Date:       Sat, 08 Jun 96 08:01:38 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V8#046

Computer Privacy Digest Sat, 08 Jun 96              Volume 8 : Issue: 046

Today's Topics:			       Moderator: Leonard P. Levine

             Re: Credit Cards with Internet Fraud Insurance
             Re: Credit Cards with Internet Fraud Insurance
             Re: Credit Cards with Internet Fraud Insurance
                         Fingerprint Technology
                          AOL Punishes a User
                         Re: unsolicited email?
                Air Force Sergeant Jailed in e-Mail Case
                     New Chip Renews Privacy Debate
                Workshop on Medical Privacy in Cambridge
                 Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: leppik@seidel.ncsa.uiuc.edu (Peter Leppik)
Date: 04 Jun 1996 15:02:06 GMT
Subject: Re: Credit Cards with Internet Fraud Insurance
Organization: University of Illinois at Urbana
References: <comp-privacy8.44.6@cs.uwm.edu> <comp-privacy8.45.8@cs.uwm.edu>

    arlenelea@aol.com (Arlene Lea) wrote: When we got the new ones,
    there was a sticker saying to call in to activate the cards.
    Called the number, was told by a computer voice to punch in the
    card number and that's it.  No questions of social security number,
    date of birth, mother's maiden name, *nothing* - just a computer
    voice saying punch in the numbers.

Discover (and several other credit card companies) apparently now uses
the caller-ID feature of 800 numbers for credit card activation.  When
you call their 800 number, they capture the number you're calling from
and compare it to the phone number you gave on your credit
application.  If the numbers match, they assume that the right person
is activating the card (on the assumption that if someone stole the
card, they wouldn't also break into your house to use your phone).

If they don't match, then a human operator will ask for additional
identification, such as mother's maiden name.

I had this happen to me once, after I moved and didn't give Discover my
new phone number.

So this method is actually more secure than you think--it is no less
secure than the old method of asking for "private" information, and
maybe more secure, since  (a) they can keep track of where the card
activator called from, and (b) they can concentrate the human resources
on the 1% of activation calls most likely to be fraudulent.

-- 
Peter Leppik                  leppik@seidel.ncsa.uiuc.edu
Lost in the Information Supercollider
http://seidel.ncsa.uiuc.edu/


------------------------------

From: tpeters@hns.com (Thomas Peters)
Date: 04 Jun 1996 21:41:35 GMT
Subject: Re: Credit Cards with Internet Fraud Insurance
Organization: Hughes Network Systems Inc.
References: <comp-privacy8.45.8@cs.uwm.edu>

    When we got the new ones, there was a sticker saying to call in to
    activate the cards.  Called the number, was told by a computer
    voice to punch in the card number and that's it.  No questions of
    social security number, date of birth, mother's maiden name,
    *nothing* - just a computer voice saying punch in the numbers.

Did you call from home? Was it an 800-number? They probably matched the
ANI from the call against your account information. If it hadn't
matched, they could transfer you to an operator for the personal info
quiz.

Just guessing,

--
Tom Peters


------------------------------

From: eichin@kitten.gen.ma.us (Mark W. Eichin)
Date: 05 Jun 1996 00:01:21 -0400
Subject: Re: Credit Cards with Internet Fraud Insurance
References: <comp-privacy8.44.6@cs.uwm.edu>

    When we got the new ones, there was a sticker saying to call in to
    activate the cards.  Called the number, was told by a computer
    voice to punch in the card number and that's it.  No questions of
    social security number, date of birth, mother's maiden name,
    *nothing* - just a computer voice saying punch in the numbers.

And a computer at the other end logging the number you called from...
and double checking (1) what they have on file as your home number
already (2) what city they have listed for your home address.  At least
one of the cards I've activated in the last year has *specifically*
said to call from my *home* number. It's just a consistency check
against where they mailed the card...


------------------------------

From: hans4648@tao.sosc.osshe.edu (CrazySexyCool DC)
Date: 04 Jun 1996 23:47:31 GMT
Subject: Fingerprint Technology
Organization: Oregon State System of Higher Education

I have heard rumors circulated about that individuals CAN alter/change
their fingerprints at any time. I am doing a research project
concerning the fingerprint identification, and am asking anyone out
there to contribute to my project. The question: Is there a way to
alter/change your fingerprints easily? And, if so, is there a
temporary way to alter one's fingerprints, or is it only permanent? I
have sifted through one hundred or so investigative articles,
fingerprint subtitles, and so forth, with no answer to my simple
question regarding a temporary and/or permanent way to alter/change
your fingerprints! Without dismemberment of the finger/oil glands
themselves, is there a way?  Thank you, please post or email me

--
Hans4648@tao.sosc.osshe.edu


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 05 Jun 1996 08:57:53 -0500 (CDT)
Subject: AOL Punishes a User
Organization: University of Wisconsin-Milwaukee

I found this report on a "fight censorship" mailing group.  It has real
privacy implications.

 ---------- Forwarded message ----------

At my work we have no Internet access other than email, so I was glad
when I noticed the new desktop units had modems.  The magazine I
brought to work that night had an AOL disk inside of it, and I
installed it.

I tried to logon a couple of times, but it insisted that my account was
invalid.

A co-worker noticed what I was doing and used his name/password to
logon and it worked fine.  I chalked it off as a billing error and
decided to look into it the next day after I woke up.

A small crowd gathered around the computer we were using and someone
asked, "So where are all of the BAD places I keep hearing about on the
Internet?"

I hate when someone says that about the Net.  It's even worse when
their idea of it involves a wild story they saw on the local news about
child molesters lurking.  I know it happens, but nothing like some
media portrays.  So I broke into a description about how most of the
Internet pales in comparison to America Online's chat rooms.

I proceeded to show them all of the 'private' rooms, loaded with
raunchy names.  I showed them some of the GIF-related rooms where you
could get tons of porno images whether you wanted them or not (you
don't even have to ask  --  enter the room and you are on the list.)

I then took them to a room called WAREZ.  This is where you can request
to get on a mailing list that will dump 400-500 messages in your
mailbox with attached files.  Attached files like Microsoft Office 95,
and Duke Nukem III.

They were amazed.  I told them the same things were on the Internet,
but it took a little more effort to find it.  On America Online, you
can literally stumble on it  --  that's how I found it.  I described
how, on AOL, I discovered hundreds of people trading stolen credit card
numbers and trying to sell fraudulently obtained equipment.

The next day I tried to logon at my house, and my account still came up
invalid.  I then phoned customer service and they promptly told me that
I had been banned from AOL for life.

"Why?", I asked.

"Because you were in a chat room called Jaurez."

"Jaurez?  I have never been in a chat room called Jaurez."

"It is spelled W-A-R-E-Z."

I explained to her that one was tequila, and the other was software.
She began to explain the situation in detail.

I broke out my notepad and started asking questions.  She put a legal
person on the phone and we had a brief conversation.  Long-story-short;
AOL has decided to crack down on all of the illegal software that is
being traded online.  They now automatically log everyone who enters
WAREZ (or WAREZ1, WAREZ2, etc...) and cancel the account.

You can get back on by writing them a letter begging for forgiveness
and telling them that you will never do it again  --  but I am not
going to.

I decided not to because when I asked her what they were going to do
about the porno rooms, some of which contain horrible pedophile stories
and pictures  ---  she proceeded to tell me that pornographic material
does not exist on America Online.

A few days later, my co-worker had his account canceled because I
showed him how to find the bad areas.

He asked me if I could write the letter for him.

(steve)

Steven   :        Access@Phoenix.Net or Steven.Baker@Roche.Com
   Baker :__________________.d.i.g.i.t.a.l..l.i.f.e.________________
         :    http://www.taponline.com/tap/net/features/digital.html


 ---------- End Forwarded message ----------

--
Leonard P. Levine               e-mail levine@cs.uwm.edu
Professor, Computer Science        Office 1-414-229-5170
University of Wisconsin-Milwaukee  Fax    1-414-229-2769
Box 784, Milwaukee, WI 53201     
         PGP Public Key: finger llevine@blatz.cs.uwm.edu


------------------------------

From: gmcgath@mv.mv.com (Gary McGath)
Date: 07 Jun 1996 13:12:03 GMT
Subject: Re: unsolicited email?
Organization: Conceptual Design
References: <comp-privacy8.43.7@cs.uwm.edu> <comp-privacy8.44.2@cs.uwm.edu> <comp-privacy8.45.4@cs.uwm.edu>

    eck@panix.com (Mark Eckenwiler) wrote: For the contrary view (that
    the TCPA does not apply to e-mail), see my article (acknowledging
    Bob Bulmash's position and referring to him) at
    http://techweb.cmp.com/net/issues/036issue/036law.htm The issue has
    also been beaten to death multiple times this year in
    misc.legal.computing and other Usenet groups.  A suitable set of
    AltaVista and DejaNews searches should turn up much archived
    discussion on the subject.

If those who want to get E-mail regulated as fax transmissions have
their way, not only will this have a severe chilling effect on
electronic communications, it will presumably require us to put our
phone numbers on all E-mail -- including cease-and-desist requests to
junk mailers. Won't *that* have a lovely effect on our privacy!

-- 
Gary McGath     gmcgath@mv.mv.com
http://www.mv.com/users/gmcgath


------------------------------

From: jwarren@well.com (Jim Warren)
Date: 06 Jun 1996 13:32:25 -0700
Subject: Air Force Sergeant Jailed in e-Mail Case

 ----- forwarded message -----

    Date: 06 Jun 1996 11:40:59 -0400
    To: freematt@coil.com (Matthew Gaylor)
    From: freematt@coil.com (Matthew Gaylor)
    Subject: US Air Force Times article: Master sergeant is sent 
        to jail in e-mail case

[Note from Matthew Gaylor: I find it ironic that while our military is
sworn to uphold and defend the US constitution, the military brass is
busy eliminating personal freedoms enjoyed by our troops.  I'd advise
my military subscribers to Freematt's Alerts to get a private IP for
Email and other net use.]

To: freematt@coil.com <freematt@coil.com>
Subject: FW: Email use for private/unauthorized use, Right to privacy.....

Following is an AF Times article concerning the consequences of Email
abuse.

The Information Protection Office is asking everyone to please read
this article and be aware of what can happen to abusers of gov't
Email.

Air Force Times  June 10, 1996
Master sergeant is sent to jail in e-mail case
By Andrew Compart. Times staff writer

It was a case that tested the right of military employees to
electronic-mail privacy. The judge's conclusion was they had none.

As a result, an Air Force master sergeant will spend the next three
months in jail for using his office computer to exchange sexually
explicit stories, jokes and comments with other consenting adults.

Master Sgt Jeffrey Delzer, 37, who has 19 years of service, was
convicted of misuse of a government computer; distribution of obscene
writing; communicating indecent language on topics such as sexual
intercourse, oral sex, masturbation and bestiality; and obstruction of
justice for allegedly trying to delete his e-mails.

Delzer's punishment also includes demotion to staff sergeant, a
reduction of two ranks that will cost him about $300 a month in
retirement pay.

The military judge's ruling said Delzer had no expectation of privacy
on a government computer and that investigators could look at the
postings without a search warrant, said Mike Powell, an Alexandria,
Va., lawyer who defended Delzer, as did two Air Force lawyers, Capts
Mike Apol and Print Maggard.

The ruling will not set a precedent for similar cases unless Delzer
appeals the case to a higher court.  But it is similar to civilian
court rulings that do not offer employees any e-mail privacy, an
American Civil Liberties Union attorney said.

Powell said his client's conviction and sentence send a clear message.
"It means there is no right to privacy in the workplace in the Air
Force, that's what it means; and you should never use your e-mail for a
personal message," Powell said just after the guilty verdict was
announced May 24 at Malmstrom Air Force Base near Great Falls, Mont.
Malmstrom officials did not immediately respond to questions about the
case.

The court-martial also raised the issue of the sale of adult-oriented
magazines such as Playboy, Penthouse and Hustler at military exchanges
including the base exchange at Malmstrom.

The defense won the right to submit stories from the magazines in a
failed attempt to prove the e-mail postings had not violated community
standards of decency.

In an interview on May 26, the day before he was to go to jail, Delzer
said his situation still seemed unreal although the case had dragged on
for a year.  "Nobody can believe you're being investigated or prosecuted
for something like this," he said. "The bottom line is I don't think
this was anyone else's business.  I'm not saying there shouldn't be
limits, but I think they went way too far."

What makes this case unusual is that the alleged obscenity involves
only written material.  Obscenity prosecutions for material that does
not include pictures or videos are rare, said Ann Beeson, an American
Civil Liberties Union lawyer specializing in Internet law.

Beeson also said it is unusual and  disturbing to prosecute someone for
e-mail, which is sent to a specific person instead of being posted in a
public area, such as a computer bulletin board,  accessible to
virtually anyone with Internet access.

The investigation of Delzer began last spring after a co-worker
reported him to superiors. The co-worker said he saw some obscene words
on Delzer's computer screen when he walked by, Powell said.

Air Force Times  June 10, 1996


*****

Subscribe to Freematt's Alerts: Pro-Individual Rights Issues Send a
blank message to: freematt@coil.com with the words subscribe FA on the
subject line. List is private and moderated (7-30 messages per week)
Matthew Gaylor,1933 E. Dublin-Granville Rd.,#176, Columbus, OH  43229

*****

 ----- end forwarded message -----



------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 05 Jun 1996 15:40:58 -0500 (CDT)
Subject: New Chip Renews Privacy Debate
Organization: University of Wisconsin-Milwaukee

Japanese Data-Scrambling Chip Renews Privacy Debate

A recent copyrighted article in the New York Times (6/4/96) describes a
powerful data-scrambling chip-set that is now being quietly sold by
Nippon Telegraph and Telephone Corp.  According to John Markoff, the
author of the Times article, the product is likely to severely
undermine the Clinton Administration's efforts to restrict the
international export of the fundamental technology for protecting
secrets and commerce in the information age.

According to the article, the existence of the chip set was disclosed
in Washington in a speech at a public policy workshop by the chief
executive of RSA Data Security, a Silicon Valley-based company that has
frequently dueled with the administration over its export-control
policies.  The company plans to resell the chips in the United States.
The CEO of RSA Data Security said "There is clearly going to be a lot of
demand for their chips."

The executive has been a vocal and longtime opponent of U.S. export
laws that prohibit the sale, without a special license, of products
that have powerful data-scrambling capabilities. The government's
policy is directed at limiting the spread of systems that could make it
more difficult for American intelligence and law enforcement agencies
to conduct electronic surveillance.

The device also underscores fundamental differences that exist between
Japan and the United States on the issue of privacy in the Information
Age.  While U.S. officials have struggled to maintain their ability to
conduct electronic surveillance, Article 21 of Japan's Constitution
specifically forbids wiretapping.

Next, the article quotes Mark Rotenberg, director of the Electronic
Privacy Information Center as saying:  "It's very interesting that the
Japanese regard for privacy in their Constitution translates into
better cryptographic technology."

It is reported that the chips were far more powerful than the so-called
Clipper chip, a data-scrambling system that the administration proposed
for the nation's telephone system.  Furthermore, the report continues
that while the Clipper system has a built-in "back door" intended to
permit the FBI to gain wiretap information, the NTT system has no such
surveillance feature. It also uses much stronger data-encryption
algorithms than U.S. export laws permit.

According to the article, those laws restrict the export of encryption
systems which employ digital "keys" of more than 40 bits in length. The
new NTT chips, however, use a 56-bit key, and actually triple the
strength of that standard. Such a scrambling system is believed to be
beyond the capability of the most powerful code-breaking system.

In addition to the "private" key system for scrambling data, NTT uses
RSA Data's "public" key method to permit computer users who have not
previously exchanged information to swap private key information
safely. The NTT system uses the RSA Data key which is 1,024 bits in
length, also far stronger than the U.S. export regulations permit.

"If there is anyone in the government who hasn't already seen the
writing on the wall, here it is," the article concludes.


------------------------------

From: rja14@cl.cam.ac.uk (Ross Anderson)
Date: 04 Jun 1996 11:36:33 GMT
Subject: Workshop on Medical Privacy in Cambridge
Organization: University of Cambridge, England

This conference is being sponsored by the British Medical Association
and the Isaac Newton Institute for Mathematical Sciences at Cambridge.
We hope to bring together computer security professionals with
clinicians and policy makers to explore how we can ensure the privacy
and safety of clinical information, and thus facilitate the uptake of
telematics in medicine.

                        WORKSHOP ON PERSONAL INFORMATION
			Security, Engineering and Ethics

                Isaac Newton Institute, University of Cambridge

				21-22 June 1996

FRIDAY 21 JUNE

9 - 10  Registration and Coffee

10.00	Welcome			Mac Armstrong, BMA

10.05	Introduction		Ross Anderson, Isaac Newton Institute

10.15	Simon Jenkins		Comments on the Information Strategy of the NHS

10.45	Otto Ulrich		The relationship between the patient and the
				security infrastructure

11.15 - 11.30 Coffee

11.30	Reid Cushman            Exceptionalism Redux: Is Health Care 
				Information Practice Really Different?

12.00	Bernd Blobel            Clinical Record Systems in Oncology. 
				Experiences and Developments on Cancer 
				Registers in Eastern Germany

12.30	Mary Hawking            Organisation of General Practice: implications 
				for IM&T in the NHS 

13.00 - 14.00 Lunch

14.00	Ruth Roberts,           Practical Protection of Confidentiality
	Joyce Thomas, Michael J 
	Rigby, John G Williams

14.30	Alan Hassey, Mike Wells Clinical systems security - Implementing the 
				BMA policy & guidelines

15.00	Peter Landrock          Using Commercial Off-the-Shelf Technology to 
	John Williams           Secure GP Provider Links

15.30 - 16.00 Tea

16.00	Paula J. Bruening       Medical Information Privacy Law in the United 
				States

16.30	Beverly Woodward        Information management is no longer records 
				management but a risk management issue

17.00 	Discussion

19.30	Reception followed by dinner

SATURDAY 22 JUNE

9.00	Andrew Blyth 		Responsibility Modelling: A New Approach to the
				Re-Alignment and Re-Engineering of Health-Care 
				Organisations

9.30	Michael J Rigby         Keeping Confidence in Confidentiality

10.00	Ronald Draper        	Electronic Patient Records : Usability vs 
				Security, with Special Reference to Mental 
				Health Records

10.30 - 11.00 Coffee

11.00	Ulrich Kohl          	User-Oriented Control of Personal Information 
				Security in Communication Systems

11.30	Gerrit Bleumer          Privacy Oriented Clearing for the German Health
	Matthias Schunter       Care System

12.00	Yoshikazu Okada,	Series of Personal Health Data on Optical
	Yasuo Haruki, Youichi	Memory Cards
	Ogushi, Masanobu Horie

12.30 - 13.30 Lunch

13.30	Fleur Fisher		The Perspective of Medical Ethics

14.00	Dave Banisar            Legal Requirements for Computer Security: An 
				American Perspective

14.30	A.G. Breitenstein       U.S. Health Information Privacy Legislation: 
				Theory and Practice 

15.00 - 15.30 Tea

15.30	Roderick Neame          Healthcare Informatics Security in New Zealand

16.00	Ross Anderson           An Update on the BMA Security Policy

16.30   Discussion

17.00   Adjourn

******************************************************************************

                       REGISTRATION FORM

            (Please return to s.miller@newton.cam.ac.uk)

Last Name:....................................Title:.....................

Forenames:....................................................................

Present Position:.............................................................

Date of Birth:.......................... Nationality:.........................

     Address of Home Institution:         Permanent Home Address:

 ....................................   .....................................

 ....................................   .....................................

 ....................................   .....................................

 ....................................   .....................................

 ....................................   .....................................
 
Office Phone:........................ Home Phone:...........................

Fax Number:..........................  E-mail:..............................

Institution of graduation: .................................................

Date of Arrival:....................  Date of Departure:....................

I would like help with finding accommodation in Cambridge   YES / NO*
                   (* Please delete as required)


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 17 May 1996 09:14:50 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
 .UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions considered as personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy;
publications using CPD material should obtain permission from the
contributors.  

Contributions generally are acknowledged within 24 hours of
submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it
easier for the reader to follow a discussion.  He will not, however,
alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Web:           gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V8 #046
******************************