Date: Thu, 10 Jun 93 17:06:20 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@PICA.ARMY.MIL Subject: Computer Privacy Digest V2#050 Computer Privacy Digest Thu, 10 Jun 93 Volume 2 : Issue: 050 Today's Topics: Moderator: Dennis G. Rears Re: WANTED: E-Mail Privacy Policies Compromise proposal on encryption Re: even the White House Discovered the risks! Re: P.O. Boxes Organization: AT&T Those UPS clipboards again Re: Retaliatory Crimes Re: Retaliatory Crimes Re: California ID Requirement The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- From: Bernie Cosell Subject: Re: WANTED: E-Mail Privacy Policies Organization: Fantasy Farm Fibers Date: Thu, 3 Jun 1993 23:47:26 GMT In article , 13501MBC@msu.edu writes: } } I am writing a research paper for a Telecommunications Technology class about } electronic mail privacy. Accordingly, I would like to collect samples of e-mail } privacy policies from people so that I can discuss employees' right to privacy } vs. employer's right to monitor e-mail. Actually, you might start your paper by exploring why you think employees *ought* to have a right-to-privacy with email. Basically, I think there is *no*such*right*. Employees have no _right_ to make non-business/professional use of their employer's equipment, and so any such investigation must start with 1) arguing *WHY* you think it is reasonable for employees to make such use of the equipment in the first place. 2) before there can be a policy on privacy, there has to be a policy on permission-to-use. Employees have no *rights* in this regard: they can _ask_, as a fringe benefit quite unrelated to their jobs, whether it is appropriate and permitted to make non-business use of the employer's facilities, but it is only *after* you've established some permitted-use can you go on to ask about what rights the employees make have so gained and what duties the employer may then inherit. The point about (2) is that until you ask you have no rights in the matter [it is *their* system, after all, and it is provided for business use]. AND, if you ask and are told 'NO', business use only, that's the end of the line. No rights, no privacy, no nothing. As a meta comment on this general question, I think that mixing business and personal use is VERY BAD POLICY, for _both_ parties, the employer AND the employee. If the system is used for business at all, then ALL other uses of it must be secondary to this primary purpose. But what if your break your leg and a temp is brought in to help out on your project. Can your manager/ the new temp/ anyone else in the company/ read your email, access all your files, etc? If the answer is 'no', then how ever do you expect anything to get done if you are away for a while? If the answer is 'yes', then what of your "privacy"? It is a very nasty conundrum, with the only real workable solution being: 1) giving up on privacy: if you want privacy, conduct your personal affairs on your *own*. 2) asking the employer for a *separate* "play" system and be _scrupulous_ about not mixing things: keep work on the various work systems, and confine personal/play to the for-play system. /Bernie\ -- Bernie Cosell cosell@world.std.com Fantasy Farm Fibers, Pearisburg, VA (703) 921-2358 ------------------------------ From: Warren Jones Subject: Compromise proposal on encryption Date: Sun, 6 Jun 1993 12:55:21 -0700 (PDT) In the June issue of the "Puget Sound Computer User", editor Terry Hansen suggests a compromise on the Clipper chip. I thought his idea would interest readers of this group. Hansen says: ... I'm among those who are uncomfortable with the Clipper-chip plan. It has Orwellian overtones. The underlying assumption is that Americans cannot be trusted to conduct their affairs in private ... Even so, I'm a reasonable man and would be willing to compromise. As a proponent of open and democratic government, I am at least as disturbed about the increase in secret federal government programs (estimated by investigative reporter Tim Weiner to have reached $36 billion per year by 1989) as the government is with my use of secret communication methods. Citizens must know where those off-the-books tax dollars are going. So I'll make a deal with them: Government agencies can keep the ability to tap my communications if they will let me monitor what they are doing with my money. Deal, guys? -- Warren Jones ------------------------------ From: 13501MBC@msu.edu Subject: Re: even the White House Discovered the risks! Date: Sun, 06 Jun 93 16:29:47 EDT Organization: Michigan State University I also noticed that if you attempt to FINGER someone on the White House domain, you get a message that says something to the effect of "This machine does not accept finger requests for arbitrary usernames - valid addresses are president@ whitehouse.gov and vice.president@whitehouse.gov". I guess they are either a) Trying to protect privacy of the machine's users b) Trying to prevent hackers from finding out valid usernames c) Some combination of a and b I suspect c, because I tried to finger postmaster@whitehouse.gov and got the above message. ====================================================================== Matthew Cravit, Undergraduate | "Tactics is knowing what to Michigan State University | do when there is something East Lansing, Michigan 48825 | to do; strategy is knowing Internet: 13501MBC@IBM.CL.MSU.EDU | what to do when there is CRAVITMA@STUDENTC.MSU.EDU | nothing to do" -- Author CompuServe: 71442,225 | Unknown ====================================================================== ------------------------------ Newsgroups: comp.society.privacy,alt.privacy From: "richard.b.dell" Subject: Re: P.O. Boxes Organization: AT&T Date: Sun, 6 Jun 1993 23:06:35 GMT In article Steve Forrette writes: > >Another option is to go to one of the private maildrop places. They will >generally ask you to fill out a form with your name and home address, but >I've never seen one that actually verifies the information, and you can >pay in cash, so there's no reason you can't just use false information. >Generally speaking, you'll pay more than for a P.O. Box, generally $9-$14 >per month. > >Steve Forrette, stevef@wrq.com > At least in PA, at the private box place I rent a box at, I was told quite clearly that it is a state (I think) law that they be quite certain that I was not lying about my home address. The most natural thing for them to do, of course, is to ask for my drivers license with photo id (I seem to remember the forms had a spot for the drivers license number). I saw no reason to suggest anything else at the time, but I did take note that the glance at it was quite cursory, and in my opinion if I had lied, they would not have noticed. Particularly if I made the simple mistake of intermixing digits or some such. -- Richard Dell ------------------------------ From: Carl Oppedahl Newsgroups: alt.privacy,comp.society.privacy Subject: Those UPS clipboards again Date: 7 Jun 1993 20:33:15 -0400 Organization: PANIX Public Access Internet and Unix, NYC Remember those UPS clipboards, the ones where the recipient of a package is asked to sign on a touch pad rather than on a piece of paper? Well, today's Network World (June 7, 1993) describes Maxitrac, said to have debuted in 1991, which lets users employ their own PCs to tie into UPS's computer network to instantly check the status of any package they have shipped. Users can display actual receipt signatures on their PC screens for confirmation of delivery. -- Carl Oppedahl AA2KW (intellectual property lawyer) 30 Rockefeller Plaza New York, NY 10112-0228 voice 212-408-2578 fax 212-765-2519 ------------------------------ From: Geoffrey Kuenning Subject: Re: Retaliatory Crimes Organization: UCLA, Computer Science Department Date: Mon, 7 Jun 93 21:57:07 GMT In article John De Armond writes: > I really see no gray area here. Either the > person is authorized to be on a system or he is not. If he is not, > he should be punished just like someone who physically tresspasses > is punished. The problem here is similar to the "attractive nuisance" and entrapment laws. If the company in question (ThriftyTel) is actively pursuing a course which would induce an otherwise law-abiding citizen to commit a crime, then they are not behaving morally. John Higdon's original accusation was that ThriftyTel does this, and that their purpose in doing so is to receive the profits associated with the penalties. This, according to Justice Scalia, is precisely the reason the Eighth Amendment to the U.S. Constitution prohibits excessive fines: to remove the profit motive from classifying certain behavior as criminal. -- Geoff Kuenning geoff@maui.cs.ucla.edu geoff@ITcorp.com ------------------------------ From: steven armijo Newsgroups: comp.society.privacy Subject: Re: Retaliatory Crimes Date: 8 Jun 1993 09:01:03 GMT Organization: University of New Mexico, Albuquerque In article John De Armond writes: >Perhaps if we adopted something from the Saudi system and chopped off a >finger of anyone caught hacking or stealing services, there would be no >need for tight security. I really see no gray area here. Either the >person is authorized to be on a system or he is not. If he is not, >he should be punished just like someone who physically tresspasses >is punished. > Perhaps we should just repeal the rest of the constitution while we're at it eh? -- I'm just very selective about the reality i choose to accept. -Calvin I have plenty of common sense, i just choose to ignore it. -Calvin It's a windowing system named X, not a system named X windows. Unspoiled by progress,Mac,X,Unix,MsDos,Amiga,I-net, or raisins. ------------------------------ From: Jerry Sweet Subject: Re: California ID Requirement Originator: jsweet@fester.irvine.com Organization: Irvine Compiler Corp., Irvine, California, USA Date: Tue, 8 Jun 1993 03:48:16 GMT This is a response from an acquaintance who is a reserve police officer in the Los Angeles Police Department. (Forwarded with permission...) He said that he verified this information with LAPD Devonshire Division Jail. ------ Begin Forwarded Message Date: Fri, 04 Jun 93 09:35:01 PST From: jfay@fibermux.com Subject: [comp.society.privacy: California ID Requirement] Not having your ID on you will only get you in trouble if you are arrested (or pulled over for a traffic violation) and you are driving without a license. Still, if you know your driver's license number, you can sign the ticket and go. As for having to have your ID or $50 just to be out in public, this was ruled unconstitutional. Except if you are driving (which requires a driver's license), you are not required by law to even give your name to a police officer if you don't want to, but giving him a false name or address is illegal (Section 148(a) PC). If you are arrested and want to get out without bail (On Recognisance) you must be able to prove who you are, and there must be no warrants for your arrest. Given the above you can sign a RFC (Release from custody Ticket) saying that you promise to apear (just like a traffic ticket) and you are released. Valid ID can be any sort of document with your name and picture on it, or a collection of documents with your name on it (Credit cards, mail, business license) leading someone to believe you are that person. Knowing your drivers license number, you can be looked up on the computer and if you match the description on the license information to the satisfaction of the jail personal this might also suffice. Accepting non picture ID is left up to the discretion of the jail personnel, they must believe it is true. Lack of credibility and uncooperativeness may make it difficult to get out with borderline ID. ------- End Forwarded Message To put this in algorithmic terms: If: you are driving, then: you must have a valid driver's license. Otherwise: { If: you are arrested then: { If: you want to be released on recognisance, then: you must be able to identify yourself in some convincing manner. Otherwise: you lose. } Otherwise: you are NOT required to identify yourself BUT if you do, you may not give false information. } ------------------------------ End of Computer Privacy Digest V2 #050 ******************************