Date: Fri, 26 Feb 93 09:23:44 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@PICA.ARMY.MIL Subject: Computer Privacy Digest V2#020 Computer Privacy Digest Fri, 26 Feb 93 Volume 2 : Issue: 020 Today's Topics: Moderator: Dennis G. Rears Re: Digitizing signatures for credit card purchases Re: Digitizing signatures for credit card purchases Re: Digitizing signatures for credit card purchases Privacy of Police Reports Anonymity/Pseudonymity and Email/Usenet Civil Rights Story: originally Radar Detectors, believe it or not THE VIDEOPHONE The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- From: John De Armond Subject: Re: Digitizing signatures for credit card purchases Date: Tue, 23 Feb 93 08:31:10 GMT Organization: Dixie Communications Public Access. The Mouth of the South. jkuta@misvms.bpa.arizona.edu (Jeffrey Kuta) writes: >>This is a bug in the system. There is a workaround :-) What I do is >>two-fold. One, I have a markedly different signature that I use for >>non-negotiable things such as shipment receipts as opposed to the one I >>use for negotiable instruments. The second tact is to simply mark an >>"X" on electronic signature devices. >> >>This isn't as satisfying as organizing a boycott or a protest but it does >>work and it let you have one less thing to worry about. >I kinda like that 'X' tactic. But I'd appreciate it if you could give a >little better description of "negotiable" vs. "non-nbegotiable" for those >of us who are ignorant of those terms. :) I don't strictly hold to the Webster's definition of "negotiable". A check, a contract (other than "standardized" contracts), bonds, safety deposit box access, etc fits my definition of "negotiable". Letters, post cards, package receipts, credit card slips (because so many people have access to them) and similar items are non-negotiable. "Negotiable" generally means 'capable of being liquidated for cash". John -- John De Armond, WD4OQC |Interested in high performance mobility? Performance Engineering Magazine(TM) | Interested in high tech and computers? Marietta, Ga | Send ur snail-mail address to jgd@dixie.com | perform@dixie.com for a free sample mag Need Usenet public Access in Atlanta? Write Me for info on Dixie.com. ------------------------------ Date: Tue, 23 Feb 93 09:48:17 MST From: Tom Wicklund Subject: Re: Digitizing signatures for credit card purchases In comp.society.privacy, tenney@netcom.com writes: >I got some email from someone basically asking "What's so wrong, >they could digitize your signature from a piece of paper?" >If you use a computerized credit card charge system where the >ONLY receipt with your signature on it is one that THEY print >when a charge is disputed, then you have no possibility of >proving that you didn't make a purchase. Many stores are going to non-computerized forms of this -- they print you a receipt, then print a second receipt which you sign and they keep. You don't have a receipt with your signature. Since I doubt the store physically sends the signed receipt to the bank, your bank also doesn't have a signed receipt unless they get it from the store, which will have a hard time finding a particular receipt out of the hundreds for a certain day. >*IF* someone took your carbons or forged your signature, then >the signature would not be yours. You could go through all of >your receipts and see for yourself. The merchant could NOT produce >a forged receipt with un-forged signature. However, sometimes the customer receives the original of the signature while the store keeps a carbon. If the store's (valid) carbon signature is proof enough of the transaction, it's not hard for an unscrupulous store to get your signature on an extra carbon underneath the one you sign -- especially with new cash register printed carbonless reciepts, in which an extra sheet underneath would be easy to insert but hard for the customer to notice. >However, if a merchant (or actually someone working there) wanted >to defraud someone, they could claim you had made purchases when you >had not. When the bank or credit card company asked for a receipt, >they could easily produce one with your signature on it -- just like >the other ten thousand receipts they "keep on-line". Obviously, >you did make the purchase since the signature is yours and is not >forged. True, this will be simpler -- though for systems like the one originally described I'm not too worried -- I doubt it has a built in ability to patch an arbitrary signature on an arbitrary receipt. I wonder how important the signature is. Many companies operate mail order by taking phone orders. These companies never get a signature from the purchaser, yet I haven't heard of either massive abuse of credit card numbers (there are some, but it's not industry wide). Hotels also routinely take card numbers for guaranteed reservations and I assume they sometimes run the charges through. I assume credit card companies would need to handle digitized signatures in the same way they handle lack of signature. In both cases it's possible to create a fraudulent charge for which the card holder has no record. ------------------------------ From: Rhonda Landy Date: Wed, 24 Feb 93 13:17:02 PST Subject: Re: Digitizing signatures for credit card purchases Dean Collins writes: >I agree. It's things like this that give me chills down the spine. >Neither a computerized signature nor a paper signature is safe >since both are easily reproduced. For this reason a signature >will no longer be accepted as a valid authentication method >in a few short years. We will undoubtably move to more secure >procedures, such as retinal scans or DNA fingerprints. Man oh man! And the thought of that *doesn't* put chills down your spine? The more secure the procedure, the more they can invade your privacy. Retinal scans and DNA fingerprints will play *hell* with trying to set up a new identity for oneself. What will happen to witness protection programs? And what if retinal scans can be done without your noticing, say through a hidden camera zoom lens? Then I couldn't even make a cash purchase anonymously. (shudder) ------------------------------ Date: Wed, 24 Feb 93 13:54 EST From: Rasch@dockmaster.ncsc.mil Subject: Privacy of Police Reports I am working on a project involving issues of personal privacy and police and motor vehicle records. Specifically, a question has been raised about the legality of a private group which publishes newsletters and periodicals obtaining police reports, criminal history records, and licence plate checks from "friendly" law enforcement sources. I understand that this is a question of state law in most states. Can anyone advise where I might find a compendium of state privacy statutes which would cover the question of whether it it illegal to receive such information? ------------------------------ From: Wes Morgan Subject: Anonymity/Pseudonymity and Email/Usenet Organization: University of Kentucky Engineering Computing Center Date: Thu, 25 Feb 1993 16:08:00 GMT I'm going to avoid the "right to privacy" and "freedom of the net" discussions for the moment; I'd like to address a more fundamental question. I think that the bigger issue is one that most participants in this dis- cussion have not considered, namely: Can our current network(s) support anonymous/pseudonymous work *with the proper respect* for anonymity/pseudonymity? I say that it cannot. I say this for several reasons: - There are many means by which users can "spy on" the terminals of other users. There are commercial products that allow such monitoring without the user's knowledge. - Almost *anyone* can monitor a local network. For instance, there are several freely available programs that turn a net- worked PC into a real-time network monitor. Someone here at UK could be recording my every keystroke, and I'd never know it. - Most real-time traffic (e.g. TCP/IP traffic) from a given site goes through a single point of control to reach the 'outside world'. There's another opportunity for monitoring and violation of confi- dentiality. If a site gateways into CERFNet (for example), I wouldn't be surprised if that gateway saw every bit of traffic flying across the CERFNet backbone. If your local firewall/gateway has acutal users (as opposed to a standalone system), they could conceivably see every piece of email flying through the gateway. - Electronic mail is not necessarily a point-to-point channel. Your message may sit in a mail queue on your local machine; that's an opportunity for loss of confidentiality. (without even reading the message itself, depending on the information provided in mail logs) On some systems, *any* user can list the messages in the email queue. If the message cannot be delivered directly, it will sit in similar queues at several other systems before reaching its destination. I've seen email messages (and Usenet postings) that travelled through 12-15 systems before reaching me. - Almost *any* email administrator (or list owner, for that matter) can examine messages in the queue. 'Nuff said. - In some cases, queues can be examined by third parties. (other than the aforementioned administrators) For instance, I can retrieve quite a bit of information about queued BITNET files, even if they are not travelling through my site. (At one time, it was possible to examine the headers of queued RSCS files on other systems, which revealed the sending and destination addresses; this may no longer be possible.) - Most electronic mail systems return "bounced mail" messages when email cannot be delivered. Most of these messages, in turn, in- clude the headers of the failed message and the content of the message itself. - Of course, all multi-user computer systems are (almost by definition) insecure. If someone breaches security on a system, they probably have access to everything on the system. 'Nuff said. If you want to entrust your anonymity/confidentiality to such a large audience spread over (possibly) dozens of sites, I guess you can do so; *I* wouldn't trust "network anonymity" as far as I could throw it. (I wonder what a "bounced mail" message from an anonymous service reveals.) In conclusion, I do not believe that the current network structure can properly support anonymity/pseudonymity. Those who maintain that it can do so are merely fooling themselves; this false sense of privacy (or security, or confidentiality) should not be encouraged. The foremost rule of electronic communications is still, in my opinion, the first rule taught to me: Never entrust anything to electronic communications that you would not wish to see in your local newspaper. At a minimum, I would use encryption techniques on *every* anonymous or pseudonymous message. I've seen postings using PGP and other public key schemes; that's a step in the right direction. Plaintext *cannot* be considered secure or confidential in today's network environment; no 'alias server' or third-party email forwarding can provide the level of privacy/confidentiality you want. --Wes -- MORGAN@UKCC | Wes Morgan | ...!ukma!ukecc!morgan morgan@ms.uky.edu | University of Kentucky | morgan@wuarchive.wustl.edu morgan@engr.uky.edu | Lexington,Kentucky USA | JWMorgan@dockmaster.ncsc.mil Mailing list for AT&T StarServer S/E - starserver-request@engr.uky.edu ------------------------------ From: mailrus!samsung!ulowell!aspen.ulowell.edu!welchb@uunet.uu.net Subject: Civil Rights Story: originally Radar Detectors, believe it or not Organization: University of Lowell Date: Thu, 25 Feb 1993 21:15:18 GMT > I don't know about you, but if a rusty '75 Ford was trying to pull > me over, I wouldn't pull over, whether they had an official looking > light/siren or not. I'd have to see more evidence that this wasn't > some scheme someone was using to rob me. I hope I am not wandering too far from the purpose of this group, but your paragraph reminds of a story my son told us. He is taking junior year abroad in Europe, and took advantage of the Christmas vacation to travel using one of those "all the Europe you can travel in 2 weeks by rail" deals. He does not speak French well. Not only does he have long hair, but he had lost his razor and looked grungier than ever. He got off the train, and a man in plain clothes said something to him; he figured it might be a pickpocket, and mumbled something back. The man became more insistent, said he was a customs official, and asked him . Son asked him to show ID that he was a customs official; I heartily agree with son, at least in the USA. And that, without going any further, is the real point of my question. If they had arrested son, I am sure (from watching TV, 8-) ) that the case would get thrown out of court in this country; what would happen in France? what are your rights? For the idly curious, now that I have taken you this far, the man said something like, "OK. I will identify myself, but I am getting mad". (and added something like "I will give you one chance" if I recall). I guess I never did get what his ID looked like; but son in return shows him passport. Apparently this was sort of overkill; officer was looking for less; he says something to the effect of "it is you Americans we have all the trouble with". [This coincides with stories that French people hate American tourists.] But, as a result he let son go without looking in his bags at all. Sidelight: older son had studied in France for a year. He says that one reason for the trouble is that the train originated in Amsterdam (a source of drugs), although that is not where his brother got on. Adding that to "beatnik" looks is a red flag for customs. -- Brendan Welch, UMass/Lowell, W1LPG, welchb@woods.ulowell.edu ------------------------------ From: Michael Freudenthal Subject: THE VIDEOPHONE Date: Thu, 25 Feb 1993 22:00:23 GMT Organization: University of Illinois I am currently doing research on the videophone. I am interested on the positive and negative aspects the videophone will bring into the workforce and at home. If anyone has any information, I would really appreciate it. ------------------------------ End of Computer Privacy Digest V2 #020 ******************************