Date: Thu, 07 May 92 16:14:29 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V1#015

Computer Privacy Digest Thu, 07 May 92              Volume 1 : Issue: 015

Today's Topics:
    Moderator: Dennis G. Rears

    SSN's from AT&T
    Cordless phones
    Re: Cordless phones
    Re: Cordless Phones
    Re: Cordless phones
    Free TRW Reports
    Re: Is e-mail private?
    Re: FBI Interest in Mailing Lists

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy. The digest is moderated and gatewayed into the
USENET newsgroup comp.society.privacy (Moderated). Submissions should be
sent to comp-privacy@pica.army.mil and administrative requests to
comp-privacy-request@pica.army.mil. Back issues are available via
anonymous ftp on ftp.pica.army.mil [129.139.160.200].

----------------------------------------------------------------------

Date: Wed, 6 May 92 18:09 EDT
From: michael.scott.baldwin@att.com
Subject: SSN's from AT&T

>I just got this bounce message from a machine at AT&T having responded to
>a message someone sent to comp.compilers. It appears that their mailer
>uses employees' SSNs as the internal account ID and thoughtfully blats
>the SSN on any mail bounce message. The original message had a different
>return address in the text at the end, so we'll see if that works better.

*I* wrote that code! The Usenet access machines at AT&T do use SSN as a
key into the corporate database to route e-mail; the database has each
employee's current e-mail address (and phone, FAX, room, etc), so the
Usenet machines look it up each time rather than maintain their own copy.
In any case, the SSN does *not* show up on *any* bounce. This only
happens if the person left the company and their Usenet login hasn't been
removed yet. Theoretically, this shouldn't happen, but it does. I suppose
it would be nice if it didn't send back the SSN in this rare case.
I am not maintaining that code anymore, so it's up to the current Usenet
administration group (postmaster@cbnews.att.com).

PS. Dennis--you forgot to X-out one occurrence of the SSN!

>Doesn't AT&T have privacy guidelines?

Yes, we aren't supposed to divulge things like SSN for employees unless
there's a need-to-know. I could really weasel and point out that, since
the only time the SSN is revealed is when the person leaves the company,
it doesn't violate the guidelines (they aren't employees anymore)!

Actually, that guideline was put in place partly because of me; my group
provides the on-line corporate directory referenced above, and we used to
give out anyone's SSN to anyone that wanted it. I wrote the code, and I
didn't bother putting a restriction in (not because I forgot; I knew what
I was doing). Some people got annoyed, so they wrote the rule; I then
changed our software to conform.

We still allow anyone to update the directory info for anyone else (no
rule against it). We do keep track of where the updates come from--this
has been useful in the very few times there were malicious updates, and
we've been doing this for years. You can get quite a bit of info from
networks these days (yay Caller-ID) and some people were quite surprised
we traced them. I think this is better than some pre-authorization scheme.

I will admit that I think along the lines of Higdon and I consider much
of the privacy paranoia unwarranted, especially when it comes to
Caller-ID and SSN's. I believe in giving as much information out as
possible in as many ways as possible (after all, I work on an on-line
directory!). These capabilities are much more often used for legitimate
purposes than nefarious ones. E.g., mapping number to name is useful when
I have a "call me" note with a legible number but illegible name. Yes,
people do abuse things, but like John said, not much stops you from
running over 10 people with your car. It just happened in NYC not too
long ago.
These are the risks I am willing to take.

Signed (please Dennis, do *not* X this one out--it's mine),
ssn=215-80-8110@att.com

------------------------------

From: Charlie Mingo
Date: Wed, 06 May 1992 23:59:30 -0500
Subject: Cordless phones

"Robert L. McMillin" writes:

> Skipper Smith writes:
>
>> For those people who are paranoid about people snooping in on their
>> cordless phone calls but don't want to be tied down to a corded phone,
>> Motorola started producing (about three months ago or so) a cordless
>> phone with a simple coding of the signal. I don't know what type of
>> coding it is, but it will definitely stop the casual snooper (kind of
>> like a lock on the door). Since the coding scheme is public knowledge,
>> it won't stop anyone who is really serious. For those people who are
>> REALLY paranoid, you will have to wait for the next version :-).
>
> The phones in question, according to the folk who write in TELECOM
> Digest (Usenet: comp.dcom.telecom), are not really encoded at all, but
> are digital, thus preventing reception by people listening in on
> scanners or other brands of cordless phones.

Uhhh, perhaps you had better go back and reread the Digest. The Motorola
phones are analog, with a form of frequency inversion to deter casual
snooping. The frequencies are not approved for digital use, and digital
would cost quite a bit to implement.

For those of you without Digest access, I am providing the following
excerpt. (A subsequent poster confirmed that analog inversion was being
used, with the clear signal being subtracted from 3000 Hz to produce the
coded signal.)

------------------------------

Organization: Motorola Inc., Cellular Infrastructure Group

[...]

The Motorola cordless phones feature "SecureClear" (TM), which provides
privacy and corded phone quality.

Technically, the phone uses the exact same ten channels that all other
cordless phones use.
As these channels are approved for analog transmission only, the voice
transmission is not digital. There is a communications link between the
microprocessors in the base and the handset that is used for signalling
(ring, dialed digits, channel changes, authentication, etc.), but the
voice link is analog.

My understanding is that the encryption method used is a type of analog
frequency inversion. While not being secure enough for DoD usage, it does
prevent the casual scanner buff or other cordless phone users from
listening in. I've heard that it may be possible to build a decoder, but
that would require some extra effort on the eavesdropper's part.

Until spectrum space is made available for commercial digital cordless,
we won't be able to buy phones that are secure enough for the DoD. But
for now, the Motorola phones at least keep the neighborhood kid with a
scanner from understanding your conversations.

[...]

------------------------------

From: Phil Stracchino
Subject: Re: Cordless phones
Date: Thu, 7 May 1992 04:03:33 GMT
Apparently-To: comp-society-privacy@uunet.uu.net

A while back, Craig DeForest wrote:

] >>But, if you want privacy, you *don't* shout so that everyone within ten
] >>miles can hear it. If you want privacy, you don't broadcast your conversation.
] >>If people don't want me to hear their conversation, they ought not to
] >>be shooting photons at me!

I've watched with amazement as this particular debate has gone back and
forth, and frankly I can only say that this argument is totally fatuous.
Merely the fact that someone is using a cordless phone and
unintentionally broadcasting their conversation does not _compel_ anyone
with the capability to listen in to do so.

To give an analogy:

He who glances out of his window one night and happens, by chance, to
observe the attractive young woman who lives in the building opposite in
the process of undressing, is merely fortunate.
He who buys a telescope and scans the windows of the building opposite in
the hope of observing some attractive young woman undressing, is a
Peeping Tom.

'Nuff said?

--
The Renaissance Man | "Pack your bags full of guns and ammunition
Alaric of Dare      |  Bill's come due for the Industrial Revolution
alaric@sti.com      |  Scorch the Earth 'till the Earth surrenders...."
phils@sti.com       |  -- Midnight Oil

------------------------------

Date: Thu, 7 May 92 11:31:26 EDT
From: Anthony Rzepela
Subject: Re: Cordless Phones

In , John Higdon, {john@zygot.ati.com}, writes:

>so I ask about this "privacy in general" issue:
>please cite some case histories of genuine and undeserved harm that an
>innocent citizen has experienced as a result of computerized
>information gathering.

>I am [..deleted..], and am actively
>involved in the matter of technical consultations for criminal matters.
>Many, many people have my SSN. Can someone find out things about me?
>You bet. And so what? You would think by now, at least SOME of this
>much discussed evil would have befallen me, no?

This view, I hope, speaks for itself: Another law-and-order type wearing
his conformity like a medal, reminding us that these neat, new methods
only catch "bad guys", so keep your nose clean, and there won't be any
trouble....

I am very, VERY curious as to just what kinds of harm Mr. Higdon thinks
ARE deserved, outside of those delivered before a judge and jury....

This is not a law-morals forum, however, and I agree with Mr. Higdon that
postings in the CORDLESS PHONES thread is getting bogged down in endless
"what ifs", but still, no one is touching on three very basic
privacy-tech issues:

1. Ideological models seem to be based mostly on "what anyone can see",
yet technology is rapidly expanding that realm. Views on what constitutes
"what anyone can see" have NOT kept up with technology. The Supreme Court
has stated that info gathered via a helicopter flying over someone's
backyard does not constitute unlawful search.
Heat-seeking technology can tell when someone is in a house and pretty
much the nature of their activities. Our gov't has not responded to
protect its citizens from the intrusion of new, sophisticated
information-gathering techniques. End result: as technology gets smarter
and more sensitive, even our body heat enters the realm of what we are
broadcasting "for all to see", so any model of privacy bounds that refers
to that concept spells doom for the individual.

2. Rulings from FCC/S.Court/Congress are NOT moral guideposts. Does
anyone think laws and regulations come from some vacuum, or more likely
go through the famous "sausage" process? Protections for microwave
transmission protect the carriers' income, and little else. I wish some
of these libertarian types who keep belittling consumers and citizens
concerned with the intrusions inherent in the consumer's "choice" of
media would adopt the same condescending attitude towards HBO when it
tries to avoid the inherent costs of its choice of media. Instead, the
FBI is enlisted to protect Time-Warner's income from would-be video
pirates.

3. "Freedom of Choice" and $$$. We are losing our choice of delivery
method for more and more vital services every day. Furthermore, in those
arenas where choice will remain available, the cost of the 'secure'
methods will grow to be prohibitive. The view that one can reasonably
expect privacy only when protected by an electronic and brick fortress
will not work in a society where the costs of these things restrict
availability to precious few citizens.

+----------------------------------------------------------------------+
| Anthony J. Rzepela                     rzepela@cvi.hahnemann.edu     |
| Resource Mgr, CVI Computer Center      (215) 448-7741                |
+------------------------------+---------------------------------------+
| Mail Stop 110                |                                       |
| Hahnemann University         |                                       |
| Broad & Vine Sts.            |                                       |
| Philadelphia, PA 19102       |                                       |
+------------------------------+---------------------------------------+

"I can't stop thinking about Tony...wondering where he is, what he is
doing, who he is with, what is he thinking, is he thinking of me, and if
he'll ever return some day."

------------------------------

From: mark@SSD.intel.com (Mark Rogers)
Subject: Re: Cordless phones
Date: Thu, 7 May 1992 18:25:31 GMT

In article , skipper@motaus.sps.mot.com (Skipper Smith) writes:
|> In article ugtalbot@KING.MCS.DREXEL.EDU (George Talbot) writes:
|> >Craig DeForest writes:
|> >>But, if you want privacy, you *don't* shout so that everyone within ten
|> >>miles can hear it. If you want privacy, you don't broadcast your conversation.
|> >
|> >>If people don't want me to hear their conversation, they ought not to
|> >>be shooting photons at me!
|> >
|> > I don't think that I agree with you. I have a cordless phone.
|> >The major use I have it for is so that I can sit outside of my
|> >apartment and still use the phone on a nice day. The regular phone
|> >wire will not reach, and consequently I would have to sit inside to use
|> >the phone. You seem to be of the opinion that if my conversation is
|> >transmitted over copper wire, then I have a right to privacy, but if
|> >it's transmitted over the air, then I don't.
|> >[...]
|> >
|> >George T. Talbot
|> >ugtalbot@mcs.drexel.edu
|>
|> For those people who are paranoid about people snooping in on their cordless
|> phone calls but don't want to be tied down to a corded phone, Motorola started
|> producing (about three months ago or so) a cordless phone with a simple
|> coding of the signal. I don't know what type of coding it is, but it will
|> definitely stop the casual snooper (kind of like a lock on the door). Since
|> the coding scheme is public knowledge, it won't stop anyone who is really
|> serious. For those people who are REALLY paranoid, you will have to wait for
|> the next version :-).
|>
|> Since the phones are produced by a different segment, I am afraid that I don't
|> know where they are sold or who they are sold by.
|>
|>
|> --

I recently bought one of the Motorola Cordless Phones you describe. Sears
has them. It's the 4th cordless phone I've bought in the last 2 years. It
is by far the best as far as range that I can imagine. The previous three
were, Sony, ATT Freedom, and by far the worst was the Southwestern Bell
one.

The scrambling you describe sounds like Darth Vader at 78RPM. The phone
has a demo button on it. By pushing this button, the listener can hear
what the scrambled conversation would sound like to someone else on the
channel.

Mark Rogers
mark@ssd.intel.com
1-800-421-2823
FAX: (503)629-9147

------------------------------

From: Adrienne Voorhis
Subject: Free TRW Reports
Date: Wed, 6 May 92 20:03:18 EDT

A few months ago, when I first heard that TRW was allowing people to get
a free TRW report on him or herself, I sent in a request. I made sure to
accurately give them info such as my SSN, my last two home addresses,
etc. After waiting a few weeks, I got my reply. It was a report simply
stating that there is no credit history for "Robert Boorhis." The problem
was my last name was Voorhis. They couldn't even get my name right for
the search, and didn't think to double check with all the other
information I sent them! (To be fair, I sent them another request and
they did get it right that time.)

I understand that TRW is offering this service to defend against
criticisms about the level of accuracy of the information they supply, by
at least allowing the person being reported to check out the information
once a year for inaccuracies, without having to pay for the privilege.
But if they can't even get my name right on a record search about me, I
have to wonder how good a job they are doing reporting all our credit
histories in general.

Bob Voorhis
c/o voorhis@aecom.yu.edu
Albert Einstein College of Medicine
"These are just my opinions."
--

------------------------------

Date: Wed, 6 May 92 21:32:02 EDT
From: Brinton Cooper
cc: comp-privacy@PICA.ARMY.MIL
Subject: Re: Is e-mail private?

It depends upon who owns the computer hosting your electronic mailbox. I
believe (and others can probably cite chapter and verse) that, if your
mailbox is hosted on your employer's machine, the employer's ownership
gives him/her authority to have access to any files you keep on the
machine. This is certainly true for all levels of government and for
machines owned by private companies. It may, by inference, apply to
universities, etc.

The rules are probably different for bbs e-mail systems, "public access"
Unix systems for which you pay a fee, Compuserve, Tymnet, etc.

All this has been discussed in another forum somewhere. It has to do with
whether there is a "common carrier" involved. In most cases, I think it
probably is not.

_Brint

[Moderator's Note: There is one problem with that. If the computer is
accessible to outside networks what about the privacy of the sender.
Example: My fiance sends me mail from XXX@compuserve.com. to
drears@brl.mil. While I don't have any expectation of privacy does she?
Sure the owner of the equipment owns the media but do they own the
information on it? To add another bit to it. What if she copyrights her
mail to me. _Dennis]

------------------------------

From: samsung!ulowell!willow.ulowell.edu!welchb@uunet.uu.net
Subject: Re: FBI Interest in Mailing Lists
Date: Thu, 7 May 1992 15:14:14 GMT
Apparently-To: ulowell!uunet!comp-society-privacy

I just got some mail (obviously from a mailing list) for my father, who
has been dead for 14 years; it was from a political party he was never
associated with. I think we may have the FBI involved in some witch hunts
again, if they buy stuff like this.

--
Brendan Welch, UMass/Lowell, W1LPG, welchb@woods.ulowell.edu

------------------------------

End of Computer Privacy Digest V1 #015
******************************
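
Added example, not part of the digest or of any poster's message: the cordless-phone posts above describe analog frequency inversion, with the clear signal subtracted from 3000 Hz. This Python sketch models that with a textbook mixer and low-pass filter (an assumption, not Motorola's circuit; the 16 kHz sample rate, filter length and function names are chosen here) and shows that the transform has no key and undoes itself when applied twice, which is why the posters rate it as a deterrent to casual listening only.

```python
import math

FS = 16000        # sample rate in Hz (assumed; keeps every mixer product below Nyquist)
CARRIER = 3000.0  # inversion frequency quoted in the digest

def tone(freq_hz, n=800, fs=FS):
    """Constructed test input: a pure sine standing in for one voice component."""
    return [math.sin(2 * math.pi * freq_hz * i / fs) for i in range(n)]

def lowpass(samples, cutoff_hz, fs=FS, taps=101):
    """Hamming-windowed sinc FIR, aligned so the output has no added delay."""
    mid, fc = taps // 2, cutoff_hz / fs
    h = []
    for k in range(taps):
        x = k - mid
        ideal = 2 * fc if x == 0 else math.sin(2 * math.pi * fc * x) / (math.pi * x)
        h.append(ideal * (0.54 - 0.46 * math.cos(2 * math.pi * k / (taps - 1))))
    gain, n = sum(h), len(samples)
    return [sum(h[k] * samples[i + mid - k] for k in range(taps)
                if 0 <= i + mid - k < n) / gain for i in range(n)]

def invert(samples, carrier_hz=CARRIER, fs=FS):
    """Mix with the carrier (f becomes carrier-f and carrier+f), keep the lower product."""
    mixed = [2 * s * math.cos(2 * math.pi * carrier_hz * i / fs)
             for i, s in enumerate(samples)]
    return lowpass(mixed, carrier_hz, fs)

def dominant_hz(samples, fs=FS, step=100):
    """Strongest frequency on a 100 Hz grid, by direct DFT power."""
    def power(f):
        w = 2 * math.pi * f / fs
        re = sum(s * math.cos(w * i) for i, s in enumerate(samples))
        im = sum(s * math.sin(w * i) for i, s in enumerate(samples))
        return re * re + im * im
    return max(range(step, fs // 2, step), key=power)

def inversion_map(freqs):
    """Where each clear tone lands after one pass through the scrambler."""
    return {f: dominant_hz(invert(tone(f))) for f in freqs}

if __name__ == "__main__":
    print(inversion_map([400, 700, 2000]))   # each tone f moves to 3000 - f
    clear = tone(700)
    restored = invert(invert(clear))         # same keyless transform, applied twice
    print(dominant_hz(restored))
```

Because the only parameter is the published inversion frequency, secrecy rests entirely on a listener not owning a second mixer, which matches the "lock on the door" description in the thread.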