Date: Fri, 04 Mar 94 09:00:25 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#038

Computer Privacy Digest Fri, 04 Mar 94              Volume 4 : Issue: 038

Today's Topics:                         Moderator: Leonard P. Levine

    NTIA Proceeding on Privacy
    Biometrics
    We {Will} Find you...
    Re: Computer databases of information
    Databases etc.
    Re: Privacy and Sexual Crimes
    RE: Unsolicited Advertising - A Proposal
    Re: Electronic Banking - CheckFree
    Re: Van Eck Radiation
    Re: FBI Digital Telephony Proposal and PCS mobile phones
    Re: EFFector Online 07.04 - FBI Digital Telephony Nightmare Recurs
    RE: Unsolicited Advertising - A Proposal

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

From: "BETH GIVENS, 619-260-4806"
Date: Thu, 3 Mar 1994 17:44:57 -0800 (PST)
Subject: NTIA Proceeding on Privacy
Organization: Privacy Rights Clearinghouse

3/3/94

Important NTIA proceeding on privacy. Please post and otherwise distribute. Thanks.

=============================================

NTIA RELEASES NOTICE OF INQUIRY ON PRIVACY ISSUES

CONTACT: Larry Williams (202) 482-1551
MARCH 1, 1994

The National Telecommunications and Information Administration (NTIA) is undertaking a comprehensive review of privacy issues relating to private sector use of telecommunications-related personal information associated with the National Information Infrastructure (NII).
Public comment is requested on issues relevant to such a review. After analyzing the comments, NTIA will issue a report and make recommendations as needed.

The inquiry will focus on potential uses of personal information generated by electronic communications, including interactive multimedia, cable television and telephony. NTIA is studying the issues that arise when such telecommunications-related information is used to create detailed dossiers about individuals. NTIA seeks to determine whether any overarching privacy principles can be developed that would apply to all firms in the telecommunications sector.

In addition, NTIA is soliciting comment on other countries' actions to ensure the privacy of information transmitted over telecommunications networks, and to ascertain how any U.S. policies in this area will affect the international arena.

The Notice of Inquiry and Request for Comments appears in Part IX of the February 11, 1994, Federal Register and is also available on the NTIA Bulletin Board at (202) 482-1199. Set communications parameters to no parity, 8 data bits and 1 stop. Go into the menu "Teleview-Public Notices and Comments." File size is 48,514 bytes or about 18 pages of text. Internet users can telnet into the BBS at ntiabbs.ntia.doc.gov.

Comments should be filed on or before March 30, 1994. NTIA is accepting comments in writing or posted electronically via its BBS.

If you have further questions, please contact Carol E. Mattey or Lisa I. Leidig at the Office of Policy Analysis and Development, NTIA, 202-482-1880.

------------------------------

From: Paul Robinson
Date: Wed, 2 Mar 1994 22:42:24 -0500 (EST)
Subject: Biometrics
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA

'Biometrics' refers to the use of physical characteristics as identification. Human beings use this in that when we see a friend, we identify them by face, size, hair color, etc.
Changes in Biometric data usually return an identification when positive ("Are you losing weight?", "Gee your hair looks terrific") while negative changes are usually not stated publicly ("I see he's getting married, but his bride-to-be looks somewhat plumper than before; perhaps they _had_ to...").

However, when someone else needs to identify you and doesn't know you, they usually have to rely on authentication. Usual forms of authentication are various forms of paper, photographic/multimedia, and/or magnetic authentication issued by a government or trusted third-party.

With the increased sophistication of duplicating equipment, reliance on documentary authentication is becoming unreliable. Witness the fact that anyone giving out a social security number is presumed to be the holder of that number. When they aren't, the actual holder is usually chagrined to find out how much expense and damage they have to suffer to rectify the situation.

With this, various organizations are working on means of real-time automatic biometric identification of individuals. The implications of this can be both good and bad. As the actual article is rather complicated, I'll summarize it in a separate article here.

The danger to people is that if, for example, biometric photographic measurements are used, real-time tracking of people could be done as the technology gets cheaper. Further, you may never even know that you've been tracked unless and until something happens that it comes to your attention.

------------------------------

From: Paul Robinson
Date: Wed, 2 Mar 1994 23:17:29 -0500 (EST)
Subject: We {Will} Find you...
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA

In an article on the cover of the February 10, 1994 {Washington Technology} magazine of the same name, talks about a specialized use of biometrical information (specific details unique to a person like size, etc.) to identify them.
The idea behind this is that in an airport, an infrared camera is mounted near the arriving passengers section, taking pictures of every person who is passing through the facility. This captures the 'aura' or underlying facial vascular system (pattern of blood vessels and such). In 1/30 of one second, it captures the data and forwards it via high-speed data lines to an FBI database that has stored auras of the world's most-wanted criminals and terrorists, then matches generate an order to nab a suspect, supposedly producing "a piece of evidence that is as rock-solid as any presented to a court."

Currently, infrared cameras are being attached to desktop computers to create digitized thermograms of people's faces in 1/30 of a second. The company that is working on this technology, Betac Corp, an Alexandria, VA government contractor, claims that the aura is unique for every single person. The photos in the front of the article show two clearly different thermographic images that are claimed to be from identical twins.

The facial print does not change over time (and would allegedly require very deep plastic surgery to change it), retains the same basic patterns regardless of the person's health, and can be captured without the person's participation. The technology will have to show it is a better choice than current biometric techniques such as retinagrams (eye photographs), voice prints and the digital fingerprint.

A publicity-shy Reston, VA company called Mikos holds the patent for certain technology uses of this concept.
Dave Evans of Betac who has obtained certain "non exclusive" rights in the technology claims that "thermograms are the only technology he has seen in his more than two decades of security work that meet the five major criteria of an ideal identification system: They are unique for every individual, including identical twins; they identify individuals without their knowing participation; they perform IDs on the fly; they are invulnerable to counterfeiting or disguises; they remain reliable no matter the subject's health or age," the article said.

Only retinal photos are equivalent, but potential assassins aren't likely to cooperate in using them. Right now it takes about 2-4K per thermograph, (it says '2-4K of computer memory' but I suspect they mean disk space) and that's not really a problem for a PC-Based system of 2000 or so people going to and from a building; it's another magnitude of hardware to handle millions of aircraft travelers in airports.

Also, infrared cameras are not cheap, in the $35,000 to $70,000 range, which, for the moment is likely to keep small law enforcement facilities from thermographing all persons arrested the way all persons arrested are routinely fingerprinted. But we can expect the price to come down in the future.

The writer apparently had to agree with Evans not to raise privacy and security issues in the article, it says, since first they have to show the technology works. But even it raised questions:

- The technology could be a powerful weapon in a "big brother" arsenal, with cameras in front of many stores and street corners, scanning for criminals or anyone on the government's watch list?

- Does the government have the right to randomly photograph people for matching them against a criminal database?

- What guarantees do we have that thermographs are actually unique for every person, or that the system is foolproof?

- What is the potential for blackmail, with thermographs to prove people were in compromising places and positions?
There are also my own points

- While this can be used to protect nuclear power plants against infiltration by terrorists (as one example it gives), what is to stop it, for example, from being used to find (and silence or eliminate) critics and dissidents? I wouldn't give China 30 seconds before it would use something like this to capture critics such as the victims of Tiananmen Square.

- Long history indicates that better technology is not used to improve capture of criminals who violate the lives and property of other private parties, it is used to go after whatever group the government opposes. That's why people who defend themselves with guns against armed criminals in places where gun controls are in effect, can expect to be treated harsher than the criminal would have been. Existence of criminals supports the need for more police and more police-state laws; defending oneself against criminals shows the ineffectiveness of those laws.

------------------------------

From: rinewalt@GAMMA.IS.TCU.EDU
Date: Thu, 03 Mar 1994 11:27:14 -0600
Subject: Re: Computer databases of information

chiang@berdis.ecn.purdue.edu (Ray Lon Chiang) writes:
> 4) Federal Records
> ...
> - Medical information in the MIB.

MIB is a commercial, not governmental, database. Quoting from RISKS 10.63 (which was quoting from the Christian Science Monitor):

Perhaps one of the most mysterious consumer-reporting companies is MIB, formerly the Medical Information Bureau, in Brookline, Mass. "It's a very difficult company to learn very much about," says Massachusetts state senator Lois Pines. "They don't want people to know that they exist or what they do."

Dick Rinewalt
Computer Science Dept
Texas Christian Univ
rinewalt@gamma.is.tcu.edu
817-921-7166

------------------------------

From: Paul Robinson
Date: Fri, 4 Mar 1994 04:25:22 -0500 (EST)
Subject: Databases etc.
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA

chiang@berdis.ecn.purdue.edu (Ray Lon Chiang), writes:
> 4) Federal Records
>
> The government probably has the single largest combined database of
> information on most individuals, law-abiding or otherwise. :) I
> would expect that most of this information is distributed across
> many departments. I suppose some of the more obvious would be:
>
> - Criminal records with the FBI (in the NCIC).
> - Tax records in the IRS.
> - Medical information in the MIB.

To the best of my knowledge, the MIB (Medical Information Bureau) is a _private_ organization operated by the insurance industry, since they are the ones who query (and supply) its databases.

------------------------------

From: mea@intgp1.att.com (Mark Anderson)
Date: Thu, 3 Mar 94 19:50 CST
Subject: Re: Privacy and Sexual Crimes

swayne@draper.com (A. Steven Wayne) writes:

Chuck Weckesser <71233.677@CompuServe.COM> wrote:

Should Rapists And Pedophiles Be Forced To Register With The Authorities Every Time They Move Away?

There are two issues here: the rights of the individual (who I assume to have been previously convicted) and the security of society.

[A. Steven Wayne chooses the security of society]

Your proposal scares me a little bit, not because you mention it here in this mailing list, because I think your attitude towards these types of crimes reflects the norm of society. It's now becoming acceptable to sacrifice any kind of privacy or liberty if it prevents just one child from being molested or one woman from being raped. The nightly TV tabloid^H^H^H^H^H^H^Hnews seems to create enough hysteria about this crime that if there were a proposal to place electronic monitoring devices on these people for the rest of their lives, there wouldn't be much objection.

For people convicted of these crimes, databases already exist that allow interested parties access.
If you, as a concerned neighbor, investigated every new neighbor coming into the neighborhood, you could find out convicted rapists and molesters using the laws already on the books.

Having these people report to the authorities after they've served their debt to society can have dangerous side effects. Personally, I'd also want to know about the murderers, home burglars, and drug dealers moving into my neighborhood.

The problem with child molestation is that it has gotten totally out of hand. People are being accused of this crime more and more based on flimsier and flimsier evidence. The recent Cardinal Bernardin case attests to that fact. Therefore, if people can be accused of this crime so easily, convictions can also easily follow. It's bad enough to go to jail, lose your reputation, lose everything you worked for your whole life based on false accusation. To be forced to report to the "authorities" everywhere you move for the rest of your life will basically also brand you a second hand citizen. You will have no way to ever rebuild your life.

Personally, I've chosen to stay away from all non-relative kids. I had been paying a 14 year old below minimum wages to do work around my building. The same kind of work I used to do at 14. My dad convinced me not to have this kid around. All he had to do is make up a story and his family could take my building. The risk isn't worth it anymore. So much for community service and being a role model.

------------------------------

From: jnc@ginger.lcs.mit.edu (Noel Chiappa)
Date: Fri, 4 Mar 94 09:33:05 -0500
Subject: RE: Unsolicited Advertising - A Proposal

It's only junk mail if you have no interest in the material at all. ... Advertising is only "junk" if it's concerning things that you don't want.

I think there is a "signal/noise" ratio issue. Lists like the IETF list have a definite purpose in mind, and once we start to allow non-IETF related traffic on it, we could get a lot of traffic to it.
If there's only one IETF related message in 100, we'd lose a lot of people we need to have on. (I got off TCP-IP because the S/N ratio fell too far.) I don't *know* this will happen; advertisers seem to be working on technology to be more selective, and there's no reason to think it won't be true on the Internet too. However, I don't want to chance it, by allowing advertising on the IETF list.

This seems to imply that there is *no place at all* for advertising on the Internet. I think this statement in and of itself to be false on its face.

I don't think that those of us who don't like advertising posts are saying this. We just object to "anything goes" rules, which would allow forums with a general good, like the IETF list, to be effectively destroyed by people who are out for individual return. Not that individual return is bad, mind you; far from it! It's just there are times and places when it's appropriate, and times and places when it's not.

the question which needs to be asked is: what is the standard by which you say that 'this activity is wrong' but 'this activity isn't'? ... is ALL unsolicited E-Mail wrong?

We all know advertising when we see it. Just because it may be hard to exactly define it ("unsolicited communications whose principal and immediate purpose is to make money for the sender by spreading knowledge of their commercial activity" isn't bad, but there are bugs with it) doesn't change that.

But let's define under what circumstances it is and is not acceptable for someone to be sending out unsolicited mail to another person, before we exclude the class of 'advertisement.' What about advertisements posted to mailing lists or news groups?

I think it's up to each mailing-list/news-group. The IETF community has repeatedly expressed the opinion that *no* advertising is acceptable on this list.

The problem may be in part that there is an "anti-commercial" bias with many of the people on the Internet, and with people in general.

Balderdash.
I had a lot of fun, and made a lot of money, at Proteon, as have many others on this list with similar stories. We aren't being hypocritical in rejecting commercial activity in the IETF; we just recognize that there are times and places for commercial activity, and the IETF isn't one of them.

almost everything they own they obtained as a result of advertising telling them about it or raising a desire they were unaware of

Speak for yourself... most of the contents of this room, looking around, are a result of deliberate searches for outlets (e.g. yellow pages, which are a *very* different form of advertising from unsolicited personal communication), or information gained from other sources.

But (in the given example) we have a precisely targeted audience (bicycle enthusiasts) being targeted for something related to them.

So what, if that group of people has made clear that their community channel is *not* to be used for advertising?

While courts have given some leeway to banning the distribution of pure advertisements, an advertisement attached to an editorial becomes material protected under the 1st Amendment.

So what? Last time I looked, the 1st Amendment didn't allow you entry to private clubs to post whatever ads (or editorials) you saw fit. Anyway, the IETF list is not a solely US entity (although its current primary distributor is in the US, but this could be changed), so please stop appealing to US law.

the implied threat of having an organization whose charter is the examination of Criminal activities ...keeping lists of people because some other people don't like their messages

Clearly, the suggestion of involving the CERT was way off base.

------------------------------

From: kbass@sdesys1.hns.com (Ken Bass)
Date: Thu, 3 Mar 1994 20:35:15 GMT
Subject: Re: Electronic Banking - CheckFree
Organization: Hughes Network Systems, Inc.
Matthew Lyle (matt@ra.oc.com) wrote:
: Hyatt_Edward_R@byu.edu writes: I have thought about using the
: CheckFree service, but I am worried about the prospect of giving
: them my SS#, bank account #, etc. Can I trust their claim of
:
: They will set up the account without having your SS#. Mine is set up
: with CheckFree that way.

But I don't want them to have my bank number either!!! ;)

------------------------------

From: wbe@psr.com (Winston Edmond)
Date: Thu, 3 Mar 1994 17:44:57 GMT
Subject: Re: Van Eck Radiation
Organization: Panther Software and Research

herronj@MAIL.FWS.GOV writes:

Don't think that just because you have many computers that they wouldn't be able to pick out one from the crowd and monitor it.

I would expect, though, that a room full of the same model and brand would pose more of a challenge.

Normal keyboards, printers and monitors are the worst. Imagine sitting a mile away and picking up every scan line that your monitor generates and reconstructing it.

Are LCD displays less radiative/monitorable than CRTs?

------------------------------

From: mckeever@cogsci.uwo.ca (Paul McKeever)
Date: 3 Mar 1994 00:28:29 GMT
Subject: Re: FBI Digital Telephony Proposal and PCS mobile phones
Organization: University of Western Ontario, London, Ont. Canada

In line with the discussion of tracking is the following addition to the Canadian Criminal Code, introduced by Kim Campbell while she was Justice Minister of the Federal Government:

section 492.1(1) A justice who is satisfied by information on oath in writing that there are reasonable grounds to suspect that an offence under this or any other Act of Parliament has been or will be committed and that information that is relevant to the commission of that offence, including the whereabouts of any person, can be obtained through the use of a tracking device, may at any time issue a warrant authorizing a person named therein or a peace officer

(a) to install, maintain and remove a tracking device in or on any thing...

(unfortunately, I'm missing page 19 of Bill C-109, but you get the idea).

I find it sort of disturbing that the suspected offence need not be criminal for someone's location to be tracked by a police officer or anyone else to whom the warrant is awarded. Not having page 19, I am unsure that the circumstances listed under subsection (1) are the only ones which allow such a huge violation of privacy.
For example, another addition to the Criminal Code that was introduced by Bill C-109:

section 184.4: A peace officer may intercept, by means of any electro-magnetic, acoustic, mechanical or other device, a private communication where

(a) the peace officer *believes* [my emphasis] on reasonable grounds that the urgency of the situation is such that an authorization could not, with *reasonable* diligence, be obtained under any other provision of this Part;

(b) the peace officer believes on reasonable grounds that such an interception is immediately necessary to prevent an unlawful act that would cause serious harm to any person or to property; *and*

(c) either the originator of the private communication or the person intended by the originator to receive it is the person who would perform the act that is *likely* to cause the harm or is the victim, or intended victim of the harm.

[in other words, if the "officer *believes*" that the situation is too urgent to wait for a warrant, he doesn't have to wait: he can just proceed with the wire tapping/privacy invasion].

If I get some time, I'll see if such a lax set of requirements is all that need be met in order to track a person's location. Either way, it's interesting to note that this new legislation got little or no press, and met with little, if any resistance from the public. This may be, in part, because the changes re: easing restrictions on wire taps were imbedded in a slew of other additions to the Canadian Criminal Code...a technique that U.S. privacy advocates should keep an eye out for.

Just thought you all might be interested.

------------------------------

From: bernie@fantasyfarm.com
Date: Thu, 3 Mar 1994 23:49:39 GMT
Subject: Re: EFFector Online 07.04 - FBI Digital Telephony Nightmare Recurs
Organization: Fantasy Farm Fibers

[Note: I originally posted this to comp.org.eff.talk.
However, since Prof Levine has reposted the EFF's commentary here, I'm following with a slightly edited form of my original comments on Stanton's posting. I think the topic merits a more balanced discussion than it has received.]

[second note: I apologize for the extensive quotes from the original post. The problem is that this is *NOT* a freestanding essay on the Digital Telephony proposal, but is _specifically_ a response to the EFF statement on it. As such, I had to include enough of the EFF's original text to make clear to what I was responding and also to ensure that I didn't give people the idea that I was trying to divert the discussion by lifting things out of context....]

In article <2kj0gc$q12@eff.org>, Stanton McCandlish writes:

} Subject: Digital Telephony - FBI "Wiretap Bill" Resurrected
} -----------------------------------------------------------
}
} The Clinton Administration is backing a proposal by law enforcement
} agencies that could make the entire communications infrastructure
} susceptible to surveillance. ...
}
} In short, the bill lays the groundwork for turning the National Information
} Infrastructure into a nation-wide surveillance system, to be used by law
} enforcement with few technical or legal safeguards.

Would you elaborate [as you did *NOT* in what followed [see below] just how the use of the term "turning ... into" is appropriate?

} Although the FBI suggests that the bill is primarily designed to maintain
} status quo wiretap capability in the face of technological changes, in
} fact, it seeks vast new surveillance and monitoring tools. Among the new
} powers given to law enforcement are:
}
} 1. Real-time access to transactional information creates the ability to
} monitor individuals "live".

Is this information not available now?
At best, it is only _difficult_ to collect now, and it, again, brings up the question of whether [and to what extent] it is proper to call something that is in line with the 4th amendment as being an intrusion.

=-=-=-=-=-=-=-=-=-=-=-=-=-= Side comment =-=-=-=-=-=-=-=-=-=-=-=

This harks back to a common theme I see in many of the 'privacy' advocacy postings that are frequent in many discussion groups [not just clipper and digital telephony, but such things as consumer information and other databases of private citizen information]. It seems to be that many folk are futilely attacking the *messenger*, while they basically ignore the message. The message, of course, is that some information about you is just-plain-public-info and a LOT of other info about you is available to LEOs when they get a warrant. Putting your head in the sand and feigning surprise when you learn of an aspect of one or the other [and attacking the *specific*whatever*] is not either an effective or scholarly strategy [what was that previous attack.. Lotus marketplace? Folks seemed to think it was a victory for privacy, but of course it was only a victory for "ostriching". The information is still there, and anyone who wants it can easily get it... it is just easier to _pretend_ that it isn't about having beaten Lotus Marketplace down].

There are two substantive issues lurking behind statements like the one EFF made here, and I'm very dismayed that EFF seems not inclined to address either issue:

1) The information: was that information *already* available to an LEO with a warrant? That is, is the claim that what you have now is, at the *very*best* "security by obscurity" [in that the info might have been difficult to collect]? If you think that information is *currently* inviolate, then I'd think that the advocates would be shouting LOUD AND CLEAR about the violation [since that'd be a *substantive* rock you can throw].
On the other hand, if that information is NOT particularly 'privileged' now, then I think you have the obligation to *make*a*case* for why that information _should_ be dignified with being beyond the 4th amendment.

2) The third-party: is it proper for the LEOs to mandate that a third-party manage information in such a way that it is *subject* to subpoena?

On (1), I confess that I think that most of the arguments posted don't seem to have a leg to stand on. I've been pushing [pretty hard at times] to uncover the (1)-type issues, and in *EVERY* case [so far] in the end it turned out that the answer was "No, that info *would*be* subject to subpoena now...this is really *not* a "new" intrusion". I cannot say whether this is the case here [I hope that an advocate of the EFF position can elaborate], but I suspect the real point here is the "real time"... that is, what we have now is security-by-obscurity in that the info is somewhat tricky to collect, but the *info* **IS** available to LEOs, and what is happening here is that it is being made easier to collect.

[Footnote to comp.society.privacy readers: *no*one* from EFF stepped forward to provide any support to their implied position that the matter mentioned here is actually a new or precedent setting intrusion. So I can only conclude that this, too, is another instance of "No, that info *would*be*... etc"]

(2) is the by-far more interesting issue. You can phrase it in various ways [depending on your political bias], but the sense will usually be: "It is proper [legal?] for it to be a matter of *law* that a third-party holding information about _you_ must do so in a form that keeps it subject to surrender upon presentation of a warrant." Note that such third-parties are not bound by the 5th, and so cannot use self-incrimination as a justification for non-compliance with a warrant.
Note that there *are* some precedents in this area [if I understand the law right]: various IRS and currency laws *require* that third-parties *keep* records [and in fact, in many cases *require* that the information be turned over to the gov't, directly]. The question is not the security of the information, per se, but the obvious conclusion: there is NO way to prevent any such information from being surrendered to a warrant.

=-=-=-=-=-=-=-= Back to the EFF's statement =-=-=-=-=-=-=-=-=-=-=

} The bill would require common carrier networks (telephone companies
} and anyone who plans to get into the telephone business, such as cable TV
} companies) to deliver, in real-time, "call setup information." ...
} ... As we all come
} to use electronic communications for more and more purposes, however, this
} simple call setup information could also reveal what movies we've ordered,
} which online information services we've connected to, which political
} bulletin boards we've dialed, etc. ...

Nice-reading words aside, on what basis do you think this information should be confidential? Isn't that information available NOW? And moreover, unlike merely-encrypting-your-phone [and/or email], there's *no* way to prevent its disclosure, since as far as I know the third-party [in this case, the telco] has no basis for denying a warrant. Is there some principle which I'm not privy to by which this information should be immune from collection by warrant [or however it is collectable now]? Again the key question: is this something *new*?

} .. With increasing use of
} telecommunications, this simple transactional information reveals almost as
} much about our private lives as would be learned if someone literally
} followed us around on the street, watching our every move.

Isn't that last part legal, too? And actually, I suspect this is rather an exaggeration, at least for telecommunications.
More and more, the telecommunications services we use are going to be interconnected and so I suspect that over time, you'll get *LESS* info from your phone record about these sorts of activities: the only data bit you'll get is that I called my internet provider [or my SLIP/PPP provider or whatever] for X hrs yesterday. Where my IP packets went, what services I used, in a real sense, what I was _doing_ is all opaque to traffic analysis. Of course, this'll bring us around to the question of whether your *IP* provider can be compelled to disclose info about what you were doing. I suspect the answer is an unequivocal "YES" [cf, The Cuckoo's Egg], and so you have no protection _there_.

} We are all especially vulnerable to this kind of surveillance, because,
} unlike wiretapping the *content* of our communications, it is quite easy
} for law enforcement to get permission to obtain this transactional
} information. Whereas courts scrutinize wiretap requests very carefully,
} authorizations for access to call setup information are routinely granted
} with no substantive review.

Ah, so your complaint doesn't have to do with the proposed legislation, but is actually a complaint about the *current* state of affairs? I suspected as much... More ostriching, to my view...

} 2. Access to communication and signalling information for any mobile
} communication, regardless of location allows tracking of an individual's
} movements.

Is that information confidential/not available now? And "allows tracking" is cute: allows tracking ONLY if you use a cellular phone. And only grossly [unless I misunderstand the technology]. That is, they'll know which cell you're in, but not where you are in the cell or what you're doing or anything else. Moreover, it is hard to believe that someone would broadcast that kind of information willy-nilly and then act surprised that an LEO might collect it with a warrant.

} The bill requires that carriers be able to deliver either the contents or
} transactional information associated with any subscriber, even if that
} person is moving around from place to place with a cellular or PCS phone.

Why is that unreasonable? More precisely, what about that situation do you find in violation of the 4th?

} It is conceivable that law enforcement could use the signalling information
} to identify that location of a target, whether that person is the subject
} of a wiretap order, or merely a subpoena for call setup information.

Straw man alert. *what* is "conceivable"?

} This provision takes a major step beyond current law in that it allows for
} a tap and/or trace on a *person*, as opposed to mere surveillance of a
} telephone line.

First off, I was under the impression that one *could* "tap and/or trace" a person. Is it really illegal/unconstitutional for an LEO [with a warrant] to follow you around and note what you do, who you talk to, etc? Maybe I've watched too many crime movies, but I thought that kind of stuff was SOP police/investigator work. Moreover, I note that you took a string of hypotheticals and conditions, didn't actually justify, much, ANY step along the way. And now have the audacity to state the end of this squishy logical chain as a conclusion. The leap from cell-by-cell [at best] tracing of cellular phone calls to continuous point-by-point tracking of a *person* is one that is pretty huge and so requires a LOT of justification if the claim is to carry any weight whatever.

} 3. Expanded access to electronic communications services, such as the
} Internet, online information services, and BBSs.
}
} The privacy of electronic communications services such as electronic mail
} is also put at grave risk. Today, a court order is required under the
} Electronic Communications Privacy Act to obtain the contents of electronic
} mail, for example.
} Those ECPA provisions would still apply for the
} contents of such messages, but the FBI bill suggests that common carriers
} might be responsible for delivering the addressing information associated
} with electronic mail and other electronic communications.

Are you admitting that ECPA is _silent_ on the matter of headers and addressing information? [much as it is different to observe the address on an envelope you're mailing than it is to look at the contents?] That strikes me as a *longstanding* distinction in the application of the 4th. Is there some problem here?

} ... For example, if
} a user connects to the Internet over local telephone lines, law enforcement
} might be able to demand from the telephone company information about where
} the user sent messages, and into which remote systems that user connects.
} All of this information could be obtained by law enforcement without ever
} receiving a wiretap order.

Of course not: it is *NOT* a wiretap. Sounds perfectly fair to me. On what basis do you think that any of those players you mention has any duty, obligation, prerogative, or right *NOT* to comply with a warrant for that information? Moreover, I think that in the time scale you're talking about, the model is wrong. Users are probably NOT going to be connecting to a huge number of different systems, but it seems pretty obvious that the direction of things is to have a provider to the 'superhighway' and you go where you will from there. Which, again, brings us to the question of whether network providers allow one to trace *network*packets*, and I think the answer there is _yes_.

} Subject: What YOU Can Do
} ------------------------
} You've been following the newspapers and reading EFFector Online.
} You know that today there are several battles being fought over the future
} of personal privacy. The Clipper Chip, export restrictions, the Digital
} Telephony Proposal - the arguments are numerous and complex, but the
} principles are clear.
} Who will decide how much privacy is "enough"?

Indeed, and the answer is "each person will". *NO*ONE*ELSE* has any duty, moral or legal, to protect _your_ privacy. I can't see why folks have such a hard time with that. Nothing I've seen in the current round of ongoing discussions seems to have shifted ANY balance of 'privacy' [other than Clipper which will unquestionably *IMPROVE* your privacy]

} The Electronic Frontier Foundation believes that individuals should be
} able to ensure the privacy of their personal communications through any
} technological means they choose.

Yes!!! And I note that *NOTHING* in the essay that came before that statement had _any_ bearing on this matter.

} ... However, the government's current
} restrictions on the export of encryption software have stifled the
} development and commercial availability of strong encryption in the U.S.

Say again?? I thought that *export* meant "sending stuff out" not bringing it in. I was under the impression that in consumer products [that *IS* what you're talking about, I assume, since you're concerned about largish-scale economic matters] the US was *king* and that by and large, if the US consumers want something that is, by itself, a more than large enough market. How does the export restriction prevent US folks from obtaining what they want? But I can't complain much here, since [as I mentioned in my comments on the JPB article] this is a potentially substantive criticism: *SHOULD* crypto stuff fall within the purview of ITAR? How _should_ ITAR work in a post-cold-war world? but on the other hand, that's not really all that much of a domestic privacy matter.

------------------------------

From: "Tansin A. Darcos & Company" <0005066432@mcimail.com>
Date: Thu, 3 Mar 94 23:20 EST
Subject: RE: Unsolicited Advertising - A Proposal

From: Paul Robinson
Organization: Tansin A. Darcos & Company, Silver Spring MD USA
---
Bob Raisch writes to the IETF and COM-PRIV lists, as follows:

> Recently, there have been a number of incidents where
> individuals or organizations have posted commercial advertising
> to a broad range of mailing lists and individual electronic mail
> addresses.

Err, Bob, If I hadn't seen *your company's announcement* of its service, (which only appeared on the Internet), I wouldn't have purchased the proxy domain service from your company. And I would not have obtained a service I wanted, and your company would not have made a sale. Yet perhaps 99% of the people who saw the message probably did not have an interest in it.

> There is a marketing firm (J.S. McBride of Los Altos, CA) which
> is selling lists of electronic mail addresses which it has
> gathered from various online sources. By collecting names and
> addresses of all those who have posted to Usenet in the
> rec.bicycles newsgroup, for example, this firm would then sell
> this direct marketing mail list to companies selling bicycling
> products. This places anyone who participates in the online
> community at risk.

It's only junk mail if you have no interest in the material at all. I used to have a PO Box in Washington DC (70970) that got tremendous amounts of mail, most of it advertising. The only thing I considered "junk mail" was the stuff that was supposed to go to the CIA, which had the PO Box above mine (70967), and that the Post Office kept putting their mail in my box. (In case anyone cares to correct me, I know the technical name of the holder of that box is the "National Photo Interpretation Center" but they did get mail marked "US CIA" so I think that counts.) The advertising kept me aware of trends in the computer industry, pricing, what is being sold, what is available. A very intensive education in what is offered by the marketplace. For free.

> "Myth: No Unsolicited Advertising -- Fact: Unsolicited
> Advertising has been taking place on the Internet for quite
> some time, but you must proceed with caution"

I think the point at which I knew that I had arrived on the Internet was when I got my first "Junk Email" message, which was an ad for something, I forget what. The only reason I could have gotten it is someone looked up my fidonet address in the WHOIS directory, some three or four years ago. The only reason I subscribed to MCI Mail is that our company got a "junk telex" from them regarding their telex service. Advertising is only "junk" if it's concerning things that you don't want. In fact, some people would classify visits by the Jehovah's Witnesses as in the same class as Junk Mail, but no one expects they make a lot of money selling Awake and Watchtower.

> And... "Unsolicited advertising (via email) is a gray area of
> Internet culture which requires very careful planning and
> execution to avoid the wrath of an extremely vocal community."
>...(Personally, I find this sentiment to be very distasteful in that
> it suggests that it is acceptable to steal from the individual
> and from the community as long as you do not "get caught.")

The tone of this implies that unsolicited mail sent to someone is stealing from them. Or that unsolicited advertisements are. I think these points are incorrect. This seems to imply that there is *no place at all* for advertising on the Internet. I think this statement in and of itself to be false on its face. Now, perhaps some people who are on rec.bicycles might not want advertisements, some people would be interested in *factual* information about bicycles, including the advertiser's specifications and prices. Now maybe the point being that because one can duck messages in newsgroups, while E-Mail has to be read to be noticed, the question which needs to be asked is: what is the standard by which you say that 'this activity is wrong' but 'this activity isn't'?

Let's look closer: is ALL unsolicited E-Mail wrong? Well, first, any time someone makes a public posting to a mailing list or news group, they have to accept the fact that someone may send them a personal response to their message, even if they have not asked for one. Second, any "public figure" is bound to get some e-mail from someone who might ask them a question. Bill Gates of Microsoft had his mailbox publicly postable by anyone on the Internet. He's been getting over 3,000 messages a week since a story about this came out; as such, he may have to have someone read his E-Mail for him. But let's define under what circumstances it is and is not acceptable for someone to be sending out unsolicited mail to another person, before we exclude the class of 'advertisement.' What about advertisements posted to mailing lists or news groups? Ads that are clearly marked as such in the first 5 lines? Ads marked so in the Subject?

> This behavior is considered by many to be unacceptable for two
> primary reasons.
>
> --Many consider the sending of unsolicited advertising to be
> socially irresponsible and about as valuable to the public good
> as littering. This, I believe is partly based on the history of
> direct marketing in the actual world and its failure to
> effectively target narrow demographic groups.

The problem may be in part that there is an "anti-commercial" bias with many of the people on the Internet, and with people in general. Neglecting the fact that almost everything they own they obtained as a result of advertising telling them about it or raising a desire they were unaware of, is something quickly forgotten. People seem to be unaware that supermarkets don't fill themselves, it takes transport trucks, and an infrastructure, and a demand for the product for it to show up. But (in the given example) we have a precisely targeted audience (bicycle enthusiasts) being targeted for something related to them.

> --There is also the more measurable reason that any information
> one receives without request costs the recipient money -- both
> in terms of the time required to process and discard the
> information and in the actual cost of the reception itself.

I have to wonder how many services people are subscribing to that charge for information that don't cause people to "vote with their feet" to another place. MCI Mail doesn't charge to receive internet mail. I also use Digital Express which doesn't charge for mail received, only for online time in excess of 6 hours a day. Your own Private Domain service doesn't cost me anything for mail sent to domain TDR.COM. Sprintmail is one of the ridiculous providers and extremely expensive, costing 10c per K sent or received, plus monthly charges. AT&T Mail has allegedly started charging 2c/K for incoming Internet mail due to the volume involved. I think charging for incoming mail is likely to be a relic of the past.

> Any complete solution to this problem would need to be deployed
> ubiquitously and would require rather fundamental changes to the
> underlying mechanisms we use to send and receive email. Thus, I
> believe that a complete solution may not be easily attained -- at
> least, not until the deployment of IPng, which I believe
> represents a unique opportunity to "remake" many of the Internet
> services.

I have been thinking about this too, from a different and yet complementary angle. I hereby propose the creation of several new "non geographic" internet base level domain names. The exact 3-letter combination need not be the same, but the idea should be considered:

.SVC - Explicit Commercial Services (not just commercial domains, but services which either operate over the Internet or use the Internet as part of the service). This is supposed to be the equivalent of the indication that U.S. Area Code 900 and prefix 976 numbers make. If you write to an address on a .SVC domain, you consent to receiving ads; a service on an .SVC domain may require you to pay for use (for which "payment" could include receiving advertising.)

.PVT - Private Domains. Domain names where the entire domain belongs to a single individual. Currently, people like myself, David Sternlight, T William Wells, Paul Vixie, and others that through context and usage, are running domain names that only one person subscribes to, can only use the .COM domain. If someone wants to display a business presence, that's fine. But other people may want to use a non-geographic name without having to declare themselves a commercial site. I had considered ".IND" as the other name for private domains, except it might be confused with the ".INT" domain.

I think I need to find out who is in charge of the groups that handle this issue that I can propose it for adoption as a standard.

> I believe that with a simple change to the agency which
> actually receives mail at one's local site

Oh yeah, people just love rewriting their SENDMAIL.CF files, now you suggest they accept patches for Sendmail when they don't even know all the bugs in that program yet! (BSD Sendmail with the IDA patches is probably the most common SMTP mail transport on Internet, probably 90% of all sites using it, since it's free and comes with source, which probably nobody touches.)

> coupled with some reasonable administrative support from an
> agency like the Computer Emergency Response Team (CERT), we can
> dramatically reduce the impact which unsolicited advertising has
> on the global Internet.

CERT can't even get out reports about spoilage in software ("bugs") in any reasonable fashion short of 'once every alternate leap year' and until those security defects have been exploited many times, by the assumption that "if we don't tell anyone about a weakness, nobody else will find it," and yet you expect them to take any interest in stopping Junk Email?
In fact, I suspect the whole purpose of creating CERT was the same reason there are Bar Associations and Medical Boards: so that the incompetent practitioners can hide their screwups privately. No wonder people are hiring programmers from India.

> I also believe that CERT is a very appropriate agency for this
> project as I believe strongly that the proliferation of
> unsolicited advertising via electronic mail represents a real
> threat to the security of the global Internet --

Oh great, I can see the headlines; Imminent Death of the Internet Predicted; Cause of death: Suicide by Unsolicited Junk E-Mail Poisoning.

> security in the sense that any use of my local computing
> facilities without my express permission is theft of service.

Hmm. Have you tried to raise that issue in a court? Seriously, have you tried to find someone who has sent unsolicited advertisements as E-Mail and either filed charges or sued them civilly? I think you are doing a bit of a reach here, Mr. Raisch. :) (Pun Intentional) Or let's try another tack; a company sends out articles to people that contain ads along with textual material. While courts have given some leeway to banning the distribution of pure advertisements, an advertisement attached to an editorial becomes material protected under the 1st Amendment. A court would be very hard pressed to allow a 'theft of service' argument to be used as a form of restraint, I suspect.

> This proposal contains three elements: administration,
> implementation, and distribution.
>
> The administration portion would require:
>
>--CERT act as a clearinghouse for announcements of incidents of
> this kind; ...collect reports on the receipt of unsolicited
> email;... list offenders which exceed some pre-defined limit;
> post this list both to a subscription list of interested
> parties as well as on Usenet.

I think CERT has more important things to ignore than Junk E-Mail; it's probably kept busy enough ignoring calls for more information.

> --A method of guaranteeing the validity of this data would be used.

What criterion is to be used? And how do we know what is a mailing to five or six people on a newsgroup versus mail from five or six people complaining about unsolicited mail?

> The implementation portion would require:
>
> --Patches be made in the standard "mail reception agents" which
> would allow them to refuse to deliver mail from certain
> identified sources through the use of a stop-list or "kill
> file."
>
> --Development of administrative tools to manage the local kill file.

This assumes (1) the issue is serious enough to warrant this, e.g. that the administrator take time out from more important things like taking his secretary to a cheap motel during working hours or banning everyone else from access to alt.sex, to put in filters for unsolicited junk mail; (2) the sender can't change its domain name every time it does a mailing, e.g. ordering 50 or 60 different domain names and using ONE once a week, means a whole year of uninterrupted junk mailing before they have to think up new ones. Of course, you can filter by the originating dotted quad address, but then that's another story.

> CERT would not function -- and should not, in my opinion -- as an
> arbiter of "correct behavior", only as an informational resource
> which allows the community to implement their own local policy.

But your particular argument does _exactly_ that.

> Upon receipt of reports of violation, CERT would send out a
> statement to the sender (to be written by the community) that
> many sites on the global Internet consider such behavior to be
> unacceptable

I thought CERT would not be arbiter of acceptable behavior? I note that your original message mentions the "SEATTLE WINDOWS BACKGROUND" issue but misses the famous "Dave Rhodes MAKE.MONEY.FAST" incident.
Perhaps the reason you have to ignore that one is the firestorm of protest that the recipients generally get from such issues, which would make this campaign totally unnecessary. I think The Net can take care of itself quite nicely without requiring the net.police to come in like the FBI at Waco, thank you.

> I would be very interested in coordinating this effort and
> welcome comments, suggestions and offers of support.

I commend you on your efforts to offer the service you indicate (the mailing list for reports). I doubt that we need anything as drastic as your proposals suggest; I dislike the idea of being bombarded by lots of advertisements, but I dislike content restrictions and the implied threat of having an organization whose charter is the examination of Criminal activities investigating people or keeping lists of people because some other people don't like their messages, a lot more. How long before some unpopular religion like Wicca, Jehovah's Witnesses, or the First Church of Satan is 'voluntarily banned' from The Net?

------------------------------

End of Computer Privacy Digest V4 #038
******************************
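
The stop-list ("kill file") check proposed in the last message, together with the reply's objection that a sender can rotate domain names, sketched as an added example (not code from the digest, its posters, or any mail agent). The record layout, class and function names, and sample envelopes are constructed assumptions; the addresses come from documentation ranges.

```python
"""Stop-list check at mail reception: domain entries versus address entries."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Envelope:
    """What a receiving agent knows before it accepts a message (assumed layout)."""
    peer_ip: str     # address of the connecting host (the "dotted quad")
    mail_from: str   # envelope sender, exactly as the peer claims it


class StopList:
    def __init__(self, domains=(), networks=()):
        self.domains = {d.lower().rstrip(".") for d in domains}
        self.networks = [ipaddress.ip_network(n) for n in networks]

    def domain_hit(self, mail_from):
        """Return the listed domain that covers the sender, or None."""
        _, sep, domain = mail_from.strip("<>").rpartition("@")
        if not sep:                       # null sender or malformed address
            return None
        labels = domain.lower().rstrip(".").split(".")
        # Whole-label suffix match: "bulk.example" covers "mx.bulk.example"
        # but not "notbulk.example" (no substring matching).
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def network_hit(self, peer_ip):
        """Return the listed network that contains the peer, or None."""
        try:
            ip = ipaddress.ip_address(peer_ip)
        except ValueError:
            return None
        return next((str(n) for n in self.networks if ip in n), None)

    def check(self, env):
        """Return (accept, reason) for one envelope."""
        hit = self.network_hit(env.peer_ip)
        if hit:
            return False, f"peer {env.peer_ip} in {hit}"
        hit = self.domain_hit(env.mail_from)
        if hit:
            return False, f"sender domain {hit}"
        return True, "no stop-list entry"


# Constructed sample: one sending host, a new domain for each weekly mailing,
# plus two unrelated senders (one of them relaying through the same host).
MAILINGS = [
    Envelope("192.0.2.25", "offers@week1-deals.example"),
    Envelope("192.0.2.25", "offers@week2-deals.example"),
    Envelope("192.0.2.25", "offers@mx.week3-deals.example"),
    Envelope("198.51.100.7", "alice@lists.example.org"),
    Envelope("192.0.2.25", "bob@smallclub.example"),
]


def refused(stoplist, envelopes):
    """Envelope senders the stop-list would refuse, in arrival order."""
    return [e.mail_from for e in envelopes if not stoplist.check(e)[0]]


if __name__ == "__main__":
    lists = {
        "domain entry only": StopList(domains=["week1-deals.example"]),
        "plus address entry": StopList(domains=["week1-deals.example"],
                                       networks=["192.0.2.25/32"]),
    }
    for name, sl in lists.items():
        print(name)
        for env in MAILINGS:
            ok, why = sl.check(env)
            print(f"  {'accept' if ok else 'REFUSE':6} {env.mail_from:32} {why}")
```

With only the domain entry, the second and third mailings are accepted; the address entry refuses all three but also refuses the unrelated sender relaying through the same host.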