37.2@cs.uwm.edu>
The State of Virginia is encouraging drivers on the Dulles Tollway
to sign up for a program that automates toll collection. A sensor
[...]
That is not all,though. If you choose to enroll on-line, you must
supply a credit card number and other information. It does not appear
that any encryption is used to protect anyone who registers from their
home page.
This really is a double whammy: your car and its whereabouts can be
monitored with the technology they are pushing, while at the same time
their total disregard for the privacy issue is apparent in their asking
you to email them your credit card information in an insecure fashion.
Hmmm....
------------------------------
From: cpsr-global@Sunnyside.COM
Date: 08 May 1996 07:20:40 -0700
Subject: New Internet Journal
Taken from CPSR-GLOBAL Digest 376
Sender: Andy Oram <andyo@ora.com>
A journal that may interest readers in many countries has just started:
"First Monday" at http://www.firstmonday.dk. You can read it free on
the Web (just register your name) or pay to get it by email. The issue
I read had an interesting article on how digital cash could weaken the
currencies of small countries.
------------------------------
From: rj.mills@pti-us.com (Dick Mills)
Date: 11 May 1996 09:49:29 -0400
Subject: Privacy "Management" Companies
COMPUTER INDUSTRY DAILY 5/13/96 reported that Watts Wacker from SRI
predicted the development of "Privacy management companies [that] would
catalog facts about people then sell them to other companies."
--
Dick Mills +1(518)395-5154 O- http://www.pti-us.com
AKA dmills@albany.net http://www.albany.net/~dmills
------------------------------
From: ron@hotwired.com (Ron Hogan)
Date: 11 May 1996 23:03:07 -0800
Subject: CLUB WIRED: Sameer Parekh, 16 May, 7 pm PDT
Organization: Grifter Information Technologies
Newsweek calls him one of the "50 people who matter most on the
Internet." He's a programmer, entrepreneur, and activist whose company,
Community Connexion, has implemented an infrastructure supporting
completely private mail on the Internet, something resembling an
anonymity server.
Join technowhiz Sameer Parekh and Electronic Frontiers host Jon
Lebkowsky for a discussion of the technological and sociopolitical
issues of privacy in cyberspace on Thursday, 16 May at 7 p.m. PDT
(Friday 02:00 GMT).
The Club Wired 'room', unlike most of the content at the HotWired site,
is only accessible by registered HotWired users. Registration, however,
is free -- just use the URL below and select "Register Now", then fill
out the form. When you're fully registered, go to
http://www.hotwired.com/club/ to enter Club Wired.
Ron Hogan ron@hotwired.com
---------------------------------------------------------------------
HotWired: a website http://www.hotwired.com/
*********************************************************************
------------------------------
From: Phil Agre <pagre@weber.ucsd.edu>
Date: 12 May 1996 09:00:03 -0700 (PDT)
Subject: Biometric Encryption
Ann Cavoukian, the assistant privacy commissioner of Ontario, has
directed my attention to an Ontario company whose products seem to have
considerable positive implications for privacy protection. The company
is called Mytec Technologies (10 Gateway Blvd Suite 430, Don Mills ON
M3C 3A1, Canada, (416) 467-7726, (800) 845-0096, fax (416) 467-5368).
Mytec sells devices for fingerprint-based biometric encryption. When
we think of biometric authentication schemes, we usually have in mind
systems that derive an absolute identifier from biometric information.
The Mytec system, though, supports anonymous authentication protocols.
A client registers with the system by supplying a text string, such as
an encryption key, and pressing their finger against a lens on a device
that creates a "Bioscrypt" -- the text string encoded by means of an
optically transformed version of their fingerprint. Later on, then,
the client can cause the text string to be reconstructed by pressing
their finger against an authentication device. If the text string is
an encryption key, for example, then the key can now be used to decode
information on a smart card. Or the text string might be the
individual's private key in an public-key encryption protocol. The
system never captures an image of the fingerprint, and the Bioscrypt,
they claim, cannot be decoded to reconstruct the fingerprint or the
encoded text string.
The authentication device can be embedded in a variety of other
devices. For example, they market a personal computer mouse with the
authentication device installed, so that public-key-encrypted e-mail
can be sent or read without the client's private key needing to be
written down or digitally stored anywhere. Key management is probably
the single messiest obstacle to the widespread adoption of technologies
of privacy. David Chaum, for example, has described protocols that
would permit an individual to maintain separate "pseudo-identities"
with different organizations, or to warrant that the individual
satisfies a certain predicate (old enough to drink, eligible for
welfare, etc) in a zero-knowledge manner (that is, without revealing
any information beyond the predicte, e.g., how old one is, what one's
income is, etc). The weak link in the chain is warranting that people
are really who they say they are, without finding out who they are.
Biometric encryption fixes this problem in a cheap, uniform manner.
I am curious if anybody knows of any criticisms of this approach. I
can see one problem, which is that it will be very difficult to explain
the system to people who are accustomed to organizations lying and
ripping them off and using technology to invade their privacy under a
cloud of PR. The idea is hard enough to explain to professional
technologists, much less the public. "Digital cash" has the virtue of
being analogous to something familiar (paper cash), but I can't think
of a simple way to explain anonymity through biometric encryption and
zero-knowledge proofs.
--
Phil Agre, UCSD
------------------------------
From: bgold@platinum.com (Barry Gold)
Date: 13 May 1996 12:22:32 -0700
Subject: Re: Medical Privacy on Nightline
testing and is looking forward to something positive becoming law.
He sees bills moving forward that would forbid insurance companies
denying coverage in health insurance based on information gained
from such tests. He pointed out that no law had yet passed both
houses and been signed by the President however.
This is one of those problem areas with no easy answers. The proposed
legislation would create the opposite problem: adverse selection. If
it is possible to know whether you have a condition _and_ to conceal
that information from an insurer, then you don't buy the insurance
unless/until you have the condition.
For example, you can be tested for HIV without your insurer finding
out. (In some cases, without leaving any sort of record, using a
totally anonymous testing protocol.) If you are young, you have
relatively little need of medical insurance -- your odds of getting
sick are very small. At most, you need insurance against accidental
injury.
But if you are HIV positive, you suddenly have a desperate need of
insurance because you know you're going to have enormous medical bills
within a few years. So you can get a situation where the only people
who buy insurance are those who know they will need the payout. It's
like buying car insurance when you've already found out (somehow) that
you're going to have an accident this month.
If we extend this to enough conditions, the only people who will buy
insurance are the ones who have problems that will involve expensive
payouts. This defeats the purpose of insurance: sharing the risk among
a large pool of people, most of whom won't "use" the insurance. When
that happens, insurance either becomes very expensive or all the
insurance companies stop writing health (and maybe life) insurance
because they have run out of money to pay claims. Or maybe we
_require_ all insurance companies to write health and life, and
property/casualty insurance disappears or becomes prohibitively
expensive because it has to subsidize health/life insurance.
Then we end up either with no insurance at all (and if you are unlucky
enough to need any of a variety of expensive treatments, you're SOL) or
some scheme of "universal" insurance. Universal insurance solves the
adverse selection problem, but then you don't get any choice. You can
have any color of model T you want, as long as you want black. Want a
fee-for-service plan? Sorry, we only offer HMOs (or vice versa). You
want the Cigna HMO? Sorry, we only offer Kaiser and Maxicare.
Remember the furore about the Clinton health plan? It wasn't just
because of insurance company propaganda (though that helped). It was
also because people who have good health insurance through their jobs
(like me) didn't want to be forced into some sort of HMO. I voted for
Clinton, but I wasn't having any, thank you very much.
this to get the point across. His final remark was "...we all have
glitches in our DNA... probably 4 or 5 genes that are pretty fouled
up, and we are going to have the opportunity to find that out
pretty soon. If that is going to be used against us, who will be
left insurable, whose privacy is going to be safe. We have to act
now."
Well, if _everybody_ has some sort of genetic problems, it will
probably all even out. It won't be _just_ Diabetes and Fragile X,
_everybody_ will have one or more problems that would raise their
rates. Then you can just fall back on the existing rules that require
health insurers to insure all conditions rather than picking and
choosing. Everybody will still pay about the same rates, and nothing
much will change. The problem will be the transition period when we
can only find a few genetic problems (as is the case now).
One possible approach would be to sell a special policy: insurance
against having a high-risk condition. You buy it _before_ you have any
tests. Then if you turn out to have some problem, your health-risk
insurance pays the difference between "standard" rate and what you
acutally need to pay. Since only a small part of the population has
such a condition (at least among those we can test for now), the
premium should be (relatively) affordable.
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 14 May 1996 09:14:50 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee
The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.
This digest is a forum with information contributed via Internet
eMail. Those who understand the technology also understand the ease of
forgery in this very free medium. Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top. Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting. He will comply.
If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution. As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.
On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute. If you
do so, it is best to modify the "Subject:" line of your mailing.
Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored. They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious. Diversity is welcome, but not personal attacks. Do
not include entire previous messages in responses to them. Include
your name & legitimate Internet FROM: address, especially from
.UUCP and .BITNET folks. Anonymized mail is not accepted. All
contributions considered as personal comments; usual disclaimers
apply. All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy;
publications using CPD material should obtain permission from the
contributors.
Contributions generally are acknowledged within 24 hours of
submission. If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it
easier for the reader to follow a discussion. He will not, however,
alter or edit the text except for purely technical reasons.
A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives
are in the directory "pub/comp-privacy".
People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.
Web browsers will find it at gopher://gopher.cs.uwm.edu.
---------------------------------+-----------------------------------------
Leonard P. Levine | Moderator of: Computer Privacy Digest
Professor of Computer Science | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu
| Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu | Web: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------
------------------------------
End of Computer Privacy Digest V8 #038
******************************
.