Date:       Fri, 31 May 96 11:06:44 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V8#044

Computer Privacy Digest Fri, 31 May 96              Volume 8 : Issue: 044

Today's Topics:			       Moderator: Leonard P. Levine

                         Re: unsolicited email?
                         Re: unsolicited email?
                        Re: All Calls are Logged
                        Re: Privacy Phone Guard
             Re: Credit Cards with Internet Fraud Insurance
             Re: Credit Cards with Internet Fraud Insurance
                        Re: Biometric Encryption
                        Re: Biometric Encryption
                             e-Mail Privacy
          Re: How Secure are 900 MHz Digital Cordless Phones?
          Re: How Secure are 900 MHz Digital Cordless Phones?
               Re: Equifax for Employee Background Checks
                Re: Free PGP shell available for Windows
                       New Online Phone Directory
                          Re: EPIC Alert 3.11
                 Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: johnl@iecc.com (John R Levine)
Date: 30 May 96 12:24 EDT
Subject: Re: unsolicited email?
Organization: I.E.C.C., Trumansburg, N.Y.

    Please excuse if this has been beaten up here before, but I am
    interested in any legal precedents for fighting unsolicited email.

Unfortunately, there aren't any.  There is a law against junk faxes, and
the definition of a fax machine in the law could, if read literally, be
taken to describe most computers.  (It describes a device with a modem
and a printer which can print text or images.)  But the junk fax law is
clearly intended to address faxes rather than e-mail, and I'd be
surprised if any judge thought differently.

Most but not all Internet providers have Acceptable Use Policies which
forbid junk e-mail, and it's usually possible by persistent polite
complaining to the ISP to get the junk mailer's account cancelled.  But
it's very easy to get throwaway trial accounts on everyone from AOL to
Interramp to Fred's Pest Control and ISP, and the most persistent
spammers use those, hopping from provider to provider.  A few "rogue"
providers, from misguided principle or ineptness, refuse to apply any
discipline to their users at all.  You can read about this continuing
process in far more depth than you want in news.admin.net-abuse.misc on
usenet.  There are many sites (soon to include mine) which reject all
mail from rogue providers.

Given the existence of junk fax legislation, I'd think it'd be
straightforward to extend it to junk e-mail.  The issues are similar,
most importantly that the cost of sending the messages is very low, and
the recipient bears much of the cost of receiving the message, so the
junk messages have a disproportionate out-of-pocket cost to the
unwilling recipients.

-- 
John R. Levine, IECC, POB 640 Trumansburg NY 14886 +1 607 387 6869
johnl@iecc.com "Space aliens are stealing American jobs." - Stanford econ prof


------------------------------

From: prvtctzn@aol.com (Prvt Ctzn)
Date: 29 May 1996 12:36:51 -0400
Subject: Re: unsolicited email?
Organization: America Online, Inc. (1-800-827-6364)
References: <comp-privacy8.43.7@cs.uwm.edu>

    Please excuse if this has been beaten up here before, but I am
    interested in any legal precedents for fighting unsolicited email.

The Telephone Consumer Protection Act of 1991 (47 USC 227) prohibits
unsolicited advertisements to fax machines.

A fax machine is defined (by this law) to be equipment with the capacity
to:
- receive signals over a regular telephone line
- convert that data into text or graphics, and
- print that data on to paper

Therefore, your computer - email - printer system is (by definition) a
fax machine.

You can sue the sender for $500 for each such transmission so long as
you have no existing or prior business relationship with the sender.

                 Robert Bulmash
                Private Citizen, Inc. 
    http://webmill.com/prvtctzn/home


------------------------------

From: Rick Carlson <lnustoc.bzfhbg@eds.com>
Date: 29 May 1996 15:37:25 -0700
Subject: Re: All Calls are Logged
Organization: Manufacturing Service Center
References: <comp-privacy8.43.3@cs.uwm.edu>

    Crissie Trigger wrote: For those who are upset about caller I.D., I
    have been informed by several private investigators that every
    telephone call, local as well as long distance made through a
    typical phone company is registered on a computer as to the number
    of the caller and callee, date & time of the call, and the length
    of the call.  Big brother isn't always listening, but he can
    usually go back and check the records.

And sometimes those records have been searched - legally and illegally.
A few years ago, the Ohio Bell in Cincinnati turned over its billing
records for all calls made from Cincinnati to Pittsburgh to assist
Procter and Gamble in locating a person who "leaked" company data to a
Wall Street Journal writer in Pittsburgh. I seem to recall that around
10,000 calling records were turned over to the Cincinnati police who
then turned over the data to P&G.


------------------------------

From: hermit@cats.UCSC.EDU (William R. Ward)
Date: 29 May 1996 19:58:54 GMT
Subject: Re: Privacy Phone Guard
Organization: Computing and Telecommunications Services, UCSC
References: <comp-privacy8.38.2@cs.uwm.edu> <comp-privacy8.42.4@cs.uwm.edu>

The problem with caller-id is that we have people objecting to and
promoting different things:

1. People who want caller ID want to know the identity of the PERSON
   who is calling them so they know who they're talking to.

2. People who do not want caller ID want to withhold their PHONE NUMBER
   so businesses they call can't add them to a database.

There are also businesses who want to know the phone number, and people
who want to withhold their personal identity, but I believe those cases
are far less common than the above.

It seems that there should be a way to give your identity without
giving your phone number, thus satisfying both groups.  If I could
program my phone to transmit "Bill Ward" instead of my phone number
when I call someone, I wouldn't object to them seeing that.  Wouldn't
that be preferable?

--
William R Ward          Bay View Consulting   http://www.bayview.com/~hermit/
hermit@bayview.com     1803 Mission St. #339        voicemail +1 408/479-4072
hermit@cats.ucsc.edu  Santa Cruz CA 95060 USA           pager +1 408/458-8862


------------------------------

From: John Pettitt <jpp@software.net>
Date: 29 May 1996 14:01:41 -0700
Subject: Re: Credit Cards with Internet Fraud Insurance
Organization: software.net
References: <comp-privacy8.42.14@cs.uwm.edu>

    Winston Edmond wrote: A few weeks ago, I got a piece of junk mail
    asking me to apply for a VISA card.  What made the offer unique was
    that it had the word WEB in big letters on the outside envelope and
    a novel feature: it explicitly said that the card holder would not
    be held liable for any charges resulting from the number being
    stolen in the course of its use over the Internet.  This was not
    limited to encrypted transmission.

The interesting thing here is that you only have $50 liability anyway
and in most cases the bank will waive that (USA - other countries may
vary, as I recall in the UK it's UKL 50).  Anyway it's another sales
gimmick, that's all.

Question: can anybody cite an instance of a card stolen in flight on
the net, not the local lan or by breaking into a machine but on the net
itself?  I can't find one.

The big issue in internet credit card fraud is identity theft, that is
somebody gets your card and address the old fashioned way (mostly they
talk you out of it) and then they order stuff over the net.  In this
case the merchant gets stuck with the fraud costs.  That's why merchants
like us want so much info before we process a transaction - we are
trying to mitigate our fraud risk.

-- 
John Pettitt                                          jpp@software.net
VP Engineering, CyberSource Corp.       +1 415 473 3065 (V) (fax 3066)


------------------------------

From: tpeters@hns.com (Thomas Peters)
Date: 29 May 1996 22:39:54 GMT
Subject: Re: Credit Cards with Internet Fraud Insurance
Organization: Hughes Network Systems Inc.
References: <comp-privacy8.42.14@cs.uwm.edu>

    A few weeks ago, I got a piece of junk mail asking me to apply for
    a VISA card.  What made the offer unique was that it had the word
    WEB in big letters on the outside envelope and a novel feature: it
    explicitly said that the card holder would not be held liable for
    any charges resulting from the number being stolen in the course of
    its use over the Internet.  This was not limited to encrypted
    transmission.

Since when have card holders been liable for unauthorized charges made
with a stolen card number? As long as you don't lose the physical card,
you may be inconvenienced by fraud, but you are not liable for the
losses. That the card number was disclosed over the web instead of over
the phone or in a dumpster is beside the point.

This clever card issuer is giving up something he never had.

--
Tom Peters


------------------------------

From: "Michael Lewkowitz" <M_Lewkowitz@msn.com>
Date: 29 May 96 23:08:24 UT
Subject: Re: Biometric Encryption

I have actually seen the Mytec device and had it demonstrated to me.
With regard to the worry that fingerprints can be lifted off of glasses
etc. and used as a replica, this is not possible.  For that to work, a
3D model of the fingerprint would have to be recreated with a material
that has the same elasticity of the individual's skin. When "swiping"
the finger, the print distorts which affects the biocrypt.

Furthermore, you can have a number of fingers registered so that in the
event one gets disfigured or is lost by malicious action or accident,
one can activate another as back up.  Technologically speaking, the
product is sound and has vast potential.

In regard to encrypting, I'm sure there will be much debate as to how
to set it up.

If you have any specific questions, they do have a web site through
which you should be able to contact them directly.

And finally, to end this disjointed letter, I was told that they are
attempting :-) to get a patent on fingerprint data encryption over the
net (or something along those lines).

--
Michael Lewkowitz
Com.Point Innovations Inc.


------------------------------

From: gtomko@noc.tor.hookup.net (George Tomko)
Date: 29 May 1996 09:42:54 -0400 (EDT)
Subject: Re: Biometric Encryption

Dear Mr. Levine:

Subject:        Biometric Encryption

I have noticed a number of communications in your news group regarding
Biometric Encryption, especially some concerns about its use.  As one
of the developers of this technology, I would appreciate if the
attached response could be posted in the news group to provide people
with some answers and also to obtain feedback and discussion.

Kind regards.

George J. Tomko, Ph.D.

Several people commented on four concerns in using a finger pattern for
biometric encryption, namely:

1.      It's easy to get someone's fingerprints since they are left on
a vast number of everyday objects, such as drink cans and door handles;

2.      Muggers would start cutting off people's fingers when stealing
their cards;

3.      The crooks would forcibly hold down an individual's finger
against the biometric encryption authentication device to extract the
string coded by the individual's Bioscrypt; and

4.      If the finger used to code the Bioscrypt is damaged or
destroyed, then an individual will not have access to the files
associated with the Bioscrypt.

I will try to answer these concerns in order.  But, first, let me
define a Bioscrypt.  A Bioscrypt is a two-dimensional image of a string
or set of characters which can represent a PIN, encryption key or
pointer and which has been coded (encrypted) by the two-dimensional
information in a fingerprint pattern.  It has the following
properties:

-       it has no resemblance to the original fingerprint.
-       it cannot be reconverted to the original fingerprint.
-       if an optical image of the correct live fingerprint is transmitted
through the Bioscrypt, then the output light beam uniquely represents the
coded number.  By successfully decoding their Bioscrypt, the person also
confirms who they claim to be.

For purposes of the discussion below, it is important to note that the
optical authentication device is a coherent system and uses the phase
information in a finger pattern (complex domain) as a discriminating
parameter.

1.      "Picking up latent prints from door handles, etc."

To perpetrate a masquerade using a latent fingerprint of a legitimate
user is very difficult for the following reasons:

* The system requires a three-dimensional reconstruction of the
legitimate user's fingerprint because the height of the various
fingerprint ridges can modify the two-dimensional complex optical image
which is the input to the authentication device.  There is little
information in a two-dimensional latent print about the depth and the
height of grooves and ridges of the actual fingerprint.

* The three-dimensional reconstruction of the legitimate user's
fingerprint from a latent print would also need to duplicate the
approximate oil and moisture content of the skin, since this is one of
the factors which affects (modulates) the two-dimensional image read by
the system.  Quantifying this information from a latent print is very
difficult.  Even if it were, the three-dimensional reconstruction would
have to be made from a synthetic material which had the same oil and
moisture properties as the legitimate user's skin.  To use an oil/water
based solution to place on the input scanning window would be useless
since this would frustrate all of the light bouncing off the window and
would convey little or no useful information to the optical system.

* The reconstructed fingerprint would also need to be made from a
material with approximately the same elastic properties as the
legitimate user's finger skin.  During enrollment, and subsequently on
authentication attempts, the user slides a finger over the input
scanning window.  This action warps the skin and the corresponding
fingerprint pattern based on the elastic properties of the skin.
Within the population, warping can vary significantly based on age,
dryness of skin, etc. and is thus another unique aspect of the
individual's finger pattern.

2.      "Severing the finger to obtain access."

As already mentioned in some of the previous communications in this
newsgroup, measuring the temperature, humidity, pulse rate and even
heart rate to verify a live finger can be accomplished.  One of the key
factors, though, is after the finger is severed the elastic properties
of the skin change rapidly and thereby would not warp in the same
manner as a live finger pattern.  This would make a cadaverous finger
useless after a period of time.  (Can't find subjects to do a double
blind study though).

3.      "Crooks would forcibly hold down the finger."

By forcibly sliding an individual's finger against the biometric
encryption authentication device (reading device), the string coded by
the Bioscrypt can be extracted.  The string coded by the individual's
finger pattern Bioscrypt could then be used for a one-time access for
whatever purposes the string was intended.  However, assuming that the
individual is freed, he can then use his finger pattern to code a
completely different string to prevent repetitive access.

The system is robust in that it is very easy to change PINs, encryption
keys or computer pointers.  It was suggested in some of the messages
that a pass phrase be used in conjunction but, again, if an individual
is holding your finger down forcibly, to extend that to pointing a gun
to your head to divulge the pass phrase is not an extreme assumption.
There is no perfect security system out there and I doubt one will ever
be designed since it has to work with real human beings.  I suggest
that the goal is to provide privacy-enhancing technology that handles
the majority of the infringement cases and that, for exceptional
circumstances where extreme privacy and security must be guaranteed, we
combine the biometrics (something you are) with the pass phrase
(something you know) and a token (something you have).  If the
combination of those three doesn't do it, then at this stage of
technological evolution, nothing will cut it.

4.      "Losing or damaging a finger with the result of not being able
to access the Bioscrypt and related files."

One of the properties of optical processing is that composite patterns
can be made and thereby used to make the Bioscrypt.  Accordingly, more
than one finger could be used or a finger and a proprietary pattern
(which one keeps hidden away somewhere).  Of course, there is a
penalty.  The more patterns one uses, the smaller the signal to noise
ratio of the system.  The system is currently designed to give signal
to noise ratios in the order of 10 to 12 dB and thereby significant
degradation can still occur which would allow comfortably two to three
patterns to be superimposed in the same Bioscrypt.

If you are interested, more information can be gained by accessing
Mytec's web page at http://www.mytec.com.

--
George J Tomko
Mytec Technologies Inc.
Toronto, Ontario


------------------------------

From: mdc@mbay.net
Date: 29 May 1996 23:52:51 GMT
Subject: e-Mail Privacy
Organization: Monterey Bay Internet, Monterey, CA

I am interested in e-mail security and would like to hear from anyone
who knows about legal case histories, company policies, or personal
experience with e-mail privacy (particularly the lack thereof).  The
gist of my research is should e-mail be treated like other forms of
communication as far as searches and warrants go?  Thanks
for any input.


------------------------------

From: pfeifer@lf.hp.com (Mark Pfeifer)
Date: 30 May 1996 17:41:13 GMT
Subject: Re: How Secure are 900 MHz Digital Cordless Phones?
Organization: Hewlett-Packard Little Falls Site
References: <comp-privacy8.43.9@cs.uwm.edu>

    I keep hearing that digital cordless phone conversations are
    private.  Could someone please explain to me why?  Is it simply
    because scanners which intercept digital transmissions are not
    commonly available? Or is there something about digital
    transmission technology that makes the transmissions un-decodable?

I recently purchased a Toshiba 900MHz digital cordless phone.  It does
claim to encrypt calls.  According to the documentation, each time the
handset is placed in the base unit, a new 16-bit key is picked and used
until the phone is placed in the base again (they quote 65536 unique
codes).

Part of the security comes from the fact that digital scanners appear
to be much less common than analog ones, so that helps keep down the
number of casual observers.  The digital encryption should help matters
a bit more.

--
Mark Pfeifer	            (302) 633-8260   E-mail: pfeifer@lf.hp.com
Hewlett-Packard Little Falls Site            #include <disclaimer.h>
Wilmington, DE 19808                         #define OPINIONS mine


------------------------------

From: Ed Frankenberry <ezf@osf.org>
Date: 30 May 1996 17:30:41 -0400
Subject: Re: How Secure are 900 MHz Digital Cordless Phones?

    Do digital cordless phones routinely scramble their transmissions?
    If so, what kind of algorithms are used for scrambling? How hard
    would it be to unscramble if someone was reasonably determined?

Digital cordless phones are "reasonably" secure.  There are different
types of 900-MHz digital transmission.  Early digital cordless phones
(e.g. the VTech Tropez and AT&T 9100) use a fixed channel frequency and
session key for the duration of the call.  The conversation is
digitally encoded so an eavesdropper would need to perform digital
signal processing (beyond simply using a scanner).  The key length is
typically 16 bits, so a determined eavesdropper could recover the clear
signal.

More recent digital cordless phones (e.g. the Uniden EXP 9100) have
frequency-agile transceivers that use spread-spectrum transmission.
Rather than using a fixed channel, the signal is transmitted over
multiple frequencies. This technique offers greater noise immunity, and
requires synchronization between the base and handset regarding the set
of transmission frequencies.  It is difficult for a would-be
eavesdropper to distinguish spread-spectrum transmission from wideband
random noise.

From a privacy/security perspective, both forms of digital transmission
represent an improvement over conventional unencrypted analog (AMPS)
cellular telephones or analog cordless phones.
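
Added example (not part of either cordless-phone post above, and not any manufacturer's code): both replies quote a 16-bit key, i.e. 65536 possibilities, and the sketch below shows what that keyspace means for someone evaluating the protection. The scrambler is a constructed stand-in (SHA-256 keystream XORed with the data) and the 8-byte frame header is an assumption; the digest does not say what algorithm or framing the phones use.

```python
"""Constructed illustration: exhaustive search of a 16-bit session key."""
import hashlib

KEY_BITS = 16                                # key size quoted in the digest
HEADER = bytes.fromhex("aa55aa55d391d391")   # assumed fixed frame header (hypothetical)


def keystream(key: int, length: int) -> bytes:
    """Stand-in keystream: SHA-256(key || counter) blocks.

    This is NOT the phones' algorithm; it is deliberately a sound generator
    so that the only weakness on display is the 16-bit key.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = key.to_bytes(2, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:length])


def scramble(key: int, frame: bytes) -> bytes:
    """XOR the frame with the keystream; the same call descrambles."""
    return bytes(a ^ b for a, b in zip(frame, keystream(key, len(frame))))


def exhaustive_search(ciphertext: bytes) -> list:
    """Try every 16-bit key; keep those whose output starts with HEADER."""
    head = ciphertext[:len(HEADER)]
    return [k for k in range(1 << KEY_BITS) if scramble(k, head) == HEADER]


def worst_case_seconds(key_bits: int, keys_per_second: float) -> float:
    """Time to try every key of the given size at a fixed trial rate."""
    return (1 << key_bits) / keys_per_second


if __name__ == "__main__":
    import time

    session_key = 0xB3C7                     # constructed sample key
    frame = HEADER + b"constructed voice payload bytes"
    captured = scramble(session_key, frame)

    start = time.perf_counter()
    found = exhaustive_search(captured)
    elapsed = time.perf_counter() - start
    rate = (1 << KEY_BITS) / elapsed         # trials per second on this machine

    print(f"recovered keys: {[hex(k) for k in found]} in {elapsed:.2f}s")
    # Same trial rate, larger keys: each extra bit doubles the work.
    for bits in (16, 40, 56, 128):
        print(f"{bits:3d}-bit key: {worst_case_seconds(bits, rate):.3g} s worst case")
```

The search cost depends only on the key length, so re-keying each time the handset is docked changes which of the 65536 values is in use but not how long the whole space takes to cover.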


------------------------------

From: Wotan <wotan@netcom.com>
Date: 30 May 1996 18:42:00 -0400 (EDT)
Subject: Re: Equifax for Employee Background Checks

    anonymous <levine@blatz.cs.uwm.edu> said: They are very intrusive
    into your private life, and once info gets into their computers it
    is hard to get it out.

I've got to disagree with this statement.   They did once place bad
info in my report by mistake (combined mine and my sister's - our SS's
are only one number different.)  They corrected the problem and deleted
the bad info immediately.

And periodically send me a gratis copy to ensure that the info is still
correct.  Which is better than TRW ever was - I shouldn't have needed
to file a complaint with the FTC to get bad info off of TRW's
records.

--
God is an atheist.


------------------------------

From: dallas@eskimo.com (Dallas Waite)
Date: 30 May 1996 17:52:51 -0700 (PDT)
Subject: Re: Free PGP shell available for Windows
Organization: Eskimo North (206) For-Ever

I've downloaded PGPn123, and experimented with it a few times. No virus
probs, and can report no major bugs.

Since I've not used any other program of this type, I can not say if it
is any better or worse than others that are out there.

Hope this helps.

--
"Dr. Tom Blinn, 603-881-0646" <tpb@zk3.dec.com> wrote:


------------------------------

From: Paul Szabo <szabopk@teleport.com>
Date: 31 May 1996 06:23:22 -0700
Subject: New Online Phone Directory

I found a new online phone directory that allows you to search in
Canada and the U.S:

	http://www.infospaceinc.com/space.html

This one had slightly out of date information, and also neglected to
include my (last year's) apartment number.

This one does NOT have the feature of allowing you to delete yourself
from the directory, unlike [moderator, if you know this, please insert
here, I lost the URL].  Although they claim privacy is important,
obviously it is not anywhere near the highest on their list.

For information about this new startup:

	http://www.infospaceinc.com/space.html

To do a search

	http://www.infospaceinc.com

--
Paul Szabo


------------------------------

From: epic-news@epic.org (EPIC-News Mail Server)
Date: 29 May 1996 14:47:53 -0400
Subject: Re: EPIC Alert 3.11

Epic Alert, Volume 3.11 May 29, 1996

Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.

http://www.epic.org/

Table of Contents

[1] Children's Privacy Bill Introduced
[2] Recent Problems in Direct Marketing Industry
[3] New Medical Privacy Bill Introduced
[4] Canadian NII Panel Calls for Privacy Law
[5] Supreme Court Rejects California Caller ID Case
[6] NRC to Release Crypto Report
[7] FTC To Examine Privacy Issues
[8] Upcoming Conferences and Events

[moderator: this listing of excellent material is too long to post
here.  I have archived it in CPD archives, or a copy can be found in
the URL indicated above.]


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 17 Mar 1996 09:14:50 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
 .UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions considered as personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy;
publications using CPD material should obtain permission from the
contributors.  

Contributions generally are acknowledged within 24 hours of
submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it
easier for the reader to follow a discussion.  He will not, however,
alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Web:           gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V8 #044
******************************