Date:       Fri, 14 Jun 96 10:05:17 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V8#047

Computer Privacy Digest Fri, 14 Jun 96              Volume 8 : Issue: 047

Today's Topics:			       Moderator: Leonard P. Levine

                      What's the Word on Cookies?
                    RISKS: HTTP Cookie Privacy Risk
                       Re: All Calls are Logged
                       Re: Fingerprint Technology
                      Are Keyboard Recorders Legal?
              Re: Air Force Sergeant Jailed in e-Mail Case
                Key Escrow in France and Britain [long]
                 Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: kmp@spiritone.com (Ken Peterson)
Date: 08 Jun 1996 11:05:20 -0700
Subject: What's the Word on Cookies?
Organization: Someone using Xplor's internet service

What is the current wisdom on Netscape Cookies?

I have tried to configure Netscape 3.0b4 (Macintosh) to "ask" before
accepting a cookie, but some sites try to send 10-20 of the damn things
while loading the first page and during the simplest navigation of
their site. So endlessly clicking NO in the Ask dialog is a tremendous
hassle.

I know about Cookie Monster, but I have no other reason to run
AppleScript and don't want the extension-load it adds.

Cookies aren't executable code, I guess. What harm can they do? What
possible downsides are there? Anybody?

Are there any non-AppleScript Cookie Crumblers out there?

--
Ken Peterson
Peterson TechSystems, Portland, OR   <kmp@SpiritOne.com>
"Any nitwit can understand computers. Many do"


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 11 Jun 1996 14:01:51 -0500 (CDT)
Subject: RISKS: HTTP Cookie Privacy Risk
Organization: University of Wisconsin-Milwaukee

    Taken from RISKS-LIST: Risks-Forum Digest  Monday 10 June 1996
    Volume 18 : Issue 19 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND
    RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public
    Policy, Peter G. Neumann, moderator

    From: hgoldste@bbs.mpcs.com (Howard Goldstein)
    Date: 08 Jun 1996 01:38:13 GMT
    Subject: HTTP cookie privacy risk

I recently installed Netscape 3.0b4, a beta version, to try out the new
(compared to 1.1N) features and see how well FreeBSD runs foreign
binaries.

One of the new features, a security feature strangely categorized as a
'network' feature, queries the user before allowing "cookies" to be
set.  Out of curiosity I set it so as to find out how often this
feature was invoked.  Cookies (discussed in earlier RISKS volumes, I
seem to recall) [YES: RISKS-14.36, 17.89.  PGN] are documented at
http://www.netscape.com/newsref/std/cookie_spec.html .

I was surprised to find that every night for the last two weeks after
enabling this I've been handed a "cookie" by a site I never knowingly
visited, at http://ad.doubleclick.net .

Upon visiting this site I discovered they engage in attempts to collect
various data about web users including their o/s.  Why they feel it
necessary to 'ping' me each night to set a cookie I do not know, but it
seems they are also collecting data about browser usage.  Such a
statistic regarding times online while in a browser would seem valuable
from a marketing standpoint.

While cookies may be useful when voluntary and insofar as they may be
helpful to the user (as I feel the cookie I'm handed that avoids an
access validator for a particular newspaper's site), cookies from
marketing companies benefit me not.

Categorize this as a risk to users of older netscapes lacking the
conditional-cookie setting?  Or to advertisers who will find their
targets are hidden behind "mini" HTTP firewalls that hide the users
from cookies along with advertisement filters such as the one being
tested by a North Carolina startup?

--
Howard Goldstein   <hg@n2wx.ampr.org>

  Computer Risks Moderator: [And you'd probably be surprised to know
  how many people are affected.  But you *know* there has to be a
  gotcha with free web sites and free browsers, and lots of folks are
  selling lists.  Always look a gift Trojan horse in the mouth (and
  everywhere else too).]
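
Both the "endless Ask dialogs" complaint in the first post and Goldstein's nightly ad.doubleclick.net cookie come down to one question: was the cookie set by the site the user chose to visit, or by something embedded in its page? The Python below, added here and not code from Netscape or from either poster, parses Set-Cookie headers in the format of the Netscape cookie spec linked above and sorts them into first-party and third-party; the hostnames other than ad.doubleclick.net and all cookie values are constructed samples.

```python
"""Third-party cookie filter for Set-Cookie headers in the Netscape spec
format (NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure).
Added example, not Netscape's or a poster's code; hosts other than
ad.doubleclick.net are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    value: str
    domain: str              # effective domain, no leading dot
    path: str
    expires: Optional[str]   # None => session cookie, else persistent
    secure: bool
    source_host: str         # host whose response carried the header

def host_in_domain(host: str, domain: str) -> bool:
    """Netscape tail match: host equals domain or ends with '.' + domain."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def parse_set_cookie(header: str, response_url: str) -> Cookie:
    """Parse one Set-Cookie value; attribute names are case-insensitive."""
    parts = urlsplit(response_url)
    host = (parts.hostname or "").lower()
    # An expires date contains commas but never ';', so ';' is safe to split on
    fields = [f.strip() for f in header.split(";") if f.strip()]
    name, _, value = fields[0].partition("=")
    # Spec defaults: domain = responding host, path = document's directory
    default_path = parts.path.rsplit("/", 1)[0] or "/"
    cookie = Cookie(name.strip(), value.strip(), host, default_path,
                    None, False, host)
    for attr in fields[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            # Spec: only a host inside the named domain may set a cookie for it
            if host_in_domain(host, val):
                cookie.domain = val.lower().lstrip(".")
        elif key == "path":
            cookie.path = val or "/"
        elif key == "expires":
            cookie.expires = val
        elif key == "secure":
            cookie.secure = True
    return cookie

def is_first_party(cookie: Cookie, page_url: str) -> bool:
    """True iff the page the user navigated to lies inside the cookie's
    domain; a banner from ad.doubleclick.net on another site fails this."""
    page_host = (urlsplit(page_url).hostname or "").lower()
    return host_in_domain(page_host, cookie.domain)

def filter_cookies(page_url: str, responses: List[Tuple[str, List[str]]]
                   ) -> Tuple[List[Cookie], List[Cookie]]:
    """Sort every Set-Cookie seen while loading page_url into (accepted,
    rejected); prompting only on 'rejected' leaves one dialog per advertiser."""
    accepted, rejected = [], []
    for response_url, headers in responses:
        for header in headers:
            cookie = parse_set_cookie(header, response_url)
            target = accepted if is_first_party(cookie, page_url) else rejected
            target.append(cookie)
    return accepted, rejected

# Constructed sample: a news front page that embeds a banner served from
# ad.doubleclick.net; both responses carry Set-Cookie headers.
PAGE_URL = "http://www.news.example/front.html"
RESPONSES = [
    ("http://www.news.example/front.html",
     ["reader=abc123; path=/; expires=Wed, 09-Nov-99 23:12:40 GMT"]),
    ("http://ad.doubleclick.net/ad/news.example/banner.gif",
     ["id=c0ffee; domain=.doubleclick.net; path=/; "
      "expires=Wed, 09-Nov-99 23:12:40 GMT"]),
]
```

Calling filter_cookies(PAGE_URL, RESPONSES) accepts the reader cookie and rejects the persistent id cookie that ad.doubleclick.net tried to set for all of doubleclick.net.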


------------------------------

From: Ofer Langberg <rve_rvid@mail.netvision.net.il>
Date: 09 Jun 96 11:02:19 GMT
Subject: Re: All Calls are Logged 

    Crissie Trigger wrote: For those who are upset about caller I.D., I
    have been informed by several private investigators that every
    telephone call, local as well as long distance made through a
    typical phone company is registered on a computer as to the number
    of the caller and callee, date & time of the call, and the length
    of the call.  Big brother isn't always listening, but he can
    usually go back and check the records.

That's true in most cases, but there are ways to circumvent this
feature, usually by transferring the call through an analogue phone
directory (they still exist in some countries...), and so if someone
really wants to hide his/her identity it's possible.

 -------------------------------------
Ofer Langberg CPA(ISR) CISA
Raveh - Ravid & Co. 
P.O.B. 33538 Tel-Aviv,61334,ISRAEL
Tel:973-3-6963267 Fax:972-3-6963260
<rve_rvid@mail.netvision.net.il>
Date: 06/09/96
Time: 10:37:46
 -------------------------------------


------------------------------

From: kfl@access.digex.net (Keith F. Lynch)
Date: 09 Jun 1996 11:13:21 -0400
Subject: Re: Fingerprint Technology
Organization: Express Access Public Access UNIX, Greenbelt, Maryland USA
References: <comp-privacy8.46.4@cs.uwm.edu>

    CrazySexyCool DC <hans4648@tao.sosc.osshe.edu> wrote: Is there a
    way to alter/change your fingerprints easily?

From David Fisher's _Hard Evidence_:

  In 1941, a criminal named Roscoe James Pitts gained a painful place
  in sci-crime history by having the skin surgically removed from his
  fingertips, which were then sewn onto his chest until they healed.
  That actually worked.  Pitts' fingertips had no ridge pattern; he had
  successfully destroyed his fingerprints.  But unfortunately for him,
  both his original print card, as well as the prints taken when he was
  arrested, included portions of the ridges just below the first joint,
  allowing him to be positively identified by a comparison of the
  ridges in the middle of his fingers.

  No criminal has ever escaped prosecution by obliterating his
  fingerprints, although they continue to try.

  In 1990 Miami police arrested a suspect in a drug case whose prints
  were severely scarred.  Latent-print experts soon discovered that the
  suspect had actually sliced his fingerprints into small pieces and
  transplanted those pieces onto other fingers.  His fingertips had
  healed, leaving him with new prints in which broken ridges ran in all
  different directions, making it impossible to link him to previous
  crimes by comparing his prints.

  Or so he thought.  Latent-print specialist Tommy Moorefield was
  intrigued by the problem.  He cut photographs of these prints into
  small pieces and began trying to fit these ridge patterns together;
  it was literally a human jigsaw puzzle.  Nights and weekends, working
  at home and in his spare time in the office, Moorefield painstakingly
  restored small sections of several prints to their original pattern,
  until specialists in the Technical Section [of the FBI] were able to
  match them to those of a fugitive convicted in another major drug
  case.  That comparison led directly to the man's conviction.  

--
Keith Lynch, kfl@access.digex.net http://www.access.digex.net/~kfl/


------------------------------

From: lihou@ms2.hinet.net (Lee)
Date: 13 Jun 1996 08:11:16 GMT
Subject: Are Keyboard Recorders Legal?
Organization: DCI HiNet

Today I received the following junk mail message.  Is the use of such
software by employers (and others) legal? For instance, monitoring if
employees play games during office hours, etc.  If I remember right,
similar software ("virus") that records online shoppers' credit card
numbers was created by DigiCash to prove the unreliability of some
online payment software.

--
Sean
Taipei

PS. In order not to advertise their products, I cut their contact nos.
If somebody wants these, mail me.

Cut Message - - <Begin>
" Is your computer being monitored by someone else?
 Is someone using your computer without your knowledge?
 Is your mate chatting online with someone else?
 Are your children chatting online with the wrong crowd?

 Now, you can monitor your computer with my private collection of
 keyboard recorders from around the world.
 Also known as: Keyboard Grabber, Keyboard Key Logger, Keyboard Monitor.

PURPOSE: Captures keystrokes and sends & saves them to a hidden file.
         Now you can keep a record of any keyboard activity on your
         computer. Monitor your computer at home or office.

 My private collection of keyboard recorders is yours for only $9.95.

You will receive 19 different programs on a 3 1/2 disk."

For Dos,Windows,and Mac's.(some come with actual source codes)
You'll get:Keycopy,Keyfake,Keyread,Keytrap,Keyrec,Keylogwn(Windows),
           Hackkey,Bagkeys,Getit,Playback,Robokey,Record,Encore,
           Kcap10,Ptm229N,Qwertman,GKG,Depl,Maclife(Mac).
Cut Message - - <End>


------------------------------

From: bdonovan@gtn.net (Donovan, Bill)
Date: 13 Jun 96 09:21:26 GMT
Subject: Re: Air Force Sergeant Jailed in e-Mail Case
References: <comp-privacy8.46.7@cs.uwm.edu>

    [Note from Matthew Gaylor: I find it ironic that while our military
    is sworn to uphold and defend the US constitution, the military
    brass is busy eliminating personal freedoms enjoyed by our troops.
    I'd advise my military subscribers to Freematt's Alerts to get a
    private IP for Email and other net use.] [...] As a result, an Air
    Force master sergeant will spend the next three months in jail for
    using his office computer to exchange sexually explicit stories,
    jokes and comments with other consenting adults.

While I believe strongly in personal privacy for email, my position on
use of corporate/government accounts and equipment would be that
everything is up for grabs, and that only the corporation has a right
to privacy.  These are *not* personal accounts.  I would even extend
this principle to listening in on phone conversations made through
company phones.  (I don't agree with video cameras monitoring staff,
though.)

Re the severity of the penalty?  Yikes!  Unless there was a
pre-existing policy, I would have issued a "cease and desist" order, or
at most, yanked the account privileges.

I reiterate your recommendation that people get a private IP account
for private email and other net use.

That's my two cents; and now, I have to get back to work.  And, um...
this in no way represents the views of GTN Communications Corp.   :)

--
Bill Donovan


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 14 Jun 1996 08:54:30 -0500 (CDT)
Subject: Key Escrow in France and Britain [long]
Organization: University of Wisconsin-Milwaukee

Taken from CPSR-GLOBAL Digest 393

  1) British and French/ Clipper-like key escrow plans (@)
	by Andy Oram <andyo@ora.com> 
	(by way of marsha-w@uiuc.edu (Marsha Woodbury))

 -----

    From: Andy Oram <andyo@ora.com> 
	(by way of marsha-w@uiuc.edu (Marsha Woodbury))
    Date: 13 Jun 1996 15:29:48 -0500
    To: cpsr-global@cpsr.org
    Subject: British and French/ Clipper-like key escrow plans (@)

Sender: Andy Oram <andyo@ora.com>

At almost exactly the same moment, the French parliament and British
government have announced key escrow programs.  This comes just as a
scandal emerges in the U.S. over the improper release of FBI files
concerning prominent Republicans to the White House, demonstrating once
again why the government cannot be trusted to keep confidential
information about citizens.  We are indebted to two journalists for the
following reports: T. Bruce Tober for Britain and Jerome Thorel for
France.  These are also on the cyber-rights FTP site.  Let me know if
you'd like to see the full press release on the British situation, or
an article by Tober.

Andy

 ----------------------------------------------------------------

DTI Press Release 
P/96/430 10 June 1996

GOVERNMENT SETS OUT PROPOSALS FOR ENCRYPTION ON PUBLIC
TELECOMMUNICATIONS NETWORKS

To meet the growing demands to safeguard the integrity and
confidentiality of information sent electronically over the public
telecommunications networks, the Government has today published a paper
on the provision of encryption services.

These services cover the digital signature (an electronic equivalent of
a hand-written signature) of electronic documents and the protection of
the accuracy and the privacy of their contents. In recognition of the
need to set the right balance between commercial and personal
confidentiality and the continuing ability of the law enforcement
agencies to fight serious crime and terrorism, the Government proposes
to introduce the licensing of Trusted Third Parties (TTPs) to provide
such services.

Licensed TTPs are the way to offer encryption services to the public.
Ultimately, it is for organisations or individuals to consider whether
or not the benefits of such licensing will outweigh any existing
arrangements that they have.

In a written answer to a parliamentary question from Peter Luff MP
(Worcester), Science and Technology Minister Ian Taylor said:

"Following the discussion between Departments to which I referred in
my replies to the hon Member for Brigg and Cleethorpes of 6 March,
Official Report column 229 and 25 March, Official Report column 411, I
am today publishing a paper outlining the Government's policy on the
provision of encryption services on public networks. Copies of the
paper are available in the library of both Houses.

"The Government aims to facilitate the development of electronic
commerce on the emerging global information infrastructure. This is of
significant importance in maintaining the UK's competitiveness and is a
component of the Department's Information Society Initiative.  There is
a growing demand for encryption services to safeguard the integrity and
confidentiality of electronic information transmitted on public
telecommunications networks. The Government therefore proposes to make
arrangements for licensing Trusted Third Parties (TTPs) who would
provide such services. These TTPs would offer digital signature, data
integrity and retrieval, key management and other services for which
there is a commercial demand. The licensing policy will aim to protect
consumers as well as to preserve the ability of the intelligence and
law enforcement agencies to fight serious crime and terrorism by
establishing procedures for disclosure to them of the encryption keys,
under safeguards similar to those which already exist for warranted
interception under the Interception of Communications Act.

"Officials within my department have held preliminary discussions with
industry groups on the concepts set out in the paper. The Government
intends to bring forward proposals for legislation following
consultation by DTI on detailed policy proposals."

(Details deleted--Andy)

--
| Bruce Tober - octobersdad@reporters.net - Birmingham, England            |
| pgp key ID 0x9E014CE9. For CV/Resume:http://pollux.com/authors/tober.htm |
| For CV/Resume and Clips: http://nwsmait.intermarket.com/nmfwc/tbt        |

 --------------------

netizen's --> Lambda Bulletin 2.08 <-- contents

French Telco Act puts the Internet in leash
+ New rules regulating Internet content
+ First key-escrow encryption rules

As the Communications Decency Act was declared unconstitutional
yesterday, June 12, the French Parliament (Senate and Assembly) passed
a kind of Telco Act a la francaise last week, June 7. This law, aimed
at providing new regulations for the telecommunications market
(including the end of the telephone monopoly in 1998), stresses two
interesting points for Internet users: 1) a kind of CDA amendment was
introduced en force in the Senate on Wednesday, June 5, just two days
before it was voted Friday, at 3 in the morning. 2) the law establishes
the first ever key escrow encryption rules created in industrialised
countries. It will create trusted third parties (TTPs), private
companies that would keep encryption keys in custody for law
enforcement purposes. It turns out that before the vote of the law,
French military circles had already chosen which firms would be well
suited to be TTPs: Alcatel, Sagem and Bertin. All of them are well
connected to the French military complex, and are all big defense
contractors.

The amendment number 200 in the Loi sur la Reglementation des
Telecommunications (LRT) was sponsored by French Senator Larcher and
introduced by French telecom minister Francois Fillon. At first
glance, it depenalizes Internet Access Providers for the content of
text, images and documents that they transmit. But there is an
IF. The condition stresses that they must conform to future
recommendations that will be established by a French government
council: the Comite Superieur de la Telematique. Created in February
1993, the CST has a mission of regulation of Minitel services (text and
voice based services), through a professional code of ethics. The CST
will no longer depend upon the French telecom ministry, but will be
placed under the tutelage of another famous regulation watchdog: the
CSA (A for audiovisuel - a kind of French FCC), aimed at regulating
radio and TV broadcasts.

The law makes clear that if IAPs don't respond to "black" lists of
Internet sites or newsgroups (in cases where these sites may be in
opposition to French law), the IAP will be held responsible for what it
is carrying. These lists will be set up by the CST. Internet
organisations and professionals are scheduled to be members of the new
CST -- today, in its "Minitel" form, it has 20 members: magistrates,
ministry officials, France Telecom representatives, Minitel providers,
family and consumer organisations...

So, the French amendment smells like the CDA, with the introduction of
a so-called representative body. In the U.S. the IAP or ISP must control
its content. In France this is a centralised body that will do the job.
It feels that the French succeeded in what some in the US dreamt: to
give the FCC the power to rate sites or content on the Internet. The
French State, once again, plays the Big Mother (mother = the
Republic) game with a huge sense of precipitation.

Furthermore, the law broke in great haste -- and mess. Because before
the amendment 200, telecom minister Fillon established an
interministerial commission to work on guidelines and recommendations to
enforce French law on the Internet. It came after a Jewish organisation
sued IAPs for transmitting neo-nazi propaganda; and early in May, when
2 IAP directors were arrested for one day, and convicted, for
transmission of pedophile pictures.

The mess comes about because Fillon didn't wait for the
Commission: it was scheduled to publish a report on its work around
June 15.  Another mess concerns French pro-users organizations. The
newly created French Chapter of the Internet Society (ISOC-France)
decided, apparently with the government commission's consent, to
organize a mailing list consultation on the issue.  Another group, the
AUI (Association of Internet users), published a report this week about
ethics, Internet content selection, and so on. Both organizations were
openly ignored by Fillon. He did this even after saying during various
interviews that the problem of IAP legal responsibility on the Internet
will be the result of a "broad consensus".

It turns out, however, that a small pressure group of IAPs (the AFPI)
were consulted Monday, June 2, and had the opportunity to read the
amendment before its final review in the Senate. The IAPs are quite
satisfied now, because they didn't want to be treated as "pedophiles"
and "neo-nazi" anymore. But they will have to adopt the CST
guidelines.

During my personal inquiry of the CST last year, I found some clues to
understanding how the CST has been working at regulating Minitel
services.  The CST has a surveillance assignment on the Minitel market
(to ensure that each provider follows deontology principles written in
his contract with France Télécom). But surveillance operations are
not organized by the CST, but by a small army of France Telecom spook
agents in Bordeaux: they are 5 to 8 people regulating hundreds of
thousands of services! It is no surprise to learn that France Telecom
regularly intervenes in this choice, and that France Telecom itself is
a big Minitel provider, through a lot of business affiliates. It turns
out that these spook agents are infiltrating private discussions in
adult-oriented forums to check for indecent speech (which may be
sanctioned by the CST). Here is what here in France we have inherited
to regulate the Internet!

The second important point of this Telco Act concerns encryption.
France was already the first country in the OECD to forbid an
individual to use any crypto system not approved by the French
authorities (ie, the military).  Thus, PGP-like software was, de
facto, forbidden. The new law introduces the first key-escrow
regulation. It frees cryptography use ONLY for digital signature; but
to ensure privacy of email messages, however, the liberation of use is
under condition: to give encryption keys to a so-called TTP. Some
confidential reports in the press said that one or three private
companies are already on the list to serve as TTPs for the French
government. The first is Bertin & Co., an engineering company that has
some competence in cryptography, and the others seem to be
Alcatel-Alsthom (a big industrial conglomerate in telecommunications,
defense and public-works engineering), and Sagem, another telecom
conglomerate. It seems clear that all of these companies were chosen
according to their defense expertise and good relations with the
French military. The mess is that these choices, if confirmed, have
been made before the vote on the law, and even before "applications
decrees" were published (they may be prepared this summer).

France has no NSA. But some big ideas. (During the oil crisis in the
70's, a government commercial stated : "In France we have no oil. But
we have good ideas".)

--
Jerome Thorel <jt@freenix.fr>


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 11 Jun 1996 09:14:50 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
 .UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions considered as personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy;
publications using CPD material should obtain permission from the
contributors.  

Contributions generally are acknowledged within 24 hours of
submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it
easier for the reader to follow a discussion.  He will not, however,
alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Web:           gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V8 #047
******************************