Date: Mon, 11 May 92 16:36:17 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V1#020

Computer Privacy Digest Mon, 11 May 92 Volume 1 : Issue: 020

Today's Topics:
Moderator: Dennis G. Rears

Re: TRW Reports
Re: E-mail privacy should be independent of carrier.
Re: E-mail privacy should be independent of carrier.
Re: is email private?
Re: Personal Info. Privacy and companies
Re: Cordless Phones
Re: Cordless phones
Re: Cordless Phones
Re: Cordless phones

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.200].

----------------------------------------------------------------------

From: James Davies
Subject: Re: TRW Reports
Date: Sun, 10 May 92 04:42:06 GMT
Apparently-To:

In article zimmer@gw.wmich.edu writes:
>
>Montgomery Wards, when successfully soliciting business over the phone
>with you, does ask for private information you've previously supplied
>them to verify you are who they think you are.

It's been my experience that most organizations use the same piece of "private information" for verification -- your mother's maiden name. This is about as secure as using your social security number in some sense, in that someone who cared could easily find it out with a little research. AT&T asked for this when I called their Universal Card 800 number with a change request last week.
I've been tempted to make up a different "mother's maiden name" for each organization that asks (including, in the past, various utility companies and banks), but I worry that I'll forget it and they won't have any way of resetting my "password" (after all, your mother's maiden name isn't supposed to change, right?).

------------------------------

Date: Sun, 10 May 92 21:10:45 EDT
From: Brinton Cooper
cc: Bob Weiner
Subject: Re: E-mail privacy should be independent of carrier.

Bob Weiner writes, in response to my posting on whether one has an expectation of privacy in e-mail:

> The ignorance that yields this kind of widespread corporate view on
> information privacy comes from a biased analysis that asks only "What
> can we do with this technology?" not "What should we do, given what we
> know we can do?"

The poster's question was whether there IS an expectation of privacy, not whether there SHOULD BE. I addressed this question and did not state my position on its correctness. I believe that, taken to the presently-constituted Supreme Court, the "corporate view" would prevail. (Incidentally, I do not hold corporate views. I have no connection with any corporations.)

> No such right has been widely recognized in our electronic mediums
> such as e-mail within a private network, even though it should be easy
> to recognize the direct parallels to both paper mail and telephony. A
> call that goes from one extension of a PBX to another of its
> extensions never passes through any "common carrier" network, yet I am
> fairly certain, it is protected in the same way, because we recognize
> that there is more to the issue at stake than just the status of the
> carrier that transfers the signals.

We may recognize it, but the machines' owners may not. In any case, the machines' owners can, in fact, get access to any file on the machine. Do you expect an employee to obtain a federal court injunction denying a machine's owners access?
> So answers to issues of privacy that we can socially tolerate are not
> to be found in asking questions such as "whose equipment was involved"
> but only in "who were the conversants," "what was the conversation
> on," "in what capacity was the conversation held," etc.

I rather like the concept embodied in the last three "questions," but I believe that, in the present climate, they represent only wishful thinking.

_Brint

------------------------------

From: Steve Barber
Subject: Re: E-mail privacy should be independent of carrier.
Date: Mon, 11 May 1992 01:35:10 GMT

In rsw@cs.brown.edu (Bob Weiner) writes:

>No such right has been widely recognized in our electronic mediums
>such as e-mail within a private network, even though it should be easy
>to recognize the direct parallels to both paper mail and telephony. A
>call that goes from one extension of a PBX to another of its
>extensions never passes through any "common carrier" network, yet I am
>fairly certain, it is protected in the same way, because we recognize
>that there is more to the issue at stake than just the status of the
>carrier that transfers the signals.

While I agree that "personal" communications made from the place of business ought to be private, when made by telephone they just aren't. Courts have ruled that companies may listen in to employee phone calls, since, after all, the company owns the PBX. Sigh.

Privacy activists (and workplace rights activists like 9to5) are busting their guts just to get companies to even *notify* employees about surveillance policies. Getting them to stop monitoring is a long way off.

Solution? Get a cellular phone and take it to work. Get one with a modem and jack into the internet via a public access host that ensures your privacy by contract or statute (i.e. the ECPA of 1986), from your own laptop. Ridiculous? Sure.

--
Steve Barber sbarber@panix.com
"The direct deed is the most meaningful reflection." - Bill Evans
The above is not legal advice.
It is, at best, a discussion of generalities. Consult your attorney before acting in a specific situation.

------------------------------

Date: Mon, 11 May 1992 10:13:01 EDT
From: Stacy Veeder
Subject: Re: is email private?

Some electronic mail is covered by the Electronic Communications Privacy Act of 1986 (ECPA). Specifically, 18 USC 2701 states:

(a) Offense.-- Except as provided in subsection (c) of this section whoever--
    (1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
    (2) intentionally exceeds an authorization to access that facility;
and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

[subsection b (punishment) omitted here--sbv]

(c) Exceptions.--Subsection (a) of this section does not apply with respect to conduct authorized--
    (1) by the person or entity providing a wire or electronic communications service;
    (2) by a user of that service with respect to a communication of or intended for that user; or
    (3) in section 2703, 2704 or 2518 of this title.

Section 2703 discusses requirements for governmental access, section 2704 provides for back-up preservation, and section 2518 describes the procedure necessary for obtaining a warrant to intercept electronic communications. Earlier sections of 18 USC provide similar protections for the interception of electronic communications while they are in transmission.

What all this means is that a nosy user is prohibited from reading another user's mail, but system owners, administrators and operators, properly authorized law-enforcement officials, etc., may carry out their duties unimpeded by this statute.

The law also distinguishes between public and private networks. In other words, mail sent by one MCI Mail/GEnie/etc.
user to another on the system is protected to a much greater extent than mail sent by one user to another on a private (e.g., corporate in-house) network. So, if you work for Company X and send mail to a colleague within the same company through your employer's system, you have no federal guarantee of privacy.

BUT- there are two buts here, actually...

The first is that the ECPA is a _minimum standard_. There exist approximately 200 _state_ statutes that carry privacy protections much further than the federal minimum. One of these states is California, where even the state constitution explicitly guarantees certain kinds of privacy. Roughly half a dozen lawsuits are currently pending, mostly in California, under these state statutes, and these cases introduce the second "but."

The ECPA does not explicitly address situations in which electronic communications that are carried over public networks originate on or are sent to private networks. Alana Shoars, who is suing Epson in the first test case of this kind of situation, was fired for mail she sent from her Epson computer (private) through a gateway to MCI Mail (public). (The lower court has dismissed the case on the grounds that the state statute she cited does not cover electronic mail, but she is appealing.) This class-action suit is remarkable only because it is the first. Other suits (mostly not class-action), none of which have yet been heard, as far as I know, describe similar circumstances. The outcome of these lawsuits will create the first case law on the subject.

Stacy B. Veeder
Bitnet: SBVEEDER@SUVM.BITNET
Internet: sbveeder@suvm.acs.syr.edu

DISCLAIMER: I may be married to a lawyer, but that doesn't make me one. I'm just a layman, not an attorney, and views expressed here should be regarded as legally useless.

------------------------------

From: Jacob DeGlopper
Subject: Re: Personal Info. Privacy and companies
Date: Mon, 11 May 92 15:22:39 GMT
Apparently-To: comp-society-privacy@uunet.uu.net

In a previous article, newhaven@leland.stanford.edu (Eric Sword) says:

>For both my personal interest, and as assistance for a presentation I am giving
>next week, I would be interested in hearing from people (specifically,
>companies that deal in large scale information transfer for profit) of the
>benefits to having so much information about an individual be public knowledge.
>
>For example, having your medical history encoded on your driver's license
>to assist paramedics in case you are in a car wreck.

A few thoughts on this...

It's not a bad idea. I don't routinely go digging through my patients' wallets, however. Although it might be justified, it leaves me open to yet another avenue of attack -- "they stole my money!" If there's a need to look in someone's wallet, usually the call is such that we have police on the scene as well, and I'll let them do it.

Currently, we have Medic Alert bracelets which can include a reference to a wallet card. Again, I don't like digging around to try to find that particular card. The bracelet can hold enough information to give you an idea of what the patient's significant previous medical history has been.

Inside a house, there's a program known as Vial of Life. (Usually) elderly patients will have a form filled out by their doctor with a history, current meds, and any comments in a vial in the freezer. It's easier to look in someone's freezer than wallet, and there's a sticker which goes on the outside of the freezer to indicate that there is a vial inside. I've used them a few times, although it's never made a life or death difference.
-- Jacob DeGlopper, EMT-A, Wheaton Volunteer Rescue Squad
-- CWRU Biomedical Engineering - jrd5@po.cwru.edu --

------------------------------

From: Ted Lemon
Subject: Re: Cordless Phones
Date: 11 May 92 17:14:58 GMT

>And even if you can [receive signals from a telco microwave], aren't
>those signals multiplexed in some fashion to make better use of the
>available bandwidth? Someone correct me if this impression is
>incorrect.

They're completely digital. The transmission standard is well documented and you can get it - if you were willing to spend a lot of money (perhaps ~$1 million for the first unit, and $20k thereafter), you could intercept such transmissions. This means that you and I really can't decode the signals, but Uncle Sam wouldn't have any trouble at all.

In the future, it will probably be possible to decode microwave transmissions even more cheaply, because more and more flexible equipment is becoming cheaper and cheaper - you can now buy a card for your IBM PC that's capable of talking to a Switch over a T1 connection as if it were also a Switch; decoding microwave transmissions is harder, but not that much harder.

_MelloN_

------------------------------

From: "Ehud Gavron 602-570-2000 x. 2546"
Subject: Re: Cordless phones
Date: 11 May 92 17:17:00 GMT
Reply-To: sunquest!Diamonds.ACES.COM!gavron@uunet.uu.net

In article , alaric@smurfsti.com (Phil Stracchino) writes...

#To give an analogy:
#
#He who glances out of his window one night and happens, by chance, to
#observe the attractive young woman who lives in the building opposite
#in the process of undressing, is merely fortunate.
#
#He who buys a telescope and scans the windows of the building opposite
#in the hope of observing some attractive young woman undressing, is a
#Peeping Tom.
#
#'Nuff said?

No, and not by a long shot.
He who puts a telescope within the confines of his property, who through looking out the glass of a closed window is able to spy an attractive young woman undressing (or a drug deal, or the neighbor's TV, or the neighbor beating his kids) is merely exercising his right to keep his eyes open, augmented or not.

#--
# The Renaissance Man | "Pack your bags full of guns and ammunition
# Alaric of Dare | Bill's come due for the Industrial Revolution
# alaric@sti.com | Scorch the Earth 'till the Earth surrenders...."
# phils@sti.com | -- Midnight Oil

Ehud

--
Ehud Gavron (EG76)
gavron@vesta.sunquest.com
This ASEXUAL PIG really BOILS my BLOOD... He's so..so.....URGENT!!

------------------------------

From: Ted Lemon
Subject: Re: Cordless Phones
Date: 11 May 92 17:32:29 GMT

>The only legitimate use of privacy is to protect secure information
>that can be used by competitors to gain a market advantage. Other
>than that, the only reason for privacy is to protect something that
>someone has to hide from the government or insurance companies.

Hm. I think you've missed an entire wide range of reasons to protect privacy. Privacy is a good way to protect yourself from the tyranny of the majority if you are in the minority. For example, gay couples in states where homosexuality is against the law must use their right to privacy to protect themselves - if the police could legally tap their phone to find out when they were planning on having a romantic evening, then they would have probable cause to step in and make an arrest.

Religion is another good reason for one to protect one's privacy. There are countless communities in the U.S. where, regardless of actual constitutional law, the fact that you are a Jew or an atheist (or, heaven forfend, a Pagan), can wind up costing you your ability to function in the community, and sometimes your job or even your life.

Privacy *is* important.
While it's impossible to prevent Joe Random Loser from listening in on your cellular phone conversations, establishing the legal precedent that such listening is an illegal invasion of privacy means that if the information obtained in that way is openly used against you, you have grounds for both a lawsuit and for the dismissal of any charges that may be made against you. If there is no such precedent, then there are no grounds for either a civil suit or the dismissal of any resulting charges.

Laws don't always have to be generally enforceable to be useful.

_MelloN_

------------------------------

From: Mike Percy
Subject: Re: Cordless phones
Date: Mon, 11 May 1992 17:33:27 GMT
Apparently-To: comp-society-privacy@uunet.uu.net

fitz@wang.com (Tom Fitzgerald) writes:

>alaric@smurfsti.com (Phil Stracchino) writes:

>> I've watched with amazement as this particular debate has gone back and
>> forth, and frankly I can only say that this argument is totally fatuous.
>> Merely the fact that someone is using a cordless phone and unintentionally
>> broadcasting their conversation does not _compel_ anyone with the capability
>> to listen in to do so.

>Of course it doesn't compel. But it doesn't prohibit, either. Or are
>you using the argument that "everything not mandatory is forbidden?"

>> He who buys a telescope and scans the windows of the building opposite
>> in the hope of observing some attractive young woman undressing, is a
>> Peeping Tom.

>Peeping-Tomism is _unethical_. And listening in on someone else's cordless
>phone conversation is tacky by any standard. But it is and will remain
>legal, because the invasion of privacy necessary to detect and prove
>listening is far worse than the invasion of privacy caused by the listening
>itself.
>Since the EM waves caused by your conversation pass through the
>inside of your neighbors' houses, and can be received without you being
>able to detect it, the only way to prove that your neighbors aren't
>listening in is to search their houses for receivers. A law against
>listening would give us a solution worse than the crime, to the limited
>extent that it's enforceable at all.

But - if the federal gvt decides that those EM waves are "owned" by private corporations, then you can and will be arrested for trying to receive them.

Veering from cordless phones somewhat...

A federal seizure operation was run in South Carolina (probably other areas too) last year. Busted were dealers and owners of "illegal" satellite TV receivers/decoders. I maintain that satellite TV broadcasters (HBO, etc.) who want to earn money off their broadcasts (using what should be considered a public resource - the EM spectrum and basic physics) then the onus should be on _them_ to protect their investments. I see two ways for them to do this:

1) provide enough goodies in a subscription that people would rather pay than "steal" (assumes a decent price too);
2) use adequate encryption techniques that render it much more difficult to "steal" signals than it currently is.

Currently they rely on encoding that is so simple to break (as evidenced by the huge number of "pirates") that it cannot be viably called encryption. Since this method is bound to fail, a backup plan is to use the might of the federal gvt to hassle its citizens.

I can understand a need for some sort of regulation (not necessarily by the gvt!) for broadcasting rights. But passive reception of EM signals should always be permitted, and once received, a person should be able to use them in any way he/she chooses.

[I don't have a satellite dish.]

Mike Percy | grimlok@hubcap.clemson.edu | I don't know about
Sr. Systems Analyst | mspercy@clemson.clemson.edu | your brain, but mine
Info. Sys. Development | mspercy@clemson.BITNET | is really...bossy.
Clemson University | (803) 656-3780 | (Laurie Anderson)

>---
>Tom Fitzgerald Wang Labs fitz@wang.com
>1-508-967-5278 Lowell MA, USA ...!uunet!wang!fitz

------------------------------

End of Computer Privacy Digest V1 #020
******************************