Date: Thu, 03 Dec 92 13:58:43 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@PICA.ARMY.MIL Subject: Computer Privacy Digest V1#106 Computer Privacy Digest Thu, 03 Dec 92 Volume 1 : Issue: 106 Today's Topics: Moderator: Dennis G. Rears Re: Phone Privacy: Call Records SSN and privacy Grocery Store "Lottos" Telephone Logs Re: Lucky Supermarkets copies social security numbers on to checks. moderator misinformation Akron BBS trial update! Fully automated speeding tickets Re: Re: Blockbuster announces plan to use data from video rentals Digital Licenses in NY State The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- Subject: Re: Phone Privacy: Call Records From: jms@carat.arizona.edu (A virtually vegetal non-entity) Date: 2 Dec 1992 15:06 MST Reply-To: jms@Arizona.EDU Organization: University of Arizona MIS Department - Mosaic Group In article , kguinn@diana.cair.du.edu (Kip J. Guinn) writes... > > Do phone companies keep records of local calls made from your telephone? >[Moderator's Note: They do not keep track of the local numbers you >call. This would be nice if it were true, but it isn't. Modern digital switches (i.e., most switches in most cities) log every call. The data, in fact, are huge, but this is why God invented computers, high density disk and tape drives---to keep track of large amounts of data. Naturally, it is reasonable for a particular local telephone company to turn off such an option, but few do, given the current legal environment. LECs also choose their own retention period, which I suspect gets longer every year, as technology and the courts encourage them to store more information. Getting access to the data is not only very difficult, but most unpleasant. Much is written to tape and erased frequently during the day. In addition, the data are sorted by calling, not called, number. I was recently informed that the COBOL code to describe the billing record is four pages in length; there's a lot of information there. Imagine the enthusiasm of the telephone company for a request---police, court, or private---to find out who called a particular number over some period of time, typically without offering to pay for the costs of such a search. Our campus, which has its own AT&T 5ESS switch (making it something like the 67th largest phone company in the US), generates approximately 100 Mb of records per month. I think we've got about 10K phones. Joel M Snyder, 1103 E Spring Street, Tucson, AZ, 85719 Phone: 602.882.4094 (voice) .4095 (FAX) .4093 (data) BITNET: jms@Arizona Internet: jms@arizona.edu SPAN: 47541::telcom::jms Yow! Am I in Milwaukee? ------------------------------ Date: Tue, 1 Dec 92 22:10 PST From: Michael Gersten Subject: SSN and privacy [Moderator's Note: Once again I have to ask: Does the knowlege of one SSN affect that's person privacy? I say no. All the SSN does is act as a global indentifier. In today's technology it is not difficult to for a legitimate business to get a person SSN. You don't need a SSN to get a credit report just a name and address. --- Well, the problem isn't this. The problem is that SSN can, and in some cases is, being used as an ID. How does this cause problems? Well, call up the utilities, and identify yourself by the SSN (you only have it if you are that person, or empowered to work for them, after all, they're private, right?), and turn off their gas/electricity. Or, since everything anyone has ever collected on you is availible, indexed by SSN you can get all the information ever collected on you -- and, since it's from a computer, it must be accurate, right? Those are the two that come to the top of my head immediately. Remember: Refusing to co-operate does not make you guilty unless innocent people are required to co-operate. According to the constitution, they aren't. (5th, paraphrased). -- Michael Gersten michael@stb.info.com HELLO! I'm a signature virus! Join in the fun and copy me into yours! ex:.-1,. w $HOME/.signature ------------------------------ Date: Wed, 2 Dec 92 09:01:13 -0500 From: zimmer@gw.wmich.edu Subject: Grocery Store "Lottos" A small local grocery store chain is giving out a small ticket with each purchase. The ticket has three silver ovals on it. Rub them off and if all three match you win the indicated amount of money. I recently won a dollar this way. When I was at the store to cash the ticket in, the cashier handed me a form requesting my name and address. I refused and did not get my winnings. Upon getting back home, I carefully looked at my ticket. The back of the ticket indicates (in very fine print) that FTC laws require winners' addresses to be posted in the store. I did not want my complete address posted for everybody to see. Had they asked for name and city, I would have been happy to oblige. I feel that would fulfill informational purposes for the store. If this is for tax reasons, I can hardly see where a single dollar is going to impact my taxes either way. The strange thing is that when I recently received some instant lottery tickets as a gift, I had a few one and two dollar winners, and a ticket or two. The dollar winning tickets were as good as cash at the lottery ticket booth, no questions, no hassle. Can anyone provide us with some more information on these FTC laws, whys and wherefores? [Moderator's Note: There a big difference between the lottery and local games. The primary reason the FTC reguires the name and address is so that the company sponsoring the promotion is forced to award all prizes. ._dennis ] W WWW WWW MM MMM UU UUU U Roy Zimmer zimmer@gw.wmich.edu W WW WW MM MM UU UUU U University Computing Services W W W W MM M M M UU UUU U Western Michigan University W WW MM MM MM UUU UU Kalamazoo, Michigan USA ------------------------------ Date: Wed, 2 Dec 1992 9:17:09 -0500 (EST) From: "Dave Niebuhr, BNL CCD, 516-282-3093" Subject: Telephone Logs In Computer Privacy Digest Volume 1 : Issue: 104 Apparently-To: uunet!comp-society-privacy writes: > Do phone companies keep records of local calls made from your telephone? >I have heard references to "phone records"--mostly in articles about >someone being investigated by the police--and wonder if they meant >local calls, or long-distance. > >Kip > >[Moderator's Note: They do not keep track of the local numbers you >call. New York Telephone does indeed keep a record of ALL calls made from a phone. I found this out quite by accident when, while playing around with the phone one day (getting used to Call Return and Last Call Redial), the number for my second line showed up on my bill when I dialed it from my primary one. It should be noted that I have Flat Rate service and no primary area calls (local exchanges and adjacent ones) should ever be listed even though logged. Dave Dave Niebuhr Internet: niebuhr@bnl.gov / Bitnet: niebuhr@bnl Brookhaven National Laboratory Upton, NY 11973 (516)-282-3093 ------------------------------ Subject: Re: Lucky Supermarkets copies social security numbers on to checks. From: jms@carat.arizona.edu (A virtually vegetal non-entity) Date: 2 Dec 1992 14:52 MST Reply-To: jms@Arizona.EDU Organization: University of Arizona MIS Department - Mosaic Group In article , reb@ingres.com (Phydeaux) writes... > >The California DMV has started to require a social security number >when applying for an initial Calif. drivers license or identification >card, or for renewing them. [text deleted] >However all the new licenses and id cards have a magnetic >strip. Now if you wish to make a purchase at a Lucky's Supermarket >and pay by check the license is passed thru a magnetic card reader -- >and the social security number is read from the card and printed on >the back of the check. Therefore the number which is not suppose to >appear on the license is simply available to any merchant that has >access to a card reader. I hope that the solution to this problem is obvious: take a small kitchen magnet, place it in close contact with your drivers license, and erase the strip. Doing so is probably not illegal, and certainly doesn't impair the legitimate uses for which your license was designed. If you feel uncomfortable changing the programming on your card purposefully, then simply leave it back-to-back with any other credit card in your wallet, and soon both will be unreadable. If you live where it's sunny, leave your wallet on the dash of your car. Joel M Snyder, 1103 E Spring Street, Tucson, AZ, 85719 Phone: 602.882.4094 (voice) .4095 (FAX) .4093 (data) BITNET: jms@Arizona Internet: jms@arizona.edu SPAN: 47541::telcom::jms Yow! I want my nose in lights! ------------------------------ From: Paul Wallich Subject: moderator misinformation Date: Wed, 2 Dec 1992 15:50:47 GMT Organization: Trivializers R Us In article "Kip J. Guinn" writes: > I can see where long-distance calls would be in records, but do they >actually keep logs on local calls made from each residential phone? >That would seem to be an awfully huge chunk of data... And a big >invasion of my privacy, too! Caller ID is bad enough for some >people--women's shelter's, etc-- and I don't like the fact that if I >call to complain to the police, or a company, etc, that they know my >home number (which I try to keep fairly private), but if local calls >are routinely logged--heck, what do you do? > >Kip > >[Moderator's Note: They do not keep track of the local numbers you >call. Most switches do have the capability to do so if there was a >compelling need. You might disagree with the concept but that >information belongs to the company not to you. I hope the fact that >medical records belong to the doctor and not to the patient doesn't >surprise you. ._dennis ] In many states, New York among them, medical records belong by law to the patient. This means that the patient can legally control access to the records (modulo what insurance companies insist on knowing) and can compel a physician to turn those records over to the patient or another physician. The question of who owns medical records or phone records (or any number of other items of personal information) is not nearly as settled as the moderator's notes might make it appear. paul [Moderator's Note: I stand partially corrected. The point I was making is that there are many records that people think belong to then when in reality they belong to somebody else. ._dennis ] ------------------------------ Date: 02 Dec 92 11:49:08 EST From: David Lehrer <71756.2116@compuserve.com> Subject: Akron BBS trial update! Akron BBS trial update: Dangerous precedents in sysop prosecution You may already know about the BBS 'sting' six months ago in Munroe Falls, OH for "disseminating matter harmful to juveniles." Those charges were dropped for lack of evidence. Now a trial date of 1/4/93 has been set after new felony charges were filed, although the pretrial hearing revealed no proof that *any* illegal content ever went out over the BBS, nor was *any* found on it. For those unfamiliar with the case, here's a brief summary to date. In May 1992 someone told Munroe Falls police they *thought* minors could have been getting access to adult materials over the AKRON ANOMALY BBS. Police began a 2-month investigation. They found a small number of adult files in the non-adult area. The sysop says he made a clerical error, causing those files to be overlooked. Normally adult files were moved to a limited-access area with proof of age required (i.e. photostat of a drivers license). Police had no proof that any minor had actually accessed those files so police logged onto the BBS using a fictitious account, started a download, and borrowed a 15-year old boy just long enough to press the return key. The boy had no knowledge of what was going on. Police then obtained a search warrant and seized Lehrer's BBS system. Eleven days later police arrested and charged sysop Mark Lehrer with "disseminating matter harmful to juveniles," a misdemeanor usually used on bookstore owners who sell the wrong book to a minor. However, since the case involved a computer, police added a *felony* charge of "possession of criminal tools" (i.e. "one computer system"). Note that "criminal tool" statutes were originally intended for specialized tools such as burglar's tools or hacking paraphenalia used by criminal 'specialists'. The word "tool" implies deliberate use to commit a crime, whereas the evidence shows (at most) an oversight. This raises the Constitutional issue of equal protection under the law (14'th Amendment). Why should a computer hobbyist be charged with a felony when anyone else would be charged with a misdemeanor? At the pretrial hearing, the judge warned the prosecutor that they'd need "a lot more evidence than this" to convict. However the judge allowed the case to be referred to a Summit County grand jury, though there was no proof the sysop had actually "disseminated", or even intended to disseminate any adult material "recklessly, with knowledge of its character or content", as the statute requires. Indeed, the sysop had a long history of *removing* such content from the non-adult area whenever he became aware of it. This came out at the hearing. The prosecution then went on a fishing expedition. According to the Cleveland Plain Dealer (7/21/92) "[Police chief] Stahl said computer experts with the Ohio Bureau of Criminal Identification and Investigation are reviewing the hundreds of computer files seized from Lehrer's home. Stahl said it's possible that some of the games and movies are being accessed in violation of copyright laws." Obviously the police believe they have carte blanche to search unrelated personal files, simply by lumping all the floppies and files in with the computer as a "criminal tool." That raises Constitutional issues of whether the search and seizure was legal. That's a precedent which, if not challenged, has far-reaching implications for *every* computer owner. Also, BBS access was *not* sold for money, as the Cleveland Plain Dealer reports. The BBS wasn't a business, but rather a free community service, running on Lehrer's own computer, although extra time on the system could be had for a donation to help offset some of the operating costs. 98% of data on the BBS consists of shareware programs, utilities, E-mail, etc. The police chief also stated: "I'm not saying it's obscene because I'm not getting into that battle, but it's certainly not appropriate for kids, especially without parental permission," Stahl said. Note the police chief's admission that obscenity wasn't an issue at the time the warrant was issued. Here the case *radically* changes direction. The charges above were dropped. However, while searching the 600 floppy disks seized along with the BBS, police found five picture files they think *could* be depictions of borderline underage women; although poor picture quality makes it difficult to tell. The sysop had *removed* these unsolicited files from the BBS hard drive after a user uploaded them. However the sysop didn't think to destroy the floppy disk backup, which was tossed into a cardboard box with hundreds of others. This backup was made before he erased the files off the hard drive. The prosecution, lacking any other charges that would stick, is using these several floppy disks to charge the sysop with two new second-degree felonies, "Pandering Obscenity Involving A Minor", and "Pandering Sexually Oriented Matter Involving A Minor" (i.e. kiddie porn, prison sentence of up to 25 years). The prosecution produced no evidence the files were ever "pandered". There's no solid expert testimony that the pictures depict minors. All they've got is the opinion of a local pediatrician. All five pictures have such poor resolution that there's no way to tell for sure to what extent makeup or retouching was used. A digitized image doesn't have the fine shadings or dot density of a photograph, which means there's very little detail on which to base an expert opinion. The digitization process also modifies and distorts the image during compression. The prosecutor has offered to plea-bargain these charges down to "possession" of child porn, a 4'th degree felony sex crime punishable by one year in prison. The sysop refuses to plead guilty to a sex crime. Mark Lehrer had discarded the images for which the City of Munroe Falls adamantly demands a felony conviction. This means the first "pandering" case involving a BBS is going to trial in *one* month, Jan 4th. The child porn statutes named in the charges contain a special exemption for libraries, as does the original "dissemination to juveniles" statute (ORC # 2907.321 & 2). The exemption presumably includes public and privately owned libraries available to the public, and their disk collections. This protects library owners when an adult item is misplaced or loaned to a minor. (i.e. 8 year olds can rent R-rated movies from a public library). Yet although this sysop was running a file library larger than a small public library, he did not receive equal protection under the law, as guaranteed by the 14'th Amendment. Neither will any other BBS, if this becomes precedent. The 'library defense' was allowed for large systems in Cubby versus CompuServe, based on a previous obscenity case (Smith vs. California), in which the Supreme Court ruled it generally unconstitutional to hold bookstore owners liable for content, because that would place an undue burden on bookstores to review every book they carry, thereby 'chilling' the distribution of books and infringing the First Amendment. If the sysop beats the bogus "pandering" charge, there's still "possession", even though he was *totally unaware* of what was on an old backup floppy, unsolicited in the first place, found unused in a cardboard box. "Possession" does not require knowledge that the person depicted is underage. The law presumes anyone in possession of such files must be a pedophile. The framers of the law never anticipated sysops,or that a sysop would routinely be receiving over 10,000 files from over 1,000 users. The case could set a far ranging statewide and nationwide precedent whether or not the sysop is innocent or guilty, since he and his family might lack the funds to fight this--after battling to get this far. These kinds of issues are normally resolved in the higher courts-- and *need* to be resolved, lest this becomes commonplace anytime the police or a prosecutor want to intimidate a BBS, snoop through users' electronic mail, or "just appropriate someone's computer for their own use." You, the reader, probably know a sysop like Mark Lehrer. You and your family have probably enjoyed the benefits of BBS'ing. You may even have put one over on a busy sysop now and then. In this case; the sysop is a sober and responsible college student, studying computer science and working to put himself through school. He kept his board a lot cleaner than could be reasonably expected, so much so that the prosecution can find very little to fault him for. *Important* Please consider a small contribution to ensure a fair trial and precedent, with standards of evidence upheld, so that mere possession of a computer is not grounds for a witch hunt. These issues must not be decided by the tactics of a 'war of attrition'; *however far* in the court system this needs to go. For this reason, an independent, legal defense trust fund has been set up by concerned area computer users, CPA's, attorneys,etc. Mark Lehrer First Amendment Legal Defense Fund (or just: MLFALDF) Lockbox No. 901287 Cleveland, OH 44190-1287 *All* unused defense funds go to the Electronic Frontier Foundation, a nonprofit, 501c3 organization, to defend BBS's and First Amendment rights. Help get the word out. If you're not sure about all this, ask your local sysops what this precedent could mean, who the EFF is--and ask them to keep you informed of further developments in this case. Please copy this file and send it to whoever may be interested. This case *needs* to be watchdogged. Please send any questions, ideas or comments directly to the sysop: Mark Lehrer CompuServe: 71756,2116 InterNet: 71756.2116@compuserve.com Modem: (216) 688-6383 USPO: P.O. Box 275 Munroe Falls, OH 44262 ------------------------------ Date: 2 Dec 92 18:16:00 +1800 From: KRUSE_NEIL@tandem.com Subject: Fully automated speeding tickets ------------ REPLY ATTACHMENT -------- SENT 12-02-92 FROM KRUSE_NEIL CAMERA ACTIVATED SPEEDING TICKETS SYSTEM One company I have heard is exploring the idea of a camera activated speeding tickets system. Here is what they want: digital cameras installed in strategic public highway locations; these cameras attached to a computer system, 24 hours a day, 7 days a week, reporting pictures of speeding cars taken, by activating the camera on a radar readout on a speeding car. This picture somehow, hopefully not manually, will provide the ASCII data representing the license plate of the "offending" car, this will trigger a ticket via mail and a subsequent collection of the payment. "Honest your Honor, that wasn't me behind the wheel" ;) Neil Kruse [Moderator's Note: New Jersey has banned the use of photo radar. ._dennis ] ------------------------------ Subject: Re: Re: Blockbuster announces plan to use data from video rentals From: "Roy M. Silvernail" Date: Wed, 02 Dec 92 23:27:14 CST Organization: Villa CyberSpace, Minneapolis, MN Sam Lowry writes: > In article "Roy M. Silvernail" > >Your message does bring up an interesting point, though. While we are > >all understandably concerned about our privacy, the very organizations > >we decry for violating our privacy must have some reasonable expectation > >of privacy, as well. Since the two imperatives obviously conflict, how > >should this conflict be resolved? > > > What you are telling me is that companies, which are not a human > being has the same rights as a living person? This is a problem we > all will have to deal with. Sure, it is. But you misunderstood my question. Both I and the company have rights of one kind or another. Those rights are not necessarily equal, but they will and do conflict at times. To unilaterally decide in favor of an individual strikes me as Neo-Luddite. > Do companies have rights? As Dennis pointed out, corporations are legal entities, with rights. I asked how we should resolve the conflict between these rights. -- Roy M. Silvernail | #include | "press to test" roy%cybrspc@cs.umn.edu | main(){ | cybrspc!roy@cs.umn.edu | float x=1; | "release | printf("Just my $%.2f.\n",x/50);} | to detonate" ------------------------------ From: Mike Johnston Subject: Digital Licenses in NY State Organization: Lehman Brothers Date: Thu, 3 Dec 1992 14:47:32 GMT Apparently-To: uunet!comp-society-privacy Today's (12/3/92) New York Times carried a small article in the Metro section describing NY's new licenses. In a nutshell, drivers will have *both* their pictures and signatures digitally stored on the state's computers. This makes me nervous. The reasons given are 'easier storage and retrieval and will result in more secure and higher-quality licenses and ID's'. Also noted is that duplicate licenses will be available within three weeks WITHOUT visiting the DMV. This is probably the hardest part of all to believe, as anyone who's ever tried to get ANYTHING from Motor Vehicles will attest. My biggest problem is this: I don't want my picture and signature digitally stored on NY's computers, where it can easily be transmitted to anyone the state deem's fit to receive it. This could include the Federal Government, other State's and various agencies within our own state. I won't even get into the ramifications of having my SIGNATURE stored where someone can replicate it, perfectly, every time they need to. It seems the privacy issues here have either been ignored or swept under the carpet. There is no review process on this, and I suspect and enormous amount of money has been spent on the hardware to handle all the storage needed for image retrieval on eleven million drivers and ordinary state ID holders. The reason I say this is because the article noted the system is now in effect and has been since the beginning of September. What's worse is that you don't even need to be a licensed driver to be on the state's computer. NY State, and probably many others, delegate responsibility to the DMV to process requests from people needing ordinary ID cards. This means that, from now on, if you show up at the DMV for a simple ID card, you'll wind up on their computers and probably another dozen or so databases. This is really getting to be too much. MJ -- Michael R. Johnston, System Administrator mjohnsto@shearson.com "The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore, all progress depends on the unreasonable man." - G.B. Shaw ------------------------------ End of Computer Privacy Digest V1 #106 ******************************